I had the pleasure of attending Gartner’s 15th Security & Risk Management Summit in London over the last two days, and it is always interesting to hear about the latest research and forward-thinking perspectives and to discuss new insights. This year Gartner continued the message that the Digital Business (or the Digital Enterprise, as Karl-Heinz Streibich, CEO of Software AG, calls it in his book of the same name) will impact our lives tremendously, in business and privately. Some say it will impact life even more than the introduction of the internet.
Digital business also means new, digital risks: risks related to the growth of IoT (the Internet of Things), a world in which cars, smart meters, the main entrance to your home and everything else is equipped with an internet connection. While great opportunities exist in this brave new world, there are new threats too.
In response to the need to balance the opportunity and risk surrounding IoT, Gartner uses the term ‘Smart Risk’. To give some more insight into ‘Smart Risk’, Gartner analyst John Girard introduced three relevant stakeholders.
The CISO (Chief Information Security Officer) can be perceived as the keeper of best practices for Security & Risk Management. CISOs can lead Smart Risk initiatives that work to improve security and manage costs at the same time. This can be done, for example, by applying system patches on time, or by planning IT properly. Simple procedures avoid failure.
The CIO (Chief Information Officer) is the second actor. In Gartner’s 2014 research ‘CIOs Technology Priorities’, ‘BI/Analytics’ is highlighted as the number one priority. Analytics is typically a business-driven requirement to support decision making. Interestingly, ‘Security’ did not feature nearly as highly, at 8th position.
While the CIO can be seen as blocking the business by imposing costly security controls, CIOs become more successful the better they answer the question “how do we leverage innovation and simultaneously keep control over risks?”
That sentiment was echoed by Gartner’s Andrew Walls when he said, “The CIO must influence the employees to turn risk into opportunity.” Walls underlined a serious problem: “security is useless, nuisance employees don’t care and there’s bad communication about security.” In contrast to capital markets and trading, where staff are rewarded for taking extraordinary risks, Walls underlined the importance of rewarding employees who take more control and responsibility for risk and security. He said this can be done through advertising, storytelling, peer pressure, peer recognition and consistent leadership.
Walls talked about “a transition from a control-centric principle towards people-centric responsibility. From principles towards rights & responsibilities.” Gartner even goes so far as to describe People Centric Security (PCS) in terms of: “Awareness and education gives people the tools to do the right things. Stick to your risk priorities and act like it. Important point is not to forget identifying opportunities as well.”
The CEO (Chief Executive Officer) is the third actor. CEOs often see security as an IT thing handled by IT people. Gartner analyst Paul Proctor described how: “CEOs believe security is a problem that can actually be solved. This is what causes our problems with executives.” This opinion is the opposite of that of CIOs and CISOs, who believe there is no such thing as perfect protection. Another issue is that CEOs too often see security as a project. It is not. Security must be continuous, and a governance process is required in which IT and non-IT stakeholders make conscious decisions together.
In order to get the right security topics onto the table of the CEO and the Board of Directors, Proctor advises learning to communicate more effectively: “You need to prioritize actions in a context which are of interest of CEOs and executive decision makers.” Balance risk and opportunity by using the link between KPIs (key performance indicators) and KRIs (key risk indicators). Measure the causality between them and use it as an early warning signal to influence real decisions.
This cannot be achieved with manual processes and activities; you need to become digital. What about the influence of Digital Risk Officers, then? Not that they exist at the moment. However, Proctor said that Gartner predicts one third of large enterprises in digital business will in future have a Digital Risk Officer, whose job is to manage the risk of digital innovation.
Analysis of all three stakeholders gave me valuable insights. When you think about it, the insights you need for risk are not so very different from the insights you need to run your business most effectively. In both cases, you need deep insight into the operations of your enterprise. You need to understand how efficiently your business processes are operating. You need to know what is going into your products, where it is coming from, and what factors might complicate your ability to deliver your products. You need to know how much money you are spending (and where and why) as well as how much money you are making (and where and why). You need to know which areas of the enterprise are working well and which need to be improved. Causality between KRIs and KPIs makes perfect sense, particularly when you map them onto your business processes and business owners, because then you make risk smart and actionable, and you speak the language that executives understand.