Organisations must invest in three risk disciplines to increase trust and resilience in the digital business age, according to Gartner.
Running a digital business presents business leaders with an increasing level of complexity and new threats, and according to research analyst firm Gartner, this requires a change in their approach to IT risk and cybersecurity.
“We are at the intersection of two major macro trends,” says David Willis, VP and distinguished analyst, Gartner.
“The first is the transformation to a digital business. The second is the growing capacity and sophistication of digital adversaries to breach our defences and cause major business disruptions in business operations.”
Willis says CIOs are feeling the impact of the digital business age.
In the 2015 Gartner CIO Survey, 89 percent of CIOs said digital business would create new types and levels of risk.
“Inside and out, organisations are architected for agility and convenience, not resilience,” Willis adds.
Willis notes that the architectures that give enterprises and their customers agility and convenience are the same ones attackers use to gain broad access to enterprise systems once they have a foothold anywhere in the extended value chain.
“Regulatory compliance is insufficient to protect the business and its customers,” Willis adds. “The emerging standard is resilience, meaning the ability to recover rapidly from unforeseen circumstances.”
Going forward, Willis believes organisations must invest in three risk disciplines to increase trust and resilience:
Re-architect the foundation to make people, processes and technology more resilient:
The transformation to full-scale digital business extends well beyond the IT organisation, impacting the design and staffing of nearly every business function.
Willis says its sheer scale underscores the importance of applying resilience to people, processes and technologies.
In the next decade, trade-offs between convenience and resilience will be driven by increasing regulation. Significant investment will be required throughout the organisation to meet the challenge of resilience, a much higher bar than regulatory compliance.
Increase awareness to build trust and resilience:
Most of the high-profile cyberattacks on organisations in recent memory began with a "phishing" attack - a socially engineered message designed to manipulate its recipient - aimed at a single enterprise employee, and in Gartner's view only awareness on the part of that employee could have prevented the consequences.
“Technology alone cannot and will not protect the individual and the enterprise from carelessness or malicious actors,” Willis adds.
Personal awareness and responsibility with respect to safety and propriety must become priorities for the business.
“Organisations must replace once-a-year compliance-oriented training with ongoing awareness campaigns,” Willis adds.
“In addition, as the lines between personal and business technology are blurring, organisations should also consider extending protections to employees at home.”
Extend governance to build trust and resilience throughout the ecosystem:
Malicious actors now include nation states, and no single organisation can successfully defend itself against such opponents, let alone against operational failures deep within the enterprise's ecosystem.
Willis believes the risks to digital businesses go far beyond the walls of the enterprise, and governance processes must follow.
“Organisations must broaden and deepen internal governance, look to their ecosystems for additional support, and lend their influence to the creation of common defences,” Willis adds.
Trading security in favour of convenience for employees and customers is routine in this era, Willis adds.
Now the scale and ferocity of assaults on businesses - and the underlying interdependent complexities of digital business - should signal organisations to shift trade-offs toward resilience in both business and IT operations.
“Within a few years, regulation will speed that shift and organisations should expect the risks of digital business to increase in the meantime, and plan accordingly,” Willis adds.