Manage risk and cybersecurity through a business lens

"Digital ethics, analytics and a people focus will be as important as technical controls." Paul Proctor, Gartner

As organisations transition to digital business, infrastructure and applications are less directly owned, and more services are outside IT control. Sixty percent of digital businesses will suffer major service failures by 2020 due to the inability of IT security teams to manage digital risk, according to Gartner.

Concern over cybersecurity and technology risk hinders innovation — the lifeblood of digital business transformation. CIOs need to address these challenges through the lens of business value, to gain a better understanding of the dependencies business outcomes have on technology.

Taking this approach improves risk management decision making, and better risk decisions in turn improve corporate performance. Corporate performance is also a sound foundation for prioritising resources against business outcomes.

In addition, CIOs who engage their peer executives in understanding the business value of IT gain rigour and defensibility, because the business case is tied to the dependencies of corporate performance on technology.

Digital business changes everything

CIOs need to understand the current context and trajectory of managing technology risk and cybersecurity in a modern enterprise. Cybersecurity is a critical part of enterprise value delivery with today's broader external ecosystem and new challenges in an open digital world.

As organisations transition to digital business, cybersecurity must address infrastructure and services the organisation does not own. Digital trust must be established with customers and partners in order to compete effectively.

Safety becomes an issue at the intersection of technology and the physical world (IT and operational technology [OT], Internet of Things [IoT]). The pace of business accelerates to algorithmic speeds as algorithms take over business decision making from human intervention.

Material shifts in culture, behaviour and technology are required to effectively address technology risk and cybersecurity. In the future, security officers will work more like intelligence officers and trusted advisors, as citizen IT and business unit IT become the dominant model.

Organisations will learn to live with acceptable levels of digital risk as business units innovate to discover what security they need and what they can afford. Digital ethics, analytics and a people focus will be as important as technical controls.



Looking through a business lens

To view cybersecurity and technology risk through the business lens, CIOs must take into consideration the following factors:

1. Leadership and governance

Improving leadership and governance is arguably more important than developing technology tools and skills when addressing cybersecurity and technology risk in digital business.

2. Accountability is non-negotiable in the digital business world

Security has new levels of funding, but that comes with new expectations for execution. As the ways to create and consume IT services evolve, such as business unit IT and citizen development, the security department has less direct control. The value a cybersecurity programme delivers is advancing from defence and protection alone to supporting resilience and risk-based approaches. This requires a shift in culture and skills.

3. Evolving threat environment

Advanced threats continue to evolve through targeted and pervasive mechanisms. The blurring of the line between physical and digital has made safety a primary concern of cybersecurity. Incident response must address recovery and resilience in the face of aggressive business disruption attacks.

4. Cybersecurity at the speed of digital business

Digital business moves at a faster pace than traditional business, and traditional security approaches designed for maximum control will no longer work in the new era of digital innovation. Business opportunity, development, decision making and expectations will have to be addressed in a timely and efficient manner, requiring new skills and practices.

5. Cybersecurity at the new edge

It used to be easy to protect data because we knew where it was: in the data centre. The new edge has pushed far beyond the data centre into OT, cloud, Software-as-a-Service (SaaS) and connected things. Organisations need to address cybersecurity and risk in technologies and assets they no longer own or control.

Business unit IT is a fact in most modern enterprises, and won’t be shut down by cybersecurity and risk concerns. It must be embraced and managed to deliver appropriate levels of protection.

6. Cultural change

It has been a platitude for years that cybersecurity requires people, process and technology, but people and process haven't received the same attention as technology. Cybersecurity in many organisations has been written off as a technical problem, handled by technical people and buried in IT.

With the acceleration of digital business and the power technology gives individuals, it’s now critical to address behaviour change and engagement — from employees to customers. Cybersecurity must accommodate and address the needs of people through process and cultural change.

Communicating business value

To better communicate the business value of IT, here are some top actions for CIOs to consider:

· Create executive awareness and appetite to manage and accept appropriate levels of risk that support business outcomes.

· Use people-centric security to create behaviour change, so people move from being the weakest link in the security chain to the strongest.

· Build and formalise a risk-based approach and program that acknowledges the basic risk appetite shift when adopting digital business.

· Identify gaps and opportunities for improvement, stack-rank the resulting remediation projects and create multi-year remediation plans.

· Manage cultural change to create a risk-engaged culture.

· Help non-IT counterparts understand and consciously engage in good decision-making related to technology risks.

· Transform technology risk and cybersecurity into a business function.

· Position accountability for security as a business unit issue, which allows business units to choose their level of investment within the risk appetite set by the executive.

Paul Proctor is a VP distinguished analyst at Gartner, leading CIO research for technology risk, cybersecurity and the business value of IT.


Copyright © 2016 IDG Communications, Inc.
