STRATEGY CLUB
The New Milestone of Business Strategy Is Not What You May Think
The role that data plays is dominant and ubiquitous: it is a weapon and an asset of the utmost importance
The 21st century can easily be associated with the fourth wave of globalization and the digital era. As a consequence, companies are embarking on the digitalization process, adopting digital technologies to create value. For example, they seek to use data analytics to enhance the experience of existing customers and acquire new ones, or they adopt innovative machines to improve operational processes. Global enterprises have embraced new technologies – cloud, Internet of Things, mobile apps, Information and Operational Technology. Moreover, the role that data plays is dominant and ubiquitous: it is a weapon and an asset of the utmost importance. Platform business models have increased the interdependence between companies, partners and stakeholders, which share information and rely on one another. Remote working, especially with the advent of the Covid-19 pandemic, has altered the relationship between employees and employers. The business environment is undergoing several changes; however, the other side of the coin when organizations innovate is increased exposure to digital threats. Cyber incidents affect several domains – the ability to perform business operations, reputation, Intellectual Property, customers’ confidence and trust, stock price.
Indeed, cybersecurity is becoming one of the most relevant areas of technology and business operations. To achieve an effective and efficient cybersecurity structure, companies should design their own strategy, taking into consideration objectives, prioritized assets, compliance requirements and limits. There is no one-size-fits-all approach, and best practices should be taken as examples, not as fixed solutions. Data breaches, malware, Distributed Denial of Service (DDoS) attacks and ransomware are becoming more prevalent in today’s interconnected world, and companies’ understanding of cybersecurity should grow with them. Cybersecurity must be built into every aspect of the business, promptly and strategically. Business leaders must understand the fundamentals of cyber risk and cyber strategy and must ensure that the cyber strategy is embedded in and aligned with the whole business strategy, in order to put the right pieces in the right place and build resilience.
The starting point should be the security vision statement, which explains the goals to be reached within a planned time horizon. The statement must address all the elements and fields that the strategy will touch, such as costs, possible market shifts, regulations, business expansion and the technology used. Second, the company has to assess its “current posture”, that is, the security program in place (if any) and its capabilities. This step includes an accurate analysis of the vulnerabilities and the maturity level of the organization. The current posture assessment is tightly connected to the vision statement, as it underlines the drivers and the objectives of the cybersecurity strategy. Once the current-state assessment is complete, the gap analysis phase can take place. Gaps are the deficiencies emerging from the comparison between the target posture and the current posture; it is a necessary procedure to highlight which actions must be prioritized. Prioritization criteria include the resources used, time to value and the level of risk reduction to be achieved. Finally, the company must plan the cyber strategy using the elements gathered from the previous steps, obtain approval of the budget, and start the implementation. Even though this last step might seem easier and quicker, it is not. Internal and external communication, awareness training and resilience-building are practices that often meet resistance and obstacles when they are applied. The people involved (employees and executive managers) may be slow learners or hostile to learning new methodologies and skills. Nonetheless, people are crucial to an effective cyber strategy; having the most advanced technologies would be useless if the human component is not ready to welcome the digitalization and innovation process and to receive training on the basics of cyber risk and cybersecurity.