Why cybersecurity needs to be part of your business strategy
Thierry Kneissler is a consultant, investor, lecturer, strategy champion, as well as co-founder and ex-CEO of TWINT. The Bernese family man worked for years in the traditional finance sector before moving into the fintech industry in 2014 with the founding of TWINT. Today, Thierry supports various companies and startups with his experience and knowledge, as an independent board member and advisor.
Thierry, let's start with a definition. What does strategy mean?
Everyone knows the word. But many companies don't really understand what a strategy is. It's basically a simple concept: "Where are we today, how do we see the future, and what is our concrete ambition?" Strategy is about finding the path to our desired future.
I want to demystify strategy and enable companies to purposefully set out on their path. The operative word here is "set out." After you understand the situation and decide on the direction, you have to act. You have to get to grips with the strategy and continuously work on it.
When we consider the future, one element that is increasingly coming into focus is cybercrime. How do security considerations feed into corporate strategy?
With the increased use of technologies such as artificial intelligence/machine learning and the growing number of connected and networked devices, the number of cyberattacks is also on the rise. Cybercriminals are becoming more sophisticated, making it increasingly important for organizations to take a proactive approach to cybersecurity. A passive approach is simply not enough anymore.
Digital transformation means many companies have shorter time-to-market and are constantly introducing new software updates into the production environment. In this context, we need to consider cybersecurity as an integrated part of the overall strategy. Security should be built in (keyword "security by design") and not an afterthought.
I think in the technological environment, companies that pursue a strategic security concept are in a better position to succeed.
Can you give a specific example where a company has effectively integrated cybersecurity into its overall strategy?
Banks are the first to spring to mind. Cyber defense systems have been part of their strategy for years. Recently, I have observed that SMEs and startups are also tackling the issue.
SMEs sometimes face the challenge that they are suddenly faced with cyber risks due to "Internetization" (connecting to the Internet) of their traditional products, for example in the machine industry. In many cases, the relevant knowledge must first be acquired before the topic can be addressed strategically.
For digitally-oriented startups, it is often more of a resource issue. They are aware of the importance of cyber risks, but they have to overcome personnel and financial challenges in order to build up the corresponding defense mechanisms.
What do you see as the biggest cybersecurity threats to companies right now, and how can they prepare for them?
Data loss in its various forms is certainly an enormous problem. In this context, issues such as "ransomware", data breaches, data leaks or IP theft are relevant, with the consequence that companies are no longer able to operate, become susceptible to blackmail, lose credibility or lose their competitive advantage.
Attacks on physical infrastructures such as machines, supply chains, access systems and vehicles should also not be underestimated. In addition to the obvious economic damage, attacks on these systems can also place human lives at risk.
In my view, it is becoming increasingly important to be prepared, to develop appropriate defense systems and keep them up to date. For many companies, it has become a matter of survival. In addition to the necessary know-how, it is of course always a question of cost-benefit considerations.
What specific approaches do you see in practice?
In my view, the "standard strategy" is to familiarize oneself with the subject, namely by training specialists, raising staff awareness, complying with cybersecurity standards for hardware, software and network solutions, and having them regularly "checked" by third parties through regular testing, bug bounty programs or vulnerability disclosure programs.
Another strategy I find interesting is the systematic move to the cloud. Especially for smaller companies with limited knowledge and budgets, it can make sense to put "everything" in the cloud. This creates a certain dependency on the corresponding providers, but their security provisions are state of the art. Under this arrangement, security is, to a large extent, outsourced.
What do you recommend to companies who do not yet have a cybersecurity strategy?
First, they have to take time to tackle the issue. In other words, cybersecurity needs to be "put on the agenda," as the saying goes. After that, I see the classic procedure that is used for strategic issues: The first step is to analyze the current situation, i.e., what threats do we face in the company and how critical are the risks? From this comes the need for action. As part of the strategy formulation, it is then a matter of coming up with options for countermeasures such as penetration tests and bug bounty programs. At the same time, the willingness to take risks must be determined. Together, these factors result in the set of measures to be taken, which are then planned and implemented.
How well is your company protected from cybercrime?
A Community bug test evaluates the status of your company's existing security situation. Within a week, you will receive a report in which the vulnerabilities found are systematically described, evaluated and supplemented with appropriate recommendations.