Digitalised business operation binds companies together

Digitalisation has made companies and organisations increasingly reliant on each other. Operating a business in a network society requires strong trust, as protecting business secrets and personal information is crucial. The challenge concerns all businesses regardless of their size or field. The rate of change of the digital world is so fast that societal regulations can hardly keep up.

“The global price tag for cybercrime continues to grow rapidly. Paradoxically, the costs of cyber-attacks are decreasing while the costs of defence measures against attacks are increasing. This applies to both the public sector and the private sector.”

The pandemic’s effects on how work is being done have increased the number of digital appliances and their use in society, which has increased the potential area for cyber-attacks. The realisation of cyber risks may threaten the existence of companies and the safety of people (e.g., attacks targeting infrastructure and healthcare). All operations are becoming more digitalised and complex than before, which is why they are exposed to cyber-attacks more often. (1)

The importance of the private sector and its challenges must be seen as a part of cyber security and its national strategic management. Specific attention must be paid to the risks of subcontracting chains. A central challenge is to convince companies that information and cyber security are a real competitive factor in the digital world and that the availability of secure products and services must be promoted globally. The involvement of companies must be enhanced to increase the security of products and services for the end user. (3)

As strategic management is of specific interest to company owners and the stock market, cyber security must also be considered on this level. Ensuring and maintaining cyber security is a continuous process which must be adjusted to match the needs of each individual company through development and practice. A company should continuously develop its cyber security strategy as well as related operations and technology (4).

Due to the nature of modern service chains, an attack on one cell of the network or one industry sector could cause recurring problems in the whole network or in other industry sectors.

A smart company exceeds minimum operation requirements

“Strategic work turns a threat into a possibility.”

That is why smart companies and especially their decision-makers should always be one step ahead. The safety of digitalisation is included in business strategy, not only as a safety net, but as an enabler of business growth. An aware business manager and a committee expert see it as a competitive advantage, which allows the company to set itself apart from others by minimising disturbances and ensuring safety. Digital security is a part of a company’s sustainability, and consumers and employees are aware of this fact.

Cyber security should be the top priority of senior management because in the end, senior management is responsible for everything that happens in the company. Cyber security should also be managed in a centralised and consistent manner in all departments of the organisation. Cyber security challenges faced by companies are typically related to the theft of trade secrets and information assets through cyber-attacks. This is why applying cyber security governance to prevent cyber-attacks is necessary.

Cyber security has become a necessary requirement in business operations. To create a truly effective cyber security strategy, cyber threats must be acknowledged in all operation processes and companies must specify their strategic goals. Recognising the cyber security needs and performance indicators of an organisation is the prerequisite for an effective cyber security strategy (5). It also facilitates the management’s process for reporting.

Strategic goals in a company

Based on research and surveys, efficiency goals have often been set for company production and service operations. Likewise, digital security goals have also often been set for products and services. A company’s strategy normally involves setting central goals for safety components, but similar goals for cyber security are often lacking.

Despite this, more attention should be paid to developing the following aspects:

  • Possibilities and success factors of company digitalisation
  • Financial goals set for digital security and
  • Efficiency requirements for cyber security (expense – efficiency).

Typically, a company includes their strategic goals in their business strategy or cyber strategy roughly like this: “Production reliability is developed utilising a cyber-secure method” or “A safe service experience is guaranteed”. Another way to integrate these goals is to include them in a continuity management plan.

Company committees often have shortcomings in their cyber security. This is also affected by the field’s regulation, in which case the skill requirements are regulated by the field’s set of rules. At the start of operations, the company’s responsibilities are often vague. However, knowledge and interest in cyber security have clearly grown. Progressive companies already have a chief digital officer in their committees to share their valuable input with the management.

Most companies use a risk-based operation model, which ensures that the management’s decision making is based on overall risk assessments. Decisions are made in accordance with business operations, and they focus on the critical factors. The effectiveness of safety measures is complemented with operative training if needed. Areas for future development are drawn up based on the results of internal and external auditing.

Cyber threats are monitored using multiple channels. For example, some companies may have threat intelligence as part of their organisation. Field-specific cooperation, networking and cooperation with the National Cyber Security Centre commonly produce most of the information and situation pictures. Reporting to the management often occurs on a weekly or monthly basis depending on the situation, with once a month being the most common.

Cyber security is already a competitive advantage in itself. Its significance as an advantage has been demonstrated in competitive conditions when a certificate is required for a quote or other operation description. If the products involve monopoly products, cyber security is required for delivery reliability and corporate social responsibility. A positive customer experience is also a part of this advantage.

It can be said that cyber security is the change in the scheme of things in a company’s operations (not just technology), and cyber threats must be treated as a business risk. Cyber security is also an aspect of management. Implementing strategic goals is seen as an important advantage. Digital and cyber security are difficult to achieve and purchasing expertise is expensive, but many companies buy such services nevertheless. Different partnership programmes are also regarded as an important part of a company’s operations, especially if they are organised by authorities (credibility).

Securing company strategy realisation

Most companies have a regular and functioning strategy process or an operation model for drawing up company strategies (or equivalent guidance). Companies have management-approved risk management policies, responsibilities and processes. Drawing up a company’s strategy (or similar) is usually the responsibility of the chief executive officer or managing committee.

The tasks and responsibilities of companies are also clearly defined in exceptional situations and emergencies. Companies have a viable contingency and continuity management plan as well as a related disturbance and crisis communication plan.

