Design for Cybersecurity While You are Young


We get it, cybersecurity protocols typically doesn’t directly generate revenue. Especially for startups on course to prove out their MVP. When time is of the essence, security must be prioritized as an afterthought.

We are here to tell you that your business is not alone (even amongst behemoths). And, we detail out a simple cost effective process that your organization can realistically design and implement from the start and build towards a fully fledged Cybersecurity Risk Management Framework (when you are a behemoth).

How does Cybersecurity relate to accounting? Cybersecurity risk is really a business risk and it’s important to consider whether there are security risks that affect the accuracy of investor-grade reporting and the implications of internal controls and compliance.

The Cyberthreat Narrative

HBR developed a tool called a Cyberthreat Narrative. It addresses the four parts of the story of a potential cyberattack (ACCNTNT added the 5th):

Identifying Cyberadversaries

Cyberadversaries could be either vengeful or opportunists. To plan against their attack, it is important to understand who could be out to get you, their motivations, and their capabilities.

We Do Not Know, What, We Do Not Know

Even a world-class system can’t prepare a company for every possible scenario. According to HBR, A more fruitful approach is to adopt the view that cybersecurity should focus more on [a] threats’ potential impact on a business’s activities.

  • How would this event disrupt your supply chain?
  • Does this expose your trade secrets?
  • How would this make you fail to meet your contractual obligations?
  • Does this threaten lives?

Assign a Trusted Security Committee

Identifying and fixing cyberrisks is a social process. To accurately assess where the most important ones lie, you must consider the viewpoints and opinions of a wide range of employees.

Start by assigning a Trusted Security Committee in charge of regularly reporting to the board on current critical business activities and risk position.

Bear in mind that identifying security risks is an ongoing process. Your business, along with people and systems will continuously grow and evolve.

Have the Trusted Security Committee meet periodically on the following:

Cybersecurity is a Board responsibility. Because boards represent the fiduciary interests of the company’s owners and are charged with adopting a long-term view of the company, we believe that they have the authority and responsibility to oversee efforts to identify cyberrisks.

Assign a Novel Risk Response Team

Novel risks aka Black Swan Events are triggering events that comes from outside the risk bearer’s realm of imagination. Novel risks can result from multiple routine failures that trigger high risk failures, or the risk can materialize rapidly on an enormous scale.

The Novel Risk Response Team should:

  • Be alert for anomalies
  • Scan for unusual events outside your industry
  • Mobilize your Trusted Security Committee to deal with the situation quickly
  • Be given authorization without repercussion to approach a novel risk event with rapid evaluation and procedural override

And, To Recognize Risks Earlier, Invests in Analytics

During an extreme shock your historical data sources may become obsolete. It doesn’t matter how good your information was yesterday. You may need new information. — Cassie Kozyrkov, Chief Decision Scientist at Google

Create a culture where analysts can explore an flourish in thoughtful foresight and crisis response. They should not be treated as dashboard janitors or human search engines

Make Cybersecurity an Essential Design Requirement

A study conducted by MIT worked closely with three global companies to gain an understanding as to why cybersecurity is given no regard until it is too late. Even though most customers expect protection to be an implicit part of the package when making purchasing decisions — product teams, generally, will push the product to market if:

  • Security ultimately compromises customers’ needs
  • Delays time to market
  • Requires specialized resources that elongate design and build

These are all pretty justifiable reasons. Why compromise capturing a share of the market and risk ROI?

According to MIT, the answer, then, is for designers to be knowledgeable enough about security themselves to be able to conceptualize the product with cybersecurity from initial design.

Just like manufacturability, functionality, reliability, and cost — cybersecurity will become an essential design requirement.

Including cybersecurity as a key criterion during initial design avoids:

  • Legal Exposure
  • Shut-down
  • Additional work
  • Redesign costs
  • Delays to release
  • Brand negligence

Best Times to Stress Test

Full disclosure, we are just trying to be sensible. Desperate times call for desperate measures and it is important to understand your organization’s security vulnerabilities during adverse periods. Jamie Dimon listed the following times to stress test during an interview with Harvard Business Review:

  • Geopolitics
  • Capital Downturn
  • Recession
  • War

The biggest potential disruption to our business is new forms of payment. You have PayPal, Venmo, Alipay, and more. These companies are doing a good job of embedding basic banking services in their chats, their social, their shopping experience.

Lean-In to Security

It can take a couple of years to get good at cybersecurity implementation, and with this being said, the message on prioritizing security needs to persevere.

Here are 6 Steps that Leaders can take to change your organization’s values, attitudes and beliefs about security:

Your ACCNTNT is here as a valuable resource when developing data security and designing classification methods into your investor-grade reports.