Digital Business Requires a New Approach to Digital Security
by Peter Sondergaard | January 30, 2015
January must be listed somewhere as the official month of “all-day meetings.” This is the time of year when CEOs and their teams hunker down with leaders throughout the business in daylong meetings to kick off plans, programs and initiatives. If you’re anything like me, then you know you’ve been in too many of these meetings when you catch yourself using terms like “I think we need a bio-break.” Sigh.
I have been working with a lot of client CEOs and their teams over the past few weeks, and one topic keeps coming up over and over again — information security. The sensational headlines from last year about systems breaches, compromised customer data and brand attacks have struck a chord for leaders who see this as a very real and present danger for their organizations.
What’s to be done?
The same headlines that have clearly spooked CEOs into putting information security on their priority list have also polarized them into a perilously narrow way of thinking about what actually constitutes information security risk. Too often they see the solution as merely improving the tools and platforms managed by their CIO and IT organizations.
But this is not sufficient. Information security is no longer just a technical problem handled by technical people. It requires systemic behavior change in business process and by all employees. And as more enterprises become digital businesses, they will require a digital risk and security program.
In speaking with our chief of research for security and risk, Paul Proctor, it is clear that CEOs must own the responsibility of redefining what security and risk mean for their organizations as they become digital businesses. To address these challenges head on, our research strongly recommends that CEOs consider the role of the digital risk officer (DRO), which is either a new role or an expanded set of responsibilities for the chief information security officer (CISO).
Digital risk officer: A new year, yet another new role?
As organizations, marketplaces, customers and every other factor impacting our strategy constantly change, new opportunities and risks inevitably present themselves to CEOs and senior leaders. New roles with defined responsibilities are often created to focus the necessary time, resources and expertise on these issues so that, putting it simply, something gets done about it. These roles are sometimes transient, or a way of defining a specific additional focus for an existing senior leader. Either way, the title acts as a rallying flag within the organization for all these initiatives to coalesce in one place. And rather than own a specific new initiative, which inevitably causes friction within the C-suite, the most successful executives instead focus on coordinating the multitude of activities and direct efforts in one coherent direction.
It’s all about focus
CEOs need to task the DRO to investigate the risk implications of digital innovation and the level of risk that is acceptable across the organization in a world of increasing digitalization of both physical and virtual assets and processes. The assessment of risk needs to span the digital business from one end to the other, not in isolated pockets such as products, business units or traditional channels. It must be across the entire process to be successful.
To be successful, the DRO needs a deep level of understanding of the Internet of things (IoT), operational technology (OT), physical security, information security, privacy, business continuity management and risk. The DRO needs to understand the entire digital platform of the organization. In many organizations the CISO may assume these expanded responsibilities, but may not continue to report to the CIO.
Digital risk and security is only one of several capabilities that CEOs need to re-evaluate, assume accountability for, and then assign as a specific responsibility to a leader within their organization. Digital business requires an added set of capabilities of a CEO. Gartner believes the rapid digital change around us leaves every CEO with only 24 months to develop a digital strategy, reassign and/or expand corporate responsibilities and start executing change.
A recent article in the Wall Street Journal noted that experienced CISOs with these skills are now commanding $1M+ packages. It’s clear that the size of the challenge does not match the number of professionals who are qualified to help, which creates a high price for this scarce competence.
So there’s no time to lose. Is this on your all-day meeting agenda?