Cybersecurity Challenges & Organizational Change Management
5 Reasons Why Your Security Posture Matters
When it comes to data protection and cybersecurity strategy, organizations are faced with an increasingly tough challenge – securing their critical data assets during frequent periods of organizational change.
Whether you’re going through a merger and acquisition, adding new office locations to your already global business operations, hiring new members of your C-level management team, dealing with integrating more and more technologies or signing up new third-party vendors, chances are that you’ll need to figure out if your cybersecurity strategy is resilient and effective enough to deal with these changes.
Can it protect your organization through the stormy waters of complex business deals? Is it mature enough to shield your operations against intrusions? Or do you simply need to revisit it to make sure everything is still working how it’s supposed to be?
Let’s look at 5 typical scenarios that today’s modern businesses are facing, and discuss possible ways in which a healthy cybersecurity maturity level may come in handier than you think:
- Mergers and acquisitions
- Integrating new technology
- Adding new geographical locations
- Engaging with new third-party vendors
- Hiring new C-level executives
Disclaimer: Note that this list is not exhaustive and is meant to provide some of the most common types of organizational change where a healthy cybersecurity posture may be beneficial.
Mergers and acquisitions
Mergers and acquisitions (M&A) are common occurrences in today’s globalized business environment. In 2017, the global M&A volume reached over US$3.15 trillion with 18,433 deals in total. As usual, the technology sector has the highest annual deal count. A 2016 study by the stock market operator NYSE has revealed that the majority of business executives are ready to lower a deal’s valuation or even back out of the deal completely if major vulnerabilities are discovered prior to deal closure or if the entity in question suffers from a high-profile data breach.
Figure 1: Cybersecurity and the M&A Due Diligence Process (NYSE, 2016)
Therefore, it comes as no surprise that due diligence on cybersecurity is becoming an increasingly critical factor in M&A transactions.
According to Bloomberg, “companies and investment funds are adding an extra layer of scrutiny to acquisitions by screening targets for cybersecurity risks”. Particularly after the scandalous hack of internet giant Yahoo! back in 2014, M&A practitioners, executives, and investors seem to have realized how critical a healthy cybersecurity posture is in M&A decisions. Cybersecurity has transcended the boundaries of technical relevance and entered an entirely new sphere: business impact and valuations.
Regardless of how many entities are involved in an M&A transaction, it becomes increasingly important to evaluate and unify the appropriate governance, enterprise information security and cybersecurity mechanisms for the new entity. By carefully auditing their IT operations and the effectiveness of their cybersecurity strategy, organizations can make sure to identify and hopefully close their cybersecurity gaps prior to closing a deal.
Not sure where to start? A security posture assessment can be a great way to evaluate what the entities’ current security posture is, what is missing and what steps need to be undertaken to strengthen their defenses. All of this can help ensure smooth M&A transactions.
Integrating new technology
In today’s digitalized business environment, more and more organizations find themselves at crossroads between implementing the latest and greatest technology tools all while maintaining an acceptable cybersecurity posture to protect themselves against breaches and intrusions. While the interconnectivity of systems and devices can bring increased efficiencies, data analytics, and alignment, it also poses risks to the organization that have to be addressed.
According to a 2018 cyberrisk survey, three out of four senior-level finance and treasury executives admit that their organizations had to deal with new cybersecurity risks due to the increased usage of new technologies. These cyberrisks include operational risks, business continuation, errors and omissions and regulatory risks.
“Risk managers will need to stay on top of technological trends and anticipate how these will impact their organizations going forward in terms of cyber risk exposure.”
As technologies evolve, so will their security gaps and vulnerabilities. Therefore, organizations will have to stay on top of the game when it comes to:
- knowing which technologies they currently use,
- whether these technologies are vulnerable or not, and
- what they need to do to secure these technologies against breaches and intrusions.
Evaluating your overall cybersecurity posture will be an important step towards managing the risks associated with newly-added technologies in your environment.
