Lancaster University Management School - 54 Degrees Issue 19

Cyber security is not only about stopping disaster. You see big impacts when cyber security fails. There was the MOVEit attack on the BBC, British Airways, and other major organisations; there are leaks of data and details – such as with the Police in Northern Ireland – and long-term ramifications from such leaks and product failures are significant. Yet there is so much more to cyber security than preventative measures – and their issues. In business, you are there to add value – to customers, but also to other communities, like shareholders. Cyber security has been positioned primarily as a protective mechanism for that value creation, preventing attacks, securing products and ensuring clients do not suffer problems because of data leaks, and so on. But there is something interesting about this protective mission. It is important to understand its role in value creation, not just value protection. PART OF THE BIGGER PICTURE Business strategy is often focused on the value creation of the new, or the enhancement of the existing, rather than incorporating that protective element cyber security provides. Within many organisations, cyber security is separate from the core business strategy, yet it is a value creation enabler, because it empowers the strategy. A key thing to understand is that if you manage risks properly, you will be able to take more risks. If you look at skydivers, they do not just jump out of a plane without any preparation. No, they take the time, manage the risks, and have back-ups. They have processes in place that enable them to take that bigger risk. When you think about this in terms of cyber security, you are using it to manage that risk. You understand the risks of using digital technology, and you put the protective elements around that. That enables the business to take greater risks and adopt strategies that would have been impossible otherwise. When I work with organisations to explore this, they realise how they can use cyber security to do something differently, to open doors to new opportunities. ENABLING INNOVATION Cyber security can enable and empower certain aspects of their business model. As part of that, I borrow a concept from cybercrime, and I talk about cyberenabled innovation and cyberdependent innovation. Cyber-enabled innovation is where you do cyber security well, so that it enables you to do more. Some criminals do this. They take technology and enhance their criminal intent and their capability to reach more people. Phishing is an example, where criminals can now reach everybody in the world. They only need 1% of people to respond. If you hit 100 million people, that means responses from one million. If you can get them all to give you £10, that is £10 million. Innovation has empowered their reach and capability. The same thing goes in in business. If you are protecting large volumes of customer records at a high standard, this enables you to do major data analytics rather than removing the risk and not keeping those records at all. You can use this data to improve products, better target customers, increase your markets – any number of things. The other example is cyber-dependent innovation, where you use cyber security technologies in new ways to develop products in a seamless and transparent way. For example, you can see how core cyber security technologies such as biometric authentication and security technologies have enabled new services. 24 |

RkJQdWJsaXNoZXIy NTI5NzM=