Matt Middleton-Leal, Regional Vice President, EMEA North at Qualys, explores how mismatched definitions of ‘strategy’ leave security initiatives underfunded – and why money-led risk narratives help bridge the gap.
George Bernard Shaw is often credited with the observation that the United States and the United Kingdom are “two nations divided by a common language.” In his poem The Hollow Men, T.S. Eliot invokes the idea of ‘the Shadow’ that falls between conception and creation – what we say and what we mean. But what does this have to do with risk?
As in Eliot’s poem, there is a gap between what IT security leaders define as strategy and what business leaders look for. That gap can make it harder to get support for initiatives that reduce risk over time, particularly when IT is perceived as simply asking for more and more cash to fix problems. That perception is unfair, because security is essential to business operations. Without security in place, companies open themselves up to attacks, fines for compliance failures, and the risk of operational disruption.
For IT security leaders, setting strategy around risk involves how to deploy technology, people and processes to control threats. By stopping attacks and reducing the risks, perils and hazards they represent, IT can help keep the business secure.
For business leaders, strategy involves how to create and capture more value, across more channels, for more customers. They then want to understand the risks around those decisions – from whether opening an office in a new location will lead to enough sales, to whether new products for existing markets will generate a better return.
To the IT security team, these strategic decisions can seem well outside its sphere of influence. To the business team, discussions around technology are often seen as tactical. This leads to a gap in understanding.
Getting strategy and risk right
To get past this problem, security leaders will have to do most of the work. CISOs have to put their actions into a wider context and treat security as an exercise in capital rather than one in technology. This makes it easier to show where security and risk management supports overall business strategy, and where risks could jeopardise strategic objectives.
The starting point is money. Security teams can provide insight into what risks exist, how much they could cost the business, and what the organisation’s existing controls do to keep risk within acceptable levels. In essence, CISOs have to move away from saying, “We see 50,000 issues in our IT and these 10 are the most pressing. I need investment to fix them,” and instead respond with, “These 10 issues have a 30% chance of costing us $200 million in revenue and potential fines. I can deploy $400,000 to cut the risk by two-thirds.”
Security is often treated as a binary exercise — either we are vulnerable, or we are not. But this mindset is not helpful when there are so many cyber risks out there. At this point, it is impossible to protect against everything that could be a threat, so decisions have to be made about where to spend resources. This changes the focus from ‘Are we protected?’ to ‘Have we protected ourselves against the biggest potential sources of risk?’ To judge this, technical information alone is not enough.
Putting risk into a financial context makes it easier to have conversations across the business about which risks need to be eliminated, which risks need insurance to guard against them, and which ones sit below the organisation’s current risk threshold. It also makes it easier for the business to see where risks and costs should be included within its overall approach — and how this affects the strategy it wants to pursue.
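The money-led framing described above (expected loss, the cost of a control, and a threshold below which a risk is simply accepted) can be made concrete as a small risk register calculation. The following is an added illustration written for this page; it is not code from the article or from Qualys. The register entries, the risk appetite figure and the decision rule (accept below the appetite, mitigate where the control pays for itself, otherwise transfer to insurance) are all constructed assumptions chosen to mirror the article's "30% chance of $200 million, $400,000 to cut the risk by two-thirds" example.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One line of a constructed risk register, expressed in money terms."""
    name: str
    probability: float   # annual likelihood the loss event occurs (0..1)
    impact: float        # loss if it occurs, in dollars (lost revenue + fines)
    control_cost: float  # cost of the proposed control, in dollars
    reduction: float     # fraction of the risk the control removes (0..1)

    def expected_loss(self) -> float:
        # Annualised expected loss before any new control is applied.
        return self.probability * self.impact

    def residual_loss(self) -> float:
        # Expected loss that remains after the control takes effect.
        return self.expected_loss() * (1.0 - self.reduction)

    def loss_avoided(self) -> float:
        return self.expected_loss() - self.residual_loss()

    def rosi(self) -> float:
        # Return on security investment: (loss avoided - cost) / cost.
        return (self.loss_avoided() - self.control_cost) / self.control_cost


def classify(risk: Risk, appetite: float) -> str:
    """Assumed decision rule: accept, mitigate, or transfer (insure) a risk.

    - accept:   expected loss already sits below the organisation's appetite
    - mitigate: the control removes more loss than it costs (positive ROSI)
    - transfer: the control is not worth buying, so cover the exposure otherwise
    """
    if risk.expected_loss() <= appetite:
        return "accept"
    if risk.rosi() > 0:
        return "mitigate"
    return "transfer"


def rank_by_expected_loss(risks: list[Risk]) -> list[str]:
    """Names ordered by expected loss, highest first: the 'most pressing' list."""
    return [r.name for r in sorted(risks, key=Risk.expected_loss, reverse=True)]


def narrative(risk: Risk) -> str:
    """Phrase one register line the way the article suggests CISOs should."""
    return (
        f"'{risk.name}' has a {risk.probability:.0%} chance of costing us "
        f"${risk.impact / 1e6:,.0f}M; ${risk.control_cost / 1e3:,.0f}K of spend "
        f"cuts that risk by {risk.reduction:.0%} "
        f"(expected loss ${risk.expected_loss() / 1e6:,.1f}M -> "
        f"${risk.residual_loss() / 1e6:,.1f}M)."
    )


# Constructed sample register (hypothetical figures, not real data).
REGISTER = [
    Risk("Unpatched internet-facing servers", 0.30, 200e6, 400e3, 2 / 3),
    Risk("Legacy backup system failure", 0.05, 2e6, 150e3, 0.5),
    Risk("Third-party payment processor outage", 0.10, 30e6, 5e6, 0.2),
]

# Assumed annual risk appetite: anything expected to cost less is simply accepted.
APPETITE = 250e3


if __name__ == "__main__":
    for name in rank_by_expected_loss(REGISTER):
        risk = next(r for r in REGISTER if r.name == name)
        print(f"[{classify(risk, APPETITE):8}] ROSI {risk.rosi():+.1f}x  {narrative(risk)}")
```

Running the block prints the register ranked by expected loss with each line's classification and return on investment, which is the conversation the article argues for: not "we have issues", but "this issue is worth this much, and this spend buys this much reduction".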
Talking the right language around risk
This approach also helps avoid cyber security being treated as a purely technological problem. With so much of company operations now relying on technology, cyber risks can become business risks – including legal, regulatory and reputational exposure.
In the US, the Securities and Exchange Commission’s cyber incident disclosure rules have raised the bar for how public companies assess and disclose material incidents, and for how they describe cyber risk management and governance. That, in turn, has increased scrutiny on the quality of internal reporting, decision-making and disclosure controls – not just the underlying technology.
In the UK, the Government has introduced its Cyber Security and Resilience (Network and Information Systems) Bill, which is intended to push IT service providers and data centre operators to strengthen security posture and compliance reporting. As currently proposed, it introduces a two-stage incident reporting approach: an initial notification within 24 hours, followed by a fuller report within 72 hours. Leadership teams need to understand that this level of compliance will be part of operating in regulated and critical sectors – and that failure to comply can carry serious consequences.
To help organisations execute their strategies, IT security teams have to share information on risk and the controls that manage it. Leadership teams can use that information, framed around monetary impact, to demonstrate that they are investing effectively in risk controls – and show where additional spend can directly reduce risk to acceptable levels. However, this depends on whether everyone involved can speak the same language and avoid conflicts in meaning. By concentrating on risk in business terms, teams can better align behind the same strategic path – and reduce the shadow gap between idea and execution.