Is it time to reframe Cybersecurity?

The discussion around cybersecurity and its importance to businesses is a timely one. Despite rising awareness, there is a growing debate on whether the current approaches to communicating its relevance, particularly those of cybersecurity professionals and vendors, may be missing the mark. Are we overcomplicating the issue, making it boring and inaccessible to senior leaders, or simply pushing strategies that lack business context?

Do People Care About Cybersecurity?

While it's clear that the importance of cybersecurity has increased over the years, only a small percentage of business leaders feel truly confident in their ability to mitigate these risks effectively. For example, in a 2023 PwC survey, fewer than 40% of global executives expressed high confidence in their cybersecurity measures, indicating significant gaps in preparedness. This reflects not only a sense of fatigue but also a possible misalignment between what cybersecurity experts emphasize and what business leaders care about most: continuity and resilience (EY Building World)(PwC).

Furthermore, communication between cybersecurity experts and business executives is often fractured. A report from the World Economic Forum (WEF) highlights that although more conversations are happening, cybersecurity professionals and executives still "speak different languages." The focus tends to be on incidents rather than on how cyber risks tie into broader business strategies (World Economic Forum).

Should Cybersecurity Be Rebranded as Operational Resilience?

The idea of rebranding cybersecurity as "operational resilience" is compelling. Operational resilience emphasizes business continuity, reputational risk, and adaptability, areas that matter deeply to senior leaders. Many executives are already embedding cybersecurity into their broader resilience plans. A PwC study revealed that 65% of organisations are increasing cyber budgets in 2024, with a catastrophic cyberattack ranking as one of the top threats to business continuity (PwC). Reframing the discussion from cybersecurity, a technical or isolated issue, to operational resilience, which encompasses multiple risks, may increase engagement from senior leaders.

HR’s Role in Strengthening Resilience

Human Resources (HR) departments can play a pivotal role in bolstering operational resilience. Beyond compliance training, HR can cultivate a security-first mindset across the organisation. For example, integrating cybersecurity awareness into leadership development and performance management can significantly improve organisational preparedness. Upskilling employees on basic cyber hygiene and involving them in regular drills can ensure that cybersecurity isn't just seen as the 'IT department's' responsibility (World Economic Forum)(PwC).

Bottom Line Impact

Organisations with strong operational resilience strategies are often better positioned to respond to crises and maintain customer trust. Research by EY indicates that businesses with robust resilience strategies can more effectively safeguard their reputation, reduce recovery costs, and sustain operations during disruptions (EY Building World). The competitive advantage is clear: companies that can rapidly adapt to and recover from cyber incidents are more trusted by customers and investors, driving long-term value.

Acceptable Loss and Risk Appetite

Determining an acceptable operational risk loss is complex. Most organisations assess this by balancing their appetite for risk with the potential costs of an incident, including recovery expenses, reputational damage, and legal liabilities. However, this "healthy" risk appetite varies significantly by industry. For some sectors like finance, the tolerance for cyber losses may be near zero due to regulatory oversight, while others may accept higher risks if the costs of mitigating them are prohibitive (World Economic Forum).

While cybersecurity is undoubtedly critical, reframing the conversation around operational resilience might bridge the gap between technical specialists and business leaders. This shift could lead to more proactive and collaborative efforts in safeguarding modern organisations.

Key Takeaways:

  1. Reframe cybersecurity as part of a broader operational resilience strategy to better align with business leaders' priorities.
  2. HR departments should contribute by embedding cybersecurity awareness into company culture and upskilling employees.
  3. A strong operational resilience strategy provides a competitive advantage by reducing downtime, safeguarding reputation, and ensuring business continuity.


More articles by Glen Kieran
