Businesses routinely evolve alongside the challenges of their operating environments. If the challenge is power, they ensure they have a power backup. Organisations that cannot afford downtime invest in connectivity failover.
And yet, when it comes to digital infrastructure, many businesses treat “security” as a separate, IT-delegated silo rather than a core pillar of operational performance and, in the worst-case scenario, survival. This is a mistake, because the era of viewing cybersecurity merely as a defensive IT function is well and truly over. Cyber risk is fundamentally a business risk, which means that true resilience demands a commercial, rather than a purely technical, approach.
What does this mean? If we are honest, security is often viewed as a grudge purchase. Imagine a boardroom where a Chief Information Security Officer requests a budget of about KES 77-million based on detailed threat modelling. The board reviews this and counters with approving KES 46-million. That KES 31-million difference is not a savings for the business. It is an unmitigated financial risk that the business has chosen to absorb. This is an important insight – the C-suite needs to translate technical vulnerabilities into bottom-line exposure.
Defining acceptable risk
Cybersecurity is not binary. In other words, you are not “safe” or “breached”. Cybersecurity is entirely about an organisation’s specific appetite for risk. By way of analogy, imagine two people walking into a Las Vegas casino with $200. They make their way to the roulette tables, where the first person puts the entire $200 on a single, high-risk number. That’s a high tolerance for risk. The second person spreads the bet across multiple, defensive layers.
Businesses, especially enterprise-level financial services institutions, are burdened by complex legacy systems, which work. Because of this, they cannot eliminate risk entirely. Therefore, they need to define what “acceptable risk” looks like and then strategically map out which of their systems are uniquely vulnerable.
Remember, risk is not just about hackers – it is also about accessibility. For example, a bank or insurer’s risk profile is complicated by the need to broaden the client base and bolster social and financial inclusion. If a bank tightens security by forcing app-only biometrics in all interactions with the customer, it risks alienating its least tech-savvy customers. In many cases, this forces organisations to rely on legacy SMS, which comes with vulnerabilities, creating a permanent risk window that the board must acknowledge.
The hidden cost of friction
The whole point of cybersecurity is to try to keep digital infrastructure safe. Yet, as we all know, hyper-aggressive security can, ironically, also be damaging to the bottom line if it disrupts operations. Organisations, then, need to work with platforms and partners that are known for reducing false positives, where security software blocks legitimate business. In high-volume environments, such as trading floors or during busy periods, a system disruption of just a few minutes has a meaningful, quantifiable financial cost.
Understanding that, organisations have the blueprint for good security. It works almost invisibly, with a light touch. Disruptive security eats into profits daily, while good security boosts commercial ROI through quality threat intelligence.
Good, or quality, security is not just about an impenetrable wall. It is also about telemetry and context. High-quality security platforms understand user behaviour. If a system detects a login from Nairobi and almost immediately from New York, it understands that no one can travel halfway around the world in three minutes and therefore flags the anomaly. This intelligence-driven approach personifies light touch because it only interrupts the user when context and behaviour is genuinely suspicious.
Are you asking the right questions?
When organisations reframe cyber risk as business risk, the next step is to understand that risk extends beyond their own walls. Many people reading this will remember when Heathrow Airport suffered a major power outage. A major global hub was taken offline for a day, not by a direct attack on its core systems, but because a utility provider ignored an earlier alert about moisture in a nearby power substation.
C-suites would do well to challenge their organisations to ask the right questions. Are they simply checking if the primary systems are safe, or are they interrogating the “substations” connected to their operations: their legacy applications, third-party vendors and integrated supply chains?
The sobering truth is that risk isn’t just the lack of a firewall. It is also a technical debt. There are systems running, right now, in financial organisations that are unpatchable. And so, the cybersecurity discussion shifts away from patches to asking how to best segment and protect a vulnerable old heart with a modern shield. This is a strategic architectural decision and not a simple software install.
Cybersecurity should be a continuous, boardroom-led exercise in commercial resilience that requires working with partners who understand there is no finish line in cybersecurity. You cannot arrive. All you can – and should – do is strategically and tactically plan your race according to the risk you are willing to take on board.
By Tony Anscombe, Chief Security Evangelist at ESET
