Incorporating Cyber Security Risk Management into Strategic Management

​Companies are in continuous competition with each other. As a result of this competition, 50% of the companies in any given industry are creating earned value while the other 50% are losing it. 

​Companies can create positive earned value through their market power and innovation strategies, while the use of capital resources decreases their earned value. While this concept seems simple in principle, companies often devote considerable resources to understanding their position vis-à-vis competitors and how to improve it.

What may be less well understood is the role cyber security and risk management play in supporting, or inhibiting, the earned value creation of the organization. Risk assessments serve the purpose of identifying, and helping to prioritize, risk management activities that provide the greatest value to the organization. Once it understands and prioritizes risks, an organization can differentiate itself from their competition by proactively addressing risks that could impact its performance. If one organization is able to defend its portal from a distributed denial of service (DDoS) attack while a competitor cannot, then a competitive advantage has been created.

Does compliance add strategic value?

As many security professionals have understood for years, compliance is very important, but it does not mean you are secure. In earned value management terms, it is important to understand that cyber security compliance activities do not add strategic value. Once compliance is met, one competitor does not stand out from another. There is no such thing as being “the most compliant. 

Further, compliance activities drain resources while protecting someone else’s interests. If 80% of your cyber security efforts are geared towards compliance, how many opportunities are lost for the organization? For example, payment card industry data security standard (PCI DSS) compliance shifts liability away from the organization and back to the credit card companies. While compliance is certainly beneficial to the organization from a risk reduction perspective, it is of greater benefit to the credit card companies than to the company now meeting PCI compliance. Hence why they created PCI DSS.

Lastly, it is critical to understand that compliance activities were not created for the benefit of your innovation and growth. Your ability to innovate is tied directly to your unique resources and your ability to use those resources to fulfill a gap in the market. The compliance regimes do not factor in whether your unique resources are lost, stolen, or compromised, but intellectual property is the lifeblood that will fuel your organization. With the leftover resources that can be put toward cyber security after compliance requirements are met, do you have a good idea where the weakest points are in your ecosystem? Protecting those resources that create differentiated products or services is entirely the responsibility of your and your partners’ organizations, but because IP is not supported by compliance efforts, these resources may be less well protected. Your organization must proactively safeguard them to maintain a competitive advantage. Therefore, it is critical to know what your key resources are and what can best be done to protect them in the most resource efficient manner.

Incorporate Strategic Management in Your Cyber Security Prioritization

Increased awareness and understanding of the intersection between strategic business management and cyber security risk management is critical and provides multiple advantages, including:

1. Understanding whether the goal of a particular security effort should be mere compliance, or something broader that provides positive earned value to the company. For example, efforts pertaining to data at rest encryption being leveraged to safeguard intellectual property and PCI data, rather than just PCI.​
2. Ability for security professionals to communicate how their activities support business growth and protect innovation, which provide a competitive advantage to the company.
3. More informed budget conversations between C-level officers as to how prioritized cyber security investments and risk mitigation efforts should be prioritized to add the most value to the company.