Cybersecurity: growing from startup to scaleup

Daniele Bonomi & Lukas Kortenhorst
jun 07, 2023 · 11 min lezen Engels
Annual report cybersecurity growing up from startup to scaleup

Business is booming. Pandemic-accelerated digital transformations are long underway. Having embraced new ways of working, many organizations see themselves as tech companies that instinctively apply digital and datadriven solutions to support their business. SaaS solutions have become modern-day staples and, clearly, the cloud is here to stay.

Yet because of these blooming developments, cyberattacks are booming too. According to a 2022 IBM report, data breach costs have broken records, now costing an average of $4.35 million per breach, compared to the $3.86 million IBM reported for 2020. These damages, moreover, are exceeded by the average cost of phishing, at $4.91 million per attack, and of ever-rising ransomware, at $4.54 million per attack (on top of the cost of ransomware itself). For the manufacturing industry, in particular, Rabobank found that in 2022, as many as one in five companies was likely to experience a cyberattack, compared to the one in 8,000 to experience a fire or the one in 250, a burglary. As a recent Forbes article noted, to Benjamin Franklin’s statement that nothing in life is certain except death and taxes, we must now add a third certainty: cyberthreats.

Hacking may once have been the relatively innocuous handiwork of bored nerds in basements, but today’s criminal digital adversaries are professionals. On the dark web, transnational cybercrime syndicates have their own HR departments, advertising jobs (vacation days included) and recruiting specialists. These individuals can infiltrate, conduct reconnaissance on, and negotiate ransom with victims, while an extensive network of affiliates undertakes the infection and encryption processes and a help desk coordinates the financial transactions. State actors have come to weaponize cyberattacks, adding fuel to already flagrant geopolitics. All threats concern technical disruptions that could jeopardize business continuity, but many will inevitably erode public reputation and consumer trust.

However, just because cybercrime has officially transitioned from the ranks of startup to scaleup, doesn’t mean organizations can stall their IT modernization journeys. They must not get caught in the brinkmanship between cyberthreats and security. Rather, they need fit-for-business security. In other words, cybersecurity is no longer the job of a single team or toolkit. It, too, has scaled up to become a full-time issue impacting and impacted by everyone in the organization.

“To the statement that nothing in life is certain except death and taxes, we must now add a third certainty: cyberthreats.”

Cybersecurity enables digital resilience
For business to flourish even in the midst of advancing cyberthreats, organizations need digital resilience. If agility were a photograph, resilience would appear as its film negative: while agility allows organizations to spring up and seize opportunities, resilience lets them stay steadfast on course no matter the hurdles. Resilience fu nctions to stand up against adverse effects, to stop the adversaries and quickly recover when problems occur. And cybersecurity enables that resilience. This means possessing the ability to deal with security threats, incidents, and events as they occur in real life in real time.

The digital resilience we impart on our customers standardly takes two shapes. We provide security at scale through building platforms that shelter mission-critical workloads. By establishing a secure and compliant platform with built-in automation and auditability, we enable customer teams to tackle their business challenges in a safe, seamless fashion. Our other method emphasizes enabling customers to boost their own digital resilience. We do this by sharing our expertise via trainings and workshops, providing insight into company posture and maturity, and offering services to detect threats and protect organizations against them.

Either way, all security solutions must begin with a proper risk assessment that puts the business front and center. Because, to quote the mantra of security experts everywhere, cyberattacks are not a question of if, but when. Any implemented measures should be based on that risk assessment. While plenty of IT companies can deliver solid security services and plenty of consultancies can analyze business risk, we have always combined the two. Informed by our 20 years of working with mission-critical IT, we handle security not as something added to, but rather built into the business.

Codifying and translating
Growing organizations means more people and more projects. Cloud computing only speeds up that growth. This can make it all the more complex to provide security solutions and troubleshoot issues. Yet, we can successfully implement security at scale because we have always been a security company. As a mission-critical outsourcer, by definition, we deal with the assets that, if unavailable or compromised, hurt an organization the most. Plus, we have codified many of the security measures that we have always taken when protecting those mission-critical workloads. This keeps knowledge clear, consistent, and accessible to everyone within the organization.

For each customer, the security measures we codify are tailored to their IT environment and must make sense for the business. This allows us to monitor and drive change for those aspects that are key to improving security posture. As such, all that we create becomes secure by design. We help make digital hygiene a habit that’s practiced daily. Integrating security and its upkeep into our culture enables business to flourish. To illustrate, we build cloud enablement zones with guardrails because they give DevOps teams enough freedom to deliver functionalities while their security officers take comfort in knowing that base-level security is maintained. These measures are essential because they ensure that security doesn’t get in the way of innovation.

By integrating security and risk experts on all our teams, we ensure the twin priorities of digital resilience and trust are part of each solution. Crucially, our security officers and engineers know how to speak the same language as they target the same metrics. In fact, we must understand multiple languages to fulfill each party’s needs. The regulators will have their security and data protection requirements. The engineers will present their securely crafted designs. And the C-suite, one day potentially held liable when things go wrong, will have their own security expectations.

Our translational work takes the form of diligent reporting, assessments with insights boards can use for fact-based decision-making, and concrete actions that make daily work more efficient.

“For business to flourish even in the midst of advancing cyberthreats, organizations need digital resilience.”

Fortifying the business

Nowadays an enormous amount of information about security and risk is available. Security toolkits abound. Eager or overwhelmed, organizations may be tempted to just try on solutions and see what fits. But staying secure, especially through the whirl of evolving technology and digital transformations, demands a deliberate commitment to maintaining digital hygiene and supporting it with codified practices. Better business is the ultimate goal, but achieving it requires technical understanding of how an environment operates and how its technology will hold up against the real threats it will be subjected to. Securing the tech to fortify the business is applicable across sectors and industries. But since no two organizations are alike, security can never be one-size-fits-all. As an organization grows, security should not come at the cost of losing that which uniquely equips it to provide a signature service or product. For example, because they handle money and all the sensitive data surrounding it, financial institutions may choose to have more rigid security processes in place, even if it means sacrificing speed. Other players in a more competitive market may have less they need to protect. Retailers, for example, may decide to take an agile approach because the cost benefits of speed and user-friendly features outweigh some risks that companies in regulated markets are unwilling to take.

Still, security is never complete. It requires constant work and systematic methods that protect presentday assets and anticipate how to defend future ones. It demands full-time awareness of ongoing cyberthreats and reverence for their destructive potential in the virtual and physical worlds. And it calls for an attitude that treats security not as a state, but as a set of practices and plans that perpetually evolve.

Meanwhile, as cyberthreats become more rampant and regulations more rigorous, our customers have more and more explicit security questions. Today, Schuberg Philis – which itself began as a threeperson startup – has much to draw from our experience and knowledge across mission-critical and thus society-critical environments. By deploying a multidisciplinary team of experts who each operates under knowledge of the full business context, we can answer these evolving questions. Ultimately, we’ve been executors of digital resilience since day one. So although the next cyberattack is certain, we help customers feel equally certain about their digital resilience. It’s built into their fit-for-business security.

“Although the next cyberattack is certain, we help customers feel equally certain about their digital resilience. It’s built into their fit-for-business security.”

Frank Breedijk 3031

Meer weten?

Neem contact op met Frank Breedijk.