Why is this misconsception false?
In October 2016, Microsoft¹ identified 4 pillars: for digital transformation, which held as its definition:
1/ Engage customers: give them new experiences they will love, 2/ Empower employees: reinvent productivity and enable a data-centric culture. 3/ Minimize operations: modernize portfolios, transform processes and skills 4/ Transform products: innovate on products and business models.
If these 4 pillars are not directly applied to cybersecurity, the company is putting obstacles in its way. The success of the digital transformation is slowed down. Or even mortgaged!
What would be the failure of customer engagement?
It's the triple extortion. Ransomware operators now contact the customers of the companies they attack, in order to blackmail them. This has taken place in Finland, for example, where in October 2020, patients of psychotherapy provider Vaastamo received threats. It should be noted that the CEO was quickly removed. This is not anecdotal, it is a groundswell: in February 2021, the ransomware group REvil announced that it had added two steps to their double extortion scheme: DDoS (denial of service, distributed) attacks and phone calls to victims' business partners and the media. We can now bet on the fact that ransomware operators will add notification of authorities (e.g. CNIL) to their tactics.
To avoid this, it is necessary to proactively engage customers and business partners on the topic of cybersecurity, long before the cybercriminals do so. And consider (as attackers already do), that customers are part of the cyber terrain of the company. Yes, when, on the cyber subject, we barely mobilize the employees, we must already organize ourselves to mobilize the customers. It is not enough to alert them against phishing as banks or e-commerce players do now.
As far as business or IT partners are concerned, they should not only be considered as sources of risk, through "third party risk management" programs in the face of supply chain attacks. However, this risk is very real: in 2020, 40% of cybersecurity breaches will be linked to indirect attacks (Accenture). For maximum efficiency, you must also succeed in involving your partners. When it comes to ransomware, they are in the same boat as your company.
What would be the failure of employee empowerment?
It's mandatory cyber e-learning, cyber surveillance, phishing tests. Yet this is the type of "engagement" we see most often. An approach considered as "awareness" by many cyber experts, yet widely perceived as demotivating and guilt-inducing by employees. And just as decried by scientific studies in behavioral psychology, neuroscience and sociology. It also goes against the grain of the corporate culture that is often promoted: agility, sharing, and empowerment of each individual in the service of the group. Overall, everyone loses, because the cost of this form of security is major on the corporate culture and negatively impacts the efficiency of the employees.
And so what is empowering employees, in cyber? It means empowering them to become pillars of the company's cybersecurity. The effectiveness of this approach has been demonstrated, in addition to or in case of failure of purely technological means, for triage (case of SolarWinds, where a human was at the origin of the discovery of the attack, at the cyber technology expert FireEye), detection (eg. Case of Bangladesh Bank), emergency reaction. We are not alone in saying that humans can make a difference in the face of cyber attacks. The European Court of Auditors and ENISA as well as some large companies defend this approach. Still too rarely implemented. Despite the availability of employee engagement platforms, specialized in cyber, such as Captain Cyber.
Mobilization, of all, at scale, has become essential. [Listen to what Steve Purser (https://www.youtube.com/watch?v=xp6xqOSwjWA&feature=youtu.be), #2 of the European Cyber Security Agency, has to say about it.]
What would be the failure of minimizing operations?
It would mean not simplifying the cybersecurity architecture, but instead contributing to its complexity. Adding yet another "magic product" that will fix everything. While most companies fail to deploy the cyber tools they have purchased to all their employees.
Too often, multiple installed products do the same thing, or nearly so. In a December 2019 study by Reliaquest, 55% of respondents (among 400 cybersecurity decision-makers from companies with 1,000+ employees) indicate that their security team has reached a point of no return: too many security tools in place negatively impacts their security posture. While the cyber technology stack is negatively impacting cybersecurity for the majority of companies, it is holding back the rest.
The reliability of cybersecurity products is not, in itself, guaranteed. There are even cybersecurity products from well-known brands that are known to be vulnerable. This is what analysts from CyberArk found in December 2020, identifying 10 different brands among which Symantec, McAfee, Kaspersky, Fortinet, Checkpoint, Avira, Microsoft, Avast.
On the contrary, it is about participating in the transformation of business processes with a cybersecurity perspective, injecting a dose of cybersecurity into the skills of all employees, modulating this dose according to the position (and therefore the stakes of the position: positive risk or negative risk). This requires strong collaboration between HR departments and the various functions, divisions and BUs. And to achieve this, it requires the involvement of top management at the highest level to mobilize the managers of these entities. All of them will want data to measure the share of cybersecurity that is the responsibility of the business.
What would failure to transform products look like?
It would be to put products on the market without any proven cyber security functionality or benefits.
Instead, it has become critical to ensure that cybersecurity is built into the very core of a company's products. What McKinsey recommends: Build cybersecurity into business products and processes. For digital businesses - and almost every company we know of aspires to be a digital business - cybersecurity is an important driver of product value proposition, customer experience and supply chain configuration. Digital businesses need, for example, to design security into IoT products, build secure and convenient customer interaction processes and create digital value chains that protect customer data.
And it's working, even if the companies that are succeeding aren't shouting it from the rooftops. Like Netatmo, which is gaining market share thanks to cybersecurity (see our video interview with Fred Potter, CEO of Netatmo - Legrand Group). As well as Amadeus, the specialized IT services operator in the airline, business travel and tourism sector, which is winning tenders with its differentiation linked in particular to cybersecurity.
¹ For its part, Google is now adopting a definition that is primarily technology and cloud-centric, but has similarities with Microsoft's definition. Digital transformation is about using modern digital technologies, including different types of public, private and hybrid cloud platforms, to create or change business processes, culture and customer experience. This enables companies to meet the demands of changing industry and market dynamics.