Adding new geographical locations
In an era of globalization, international trade and business relations, many organizations choose to establish additional geographical locations to serve their local customers better. No matter if newly-added locations are located within or beyond national borders, there are several business impact considerations that must be taken into account, such as:
- The new location may fall under additional regulatory compliance requirements, such as NIST, GDPR, PIPEDA
- The new location may not meet corporate cybersecurity standards, such as appropriate security processes, incident response procedures, technology defenses, 24/7 monitoring requirements, physical security requirements etc.
- Employees at the new location may not be properly trained when it comes to security awareness
If your organization wants to embark on the globalization bandwagon and conduct business globally all while meeting your data privacy and security obligations, make sure you have “an internal governance structure that fosters a culture of data privacy from the top down” to get ready for what lies ahead of you.
Before adding a new geographical location to your business structure, make sure you’re 100% aware of your current cybersecurity posture and how it may change by integrating the new location.
Related Post: Data Breach Notification Laws: Canada, U.S. & Europe
Engaging with new third-party vendors
As businesses struggle with meeting all their obligations with in-house personnel or tools, they tend to engage with a variety of third-party organizations. Each third-party relationship exposes the organization to a certain level of risk that should be managed. In fact, recent statistics have shown that only 1 in 4 organizations actually monitors their third-party relationships, thus exposing them to considerable risk.
Turns out you are only as secure as your least secure contractor. Surprisingly enough, many organizations don’t even know how many third parties they actually engage with (see Figure 2 below). Before adding new third-party vendors, you should evaluate them carefully and make sure they are operating according to security best practices that apply to your specific business context and industry.
Figure 2: Key Findings from NAVEX Global’s Third Party Risk Management Benchmark Report (NAVEX Global, 2016)
For example, organizations that need to comply with the Payment Card Industry Data Security Standard (PCI DSS) and outsource their credit card processing to third-party providers are not exempt for their legal liabilities in case on non-compliance.
A risk assessment can help evaluate the level of compliance of your third-party provider. It can also be helpful to conduct an overall cybersecurity posture assessment before and after adding a new third-party provider to evaluate your cybersecurity maturity and the impact that this organizational change can have on your maturity level.
Related Posts: Third-Party Security
Hiring new C-level executives
In response to increasing cyberthreats, regulatory requirements and data protection obligations, the roles and responsibilities of the C-Suite have evolved. A study revealed that cybersecurity literacy is usually not a strong suit for C-level executives, many of whom are unprepared or unsure when it comes to facing their cyberrisks. To address growing cybersecurity concerns, organizations are now creating new positions for Chief Security Officers (CSO), Chief Risk Officers (CRO), Chief Data Officers (CDO) and the like.
The appointment of new C-level representatives often triggers the need for an assessment of current information security and cybersecurity mechanisms and initiatives. Conducting a cybersecurity posture assessment can be helpful for C-level executives to identify the organization’s current security posture at a glance, reveal weaknesses and gaps, and provide them with a clearly-defined action plan to address these shortcomings.
Regardless of whether the C-Suite deals with large of amounts of confidential data, a highly-regulated environment or upcoming M&A transactions, knowing your cybersecurity posture and understanding what needs to be done to strengthen it can have measurable benefits for protecting the business and ensuring their job security at the same time. In the words of the Global Banking & Finance Review, “as enterprises and government agencies are required to follow GDPR (…) and other cybersecurity guidelines, more than just the CEO will be targeted for replacement.”
When it comes to cybersecurity and organizational change, we have learned that a healthy cybersecurity posture can a crucial element in helping your organization navigate periods of change. Evaluating your cybersecurity posture can help you close M&A transactions, integrate new technologies safely and effectively, secure new geographical locations, manage the risk of engaging with third-party providers, and make the job of your new C-level hires easier.
Regardless of which type of organizational change you may be going through right now, defining and improving your cybersecurity posture is not only essential to build a long-term security strategy but can also help guide you through change, provide some perspective and manage your risks each step of the way.
Do you know what your current cybersecurity posture is? If you’re not sure, we’ve developed a handy-dandy checklist that will help you get a high-level overview of where you’re at in terms of your cybersecurity posture.