James Ryan, CSyP, CEA, PMP

The digital economy is getting hammered with advanced cyber attacks. As a business executive, your awareness of this issue grows daily and cyber security is now weighing on your mind. You are not alone. After interviewing 588 C-suite and Board-level executives, the Lloyd’s 2013 Risk Index reported that Cyber Risk is considered the 3rd highest business risk — outranked only by high taxation and loss of customers.

As industry experiences its rude awakening to cyber risk, you might expect that it’s time to invest heavily in IT security, but you would be right in realizing that it’s not. A much deeper change is needed to adapt fully.

Where we are today reminds me of the 1980s, when both Fujifilm and Kodak faced a similar rude awakening as it became clear that different parts of their market would switch from film to digital photography and render their traditional business models obsolete. The subsequent collapse of Kodak into bankruptcy and the transformation of Fujifilm into a firm with a market capitalization exceeding $25 billion in 2011 have been widely chronicled.

So, why did these two firms fare so differently? While both firms faced a driving force to transform, Kodak held on to its old thinking too long, was complacent, and was ultimately too slow to adapt fully to the market change.

Today, we are experiencing similar circumstances to what Kodak and Fujifilm faced. This time, however, the disruptive force isn’t digital photography, but rather the extent of business damage that cyber attacks can cause. So, how do we effectively combat these attacks and what new thinking about cyber risk will allow us to adapt fully to this market change?

Choose from Three Mindsets

The first mindset you might have about cyber risk is one I call the “internal risk” mindset. In this mindset you view cyber attack damages as an issue that impacts your business with unacceptable financial and reputational losses and you are willing to invest some capital to stay out of the news and control financial losses. This mindset is fairly prevalent and has been limiting.

The next mindset you might have about cyber risk develops when you notice that cyber risk is a shared risk between any two businesses that interact. In this mindset you realize that your cyber risks are no longer exclusively yours and you are passing them along to your customers as liabilities. Likewise, your supply chain passes their cyber risk liabilities on to you. Sooner or later your customers will demand less cyber risk and in turn you will demand the same from your supply chain. You can see how this will cascade through value chains and achieving ‘reasonable’ cyber risk will become a “cost of doing business.” In this mindset your sense of urgency to reduce cyber risk grows as you realize it’s a matter of survival.

The third mindset builds on the “cost of doing business” mentality and digs deeper to notice that beyond keeping customers happy cyber risk might drive larger structural changes to industries. As you know, industry structures are relatively stable until they are transformed by shifts in any one of three areas: buyer needs, regulation, or technology. Currently, cyber risk creates fertile ground for structural changes in two of these three areas:

  • Buyer Need: In what may feel like a flash, customers have expressed their heightened awareness of cyber risk. Less cyber risk is a vast and rapidly expanding buyer need.
  • Regulation: Given the public safety aspects of cyber risk, more regulation is inevitable. In fact, you are probably already experiencing the tightening and you may be rightly feeling that there is more regulation to come.

How much structural change will occur in your industry? It’s too early to tell. However, to put it into perspective, remember the opportunities that the Internet created and how it produced many new titans of industry like Amazon.com? Cyber risk may drive changes and create opportunities that big.

Let me explain. Roughly two decades ago the Internet was a disruptive technology and we leveraged the new infrastructure to craft new business models, overhaul business strategies, and arrange different value networks. Fast forward to today and we can see that current cyber risk levels were simply not priced in. As we learn to price cyber risk in we might find that business models will be tested, entire value networks will need to be reconfigured, and business strategies will be overhauled.

This is the “disruption creates opportunity” mindset and it’s the best one because this deeper understanding naturally brings focus to those things that will help you compete and adapt fully to the evolving market conditions.

The more you consider these deeper business implications the more you might wonder:

  • How will we monitor customer demand for less cyber risk over time?
  • How will our own business models and strategies be impacted?
  • How can we use the market disruption to grow market share and enter new markets?
  • How can we incorporate cyber insurance and what should we demand from insurers?
  • How can we avoid excessively strict cyber regulation and track cyber legislation trends?
  • Which standards show due care, exist today, and are marketable?
  • Which security controls — previously seen as too costly — should be revisited for their value?
  • How should we shift outsourcing and partnering strategies?
  • How will this change our workforce and incentives? Where are the critical skills gaps?
  • How can we become more proactive about monitoring and treating cyber risk?
  • How can we ensure we transform fully and quickly to capitalize on the opportunity?

If you were to assemble the perfect team to answer these questions and more, who would you pull in? Perhaps your team would include the CEO, CFO, General Counsel, Strategy Officer, HR, CIO, CISO, Marketing, and Sales. Your list may vary slightly and that’s okay. The key aspect to notice is that you are building a cross-disciplined team that reaches well beyond IT security because fully adapting to a market disruption in a manner that is affordable and balances all of the business realities isn’t something that IT security can do on its own.

Sustain the Best Mindset

Now, you may be tempted to have a few meetings and then fall back into the comfort zone and let IT security worry about this. I encourage you not to. The truth of the matter is that IT security has been trying to solve this problem for many years on its own and has failed. In fact, in September I polled cyber security leaders in my network with one simple question that follows the money: “Have we obtained the significant investments to adequately respond to advanced cyber attacks?”

The result — 92% of cyber security leaders state that industry, for a variety of reasons, has not made the necessary investments. So, while security spend has escalated in the past few years, there is almost unanimous agreement from cyber security leaders that industry has not made the investments that defend against advanced cyber attacks. Wouldn’t you take a new approach to dealing with cyber risk if you absolutely knew that the old way was leading to ineffective spend? Yes. It’s time for a course correction into a new approach that accounts for the bigger picture and uses the “disruption creates opportunity” mindset.

Small Step Forward

As you meet with critical staff in the coming weeks you may want to ask one simple question: “How will we capitalize on the world’s number three risk?” The dialogue that follows may prove uncomfortable and it’s at this point you will know it’s time to build a more useful and powerful mindset about cyber risk inside your organization.