To be effective in the new world of digital transformation, any organisation needs to address cybersecurity as a continuous effort.
In this article we present a framework to help managers implement a structured approach to managing cybersecurity in the context of a digital transformation process. Businesses should start by addressing cybersecurity at the highest organisational level: including cybersecurity in business strategy, using secure-by-design principles, ensuring business continuity in the event of a cyber threat, and treating cyber risk as part of a holistic risk management approach.
I. A New Environment of High Digital Density
Alarms are sounding louder and louder: with the digital revolution come not only great opportunities and profound changes in the business models of companies of all sectors, but also great threats. One of them, perhaps even the main one, is the lack of security of emerging digital ecosystems. We constantly receive disturbing news about ransomware, denial of service, or data theft. However, it does not seem that companies around the world pay enough attention to them, nor that they are aware of what cyberattacks mean to the smooth running of their businesses.
In fact, it was clearly summed up by Inga Beale, CEO of the insurance company Lloyd’s, at the World Economic Forum meeting in Davos in 2017, when she stated that there are currently two types of companies in the world in terms of cybersecurity: companies that know they have been attacked and those that have been attacked but do not know it. This leads us to the inevitable conclusion that if we think we have not yet been the victims of a cyberattack, we are inevitably part of this second group, living in a fallacious ignorance.
The increase in Digital Density, defined as the percentage of connected data that an organisation uses to create, deliver and capture value, leads to increased business complexity. The exponential growth of connections, characteristic of the 4th Industrial Revolution, gives users easy access to huge amounts of data, which has many benefits for businesses, such as greater efficiency or the creation of innovative services and products.
However, this digital revolution also carries its dangers. Until recently, only some computers in organisations were connected to the Internet, and the dilemma of data security was simply to protect the digital perimeters of the organisation itself. Increasing Digital Density has forever changed the playing field: nowadays not only do individual devices get connected to the Internet or to other networks, but digital and physical realities as a whole are blended. This has exponentially increased the attack surface of the organisation. Therefore, it is more important than ever to treat cybersecurity as the “business function of protecting an institution from the cyber-attacks”, especially considering such constraints as “other business objectives, resource limitations, and compliance requirements”.
In this article, we propose a framework for the management of cybersecurity as an integral phenomenon in the context of a digital transformation process, which includes designing value propositions using secure-by-design principles, good technical management, the establishment of governance at the highest level, and the active and safe participation of every manager and user in the organisation.
About the authors:
Sandra Sieber is a Professor of Information Systems at IESE Business School. She holds a Ph.D. in Management from IESE and a Degree in Economics and Business Administration from Universitat Pompeu Fabra. Currently, most of her work is centred on how the digital rise is affecting organisations from a variety of perspectives.
Javier Zamora is a Senior Lecturer of Information Systems at IESE Business School. He holds a Ph.D. in Electrical Engineering from Columbia University and an M.Sc. in Telecommunications Engineering from Universitat Politècnica de Catalunya. His current areas of interest are focused on how high digital density is transforming organisations and sectors.
1. James Kaplan and others. (2015). “Beyond Cybersecurity”, Wiley.
2. Zamora, J. “Programming Business Models Through Digital Density”, IESE Insight, 2017, Issue 33 (ART-3013-E).
3. S. Sieber, J. Zamora, D. Daswani and S. Gil. (2016). “La Ciberseguridad en la empresa: decálogo de buenas prácticas.” IESE-Deloitte Draft Document, June.
4. McAfee Report, in partnership with the Center for Strategic and International Studies. (2018). “Economic Impact of Cybercrime – No Slowing Down”. February.
5. IBM Institute for Business Value. (2016). “Securing the C-Suite: Cybersecurity perspectives from the boardroom and C-suite.”
6. S. Durbin. (2016). “The C-Suite Gets Serious About Security.” CIO Insight, February.
7. Chief Security Officer (CSO), Chief Information Security Officer (CISO), Chief Data Officer (CDO).