Manage risk and cybersecurity through a business lens
- 24 November, 2016 06:30
Digital ethics, analytics and a people focus will be as important as technical controls.
As organisations transition to digital business, infrastructure and applications are less directly owned, and more services are outside IT control. Sixty percent of digital businesses will suffer major service failures by 2020 due to the inability of IT security teams to manage digital risk, according to Gartner.
Concern over cybersecurity and technology risk hinders innovation — the lifeblood of digital business transformation. CIOs need to address these challenges through the lens of business value, to gain a better understanding of the dependencies business outcomes have on technology.
Not only does taking this approach improve risk management decision making, it also improves corporate performance through better risk management. Corporate performance is a great foundation for prioritisation of resources against business outcomes.
In addition, CIOs engaging their peer executives to better understand the business value of IT will have more rigour and defensibility when their business case is tied to corporate performance dependencies on technology.
Digital business changes everything
CIOs need to understand the current context and trajectory of managing technology risk and cybersecurity in a modern enterprise. Cybersecurity is a critical part of enterprise value delivery with today's broader external ecosystem and new challenges in an open digital world.
As organisations transition to digital business, cybersecurity must cover externally owned infrastructure and services. Digital trust with customers and partners will be required to compete effectively.
Safety becomes an issue with the intersection of technology and the physical world (IT/operational technology [OT], Internet of Things [IoT]). The pace of business accelerates to algorithmic speeds as algorithms take over business decision making from human intervention.
Material shifts in culture, behaviour and technology are required to effectively address technology risk and cybersecurity. In the future, security officers will work more like intelligence officers and trusted advisors, as citizen and business unit IT become the dominant model.
Organisations will learn to live with acceptable levels of digital risk as business units innovate to discover what security they need and what they can afford. Digital ethics, analytics and a people focus will be as important as technical controls.
Looking through a business lens
To view cybersecurity and technology risk through the business lens, CIOs must take into consideration the following factors:
1. Leadership and governance
Improving leadership and governance is arguably more important than developing technology tools and skills when addressing cybersecurity and technology risk in digital business.
2. Accountability is non-negotiable in the digital business world
Security has new levels of funding, but that comes with new expectations for execution. As the ways to create and consume IT services evolve, such as business unit IT and citizen development, the security department has less control. Cybersecurity program value delivery is advancing from defence and protection-only to support resilience and risk-based approaches. This requires a shift in culture and skills.
3. Evolving threat environment
Advanced threats continue to evolve through targeted and pervasive mechanisms. The blurring of lines between physical and digital has made safety a primary concern of cybersecurity. Incident response must address recovery and resilience in the face of aggressive business disruption attacks.
4. Cybersecurity at the speed of digital business
Digital business moves at a faster pace than traditional business, and traditional security approaches designed for maximum control will no longer work in the new era of digital innovation. Business opportunity, development, decision making and expectations will have to be addressed in a timely and efficient manner, requiring new skills and practices.
5. Cybersecurity at the new edge
It used to be easy to protect data because we knew where it was: in the data centre. The new edge has pushed far beyond the data centre into OT, cloud, Software-as-a-Service (SaaS) and things. Organisations need to address cybersecurity and risks in technologies and assets they no longer own or control.
Business unit IT is a fact in most modern enterprises, and won’t be shut down by cybersecurity and risk concerns. It must be embraced and managed to deliver appropriate levels of protection.
6. Cultural change
With the acceleration of digital business and the power technology gives individuals, it’s now critical to address behaviour change and engagement — from employees to customers. Cybersecurity must accommodate and address the needs of people through process and cultural change.
Communicating business value
To better communicate the business value of IT, here are some top actions for CIOs to consider:
· Create executive awareness and appetite to manage and accept appropriate levels of risk that support business outcomes.
· Use people-centric security to create behaviour change, so people move from being the weakest link in the security chain to the strongest.
· Build and formalise a risk-based approach and program that acknowledges the basic risk appetite shift when adopting digital business.
· Identify gaps and opportunities for improvement, stack-rank the resulting remediation projects and create multi-year remediation plans.
· Manage cultural change to create a risk-engaged culture.
· Help non-IT counterparts understand and consciously engage in good decision-making related to technology risks.
· Transform technology risk and cybersecurity into a business function.
· Position accountability for security as a business unit issue, which allows business units to choose their level of investment.
Paul Proctor is a VP distinguished analyst at Gartner, leading CIO research for technology risk, cybersecurity and the business value of IT.