16 - 10 - 2020 - Insights

Cybersecurity strategy is an important element for security management and effective general strategy

A cybersecurity strategy involves much more than making technical choices – ideally, it is a combination of insights into corporate management and technology.

There has been a dramatic increase in digital threats in recent years, which makes the strategic management of cybersecurity more important than ever before. A cybersecurity strategy steers a company’s operations, helps prioritise measures and, most importantly, enables a proactive approach to cybersecurity.

A good cybersecurity strategy aligns with the company’s high-level strategy

Cybersecurity has traditionally been viewed as a purely technical matter, and its implementation has been left to each company’s ICT department. In order to fully integrate cybersecurity into the corporate strategy, it must be linked to the company’s high-level strategy. In this regard, it is important to identify the risks and challenges posed by digitalisation that are holding the company back from achieving its strategic objectives.

Risks are of course specific to each company, but a digital disruption can harm customer cooperation, delivery chains or production flow. Other risks can include corporate espionage aimed at gaining a competitive advantage or at obtaining confidential information relevant to the stock exchange.

Once the risks have been identified, the probabilities and financial impacts must be determined. Only then is it time to address specific malware programs or technical issues and make fact-based management decisions on what preparations need to be put in place.

This requires the person preparing the cybersecurity strategy to be able to combine technological expertise and management acumen. It is the only way to talk about cybersecurity in a language the management understands.

Cybersecurity affects everyone – mobilisation based on metrics and division of responsibility

Once the cybersecurity strategy and the relevant decisions have been made, it is time to deploy the strategy in practice. The first phase of mobilisation is to assign responsibility for each strategic element and determine the metrics for monitoring the implementation of the strategy. As a high-level metric, it is possible to monitor interruptions in the production chain or customer process, whereas lower levels focus more on practical matters, such as firewall functionalities, network security and discrepancies related to data communications.

At the same time, it is important to remember that the cybersecurity strategy affects every company employee. Simply repeating the message over and over again is not enough when incorporating behavioural models and processes into daily activities. Instead, the communications must provide justifications. It is far easier for employees to commit to processes and behavioural models when they have a clear understanding of the impacts a possible problem may have on themselves and on the activities of the company and its customers.

Updating the strategy based on situational changes

An effective cybersecurity strategy is never static. Systems and threats advance quickly, which means that those responsible for cybersecurity must keep a close eye on the environment and any situational changes. In the event of a significant shift in the risk level of any area, the cybersecurity strategy must be reviewed. This is also necessary when the company’s general strategy is amended.

Henry Nieminen
