In recent years, the topic of digital transformation has moved to the top of the agenda in the business world. However, most of these discussions all too often seem to bypass the issue of cyber security. This is hard to understand in a context where many studies have clearly illustrated that cyber and privacy threats have started to damage the trust of consumers and have the potential to destroy considerable amounts of value.
If sound cyber security practices and respect for customers’ personal data are key pillars to any successful and lasting digital transformation, why are these topics of so little interest to senior executives?
There are two sides to this deep-rooted problem
And both the business world and the technology world are responsible in their own ways for avoiding the real issues.
On the business side, it’s quite simple: Corporate logics are dominated by considerations of short-term maximisation – be it for profit or shareholder value. Security does not generate revenues therefore it does not figure in this equation. The absence of security measures may eventually harm the trust of customers but this is seen as a long-term problem. As a result, many organisations approach cyber security from a reactive, tick-in-the-box point of view and it remains a back room topic that does not seem to provide tangible value in the short-run. As a matter of fact, in an efficient cyber security world, nothing happens. And for many business leaders, should something happen in that space, it will just be another problem for somebody to fix – in a context where many things can go wrong every day in large corporations.
But simply dealing with the complex and constantly evolving issues associated with cyber security in an ad-hoc manner without placing them in their context and resolving root causes cannot bring change.
This is the typical area where the mere quest for immediate solutions simply leads to long-term stagnation, as surveys keep highlighting year after year.
This is part of a broader business problem and this short-sighted mindset, as we have come to realise in recent years, can prove to be damaging to the long-term viability of many organisations.
This short-termist doxa reigns over every business schools, MBA programs and consulting groups where many executives are formed. After all, “in the long run we are all dead” wrote Keynes. Senior executives are taught to generate revenue and to focus on their bottom-lines; not to manage hypothetical loss-avoidance. And when they are taught to manage risk, they tend to focus on the actuarial frequency of risk events more than on probability which is always considerably more complex and costly to estimate.
In the cyber security world, where actuarial data is just not available (or trustworthy) and threats evolve constantly, this mental scheme creates the background for the wrong decisions to be made.
Cyber threats have historically been perceived as low-frequency events with low – or at least manageable – associated impacts.
Day after day, events in the news demonstrate that this is no longer the case.
However, the message is only filtering through very slowly and clearly other forces are at play that are still preventing large organisations from preemptively transitioning towards an effective and pro-active InfoSec strategy.
Nobel prize laureate Daniel Kahneman has shown that the subjective evaluation of the probability of an event happening depends partially on how easily the occurrence of this event can be imagined. This bias of imaginability might help explain why so few key executives – puzzled by the technical complexity of the issue and the fact that it seems to be constantly evolving – realise that cyber-attacks are not a matter of if anymore, but a matter of when. The true lack of understanding of the issue by many executives also spurs a paralysing fear of pushing much-needed InfoSec reforms forward.
At best, many organisations tend to reassure themselves by pouring money into ineffective technical solutions they do not quite understand either but that somehow “put ticks in boxes”, address artificially audit or compliance concerns, and make them feel like they have dealt with the problem and that they can now focus on revenue-generating business operations.
Issues, however, do not disappear simply because we stop thinking about them
Should any cyber security incident or near-miss happen (or receive wide-spread media coverage such as the TalkTalk incident in the UK in 2015), of course knee-jerk reactions and instant responses will be demanded, but those attitudes simply perpetuate the short-termist agenda and quite often create more problems than they solve.
If the Business world is not asking for it, the Technology world is very unlikely to draw the attention of top-executives towards the real nature of their cyber security problems. Eagerly leveraging their clients’ lack of real understanding, many tech firms – equally blinded by short-termist considerations – have been very happy to look elsewhere or sell them highly technical point solutions without addressing underlying governance, people and process issues. Of course, over the mid to long-term, those approaches rarely deliver the necessary levels of change around cyber security, and the whole topic ends up being perceived as negative, complex, costly and boring.
There are only two ways this destructive spiral will be broken
In the long-run, market dynamics and the digital transformation of society and business models may be enough to make businesses care about cyber security, as consumers become increasingly concerned not only about functionality of products but also about their safety, and the usage and protection of their personal data. If & when cyber security becomes a revenue generating competitive advantage, the lines will start shifting for good.
Meanwhile, if consumers’ perception around cyber security and privacy moves faster than businesses and technology can – or are willing to – adjust, politicians and bureaucrats will step in and react by imposing or tightening regulation. In many ways, this is already happening in Europe around data privacy.
In all cases, those businesses that have taken cyber security and privacy seriously from the start are likely to be ahead and to stay ahead in the digital transformation game.
This article was written in collaboration with Vincent Viers and originally published on Linkedin Pulse on 10 May 2016; the original article can be found here.