#40 – CYBER SECURITY RISKS & PROCESS IMPROVEMENT – ADINA SUCIU

One of the big 2014 trends for IT is the increased shift from being a division supporting the business to becoming more and more a business partner.  When technology is deployed and managed to fully support business processes and to advance effectiveness and efficiency of the E2E (exchange to exchange), outside-in, customer-view processes, the overall organization gains agility that is easier to sustain.

CYBERSECURITY – CRITICAL CONCERN
Cybersecurity is of special concern these days and addressing this increasing threat with sustained agility is a ‘must have.’   But how do you do that?  What does it take?

Best practices in process and performance excellence give us the model and the framework to reach that agility.  And, as we all know, agility in the processes is sustained as long as agility in the people is sustained: as in an engaged workforce and an organization fostering learning and innovation.

In a recent ZDNet article on the challenges facing the CIO in 2014 (http://www.zdnet.com/challenges-facing-the-cio-in-2014-7000022666/), a good section was reserved to discuss the impact of cybersecurity.

Let’s look at a few cybersecurity highlights in this article and discuss the process and performance excellence aspects that may play a role in moving the dial from “I don’t know where I am and what is happening” (read: panic and nightmare) to a preventive and optimizing posture.

CFOS MUST LEAD ON CYBERSECURITY
Under cyber attack, EY’s 16th annual Global Information Security Survey, shows that cyber attacks around the world are increasing in volume and sophistication. Many organizations do not even know they are victims of cyber attacks.

The costs of these attacks to the organization – whether financial or reputational – can be staggering. For CFOs, information security needs to be a top priority in safeguarding their organization’s future.

Threats are increasing. Of the 1,900 organizations around the world surveyed for this study, 59% cite an increase in external threats in the last year. However, more companies have been compromised than realize it.

  • Do you have measurements in place assessing the effectiveness of your information security?
  • Are these measurements aligned with your processes?

If the data (measurements) are not aligned with the processes (i.e. what you do) then you don’t have the information you need to make decisions.

Companies are doing more, but not enough.  While 43% of respondents say their company has increased their budgets for information security, many information security professionals believe that they have insufficient resources to meet the threats they face.

Using quality and process excellence best practices, resources currently spent on ineffective and inefficient processes could be reallocated to security.  An organization training its people in cybersecurity (such a ‘hot’ topic that opens up career opportunities) will benefit from an engaged workforce.  It will also benefit from higher quality subject matter experts: if I already know these processes and the technology supporting them really well, and I now get training in information security, I can bring a lot more value than an information security specialist who doesn’t know our processes or a process person who doesn’t understand the security aspects.

Freeing up people by improving ineffective and inefficient processes also means freeing up their minds and allowing innovation.

The C-suite must be onboard.  To build the capacity to tackle the increase of cyber threats, executives must support their information security teams.  Together they can put the investment and strategy in place.  Just 1 in 10 of the organizations we surveyed currently has monthly cyber security briefings to the board.

A few questions may be considered:

  • Is cybersecurity part of the strategy?
  • Is there a strategic goal associated with it and a systematic way to review and continuously adjust it?
  • Are the strategy and goals associated with cybersecurity effectively communicated throughout the entire organization?

Many have not aligned cybersecurity to risk.  Organizations need to align their cybersecurity strategy to their risk appetite and the overall risk environment.  Sixty-two percent we surveyed had not created this alignment.

We all refer to cybersecurity as a ‘threat.’  But it should be one of all the threats acknowledged in the bigger picture of Strengths, Weaknesses, Opportunities and Threats (SWOT).  A SWOT analysis is a best practice for the strategic planning process.  If cybersecurity is acknowledged as a threat, it should be considered together with all other organizational threats: managed and prioritized in a holistic manner, as part of the overall Risk Management.  The more integrated the management of risk, including cybersecurity, the more effectively it can be managed, and the better the chance of reaching the maturity levels at which risk management is preventive and optimized.

In the context of managing risk, we should also reiterate that the prerequisite of good risk management is process management (well defined, systematic processes measured and managed for effectiveness and efficiency).  With this framework in place, risk management is an extension of quality.  Also, people skills evolve naturally, building on quality capabilities to include risk skills.

