Know what you don’t know: Cyber exercises as a business enabler in a hyper connected age

February 1, 2023

In recent years, you may have noticed a steady drip of articles arguing that cybersecurity is becoming a business enabler, rather than a pure cost to businesses. The argument is that cybersecurity, when done well, creates a business environment where innovation, agility and growth can thrive.

Cybersecurity as second nature

According to a survey by Vodafone, 86% of high-growth businesses see cybersecurity as an enabler of new business opportunities, rather than simply as a means of defense. Almost 90% of companies believe that strong cybersecurity helps with their reputation in the market, attracts new customers, and improves loyalty among existing customers.

The theory is that if cybersecurity is embedded in the foundation of business processes and is seamless, it creates a safe environment for innovation and growth, rather than acting as a brake on the organization. In an ideal world, cybersecurity would be second nature, rather like the way in which personal hygiene acted as a defence during the pandemic. If people did the simple steps diligently – washed their hands, isolated if they were ill and so on – it meant that people were able to work together and companies could operate as normal. The same is true for cybersecurity – the routine, small actions need to be second nature if the wider defences are to be strong.

But cybersecurity is becoming more challenging as digital transformation accelerates and the use of cognitive technology becomes more widespread. The ultimate objective is to ensure that cybersecurity becomes a business enabler in an interconnected – and therefore increasingly risky – digital world.

Cybersecurity spending and false sense of security

Worldwide spend on cybersecurity exceeded $60 billion in 2021; according to Deloitte, companies spend between 6% and 14% of their total IT budget on cybersecurity every year, with financial services institutions spending the most. The danger is that this level of spending can give a false sense of security.
If cybersecurity is to be a business enabler, it’s essential to know what you don’t know. And that’s where organisations like Nortal excel. It’s vital that organizations and companies understand the true level of their resilience in a crisis situation – and that can only be done by rigorous real-life testing.

We all think we know how we would behave in an emergency, but we can never know for sure until it happens – or until we test ourselves in a realistic simulation. We don’t know everything that could possibly go wrong. This is why the military conducts regular drills and mission analysis – so they understand exactly what could happen before it happens on the battlefield. So when it comes to real life, there are as few surprises as possible.

The real question for businesses is on the organizational rather than individual level. How would individuals react as a team under pressure in a crisis? Would everyone know what to do? Are robust procedures in place, tested, and validated?

Cyber exercises: testing your organization to understand the unknowns

Our role is to create realistic scenarios that test the ability of companies, people and governments to react well to a cybersecurity crisis. We aim to test and improve cyber resilience, to make sure that business continuity is maintained during a crisis, and to deliver proof of a business’s real cyber capabilities.

To achieve this goal, the cyber resilience exercises address cybersecurity matters in an interdisciplinary way. There are technical challenges for the technical team, the potential impact is amplified to challenge the leadership, and incident response processes and policies are stress tested. This all combines to evaluate individual, organisational, sectoral or even national cyber resilience capabilities.

Earlier I asked if we know how we would behave during an emergency. The real question in cybersecurity goes one step further: How would a group of people and organisations react to an emergency situation – together?

Large-scale cybersecurity incidents typically involve huge amounts of people and many different organizations. Say, for example, the systems of a nuclear power station in France are attacked. Depending on the scale and success of the attack, the response could extend far beyond the power station itself – to involve Government, emergency services/first responders, power companies, the military, specialist companies serving the nuclear sector, data companies, intelligence agencies… the list is long. How will each behave? How will they interact? What should the chain of command look like? These are the large-scale issues and questions that we test, examine and analyse. It is our role to highlight situational awareness, evaluate the cybersecurity posture of an organization (or in some cases, jurisdiction), and identify what needs to be done to take defences to the next level.

Cybersecurity is a shared responsibility but it is often assumed that it’s a job purely for Incident Response Teams. The truth is that most cybersecurity issues are not technical – a cyber security event can have wide-ranging consequences that impact almost every part of a business, sector, or jurisdiction. Cybersecurity has implications for us all and cyber resilience depends on all of us. To create a truly cyber-resilient organization in the digital age takes commitment at all levels. That’s why we are here, and that is what we will help you be.

Csaba Virág

Csaba Virág

Director, Cybersecurity Capacity Building

15+ years in finance, mobile tech, IT development and cybersecurity. Certified ethical hacker. EU and global cyber capacity building. Member of ENISA Advisory Group and chair in various EU level organizations. Cybersecurity-as-an-enabler advocate.

Related content