Over the last few years, business leadership and strategy consultants, now also in cybersecurity, have popularized the concept of “VUCA environments” in the minds of the media and the public. This acronym, originally coined by the US Army, stands for Volatility, Uncertainty, Complexity, and Ambiguity.
In other words, VUCA defines the extremely changeable, unpredictable environment where organizations currently operate. This environment has made traditional business risks less predictable. In this sense, the microeconomics author Adam Jolly classifies these risks as:
- Strategic: structural threats to the business such as bad investor relations or a hostile takeover.
- Financial: those that generate a large impact on the results sheet.
- Operational: those that can slow down or disrupt the organization's operations in terms of goods and services.
- Normative and legal fulfillment: new regulations that the organization has to comply with, such as those related to personal data.
- Other kinds: this includes other events such as natural disasters, unpredictable geopolitical conflicts, and accidents.
This worsening of risks is corroborated by business leaders, as seen in the XXIII global survey of CEOs carried out by the consultancy firm PwC. Their principal concerns are on the rise: over-regulation, trade disputes, and uncertain economic growth, as well as cyberattacks.
Business Risk Intelligence and transversal cybersecurity
As businesses became more aware of the dangers posed by VUCA environments, organizations began to take increasingly strategic measures to deal with these risks: they found that the most efficient way of reducing the impact of VUCA was through prevention and foresight. But to achieve this, they needed to have as much information as possible about all the risk factors. This is how business risk intelligence was born.
It might seem logical to think that preventing cyberattacks is one of the key missions for business risk intelligence, but the fact is that they are such an overarching threat that it makes little sense to try to fit them into just one of the categories, such as natural disasters or accidents. These days, cyberattacks are transversal, since they can increase financial, operational, legal, and even strategic risks. This is why cybersecurity needs to be a transversal element when it comes to mitigating or reducing all types of risks.
BRI and CTI
Because cybersecurity is so relevant to business risk intelligence, it can at times get lumped together with another, more specific concept: cyberthreat intelligence (CTI). While the two concepts overlap to a certain extent, there are differences between the two types of intelligence:
- Cyberthreat intelligence (CTI) looks for and analyzes potential risks to the organization’s cybersecurity, drawing both on the organization’s own data sources and on external sources that use a variety of tools to identify Indicators of Compromise (IoCs). In these cases, organizations can use solutions such as those based on SIEM alerts, although, as we explained in a previous blog, these alerts alone can be insufficient.
- Business risk intelligence (BRI) encompasses a wider range of risks than just digital risks, and therefore gathers and analyzes information that can affect traditional business risks. This doesn’t mean that it excludes cyberthreats; quite the contrary, in fact: they are included as a factor that influences all risks.
Strategic vision of risks
Organizations can turn to cyberthreat intelligence solutions that expand on the data provided by the organization itself and go further than solutions that use reactive tools. This is where Cytomic Platform comes in. It processes large volumes of data, attributes, events and threat intelligence analytics in the cloud, combined with artificial intelligence algorithms. This way, it can achieve complete cyberthreat intelligence.
As well as all of this, senior management also needs CISOs who understand and can explain the consequences of cyberthreats on more traditional business risks, so that the organization can make the best possible decisions.
This is where business risk intelligence comes in, by considering cybersecurity to be a transversal pillar. To complement this strategic vision, CISOs must have a partner that not only provides the technological solution to cyberattacks, but that also understands and can advise on the consequences of cyberthreats on business risks. In other words, a partner that can accompany them at all times and can provide additional value via a technology-service binomial.