Tech Leaders Norr

Business Continuity:
Cybersecurity in Focus

For the second time this spring, Elastisys invited leading cybersecurity experts in northern Sweden to share knowledge and discuss cybersecurity. During the afternoon, suppliers, people responsible for critical societal services, and other industry experts gathered to talk about business continuity and how organizations can actively work with cybersecurity. Among the questions discussed were:

  • Is there a plan?
  • How do we prepare to handle incidents when they happen?
  • How do we evaluate our suppliers?
  • How do we make security a priority?

In this blog post, we at Elastisys summarize the key insights from these discussions.

Talk About It

It quickly becomes clear that cybersecurity in an organization is not just about rules and processes — it’s also about communication. Many companies don’t talk about cybersecurity across the whole organization, only in certain parts. Because of this, someone must be clearly responsible for driving the topic and communicating it. If everyone is responsible, then no one is really responsible. In your organization, who owns this responsibility — the CISO, the communications department, or no one at all?

It was also discussed that cybersecurity is not only important in traditional IT-heavy industries. Recently, we have seen examples of organizations that are not usually connected to IT being heavily affected by cyberattacks. Even though these attacks are unfortunate, they have served as a wake-up call for many industries. The main point is that cybersecurity must start becoming a priority, because attacks can lead to major data breaches, financial losses, and damaged reputations.

It Must Come From Leadership

A security-focused culture starts at the top and spreads through the organization. It’s about how leaders act — not just what they say. As a leader, you need to take extra responsibility, lead the way, and set a good example. People follow what others do, not what they say.

Another topic that came up was automation. As a leader, you can influence this. The idea is to make it hard to do things wrong. By automating tasks where possible, you reduce the risk of human error and strengthen processes. Communication is important here too: how you explain these changes matters. Present them as safety measures, not as extra work or punishment. If people feel safer, they are more likely to follow — and even appreciate — the new processes.

Rank and Prioritize

There are hundreds, maybe thousands, of possible security actions an organization could take. So where do you start? The group discussed the importance of spending more time on what is truly critical and less time on low-impact tasks.

But how do you know what’s most important? The best approach is to sit down and rank different tasks and systems, and identify which actions are easy and inexpensive but have big impact.

In practice, this is challenging because it can be hard to evaluate risks. For example, reducing a risk from level 5 to level 2 might be cheap and easy, while going from level 2 to level 1 could be very expensive and time-consuming. This is why prioritization matters. You must consider risk level, time, cost, and available resources when comparing different actions.

Can You Just Trust Your Suppliers?

Organizations usually have many suppliers and systems. Often, companies assume that “someone else” is responsible for security. But who actually holds the responsibility, and how do you know that? You need clear answers to these questions. If you don’t have them yet, someone must take ownership of finding the answers and creating a process.

One reason companies blindly trust suppliers is that the cybersecurity industry is still young and immature. There aren’t always clear expectations for reviewing suppliers. Many organizations simply trust certificates or the supplier’s own claims. To change this, organizations need to start taking ownership of their supplier choices and review them before signing contracts.

What Is the Value of Security?

What does it cost if production stops? How do we measure security? And what is the full impact of an attack? Maybe we need to think backwards: calculate how much a cyberattack could cost us and compare that to the resources needed to prevent it.

Some consequences can’t be undone, no matter how fast you recover, such as leaked personal data or a damaged reputation. Everyone agrees that the cost of losing brand trust is devastating — it simply cannot be allowed to happen.

Just like at the previous meeting, participants talked about the general lack of interest in working with security. Security professionals are often evaluated on things unrelated to security, or only noticed when something goes wrong. This makes security work thankless at times. One way to improve this is to quantify security work.

One idea discussed was using KPIs to measure security at a cultural level, not just in numbers or code. Examples of cultural security KPIs include:

  • How often do we talk about security?
  • How often do we run security workshops?
  • How many incidents did we report last month?
  • What actions have we taken or planned?

Conclusions

The discussions highlighted the importance of communication and having someone clearly responsible for driving cybersecurity forward. If everyone is responsible, no one is. As with many other topics, leadership support is essential, and security work must not only happen when a major attack hits the news. Business continuity requires continuous effort.

To work effectively with cybersecurity, an organization needs a plan: one for everyday security work, and one for what to do if an attack happens.

Making security a priority is an ongoing challenge. A good first step is to prioritize security actions and create cultural-level KPIs to better measure and evaluate your organization’s security progress. And remember: you are responsible for reviewing your suppliers and ensuring they meet the requirements set by your organization and by regulations.

Elastisys is a Swedish cloud-native company on a mission to safeguard the digital backbone of society. Founded in 2011 and built on decades of research and industry expertise, we help organizations run software critical to society – securely, reliably, and in full regulatory compliance. Through our application platform, Welkin by Elastisys, and a suite of expert services, we enable teams in critical sectors to innovate with confidence. Trusted by industry leaders and rooted in European values, Elastisys is shaping the future of secure, sovereign digital infrastructure.