Clearly, enterprises need to do better, and as with operating and strategic issues, it is the executive board that has the responsibility to lead on this. So are we approaching the whole question of 'security' the right way?
Should we be talking about 'security' at all? The word and its associated practices carry the implication that there is a definable environment to be made secure. Substitute the term 'risk' and there is a wider sense of the commercial forces to which any enterprise and its partners, including customers, are subjected. To trade at all, any enterprise and its management must accept a series of risks; the question is how to identify and quantify those risks.
Maybe I am wrong to say this, but I feel that currently, for many boards, the issue of 'security' is neatly parked under the CTO as a defined task involving the IT department and its operations. Defining security in this manner, as a technology matter, means it is not seen as part of the executive board's ongoing duty to define and manage the enterprise's trading risks. It is off the agenda and ignored at board meetings, with the exception of an occasional agenda item for budget purposes, or as a result of external publicity.
This state of affairs may be good for 'plausible deniability', allowing executive board members to express shock and bewilderment in the face of a 'security breach', and maybe in the non-digital business world it was acceptable. But what about now, and into the future, when all industries are becoming increasingly online trading organisations?
As the role of technology continually expands across their industry, market, and enterprise, it is not just the IT department that is involved, nor is it only the internal IT operations that traditional security was designed to address; now it is the whole business model. That business model depends on new and still changing technologies deployed in new ways, all of which involve increasing on-demand online connectivity to the marketplace for their success.
Digital business is a game changer in every sense for the enterprise, and its executive board needs to change its game in response or be held to account for failure to discharge their duties to shareholders.
So how does an executive board go beyond the current security of internal IT to embrace the wider mandate required by online digital business, without trying to become technology wizards? Having defined what we currently think of and expect from security in its present role, let us consider risk management within the enterprise.
'Risk' is usually understood to encompass a wide range of potential threats across all aspects of the enterprise. Risk management is concerned with identifying those risks, assessing their likelihood and impact, and, for selected risks, contingency planning. All of this would normally form a risk register for the board to supervise, monitor, and use to call for further action as and when needed.
As digital business evolves there are many new potential risks, and some very real short-term risks, not just in hacking breaches but in other areas too. Extending the risk register, and executive board monitoring of it, so that the board understands the risks and can direct expert attention to them is a very necessary move. It is one that auditors should equally be calling for; after all, not knowing exactly what risks your new and growing online digital business is creating for your enterprise, in all its aspects, is pretty obviously a rather disturbing operational oversight!
The challenge in extending the enterprise risk register lies largely in finding experts with the experience to identify and assess these new risks.
Creating new revenue streams, gaining market share, capturing new customers are all the reasons why digital business is growing and will continue to grow. But it is a huge game change in the way business is conducted through opening up online relationships, transactions, and models in a manner that introduces new commercial risks.
Security is one of them, but as all the recent failures show, it is not possible to partition the topic off as a simple technical challenge for the IT department. Instead it is up to the executive board to firmly lead the way in gaining recognition of what is at risk across the whole enterprise, in a manner the executives can understand.
A full risk register for digital business will initially paint a disturbing picture, but that is to be expected, and it allows structured action. Failure to identify risks and act on them can only lead to questions about competency when the inevitable happens. Executive board leadership of the digital business elements is required every bit as much as for the traditional business!
Andy Mulholland is vice president and principal analyst at Constellation Research, focusing on cloud business models. Before this, he was Global Chief Technology Officer for the Capgemini Group from 2001 to 2011, where he successfully led the organisation through a period of mass disruption.