Accelerated Growth in Times of Adversity

How the pandemic emboldened one CISO to embark on the journey to enterprise resiliency

The need

It was a sunny, clear, and somewhat cold April morning in 2020. I was sipping my coffee when my phone rang with a familiar ring. Claire’s (the alias of the CISO for a major Financial Services client) name appeared on the phone and I was happy to connect with her. She started the conversation with a sense of urgency. COVID-19 had severely impacted their operational capability in multiple ways, and the third party that supports their call center said an outbreak in the center in Hyderabad had forced all call center reps to work from home.

The call center handles sensitive customer information, and Claire was concerned that they did not fully understand the risk they were taking on by having people work from home. Some questions that Claire had to address to the bank’s ORM (Organizational Risk Management) group included:

  • Beyond COVID-19: Yes, survivability during COVID-19 was top of mind for the board, both in terms of operational continuity and in terms of how they were going to deal with risk when they returned to normal operations. Claire saw this as an opportunity to build a much more resilient enterprise: one that could become anti-fragile (come out stronger when stressed) when the next crisis occurred, whether that crisis arose from global, regional, environmental, or financial volatility.
  • Unexpected changes in controls: The traditional controls the bank relied on had dissolved. Specifically:
    • How was the bank exposed to potential privacy breaches when they could not control the physical environment? Previously they relied on “Secure Call Centers” where all customer data was protected by a stringent set of biometric controls, closed circuit cameras, and other controls. Now, faced with the pandemic, the call center was forced to move to tele-work. The bank did not have a risk management strategy to handle it.
    • How could they guarantee that no family member was looking over an employee’s shoulder and checking out the bank records of a local government officer (for example)?
    • How could they prevent an employee from using their cell phone to take pictures of their customer (secure) site?
    • What risk and liability would they take on if sensitive information were released to the press by a family member?
  • Trusted AI and Exponentials: As part of the digital channel customer outreach, Claire indicated that the bank is rolling out new digital products that are powered through exponential technologies such as Distributed Ledger, Machine Learning, and Cognitive as well as Deep Learning. Claire wants to ensure that her pivot to cyber resiliency has the structure, agility, and innovative-centric capability to help secure these exponentials and provide a robust trust platform to enable customer and stakeholder adoption.
  • Agility: Claire had designed a cyber security function that was built on a reference standard of structure, foundational capability, and strict adherence to governance/change management. Claire now realizes that this “immovable” structure does not have the agility to address rapid transformation of the business. She feels this could temper the strategic enablement value of her group.

In talking with Claire, it was clear that the organization was not prepared for the crisis and didn’t have the change “shock absorbers” to deal with an unexpected crisis. It was also clear that we had to come up with a game plan to address the ORM’s explicit requirement to secure the third party. In short, we had to provide a sustainable enterprise strategy for resiliency.

Re-Imagine

Imagine if Claire could use this situation to help the organization pivot. Imagine if the organization could take what is an adverse global crisis (pandemic) and be a partner to pivot the business to:

  • Customer: Better engage with customers with an alternative “Channel to Customer” strategy.
  • Products: Provide new and innovative products to better engage with customers, investors, and stakeholders.
  • Range: Drive new market segments, regional and focused customer campaigns. That is how the bank can respond to the crisis to play a role in supporting the community.
  • Agility: Build a more agile organization built on the foundation that modernity requires the ability to drive performance through continuous “re-invention” of the company to drive scalable growth.

The strategy

Claire and I knew that the key to success was the ability to build an enterprise groundswell to become resilient. This meant demonstrating the business value and sharing the vision of how cyber resiliency supports strategic growth during and after COVID-19 and better prepares the bank for future crises. Integrated enterprise resiliency had to include strategic, financial, operational, and cyber resiliency as a tightly integrated framework:

Figure 1 - Enterprise Resiliency is a cross functional initiative.

Call to Action

So Claire wanted to put together both a five-point plan, supported through a 90-day campaign, to get enterprise and cyber resiliency on the Board’s agenda and a strategy to ensure it could be tied to how the bank could thrive during and after COVID-19 and be able to sustain business growth through the next crisis. She and I had a long discussion about what the five-point action plan might look like. It included the following:

  • Step 1 – Strategic Board-Level Imperative: Claire realized that this is an enterprise initiative and to be successful she needed to educate the executive leadership group, C-Suite, and even the Board.
  • Step 2 – Pivot to Prosper: Claire determined that for enterprise resiliency to be successful she would have to demonstrate how this systemic change in structure would result in a much more agile, anti-fragile organization. The organization could lead through digital channels, new AI-driven customer products, and real-time financial tools that better enable the bank to build a leadership growth path. Claire also knows that if cyber resiliency can be a partner for growth, cyber resiliency will be a business-enabled growth engine, able to not only protect but grow the business.
  • Step 3 – Re-Imagine: Claire needs to break down the organization’s value chain (i.e., how the organization delivers value, goods, and services) and overlay it with a resilient business modernization strategy. She is considering an enterprise campaign to re-invent trusted Digital Banking, Trusted AI, Smart Contracting, Predictive Fund Management Analytics, and other aspects of the bank’s value chain.
  • Step 4 – Build a Movement: Claire knew that, even if leadership supported the transformation to enterprise resiliency, to be successful she needed to build a movement within the bank, with the bank’s trusted suppliers/third parties, and with key stakeholders. She realized that transformation to resiliency was not a hyperbolic term, but truly meant a different way of operating. Instead of taking the position to “Defend Backwards” (i.e., just defend the “crown jewels”), the bank needed to “Defend Forward.” Defend Forward was designed to be proactive around cyber resiliency, increasing complexity for adversaries and building a defensive counter-adversary capability. In addition, Defend Forward (when positioned well) would allow the bank to better secure the value chain and enable digital transformation and innovation.
  • Step 5 – On a Journey: Claire and I chatted about the need to take the enterprise on a journey from what they were doing right now to what it would take to transform to a resilient organization. The maturity model shown below will provide key stakeholders with the vision, progression, and journey of what it would take to advance from traditional cyber security to cyber resiliency.

Figure 2 - Cyber Resiliency Maturity Model.

Claire and I felt that we had a sound initial plan to embark on an exciting journey, using the pandemic to pivot and drive accelerated growth for the bank.

The Result

Armed with a cohesive and multi-modal (enterprise-wide) strategy, Claire set out to bring senior leadership along on the journey. Through her strategic vision, she was able to convince the board that Enterprise Resiliency was a growth-enabled paradigm shift for the organization that would allow it to “pivot to prosper.” Through that experience, Claire now chairs the Enterprise Resiliency Leadership Committee, with Cyber Resiliency playing a foundational role in enabling the enterprise to be more resilient and build a sustainable anti-fragile (grows stronger in times of adversity) structure.

Copyright © 2020 IDG Communications, Inc.