Defending the Organisation

While we generally view the accelerating digitalization of our economy and organizations as one of the silver linings of the acute COVID disruption, providing the opportunity to make changes to modernize operations that have been a long time coming, it also introduces new potential risks. The proliferation of technology and extension of an enterprise’s boundaries require new approaches and methods for securing it. Historically, enterprises have just set up data centers and locked them down like Fort Knox. With the rise of the cloud and other distributed computing approaches, however, security must adapt and become more distributed. The old model of putting all your eggs in one basket and watching it won’t suffice.

As companies virtualize more and more of their enterprise—work and collaboration among employees and partners, customer interactions, transactions with suppliers—risks to their operations increase if their data or operations become compromised. The individuals supporting and managing technology are more distributed and systems more complex, and the level of sophistication and volume of bad actors and threats are ever increasing.

For example, AI will likely be increasingly used for both attacking and defending organizations’ digital infrastructure. We’ve already identified the benefits associated with increasingly automated and connected factories, yet they also come with an equal or greater number of associated cybersecurity risks. The same applies to the growing field of autonomous vehicles and connected devices. Each of these new devices and applications provides both an immense opportunity and a potential weakness to exploit.

The more exciting part of digital transformation is the convergence of hardware and software and the Internet of Things in our world. You can start thinking about your traditional products as a channel for digital revenue. When I put that into the industrial businesses, if an industrial air compressor can be made into a connected product, it becomes a channel for business model disruption. I can sell air in an operational expense model, rather than selling machines in a capital expense model—we can also do the same thing with a train or almost anything else. The use cases are there and they’re very cool.

The issue of cyber security is pressing with respect to disruption. The acceleration of digital transformation that we observed in many companies also makes companies more susceptible to various types of adverse digital events.5 Our concern is that with the speed that many organizations are transforming, leaders are only considering the opportunities that come with the shift and are not considering the risks that also may be associated with it. In fact, our research on chronic digital disruption showed that executives were far more likely to consider the opportunities that digital transformation presented while often overlooking potential threats. While we have emphasized many of the benefits that companies have experienced with accelerating digital transformation in this book, we should also acknowledge the possible threats.

Cyberattacks and cybersecurity were already major issues facing most organizations in a world of chronic disruption. Among respondents to Deloitte’s 2019 cybersecurity survey, 95 percent indicated that their organizations had experienced a wide range of cyberattacks, with 57 percent indicating that their most recent cyber breach happened within the last two years. Among the biggest impacts of these breaches are loss of revenue due to operational disruption (21 percent), loss of customer trust (21 percent), change in leadership (17 percent), reputational loss (16 percent), regulatory fines (14 percent), and drop in share price (12 percent). Additional impacts may be experienced by customers, such as identities being stolen, financial fraud, and account hijacking.

For three years running, survey respondents identified chronic digital disruption—rapid IT changes and rising complexities—as the most significant cybersecurity challenge organizations face. The problem of cybersecurity, however, has only become more challenging amid disruption. Regardless of the source, threats are possible twenty-four hours a day, seven days a week, including when, and especially when, you are at your most vulnerable. When employees are stressed, they may be more likely to cut corners or drop their guard. Bad actors also know that a time of weakness is an opportunity that can be exploited. Furthermore, the acute COVID disruption challenged many existing approaches to cybersecurity. For example, many organizations’ cybersecurity infrastructures weren’t built with remote work in mind, and many organizations had to make key risk decisions when faced with lockdowns, giving up on certain cyber controls to keep employees productive.

It is important to have strong leadership with a comprehensive view of an organization’s defenses to guide these efforts. If cybersecurity is an issue that crosses the entire organization, who should be the CISO and where should that person fit into the organizational hierarchy? Because cyber risk extends beyond the enterprise systems to all the products and services delivered by the enterprise, it doesn’t make sense to have it entirely bound within the IT organization. Reporting directly to the CEO is the single most commonly reported position for CISOs, yet it still represents less than a third of companies.