Chapter 2

Exploring operational excellence in IT Security: A study on Cybersecurity risk management and business impact

Since 2017, cyber risks, such as attacks or data theft, have regularly featured in the top 5 of the World Economic Forum’s annual Global Risk Barometer, a sign of very welcome awareness among the world’s top leaders.

In 2020, they disappeared from the ranking, which was established before the Covid-19 pandemic. However, from data leaks to ransomware, the news keeps reminding us that no one is completely safe and that the damage is increasingly heavy. So what has happened? Did companies tackle the problem head-on, to the point where they felt sufficiently protected? Or is there a false sense of security around cybersecurity? If the latter is correct, why and how have CIOs and CISOs failed to maintain their vigilance? It is these questions, among others, that we wanted to answer by launching an EMEA survey on cybersecurity, together with IDC. The study was carried out before the Covid-19 pandemic hit, which makes the results even more valuable. This dramatic episode has shown us that our resilience is increasingly dependent on digital systems, and therefore on our ability to protect them from the very threats that the crisis is intensifying.

We are publishing the results in a series of three white papers, each focusing on a dimension of the study that we feel is fundamental in exploring these questions fully. After addressing risk management and the business impacts of cybersecurity, and then looking more specifically at the case of workplace and digital transformation security, this third and final issue focuses on Operational Excellence in IT security.

While the IDC survey results have highlighted a number of unfortunate shortcomings and obstacles, they have also confirmed that perceptions of cybersecurity have changed significantly. The same survey carried out some ten years ago would certainly have revealed low appreciation of and interest in the subject at that time. Today, even if an organisation has not yet made all the improvements on its list, particularly in terms of resources, everyone agrees that cybersecurity is a major issue that contributes directly to value creation.

The challenge for companies is to capitalize on this change of mindset in both organisational and operational terms. How can we ensure that cybersecurity is no longer a matter for specialists, to be dealt with separately, but rather a matter for everyone, effectively integrated into daily processes? It is this question of security management and its operational excellence that we are addressing here. Without going into the details of the results, which our experts will discuss at the end of this document, the answer to this question largely involves "shifting left". This will mean approaching cybersecurity further upstream in projects, first through a security policy whose formal framework will be imposed on everyone, then through approaches such as Security by Design and DevSecOps, which reconcile the needs for agility, efficiency and security on a practical level. It is at this fragile point of balance, between rigour and flexibility, that the operational excellence of cybersecurity lies.