The Impact of Technology and Security on Business Landscape
By Dan Polly, Director, Enterprise Information Security, First Financial Bank
As an enterprise security leader or member of a security team, you know that the technologies empowering our businesses are maturing rapidly. And emerging technologies need to be understood earlier in their lifecycle than ever before, lest a future opportunity be missed. You also understand that these technologies are often distilled down to business products and services across the enterprise. This in turn has led to business roadmaps that play out like twenty-lane expressways, full of new initiatives and projects traveling at unprecedented speed – each of which could possibly be the difference between market leaders or market followers. As part of the mechanism that propels these initiatives and projects, you have probably been asked to venture into these high speed lanes to evaluate and mitigate potential cybersecurity and information technology risks. In many instances your team’s participation is the key to success or failure.
So how are rapid changes in technology and security impacting the business environment? The nature and pace of these changes are increasing the risk of not only lack of service availability, data breaches, and reputation damage, but also negative business outcomes such as initiative failure or delay.
For example, a company may have a goal of bringing real-time chat to external clients, while simultaneously reducing resources used to support overall client interaction. The business will likely pursue this goal through either internal development, or third-party product or service offerings. To most areas of the business this may seem like a standard purchase or vendor engagement. But while there may be general knowledge of the underlying technology, information technology and cybersecurity teams realize these products and services are comprised of vast and complex technologies. Let’s take that real-time chat function - this could contain elements of cloud computing, artificial intelligence, deep learning, entire conversational platforms, and more. If the function works properly and risks have been mitigated it’s a win for both clients and the business. However, if it fails to perform as expected and misunderstands customer input, fails to comprehend context resulting in fragmented responses, cannot perform a bot-to-human escalation, or worse, lacks the transparency that reveals the client is conversing with a bot (potentially introducing a trust issue) the damage may be severe.
"Compounding all of these challenges, teams are also faced with the critical need to recruit experienced cybersecurity professionals and retain current talent"
It’s clear that cybersecurity teams face several challenges today:
• Maintaining operational excellence. Cybersecurity teams must “keep the lights on” every day and not only ensure that preventative and detective controls are in place and operating, but also be able to shift to an incident response footing at a moment’s notice.
• Compressed initiative timeframes. Enterprise projects may require rapid deployment to seize business opportunities.
• Aggregate signature initiatives. In the most successful and innovative companies, fantastic ideas are generated across lines of business. Unfortunately, these initiatives may filter down to teams, such as cybersecurity, IT, and other administrative teams at the same time, confusing priorities and slowing all projects.
• Complexity and steep learning curves. Product and services offered today may be composed of underlying technologies or specialized software/ platform solutions requiring expert knowledge to adequately assess risk, resulting in unidentified risks, or mitigations that only partially reduce risk.
• Compounding all of these challenges, teams are also faced with the critical need to recruit experienced cybersecurity professionals and retain current talent. There is nothing worse than losing a key performer in the middle of a critical assessment or deployment.
While there are no silver bullets to solve all these issues, there are organizations that manage the risks effectively. Successful enterprises either align the IT and business functions early, or ultimately recognize that they must incorporate IT leadership into the senior leadership level in order to remain competitive. As organizations continue to recognize cybersecurity as a critical function to support the business, alignment is also required. When cybersecurity leadership is present at the senior and executive level, or at the very least strongly sponsored, the challenges posed by rapid technological advancement are buffered. Budgets, initiative prioritization, and human resource allocation pass through the lens of all critical functions. This equips the individuals responsible for the overall success of the business with all of the tools necessary to manage both opportunity and risk.
What if your organization isn’t ready to invest in this type of transformation? Building in a bridging strategy is absolutely appropriate. Engage your senior and executive management where possible, and embrace the lessons many CIOs and CTOs have learned while elevating IT leadership to the senior and executive level. CIOs and CTOs present the most relevant model for bringing cybersecurity leadership to the decision table. From the individual contributor to the CEO, all employees want their company to perform and win, in what for many may be competitive business verticals such as retail, insurance, manufacturing, health services, banking and so on.
As new and disruptive technologies emerge, organizations will swiftly seize the opportunities created. The threat landscape will continue to change and evolve. Successful organizations recognize this and are proactive in making cybersecurity an integral part of business decisions and practices.