INSIGHT: Digital business requires new approach to digital security
- 04 February, 2015 06:05
January must be listed somewhere as the official month of “all-day meetings.”
This is the time of year when CEOs and their teams hunker down with leaders throughout the business in daylong meetings to kick off plans, programs and initiatives.
If you’re anything like Peter Sondergaard, Senior Vice President and Global Head of Research, Gartner, then you know you’ve been in too many of these meetings when you catch yourself using terms like “I think we need a bio-break.” Sigh.
“I have been working with a lot of client CEOs and their teams over the past few weeks, and one topic keeps coming up over and over again — information security,” Sondergaard reports.
“The sensational headlines from last year about systems breaches, compromised customer data and brand attacks have struck a chord for leaders who see this as a very real and present danger for their organisations.”
What’s to be done?
According to Sondergaard, an ICT industry veteran, the same headlines that have clearly spooked CEOs into putting information security on their priority list have also polarised them into a perilously narrow way of thinking about what actually constitutes information security risk.
“Too often they see the solution as merely improving the tools and platforms managed by their CIO and IT organisations,” he adds.
“But this is not sufficient. Information security is no longer just a technical problem handled by technical people. It requires systemic behaviour change in business process and by all employees.
“And as more enterprises become digital businesses, they will require a digital risk and security program.”
Having spoken with Paul Proctor, Gartner's chief of research for security and risk, Sondergaard believes it is clear that CEOs must own the responsibility of redefining what security and risk mean for their organisations as they become digital businesses.
To address these challenges head on, Gartner research strongly recommends that CEOs consider the role of the digital risk officer (DRO), which is either a new role or an expanded set of responsibilities for the chief information security officer (CISO).
Digital risk officer: A new year, yet another new role?
“As organisations, marketplaces, customers and every other factor impacting our strategy constantly change, new opportunities and risks inevitably present themselves to CEOs and senior leaders,” Sondergaard says.
“New roles with defined responsibilities are often created to focus the necessary time, resources and expertise on these issues so that, putting it simply, something gets done about it.”
Sondergaard believes these roles are sometimes transient, or a way of defining a specific additional focus for an existing senior leader.
“Either way, the title acts as a rallying flag within the organisation for all these initiatives to coalesce in one place,” he adds.
“And rather than own a specific new initiative, which inevitably causes friction within the C-suite, the most successful executives instead focus on coordinating the multitude of activities and direct efforts in one coherent direction.”
It’s all about focus
With 2015 already one month down, Sondergaard advises that CEOs need to task the DRO to investigate the risk implications of digital innovation and the level of risk that is acceptable across the organisation in a world of increasing digitalisation of both physical and virtual assets and processes.
“The assessment of risk needs to span the digital business from one end to the other, not in isolated pockets such as products, business units or traditional channels,” he advises. “It must be across the entire process to be successful.”
Sondergaard claims that, to be successful, the DRO needs a deep level of understanding of the Internet of Things (IoT), operational technology (OT), physical security, information security, privacy, business continuity management and risk.
“The DRO needs to understand the entire digital platform of the organisation,” he says. “In many organisations the CISO may assume these expanded responsibilities, but may not continue to report to the CIO.”
Digital risk and security is only one of several capabilities that CEOs need to re-evaluate, according to Sondergaard, who advises that CEOs should assume accountability for each of these capabilities and then assign specific responsibility for each to a leader within their organisation.
“Digital business requires an added set of capabilities as a CEO,” Sondergaard adds.
Gartner believes the rapid digital change around us leaves every CEO with only 24 months to develop a digital strategy, reassign and/or expand corporate responsibilities and start executing change.
“It’s clear that the size of the challenge does not match the number of professionals who are qualified to help, which creates a high price for this scarce competence,” Sondergaard warns.
“So there’s no time to lose. Is this on your all-day meeting agenda?”