How and why does cybersecurity inform strategic business decisions? This week, Jax Fong from Brookfield Asset Management explores how cybersecurity is a growing enabler of attitude and decision-making when it comes to long-term business investments.
What’s the relationship between business strategies and drivers, compared to IT strategy and cybersecurity when it comes to influencing strategic decision-making?
When we talk about strategies, they are pretty much different roadmaps: the business perspective, the IT perspective and cyber. IT and cyber are enablers for the business, and roadmaps give you the different checkpoints in terms of what you want to actually achieve. Organisations as a whole want to focus on operational sustainability and what is actually holistic.
Each of these different strategies then forms the bigger picture of what the identity of the organisation is. In terms of business drivers, that actually describes the appetite of the organisation in terms of rate of change and what is expected of the different pillars to support what is viewed as sustainability. Given that most businesses can’t operate without the support of technology, and given the situation with COVID, there is such a great need for and reliance on the internet.
IT and cyber are enablers of the business; they are almost core requirements in order for businesses to exist. If IT is providing the infrastructure for businesses to operate in, cyber is almost like the insurance in protecting that infrastructure – to make sure that it’s actually available, that it’s able to provide integrity and also the confidentiality to give the confidence and trust for businesses to operate in.
Is any of this impacted by whether an asset management organisation has a long-term or short-term investment strategy?
It does. A lot of asset management firms – and definitely with the experience I’ve had with Brookfield – it’s all about long-term investments. But when I draw back on some of the past organisations I’ve worked in, some of them actually have shorter-term views. The culture could actually drive the different activities to build up the components within the roadmap.
For example, if it’s long-term, there might be a lot of due-diligence activities that happen beforehand, and different compliance requirements that could come in. Or alternatively, the drivers might not be about having immediate profits within the next one to three months, but could actually be a longer term of six to 12 months. But an organisation with a shorter-term focus would want to see immediate returns.
What that gives us from a security perspective is the understanding of what is acceptable risk, and what is acceptable when we’re assessing the investments that are being made. It could really change in terms of what is expected from a strategic roadmap – there are very different directions.
If you look across the landscape of organisations – with the different industries, different regulatory influence, different sizes – how do you approach risk from a cybersecurity perspective when there is no one-size-fits-all solution?
There are basic principles that I apply, and the very first step is actually understanding the context. That’s almost fundamental for any risk practitioner.
The context is very specific to the business itself – what are their business objectives? What are their drivers? What does the business expect?
The other aspect to take into account is knowing the landscape we operate in. Is the organisation only operating within Sydney? Or is it a multinational organisation, like in the case of Brookfield? There could be region-specific considerations because each one would have very different ‘pull’ and ‘push’ factors that need to be taken into account.
It’s also about knowing who your audience is, as well as your allies and your stakeholders. All of this could actually help form the context.
Last but not least: culture. There are country-specific nuances. What could be considered acceptable in the US may not be acceptable in Asia, for instance. The language used could be very different as well. So understanding the context is key for the first part of risk management.
Stakeholder management is integral to making all of this work within an organisation. Who are the stakeholders and how do they differ in terms of needs and expectations?
From the perspective of a cybersecurity professional, the stakeholders are both internal and external.
As a regulated entity, the compliance, legal and regulatory functions at Brookfield are my first go-to internal stakeholders. We talk about needs and expectations; making sure that we maintain our operating licences so that we can continue doing key business activities.
The second internal stakeholder that I would see as critical are the different business units – whether we talk about finance or the tax functions. Internally, pretty much every single department would actually form part of the key, because fundamentally, security is something you can’t do alone. So making sure that we get buy-in from different folks on the ground really helps drive the principle that security is everyone’s responsibility.
Because of the industry that I’m in, regulators are definitely one of the key external stakeholders. Investors as well. We don’t deal with retail clients, we deal with major investors of large organisations or funds, but both have very different expectations. Regulators want to see that we are good corporate citizens, that we are operating within the regime and following good practices and principles. Investors, on the other hand, want to make sure the money they’re investing is going to an organisation they can trust – that they are not going to lose their investment and hopefully make a profit.
Summing up how to use cybersecurity as an enabler for strategic decision-making, what would be your key takeaways?
The first point is being aware of your landscape to develop solutions or strategies that will help the business achieve what they intend to do. A lot of times, security professionals are very focused on the latest technology tool they can implement to protect the organisation. Sometimes an organisation is focused purely on achieving the business objective – they don’t want the perfect solution, but they want just enough to meet the specific timeline they have set.
The second point is having a roadmap that is supported by an acceptable framework. It provides a common language and something that is easy to go back to – because you can implement the perfect solution, but if your stakeholders do not understand what you are doing, you’re not going to get the buy-in you need to be effective.
Last but not least, the question about knowledge sharing is very important, and also working together with your stakeholders. Cybersecurity doesn’t work in isolation, and it’s never siloed. There are many dependencies on cybersecurity, so understanding your stakeholders and what their dependencies are will help move things along.
Want more insight into the world of security, identity access management, biometrics and more? Get your weekly fix with the Identity Today podcast, hosted by Daltrey MD Blair Crawford. You can start on Episode 1 or listen via Apple Podcasts, Spotify or your favourite podcast app.