When cybersecurity is treated as a separate effort, there is the potential for ‘white space’ risks, horizontal and/or vertical.  To clarify, in this context ‘horizontal white space’ means the gaps in the complete and correct handshake between subprocesses along the end-to-end processes.  ‘Vertical white space’ means the gaps in the management processes.  Examples of management processes include setting direction, cascading strategic goals down into tactical action plans, and communication.  For example, did the leaders communicate well the strategic importance of cybersecurity and its strategic goal, and define how this cascades down to the tactical level?

Achieving process excellence means minimizing white space and maintaining the agility to sustain and continuously improve.  When cybersecurity is part of the overall risk management discussion, the specific requirements related to white space elimination WILL include cybersecurity, and this will ensure fewer gaps or missing controls.  It also means managing risk in a comprehensive way.  All the assumptions and possible failures are looked at holistically, including the side effects that one may have on another.  And when this comprehensive approach is repeatable, well deployed, measured, managed and improved, it means we can prevent most of the problems and we can optimize.  We are building agility into the system.

INVEST IN INNOVATION
Organizations should spend more on innovation.  When it comes to cybersecurity, organizations need to spend less on operations and maintenance, and more on investigation and innovation.  Currently, only 14% of cybersecurity spending goes on security innovation, despite the rapid evolution of hacking techniques.

For any organization that doesn’t have good process management in its operations, a lot of time is spent on fighting fires, rework, and duplicate or unnecessary work, to the frustration of employees and managers.  In particular, if the approaches used to deal with cybersecurity are not systematic, well deployed, measured for effectiveness and continuously improved, it is almost certain they are not effective.  If the approach in place is ‘fighting fires’ (read: reactive) but the expectation is to continuously innovate, there is a big gap that will continue to grow.  Time and resources need to be invested in creating systematic and mature (read: measured, managed and continuously improving) approaches.  This is the reliable foundation that will allow the people to innovate and the approaches to be changed with the ability to scale up.  You cannot have time for innovation when operations are inefficient and people are stressed out.  Morale is down and there is no way to have a culture of organizational learning.

New developments are going to mean new threats.  If companies spend too much time and resources dealing with threats to their current technology, they may find themselves exposed when the next wave of technological change comes. New developments, such as big data and ‘bring your own cloud,’ and those further off, such as ‘in-memory computing’ and the ‘Internet of Things,’ must be considered now.

How do you enhance product development to include cybersecurity in an agile way, with a process in place to continuously adjust requirements as the business and internet context changes?  What is your approach to cybersecurity requirements in end-to-end product development?  How do you change and improve IT processes to answer the new requirements, and be able to adjust much faster when new requirements have to be addressed?  Again, mature IT processes that are measured and managed will be able to change faster and without creating other risks.

Cyber threats are changing.  Hackers are becoming more organized and sophisticated, and many recent cyber attacks have involved the electronic siphoning of funds.  As well as posing a significant reputational risk, these kinds of attacks can invite greater regulatory scrutiny, which in turn increases organizational costs.

PEOPLE AGILITY
The agility of an organization is measured in the agility of its people, but it has its foundation in a well managed process framework, with the goal of high maturity levels in quality and risk management.

People and processes have to have a good alignment that is continuously re-adjusted.

An engaged workforce gives a significant edge when it comes to cybersecurity: loyal employees are less likely to launch cyber attacks from the inside, and they will be more engaged in innovating cybersecurity solutions and preventive approaches.

Again, it comes back to the organization maintaining a culture of innovation and engagement, and operations based on well managed end-to-end processes.

Cybersecurity must be a permanent focus.  Cyber criminals are constantly changing their methods to take advantage of new technologies and new weaknesses in corporations. Companies can never completely fix cybersecurity.  Organizations must continue to focus on it, and aim to recognize and counter threats before they appear.

The cybersecurity threat is increasing and significant breaches are becoming part of the daily news.  As an organization, you cannot keep up unless you build process-managed operations and an engaged workforce.  The information used for decision making is the data aligned with the process.  In this way, you have the agility to make enterprise-wide changes in a systematic and sustainable way, maintaining the alignment, the effectiveness and the efficiency of the end-to-end process, without compromising the quality of services and products because of cybersecurity-related changes.
