Three mindsets about cyber risk: Which one will resonate?


The digital economy is getting hammered with advanced cyber attacks. As a business executive, your awareness of this issue grows daily, and cyber security is now weighing on your mind. You are not alone. After interviewing 588 C-suite and Board-level executives, the Lloyd’s 2013 Risk Index reported that cyber risk is considered the third-highest risk for global businesses, outranked only by high taxation and loss of customers.

As industry experiences its rude awakening to cyber risk, you might expect that it’s time to invest heavily in IT security, but you would be right to realize that it’s not. A much deeper change is needed to adapt fully.

Where we are today reminds me of the 1980s, when both Fujifilm and Kodak faced a similar rude awakening as it became clear that different parts of their market would switch from film to digital photography and render their traditional business models obsolete. The subsequent collapse of Kodak into bankruptcy and the transformation of Fujifilm into a firm with a market capitalization exceeding $25 billion in 2011 have been widely chronicled. So, why did these two firms fare so differently? While both firms faced a driving force to transform, Kodak held on to its old thinking too long, was complacent, and was ultimately too slow to adapt fully to the market change.

Today, we are experiencing similar circumstances to what Kodak and Fujifilm faced. However, this time the disruptive force isn’t digital photography, but rather the extent of business damage that cyber attacks can cause. So, how do we effectively combat these situations? What new thinking about cyber risk will allow us to adapt fully to this market change?

The first mindset you might have about cyber risk is the “internal risk” mindset. You might view cyber attack damages as an issue that impacts your business with unacceptable financial and reputational losses, and you are willing to invest some capital to stay out of the news and control financial losses. This mindset has been fairly prevalent and is limiting.

The next mindset develops when you notice that cyber risk is a shared risk between any two businesses that interact. You realize that your cyber risks are no longer exclusively yours and you are passing them along to your customers as liabilities. Likewise, your supply chain passes their cyber risk liabilities on to you. Sooner or later your customers will demand less cyber risk and in turn you will demand the same from your supply chain. You can see how this will cascade through value chains, and achieving reasonable cyber risk will become a “cost of doing business.” In this mindset your sense of urgency to reduce cyber risk grows as you realize it’s a matter of survival.

The third mindset builds on the “cost of doing business” mentality and digs deeper to notice that, beyond keeping customers happy, cyber risk might drive larger structural changes to industries. As you know, industry structures are relatively stable until they are transformed by shifts in any one of three areas: buyer needs, regulation or technology. Currently, cyber risk creates fertile ground for changes in two areas:

• Buyer needs: In what may feel like a flash, customers have expressed their heightened awareness of cyber risk. Less cyber risk is a vast, rapidly expanding buyer need.

• Regulation: Given the public safety aspects of cyber risk, more regulation is inevitable. You are probably already experiencing the tightening and may be rightly feeling that there is more regulation to come.

How much structural change will occur in your industry? It’s too early to tell. To put it into perspective, remember the opportunities that the Internet created and how it produced countless titans of industry like Amazon.com? Cyber risk may drive changes and create opportunities that big.

Let me explain. Roughly two decades ago, the Internet was a disruptive technology, and we leveraged the new infrastructure to craft new business models, overhaul business strategies, and arrange different value networks. Fast-forward to today and we can see that current cyber risk levels were simply not priced in. As we learn to price cyber risk in, we might find that business models will be tested, entire value networks will need to be reconfigured, and business strategies will be overhauled.

This is the “disruption creates opportunity” mindset, and it’s the best approach because this deeper understanding naturally brings focus to things that will help you compete and adapt fully to the evolving market conditions.

The more you consider these deeper business implications the more you might wonder:

• How will we monitor customer demand for less cyber risk over time?

• How will our own business models and strategies be impacted?

• How can we use the market disruption to grow market share and enter new markets?

• How can we incorporate cyber insurance and what should we demand from insurers?

• How can we avoid excessively strict cyber regulation and track cyber legislation trends?

• Which standards show due care, exist today, and are marketable?

• Which security controls — previously seen as too costly — should be revisited for their value?

• How should we shift outsourcing and partnering strategies?

• How will this change our workforce and incentives? Where are the critical skills gaps?

• How can we become more proactive about monitoring and treating cyber risk?

• How can we ensure we transform fully and quickly to capitalize on the opportunity?

If you were to assemble the perfect team to answer these questions and more, who would you pull in? Perhaps the CEO, CFO, General Counsel, Strategy Officer, HR, CIO, CISO, Marketing, and Sales? Your list may vary slightly and that’s OK. The key aspect to notice is that you are building a cross-disciplined team that reaches well beyond IT security because fully adapting to a market disruption in a manner that is affordable and balances all of the business realities isn’t something that IT security can do on its own.

You may be tempted to have a few meetings and then fall back into your old comfort zone and let IT security worry about this. I encourage you not to. IT security has been trying to solve this problem for many years on its own and has failed. In fact, in September I polled cyber security leaders in my network with one simple question that follows the money: Have we obtained the significant investments to adequately respond to advanced cyber attacks?

The result: 92 percent of cyber security leaders state that industry, for a variety of reasons, has not made the investments to thwart advanced attacks. For many companies, security spending has escalated over the past few years, yet there is almost unanimous agreement that it hasn’t worked, so falling back into the same way of thinking and the same paradigms will not bring great results.

Now is the time to move your organization out of the comfort zone and into that place where great results happen.

Just like with Kodak and Fujifilm, some of your competitors will stumble to adapt fully and some will capitalize on this Internet-scale shift.

As you meet with your critical staff, you may want to ask one simple question: “Have we reviewed how the world’s No. 3 risk impacts our business?” The dialogue that follows may prove uncomfortable, and it is at that point you will know it’s time to place increased and deeper attention on the business implications of cyber risk.

James Ryan, an innovator in the cyber security space and co-founder of Litmus Logic LLC (www.litmuslogic.com), speaks at the DoD CyberCrime conference and Cyber Security Summit, was a guest on the History Channel to describe cyber warfare, and is a member of the Cyber Security Summit’s Executive Council.