Design For Digital #4 – Bon Risk Appétit
On their digital journey, enterprises must always be connected to the outside world. This puts a strain on security. Openness and connectivity seem to stimulate their opposites. However, hiding behind an impenetrable corporate firewall is a digital passion killer and preparation for every security breach is an illusion. Instead of walling themselves off, organizations must develop a healthy appetite for risk, using smart tools to quickly detect intrusions and respond in real time. Furthermore, security must be an integral part of the solutions life cycle, not an afterthought. A digital platform with built-in security actually enables new business, rather than preventing it.
The Bon Risk Appétit design principle is not about eliminating all risks — an impossible task. It’s about doing business at the acceptable level of risk. It’s also about taking a fresh perspective which not only makes the risks acceptable, but could turn them into opportunities — a new competitive advantage, or even a disruptive business model.
The perspective has seven components:
1. Information security is no longer the purview of the IT department. It’s the business, and notably the top of the business, that’s taking over risk management as a key component of every strategic decision. For the Digital Enterprise, cyber-security is not just a condition for survival, but is also the way to create trust, an essential ingredient in dealing with digitally enabled customers and clients. Security thus, should become an enabler to new business; or even the catalyst for disruptive business models — that were unthinkable before new security technologies became available.
2. Information security should be built in as a central feature of the enterprise digital platform. Agile solutions can quickly be developed near the businesses that are also inherently secure. Furthermore, security should be embedded end-to-end in the solutions life cycle not as an afterthought, or exclusively in the domain of architecture, business analysis, infrastructure, or applications. Where mixed DevOps teams are quickly becoming popular as they remove the classical barriers between applications development and operations, it makes a lot of sense to make security experts members of these teams.
3. At the center of risk-thinking is enterprise data. What’s it worth? At what level should it be protected? Who should be able to access what? How to classify and archive it? How to destroy it? When? As the Digital Enterprise increasingly relies on its IQ, it focuses risk analysis on what makes it intelligent. A situational approach is crucial here: not all data is the same and there isn’t a one size of security measures that ts all.
4. Not every security breach can be predicted and avoided in a black swan world. The early detection of any attempt to steal or corrupt data is key. Early detection minimizes damage in the same way that early recognition of software flaws minimizes the cost of error correction. Equipped with tools like HP’s Security Information & Event Management, the security data scientist spots anomalous behaviors, unfolding attacks and initial damage, so that immediate action can be taken.
5. Risk management should always be done with the customers in mind. The success of the enterprise depends upon their trust. Customers deserve an accurate picture of their data from the use that is made of their information to the way the enterprise protects them as if they were their own employees. Their business will be their way to thank the enterprise. It’s also a crucial cross-check that any security expert or risk manager should continuously make: are the measures we’re taking still helping the customer to do business with us, or are they by now, actually preventing business?
6. Risk management should also be done with partners in mind — on their trust depends the success of the enterprise. Many are becoming Digital Enterprises, and these relationships will be rescripted to reflect new respective roles. An essential part of the script will be devoted to the type of intelligence enterprises share and the type that remains their own. With that comes also an analysis of the risks, business partners are willing to share, including joint measures that should be taken to detect anomalies and respond in real time.
7. In view of their constantly full executive plates, business executives often find it too difficult to translate their fears into clear actions. Helping them define their security To Do’s might well be the most productive security measure. The simplest way to organize these To Do’s is in three categories:
– compliance obligations
– business risk ‘cartography’ with the matching measures
– responsibility towards clients to maintain relations of trust
In any case, an open and situational mindset is crucial to give security its rightful place in Digital Transformation: as an enabler for business and a foundation for change. A perspective that surely whets the appetite.
Experts: Bernard Barbier
and Pierre Hessler
Part of Capgemini’s TechnoVision 2016 update series. See the overview here.