Cyber Risk Management is an Innovation Process

It is perhaps too simplistic to say the world has changed massively due to digital technology. For the last two decades, digital innovation has been the mantra of many businesses. This has provided increased prosperity, efficiency, new types of business, entirely new commercial sectors—and, unfortunately, new forms of business risk.

When looking at innovation, considerable work has been done to think about what it is, what makes it work, and how to make it more effective. One model that is often used is Absorptive Capacity. This concept was coined by Cohen and Levinthal as a firm’s “ability to recognise the value of new information, assimilate it, and apply it to commercial ends”. 

This concept has been refined to identify the distinct areas a company needs to develop to manage and professionalise its innovation:

  • Knowledge Acquisition Capability – How well we can get external information relevant to us?
  • Assimilation Capability – How good are our processes to understand and analyse external information?
  • Transformation Capability – How good are our processes to combine existing knowledge and the newly acquired and assimilated knowledge?
  • Exploitation Capability – How good are we at competitively using new external knowledge to achieve organisational goals?

How does cyber risk management relate to this? Cyber risk management is the process of obtaining data, processing it, combining it with existing knowledge and then exploiting it to improve the position of an organisation through better, more efficient protection. Ultimately, this is the same as the innovation process defined by Absorptive Capacity . However, we rarely think of cyber risk management in this way, nor do we consider maturity of the risk management process in a routine and structured way.

Cyber risk management starts with information—preferably good information. Many standards and best-practice approaches indicate the need to collect information, often from internal sources. Yet information, especially quantitative information, can be hard to find—as the HIPSTER project has discovered. And so we often use subjective expert-based opinion, either from internal sources or from external expert sources.

The maturity of an organisation shows in both the quality of the information that is obtained, and in the effectiveness of the processes to obtain, assimilate, transform and exploit it, although the quality of information and the effectiveness of the process often go hand in hand. We need both quantitative (numbers) and qualitative (non-numeric) information for a sound risk management process. And it is important that we recognise the distinction, and maximise the value of each type of the information to effectively support decision making by the organisation.

The lens of Absorptive Capacity can help us to understand our risk management process, just as it helps us to understand our innovation process. We can reflect on the processes in each of the four phases (knowledge acquisition, assimilation, transformation and exploitation), to decide where we should put effort to improve. This provides strategic development, and efficient resource allocation to improve the process of cyber risk management, rather than the ad-hoc, organic, and often knee-jerk reactions found in so many companies.

This concept can go further. Much of the focus of cyber risk management is about the company and risks to the company. But the products and services our company produces form part of a supply chain for other companies and also for end users. Using Absorptive Capacity as a development model helps improve product innovation, but it can also help us manage the security issues in our product development; therefore, helping to manage the risks for our clients and consumers.

This is one of the central tenets of the HIPSTER project: taking a risk-based approach to developing security features during product development reduces the risk to our company and also the risks to our supply chain. Aligning the way we innovate with the way we manage risk creates efficiency in our company’s development. But more importantly it enables us to be innovative in our risk practice, giving us the competitive edge we need.

  •  Dan Prince

Picture created by Anna Dyson using Midjourney