The company management is committed to developing digital security, the implementation of which utilises a management-approved information security policy or an equivalent information security implementation document. Companies also have access control policies and a process for managing access. Strategic work has defined communication policies and transparency principles in the case of crises. Hence, companies can now communicate about digital security risk situations and other new risks effectively.

Despite the existence of a good basis for digital and cyber security, the following areas for further development should still be taken into consideration:

  • a standardised method should be used in strategic planning
  • a single company does not have the ability to estimate adequate resources and budgets for digital and cyber security
  • audits regarding information security and information systems are not conducted regularly

Companies utilise risk management methods in their operations. These methods estimate the risk, its effect in Euros and its effect on operations. Cyber security must also be incorporated in the method to evaluate business risks. The results must be reported at least once a month.

The most important goals of a company are often communicated by higher management, but the process should be developed further still. Things get done through communication and mundane operations, and repeating them is viewed as important. Safety culture is seen as a positive thing in most companies. In certain companies where traditions are far-reaching, and the danger level of work is high, the issue of safety becomes a daily topic. Based on multiple responses, cyber and information security should also be included in occupational safety.

To limit risks, companies utilise information security procedures and internal inspections derived from them. Service management and contract management are significant factors in digitalisation and supplier selection. Nowadays, operations rely heavily on contract management, trust management and discussion. Regular external auditing is a significant tool for companies which employ the use of a standard.

Cyber security must likewise be considered in operation processes. The owner of a company is in a key position as cyber security is still seen as an auxiliary activity. Based on the information received, it can be concluded that companies value mutual cooperation and authority, open-source threat modelling as well as common threat situational pictures. Continuity planning, a recovery plan and training are central elements in cyber security strategy implementation.

“Digital security to become a company success factor”

Strategic work starting points in companies

Based on research and surveys, company values often include digital security. Despite this, small and medium-sized companies in particular still have room for improvement. Efficiency requirements are often set for production and service operations, but their digital security goals need to be further developed.

Digitalisation possibilities for small companies should be improved in general. All company sizes should develop financial digital security goals. Risk management, on the other hand, is something to which companies pay a lot of attention.

There should also be more focus on standardising strategic work in companies of all sizes, especially since standards and similar procedures are clearly unfamiliar to many. In contrast, the evaluation of required resources for digital and cyber security is effective. Sufficient resources and the skills of employees are seen as adequate in general. The critical factors of business operations have been identified in general.

Strategic work in a company

Based on research and surveys, almost every company currently has a strategy-based operation model. Planning the strategy is typically the chief executive officer’s responsibility, but consolidated corporations are an exception to this rule as the strategy may be planned by a strategy manager. In smaller companies, the chairperson of the board can also have a role in strategy work. In general, company managers are seen as being committed to developing digital security.

Digitalisation is connected to all business operations. Strategic work sets goals for operations, but significant shortcomings were identified on the digitalisation level and in continuity requirements as digital success factors are only partly defined in companies.

Implementing company strategy and measuring results

Companies tend to utilise a management model for developing digital security. However, there are a few companies of different sizes whose situations are not as favourable. Information security and access control policies (operation models) are only documents that guide implementation in most companies.

When it comes to monitoring the operational environment, small and medium-sized companies have the most to improve on, for example in digital security in supply chains. More attention should be paid to details in company management reporting and risk communication.

Auditing for small and medium-sized companies has plenty of room for improvement. Even though guidelines regarding operation continuity, recovery and communication are mainly in order, regular training is rare or non-existent.

Digipool's #STRATEGY22 – Secure digital data, secure business

The aim of Digipool's Strategy22 project was to produce practical development and improvement suggestions to support company managers and management groups where cyber security related leadership is concerned. The strategic management of cyber security can be defined as recognising and setting aims derived from securing a digital operational environment, reconciliation of actions and precautions as well as managing large-scale disturbances (2).

The results of the project highlighted the challenges of strategy work in terms of the security of digitalisation and provided solutions and tools to enable strategy work to lead companies towards a safer everyday life. The products alone do not yet bring about change; further action is needed. The owner of the project, Digipool, will continue to work to make their products available to companies, both as direct distribution and through various training programs.

Sorry folks only in Finnish 👇

https://www.digipooli.fi/fi/ajankohtaista/uutinen/strategia22-projekti-havainnot-ja-tuotokset

Sources:

The CEO’s Guide to Cybersecurity, September 2021. https://media-publications.bcg.com/BCG-Executive-Perspectives-CEO-Guide-to-Cybersecurity.pdf (1)

Martti Lehto, Jarno Limnéll, Tuomas Kokkomäki, Jouni Pöyhönen, Mirva Salminen, Kyberturvallisuuden strateginen johtaminen Suomessa, March 2018, Valtioneuvoston selvitys ja tutkimustoiminnan julkaisusarja 28/2018. (2) (3)

Kim, J. (2017). Cyber-security in government: reducing the risk. Computer Fraud & Security, 2017(7), 8–11. (4)

Alashi S. A., Badi D. H. (2020) The Role of Governance in Achieving Sustainable Cybersecurity for Business Corporations, Department of Information Science, King Abdulaziz University, Jeddah, Saudi Arabia. (5)

Aapo Cederberg, Strategic cyber leadership is needed to address current security challenges. Cyberwatch Finland Magazine 2021/3. (6)