“First and foremost, we need to raise the level of awareness of the information our systems and networks contain. Security isn’t just about developing technical solutions. In a broader perspective it’s about identifying a company’s most vital information and deciding what needs protecting.”

This was Marcus Wallenberg’s take on the concept of cyber security during an interview in the latest issue of our customer magazine, Combined.

He believes the concept should be viewed in a broader risk context and identifies one of the management team’s most important jobs: risk management, in this case relating to IT systems and the information stored in them.

Risk management is about balancing business or operational benefit with security. And it requires management teams to have sufficient knowledge to impose the right requirements on the operative processes. There also needs to be a solid crisis management organization in place, i.e. making the right decisions when information systems come under attack.

It’s vital to understand the value of the information handled by the business and the consequences of such information being lost or corrupted. The consequences for contractors or a third party often also need to be considered. And it’s about knowing what is most critical and in need of protection – and when. Cyber security is a constantly evolving concept.

A management team also needs to understand potential threats and the various contexts in which threats arise.

Threats may manifest themselves in different ways, but the aim is often the same – extortion, industrial espionage, brand attacks, theft of intellectual property, sabotage and suchlike. Management teams need to be capable of assessing the consequences of a threat in various operating situations, using qualified input values from employees, to make well-informed business or operational decisions.
A management team should be able to answer key fundamental questions about cyber security:

  • How well does our capability match the current threat situation in our operating environment?
  • What are the organization’s most important assets?
  • How do cyber security risks affect the business’s goals and strategy?
  • How do we manage our risks, threats and potential attackers?   
  • Are we complying with relevant standards and regulations?
  • How do we compare with others when it comes to our security level, investments and suchlike?
  • What incidents have occurred?
  • What caused these incidents and what have we done about them?
  • Are we getting better at cyber security and risk management?

The answer to the last question may sound simple: Yes or no. But answering it requires a solid understanding of all the other questions. It also requires the right information and decision-making documentation from the organization. And most importantly, a good level of security awareness.

Improving isn’t just about raising the level of security. It also means adapting it in response to existing threats and risks. It’s about being able to prioritize and take action at the right time. That’s why cyber security is clearly a matter for the management team.