“I think that done properly it will be a competitive advantage for us.”
With accelerating technology change, the disruption of incumbent business models is inevitable. The rapid rise in volume and success of start-ups, including ‘unicorns’, are an increasingly significant competitive force. Platform data service businesses are beginning to dominate across continents and industries and service businesses are shifting en-masse to subscription style business models. While many of these shifts are being felt in the mining industry, the industry has retained three main business models. In addition to the fundamental value drivers of safety and brand, each of these business models has its own distinct value proposition and implications for how cybersecurity risks manifest.
Integrated supply chains: Disruption sensitive: e.g. large bulk operators in aluminium and iron ore
Close relationships with key customers who value security of supply, low cost and product quality consistency. For these businesses, a major risk from cyber-attacks is the disruption of continuous production systems and its subsequent impact on their reputation for reliability with customers.
Production for sale into liquid spot markets: Delay sensitive: e.g. precious metals operators in gold, silver and platinum
Limited visibility of customers with minimal differentiation between products but are attractive to investors for their store of value. For these businesses, a major risk from cybersecurity is the disruption of their capacity to produce or trade at expected rates and its subsequent impact on the valuation of their assets by investors.
Explorers and deal makers: Loss sensitive: e.g. junior explorers, traders and portfolio managers
Value proposition is in securing previously unknown or undervalued mineralised assets. Historically, this has mostly been speculative but is increasingly in cooperation with end-customers with specific requirements. For these businesses, a major risk from cybersecurity is the theft of commercial and geological intellectual property from which they derive their competitive value and differentiation.
Many of these companies are major sources of export revenue for their local governments, both directly and through the surrounding equipment, technology and services sector, providing an additional layer of strategic risk and complexity. As major cyclones and operating interruptions (including tailings collapses, safety incidents, union activity) across key mining countries like Brazil, Chile, South Africa, Australia, Indonesia and Canada demonstrate, ongoing interruptions to mining activities are felt in federal budgets. As such, pressure to achieve and maintain resilience to cyber threats is an ongoing reality for executives and may be leveraged for government support.
“Cyber investment is good for business, we see it as an emerging competitive advantage as a base supplier for most supply chains.”
Cybersecurity discussion and commentary can tend towards pessimism rather than positivity. A fascinating theme running through the executive interviews and survey data, however, is the enormous potential that cybersecurity offers to drive a broad range of non-security benefits. Some are profound – transformation, differentiation, productivity and safety – while others are more prosaic – asset and supply chain management. Arguably the greatest commercial business threat is not financial loss, but loss of time – ‘time is money and loss of time cannot be recovered.’
Digital transformation is the catchphrase of the 2010s, overused to the point of distraction – ‘we have been doing digital transformation since the IBM PC hit the streets.’ Despite all the attention it attracts, few large incumbent operating businesses have successfully navigated the process of wholesale digitisation. Common problems of cultural resistance, legacy architectures, over-emphasis on inflexible platforms and ill-suited governance processes have proved difficult to overcome for most. What these types of businesses are good at, including miners, is the mobilisation of processes and people to address key risks – paramount in these is safety.
Should companies be able to internalise the importance of cybersecurity and apply their strong historical cultures of risk management, there is a good chance that they will begin to gain some traction in the establishment of a modern digital architecture for their organisation.