Imagine an insurance company whose business model is thoroughly digital. Empowered by customer consent, the company monitors its customers’ activities related to their coverage, communicating with them through various digital channels about behaviors that raise or reduce risk, and thus raise or reduce premiums.
The company functions as both insurer and life advisor with a business model that essentially runs on trust, supported and enabled by extensive technology capabilities, including a wide range of sensors, payment cards and processing systems, and big-data analytics that compare customer activity to risk models. That trust is secured via an extended value chain that includes digital suppliers and their suppliers, many of them beyond the direct control of the company. What happens if that value chain is disrupted by an operational failure, a malicious actor, or governmental intrusion?
Attackers use the same architectures
With IT intrinsic to operations and relationships in the entire digital business value chain, it’s easy to see why 89% of CIOs in the 2015 Gartner CIO Survey said digital business would create new types and levels of risk. Inside and out, enterprises are architected for agility and convenience, not resilience, according to Richard Hunter, vice president and Gartner Fellow. However, the architectures that offer agility and convenience to enterprises and their customers are the same ones attackers use to gain comprehensive access to enterprise systems once they get a foothold anywhere in the extended value chain.
Legislators worldwide are responding to the sudden urgency of cyberprotection with new laws, and more will surely follow, but it’s unclear how this can improve the situation beyond widening the availability of information about attacks. Regulatory compliance is insufficient to protect the enterprise and its customers. The emerging standard is resilience, meaning the ability to recover rapidly from unforeseen circumstances. Organizations must invest in three risk disciplines to increase trust and resilience: foundation, awareness and governance process.
Invest in three risk disciplines
1. Rearchitect the foundation to make people, processes and technology more resilient
The transformation to full-scale digital business extends well beyond the IT organization, impacting the design and staffing of nearly every business function. Its sheer scale underscores the importance of applying resilience to people, processes and technology. In the next decade, trade-offs between convenience and resilience will be driven by increasing regulation. Significant investment will be required throughout the enterprise to meet the challenge of resilience, a much higher bar than regulatory compliance.
2. Increase awareness to build trust and resilience
Arguably, most of the high-profile cyber-attacks on enterprises in recent memory began with a phishing attack, that is, the psychological manipulation of a single enterprise employee, and only awareness on the part of that employee could have prevented the consequences. Technology alone cannot and will not protect the individual and the enterprise from carelessness or malicious actors. Personal awareness and responsibility with respect to safety and propriety must become priorities for the enterprise. Enterprises must replace once-a-year compliance-oriented training with ongoing awareness campaigns. Given that the lines between personal and business technology are blurring, enterprises should also consider extending protections to employees at home.
3. Extend governance to build trust and resilience throughout the ecosystem
Malicious cyber-actors now include nation-states, and no single enterprise can successfully defend itself against such opponents, let alone against operational failures deep within the enterprise’s ecosystem. The risks of digital business go far beyond the walls of the enterprise, and governance processes must follow. Enterprises must broaden and deepen internal governance, look to their ecosystems for additional support, and lend their influence to the creation of common defenses.
Enterprise trade-offs in favor of convenience for employees and customers are routine in this era. Now the scale and ferocity of assaults on enterprises, and the underlying interdependent complexities of digital business, should signal to enterprises that they need to shift those trade-offs towards resilience in both business and IT operations. Within a few years, regulation will speed that shift. Enterprises should expect the risks of digital business to increase in the meantime, and plan accordingly.