Page 207 - Cyber Defense eMagazine April 2023
Organisational impact as a unifying language
Now more than ever, a common language becomes crucial. As the economy tightens, so does the focus of the organisation on what is truly important: operational uptime, customer trust, reputation, regulatory compliance and, typically, the ability to continue generating revenue.

This is the lens through which discussions must be held. It is not about cyber risk, but operational risk. In an economic downcycle the point must be made that, while the root cause of a problem might be micro, its impact could be macro. However, with the devil lying in a fragmented tangle of technical details far removed from operations, this point is often lost in translation.
Take Colonial Pipeline, for example. The pipeline was shut down not because of a direct attack on OT systems, but as a knock-on effect of billing infrastructure being compromised and the fear of lateral movement into critical areas. Imagine trying to convince a board in advance that such a seemingly tangential risk would ultimately stop 380m litres of oil from flowing every day. Doing so would have required a mastery of big-picture storytelling, just enough technical nuance, and the ability not to come across as a scaremonger.
Making an effective cost argument for risk initiatives
As well as being able to articulate big-picture impacts, security leaders in challenging economic cycles also need to articulate and defend the finer details of how they are prioritising investment. OPEX will invariably come under the spotlight as the security function is quizzed on potential cost savings.

Against this backdrop, communicating the 'bang for buck' of specific defensive capabilities is important. By breaking out the cost of security initiatives one line item at a time and highlighting how much risk each one addresses, management teams can better understand the impact of expenditure. This is where risk frameworks are a useful tool. A framework that summarises how a seemingly fragmented set of security initiatives mesh together to secure operations shows where investment performs best. Just as importantly, it highlights where exposure will open up should cost savings be sought.
Take identity programmes, for example. A strategic approach to identity is an increasing part of board-level conversations because it represents a highly effective investment against a broad swathe of cyber-attacks. While conventional controls have, to date, covered only small sections of the identity threat surface, security teams are waking up to the wholesale risk reduction that can be achieved by understanding where these gaps lie and preventing malicious access. Doing so stifles lateral movement, stopping threat actors from carrying out a wide range of attacks. Highlighting the return on investment from such initiatives will stand security leaders in good stead with their boards.
Equally important in such conversations is making the case for protecting the workforce as much as possible. During tough times, it is tempting for senior teams to cut headcount to make quick cost savings. On paper this represents a short-term gain, but the lost investment in people will be hard to replace when the inevitable upswing occurs, requiring an expensive and lengthy rehiring process down the line. Positioning your people as a cost-effective defensive investment, rather than an overhead, is crucial.