Competitive advantage through superior cyber resilience

May 2022  |  SPOTLIGHT | RISK MANAGEMENT

Financier Worldwide Magazine

May 2022 Issue

Successful organisations in today’s technically-advanced and highly global markets prepare themselves for cyber war.

In the same way that medieval kingdoms built fortified castles that were difficult to scale, employed trained and highly skilled armies, and were strategically positioned to fend off both offensive attacks and drawn-out sieges, today’s businesses need to be ready to fight.

This means being ready for the worst-case scenarios and willing to invest in advanced cyber security systems, and hiring personnel who are at the cutting edge of cyber resilience, ranging from board members who craft appropriate strategies, through to the leadership team and staff who execute day-to-day activities.

Taking a proactive and serious approach to planning necessary procedures that will ensure operations continue, or at least recover quickly, in the face of a serious cyber attack can literally make the difference between survival and failure.

The nature of competitive advantage

The concept of competitive advantage inherently addresses the question of how to create a unique advantage for the company which potentially enables it to achieve success over its rivals. This is based on the notion of capturing value by excluding rivals from opportunities, or by achieving something that competitors are otherwise struggling with.

In today’s 4.0 economy, personified by extensive digitalisation and the advent of necessary cyber security, which can encompass nuisance attacks through to catastrophic failure, finding success against such widespread concerns offers two sources of competitive advantage: temporary and sustainable.

As the description suggests, ‘temporary’ allows limited benefits over a short period of time, during which any advantage may well vanish. Naturally then, ‘sustainable’ competitive advantage is the preferred option, which leaves a firm’s competitors in a position where they are unable to replicate, access or diminish its achievements.

It is wise to rely on core competencies as sources of sustainable competitive advantage. However, this can add a further layer of complexity because when an organisation chooses to rely on technology as its core competency, it is opting for a non-static feature in a rapidly changing world.

Cyber resilience – the route to competitive advantage

Cyber security is an established concern for leaders around the world. However, the most successful organisations have taken the issue a step further by adopting a cyber resilience stance.

For example, the UK government’s ‘National Cyber Strategy 2022’ outlines five foundational pillars, one of which relies upon “building a resilient and prosperous digital UK”, aimed at reassuring businesses and inspiring the wider public’s confidence. Similarly, the World Economic Forum’s (WEF’s) ‘Global Cybersecurity Outlook 2022’ highlights that over 90 percent of cyber leaders believe cyber security and cyber resilience are issues of identical importance.

A reinforced cyber security strategy can be positioned as a rich source of competitive advantage for an organisation as long as it offers long-term value. However, since technology itself is constantly changing and dynamic, systems must incorporate these features as well.

A strong cyber security strategy is only as effective as its success operationally, which is bound to require changes over time. The differentiator, setting leading firms apart from their less successful peers, is the pursuit of change.

Organisations need to invest in their people, processes and systems, and take into account the development of necessary cyber security capabilities. Cyber resilience is ultimately dependent on shrewd board governance and a competitively-minded management team, who will craft and execute a robust cyber security strategy that secures competitive advantage.

Novel perspectives of competitive advantage

Discussions about delivering competitive advantages from technology have been around for decades, but it is only recently that these concepts have fallen into association with a fortified cyber security system and come to the attention of board members, government representatives and members of top leadership teams.

The importance of adaptability

According to the chief executive of a pan-European cyber consultancy: “For cyber security to actually be a competitive advantage, there needs to be a process in place. It needs to be cyclical, as a never-ending ongoing process. It needs to be adaptive and dynamic, in terms of its capabilities, that it can constantly keep learning and adapting.”

This interviewee possesses a wealth of insight gleaned from their career in cyber consultancy. Their thoughts echo the idea that adaptability and dynamism are two essential pillars that determine a strong cyber security strategy. Even this may be insufficient as the needs of the cyber realm change and evolve.

Additionally, since all of these cyber security management systems rely on technology, they need to be made adaptive and equality-autonomous. Clearly, for a cyber security strategy to offer competitive advantages to an organisation, it needs to incorporate the element of resilience.

A reliance on human capital

The importance of focusing on technology does not mean being divorced from the people who implement it. Understanding that cyber security and resilience relies on a team, processes and systems, brings the spotlight back onto the individuals involved in enforcing it.

In the words of a C-suite executive at a big tech company: “You need the people who can create and build the technology program. You need the architects and also there is a lot more emphasis on artificial intelligence (AI) – robotics. You need to be able to train the AI so it does not then have all the biases in it. So, you need a subset of creators, and then you need a subset of users and so on.”

This comment clarifies that the discussion of competitive advantage shaped by cyber resilience requires distinct attention to the people it involves. If it were just a matter of technology, then all of the technologically-advanced firms would be successful in purchasing state-of-the-art cyber secure systems.

Clearly, it is imperative to examine the human resources aspect within information technology because it is people who decide the fate of the cyber realm and make it resilient enough to provide a unique advantage to the firm.

With major cyber incidents occurring so frequently, perhaps the question that organisations need to start asking is not whether they will be attacked and how this will impact them, but when they are attacked, how will they achieve the least impact on their operations and stakeholders.

Resilience is one of the most important characteristics on the path to triumph, and cyber resilience is the implement of choice for achieving organisational wins against rivals. A firm that can map its pathway to continued function with little if any exposure by cyber incidents may well be the last one standing, and this is the best benchmark of any competitive advantage.

Andrew Kakabadse is professor of governance & leadership, Ruchi Goyal is a doctoral researcher and Nada Kakabadse is professor of policy, governance and ethics at Henley Business School. Mr Kakabadse can be contacted on +44 (0)1491 418 776 or by email: a.kakabadse@henley.ac.uk. Ms Goyal can be contacted by email: r.goyal@pgr.reading.ac.uk. Ms Kakabadse can be contacted on +44 (0)1491 418 786 or by email: n.kakabadse@henley.ac.uk.

© Financier Worldwide

BY

Andrew Kakabadse, Ruchi Goyal and Nada Kakabadse

Henley Business School

©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.