Amit is the CTO of Private Equity (PE) at Microsoft UK, advising firms on their strategy from business, technology and innovation perspectives.
Raising capital helps accelerate the growth of your business. It helps with investments to improve product development, to enter new markets and geographies, or to add complementary service lines. Throughout that growth, the expectations of customers, partners and regulators will increase with the size of your business. One area that can be difficult to navigate and focus on is cyber security.
More than $8.6 billion in cryptocurrency is believed to have been laundered by cybercriminals in 2021, and the most recent Verizon Data Breach Investigation Report (registration required) found that the difference between “the number of breaches seen by organizations small and large” has become much less clear.
A common technique used by cybercriminals is to try passwords exposed in previous cyber attacks against an organization’s IT systems. Criminals hope that unsuspecting users have reused the same password, allowing them to gain access to company information. Microsoft’s October 2021 Digital Defense report found that batches of 1,000 passwords sell for 97 cents in criminal markets.
It is widely accepted that businesses need to function. Although 77% of senior management teams say cyber security is a high priority for them, 1 in 4 discuss it less than annually, or never at all.
Often, this is due to a lack of knowledge and experience of the issues within management teams. While technical jargon can make the topic difficult, discussions at the board level should focus more on good governance and business risk management, just like any finance, commercial or other business matter.
Building the right foundation will not only protect your business from costly cyber threats but also differentiate the business as a reliable and sensible investment option for potential investors. It can also help increase business value and protect business valuations at exit. It’s also good for business: The Association of European Risk Management Associations found in 2012 that people with more advanced risk management practices had on average 12% higher income growth than those with emerging practices.
Cyber security in people, processes and technology
It’s important to start those conversations as a management team, assessing your understanding and abilities internally and acknowledging that improvements may be needed. Many small and medium-sized enterprises (SMEs) do not have a dedicated person for cyber security. Even some businesses with hundreds of employees don’t have dedicated cyber professionals. Hiring or seeking professional advice from major suppliers and partners can be invaluable.
Outside advice can help avoid the problem of being biased or unfairly implicated. For example, for many organizations, cyber security begins as a part of IT, which shifts the operational focus to checking security alerts and ensuring software patches are applied. These technical activities are an important part of basic cyber hygiene, although it is also important to understand the limitations and consequences of treating cyber security as a purely technical issue.
According to the Cyber Security Breach Survey 2021, “the approach often depended on who was conducting the evaluation. There was a greater focus on technical IT issues and improvements, led by IT teams. In one example, the evaluation was purely technical and did not cover areas like user awareness and training.”
Cyber security requires a holistic approach of people, processes and technology to be successful. Make sure you are developing an understanding of what is required in all three areas.
Importance of clarity
When conversing about new topics, it’s also important to make sure you’re “speaking the same language,” as assumptions can be a major source of vulnerability and ultimately business risks. Offices and warehouses that are closed overnight tend to be broken into even though they are “safe,” so it’s important to establish a clear, collective understanding of your expectations.
Those initial conversations may take longer, but if you take the time to examine and challenge what different people mean, you’ll set yourself up for long-term success and avoid costly misunderstandings.
The same applies throughout your development journey. Risk increases when different functions of your business operate at different speeds. If your legal or business team can’t keep up with new client contracts, you either give up revenue or close the deal and take on a commercial risk.
The same is true of cyber risk: either security cannot remain intact and the risk goes undetected, or you stifle innovation and growth by tying teams into cumbersome processes.
There is no one-size-fits-all security approach: take the time to revisit safe work practices and build in improvements as part of a commitment to continuous improvement.
What to do
Private capital organizations and management teams of SMEs need to make cyber security a board-level agenda item. This will ensure that the correct degree of focus is given, and that it is treated as a business problem through the lens of risk exposure rather than as a technical problem. It cannot be solved by a single technology solution or product.
This business approach to risk can be used to design an overall cyber security strategy that is aligned with and sensitive to business priorities. Third party support (from a consultant or technology partner) can be useful for testing and challenging strategies or scaling up in-house teams where talent is spread out or unavailable. This risk analysis and strategy sets the direction and also provides a benchmark that the Board can use to review progress.
Investors are increasingly concerned about the security position of their portfolio companies and their expectations are high. Having a clear plan and understanding of your cyber risk can be effective in guiding negotiations with investors and raising capital on more favorable terms.
This article is co-authored by Robin Oldham from Cydea.
The Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.