Invisible Infostructure #3 – Bon Risk Appétit
Businesses connect to the outside world in order to be competitive, find new channels and collaborate effectively with clients and partners. This puts a strain on security and privacy, as openness and connectivity seem to stimulate the opposite of these qualities. However, hiding information behind an impenetrable corporate firewall is not a business enabler, and being prepared for any security breach in advance is an illusion. Instead, organizations must develop a healthy ‘appetite for risk,’ using smart tools to quickly detect intrusions and be ready to respond extremely fast and effectively.
Let’s start with a little story. Imagine you are the CEO of an innovative electronics company on a business trip to Australia. Unfortunately, your plane crashes in the middle of nowhere. You are lucky to survive the crash. You manage to send an SOS signal with your smartphone, together with your GPS coordinates. As a result, a plane drops water and food; but at the other side of a river full of hungry crocodiles.
What do you do?
You need the supplies, but you know that if you try to swim across this river, the crocodiles will get you. It’s a no-go area. This insight shapes the boundaries of your risk tolerance.
Still, you are starving. So you start to develop a certain appetite for risk, as you clearly want to stay alive. You know you have to reach your goal on time, if necessary only just within the boundaries of your risk tolerance.
Then, with your phone’s battery almost drained, you find a YouTube video about survival techniques and you learn how to make a simple boat to safely cross the river. You have shown the right Risk Attitude to do whatever is needed – even in unexpected ways - to stay alive under difficult circumstances.
Back at home you create the next-generation phone with built-in survival capabilities!
What can we learn from this simple metaphor?
What we define as ‘Bon Risk Appétit' is not about eliminating all risks but about doing what is needed to achieve business objectives at an acceptable level of risk that matches these objectives. Also, by taking a fresh perspective on dealing with risks, you might be pleasantly surprised by new business opportunities.
When looking at security with some proper risk appetite, we need to distinguish three different perspectives. We recommend taking a holistic view of the problem domain, considering all three perspectives when crafting solutions:
1. The perspective of the organization, wanting to do business at acceptable risk levels (for example, regarding security concerns).
To protect your own organization, it is wise to base your security architecture on proven security principles and security patterns. Note that the chosen solutions will very much depend on the business context (e.g., regional regulations that apply), the organizational culture (e.g., the current security awareness) and the amount of ‘Bon Risk Appétit' of the management of the organization (which may be an evolving value).
More information about business context sensitive security principles can be found here. With respect to the application of proven security patterns, check this out for the latest insights and developments.
2. The perspective of a common business infrastructure fabric, based on Social, Mobile, Analytics and Cloud services (SMAC) (for example – excusez le mot - cybercrime and intelligence concerns)
When crafting the underlying infrastructural business fabric – both for your customers and for your own organization – you should look both from outside-in as well as from inside-out.
Outside-in: you should only use SMAC services from a customer perspective, based on business scenarios, the identified amount of ‘Bon Risk Appétit' and specific business requirements (here’s an excellent starting point for this approach).
Inside-out: base the underlying infrastructure on the Jericho forum commandments, combined with time based security concepts to make it more resilient against cybercrime and intelligence risks.
3. The perspective of the customer (for example, regarding privacy concerns)
In the end, it’s all about your customers. Nowadays, it is more important than ever to be transparent towards them about what you do with their data and to which extent their privacy concerns are addressed. Use the Jericho forum identity commandments as a sound basis for your architecture decisions.
If needed, soon the customer could be assisted by something like a virtual privacy protection agent, which analyzes the privacy policies of different business services and advises the customer about what business services are most appropriate.
Now does that whet your appetite at least a bit?
This contribution by Ben Elsinga
Part of Capgemini's TechnoVision 2014 update series. See the overview here.