The Role of Business in Cybersecurity

Figure 1 depicts some considerations that Business (and Technical) personnel in an organization should keep in mind when defining the Cybersecurity Risk Metric or measuring the cybersecurity level of an IT system:

1. Each security event, or class of security events, or security characteristic (confidentiality, integrity, availability) of a system can have its own Cybersecurity Risk Metric. To make the original question “How secure is this IT system?” more understandable and measurable, it should be reformulated as “How secure is this IT system against unauthorized access?” or “How secure is this IT system in terms of the confidentiality of the information it manages?” or “How secure is this IT system in terms of remaining operational even in the face of hardware failure?”.
2. Because achieving zero cybersecurity risk is not possible, the Business (not the Technical people) must define a maximum tollerable security risk (LT) for each Cybersecurity Risk Metric while keeping in mind that it is proportional to the cost that must be spent to achieve it. Lower tollerable risk implies higher costs for implementing the security controls required to achieve it. The activity required to reduce an IT system’s actual security risk to the tolerable security risk is known as risk mitigation, and the associated costs are known as risk mitigation costs. It is worth noting that security risks can be reduced not only through technical measures, but also through the combination of technical measures and cybersecurity insurance (a topic I will address in another article).
3. The security risk threshold (LH, LM, LT) should vary depending on the business criticality of the IT system in order to strike the right balance between cybersecurity level and cost to implement and operate it. For example, the IT system that manages end-of-year gifts to employees should have much higher thresholds (LH, LM, LT) than the IT system that generates client bills and collects revenue. If the first system fails due to a security incident, the organization can perform the same task manually or wait for the system to be repaired. If the second system fails, the job cannot be completed manually, and the organization risks losing money and its reputation, as well as facing regulatory or legal consequences.
4. To simplify cybersecurity implementation and measurement, an organization can define its own standard Cybersecurity Risk Metrics, as well as security risk thresholds for each, based on the business criticality of the IT system. As a result, when the Business requests the implementation of a new IT system, the Technical staff is already aware of the minimum expected cybersecurity compliance level. Furthermore, the original question “How secure is this IT system?” can be phrased more simply as “Is this IT system compliant with our cybersecurity standard?”.

Based on these considerations, the Business in an organization should not delegate all cybersecurity activities to their Technical colleagues, but should instead play a key role in defining the Cybersecurity Risk Metrics so that they are fully aware of how well IT systems they own are protected against cybersecurity threats and how much budget they should set aside to mitigate the actual security risk to the maximum tolerable security risk (security risk to mitigate).

When the Business plays this role, they will correctly rephrase the initial question (“How secure is this IT system?”) and will be able to pretend and comprehend a more precise and quick response. Their technical colleagues, on the other hand, should understand that cybersecurity is primarily a business matter, that should not be used for political purposes within the organization, and that they should make every effort to ensure that the Business is involved in defining the organization’s cybersecurity standards, that the Business provide the cybersecurity requirements for the IT systems they own, and that both of them are perfectly aligned.