Have our institutions become too complex to secure?
In today’s hyperconnected world, companies need to consider multiple areas of cyber risk throughout their ecosystem.
Even a decade or so ago, the technical operations, systems and footprints of many large companies had become extremely costly and complex. Breakneck digitisation in the smartphone era has exacerbated matters, as companies have increasingly created ecosystems with a variety of new partners to help expand their reach and capture new, profitable growth. They range from supply chain relationships across goods and services (including IT services) to partnerships for data, distribution, marketing and innovation. Even more recently, the business challenges of the COVID-19 pandemic have spurred faster adoption of digital solutions that rely on data, digital networks and devices that are most often operated by companies outside the organisation’s borders.
The technology architecture of many organisations, often made up of layers of legacy systems with multiple constraints on their flexibility, represents an ever-expanding dimension of complexity. (By contrast, many “digital native” companies of more recent vintage have a simplicity advantage: built digital from the ground up, they use more recent generations of IT, standards and techniques designed for interoperability across systems.) Legacy structures are often riddled with open seams and soft connections that attackers can exploit, and attackers’ capacity to infiltrate sprawling systems has grown. The pressures on these legacy structures have intensified as companies have pushed their current IT to keep pace with the digital natives. Mergers often multiply risks: connecting two already complex networks of systems yields something far more complex than either was on its own.
As a result, complexity has driven cyber risks and costs to dangerous new heights. The number of significant cyberattacks globally is increasing, and includes potentially devastating criminal “ransomware” attacks and nation-state activity targeting government agencies, defence and high-tech systems, for example by breaching IT network-management software and other suppliers. Each major incident can expose thousands of users (at both companies and government agencies) to risk, and can go undiscovered for months.
As senior leaders revisit their growth strategies in the wake of the pandemic, it’s a good time to assess where they are on the cyber-risk spectrum, and how significant the costs of complexity have become. Although these will vary across business units, industries and geographies, leaders need good mental models for self-assessing the complexity of business arrangements, operations and IT.
One conceptual framework for thinking about complexity and the cyber-risk spectrum comes from Nobel Prize winner Ronald Coase, whose transaction-cost theory of the firm (distinct from the better-known Coase Theorem on externalities) posited that companies should use external contractors to supply goods and services until the transaction or complexity costs of those arrangements exceed the coordination costs of doing the work in-house. A similar dynamic may be at play in cyber-risk assessment. Cyber risk, whether generated through a supplier relationship, a customer relationship or internal arrangements, is a sort of “external” cost, one that has risen as attackers have become more capable and more pervasive. At the same time, the “transaction” costs within the enterprise of establishing multiple nodes of partnerships (where risks are hidden) have actually gone down, thanks to the ubiquity and lower cost of digital interactions. The upshot is a new environment in which the costs of failure have risen markedly while the costs of creating complexity have fallen sharply.
Leaders seeking to strike a better balance can start with some basic principles. One is ensuring that strategic moves won’t increase complexity risk and make the current situation worse. Another is understanding that simplification of company IT may require more than minor rewiring of systems, and instead may demand more fundamental—and often longer term—modification to IT structures, to make them fit for growth. In our experience, the challenges and opportunities fall into three areas.
Although the benefits of simplification are large, extending far beyond cybersecurity, we’re under no illusion that they are easy to realise. Reducing complexity while establishing a framework for governance and shared responsibility demands deliberate action, over the long and the short term. It also demands the attention and energy of CEOs and boards who understand its value, and are ready to invest in changing mindsets, across the management team, about the benefits of simplicity. Leaders who are ready to step up and set the tone will create a better blueprint for a securable enterprise.
Global & US Cybersecurity & Privacy Leader, PwC United States