As an essential part of the digital journey, enterprises must always be connected to the outside world. This puts a strain on security, as openness and connectivity seem to stimulate the opposite. However, hiding behind an impenetrable corporate firewall is a digital passion killer and being prepared for any security breach is an illusion. Instead of walling themselves off, organizations must develop a healthy appetite for risk, using smart tools to quickly detect intrusions, and respond in real-time. Furthermore, security should be an integral part of the solutions lifecycle, not an afterthought. A digital platform with built-in security actually enables new business, rather than preventing it.
The Bon Risk Appétit design principle is not about eliminating all risks – an impossible task. It is about doing business at an acceptable level of risk. It is also about taking a fresh perspective on dealing with risks – a perspective which not only makes the risks acceptable, but could well turn them into opportunities – a new competitive advantage or even a disruptive business model.
The perspective contains the following components:
1) Information security is no longer the purview of the IT department. It is the business, and notably the top of the business, which takes over risk management – as a key component of every business decision. For the digital enterprise, cyber-security is a condition for survival, but also the way to create trust, an essential ingredient in dealing with digitally enabled customers and clients. Security thus should become an enabler to doing new business; or even the catalyst to disruptive business models that were unthinkable before new security technologies became available.
2) Security should be built in as a central feature of the enterprise digital platform, so that agile solutions can quickly be developed – near to the business – but are also inherently secure. Furthermore, security should be embedded end-to-end in the solutions lifecycle, not as an afterthought, but also not exclusively in the domain of architecture, business analysis, infrastructure, or applications. Where mixed DevOps teams are quickly becoming popular because they remove the classical barriers between application development and operations, it makes a lot of sense to make security experts an integral part of these teams as well.
3) At the center of risk thinking is enterprise data. What is it worth? At what level should it be protected? Who should be able to access what? How to classify and archive it? How to destroy it? When? As the digital enterprise increasingly relies on its IQ, it focuses risk analysis on what makes it intelligent. A situational approach is crucial here: not all data is the same and there is not one size of security measures that fits all.
4) As not every security breach can be predicted and avoided in a black swan world, the early detection of any attempt to steal or corrupt data is key. Early detection minimizes damage in the same way that early recognition of software flaws minimizes the cost of error correction. Equipped with tools like HP’s Security Information & Event Management, the security data scientist spots anomalous behaviors, unfolding attacks and initial damage, so that immediate action can be taken.
5) Risk management should always be done with the customers in mind – on their trust depends the business success of the enterprise. Full transparency regarding their data, the use that is made of their information, and the way the enterprise protects that data as if it were its own: customers deserve an accurate picture, and their business will be their way to thank the enterprise. It’s also a crucial cross-check that any security expert or risk manager should continuously make: are the measures we are taking still helping the customer to do business with us, or are they by now actually preventing business?
6) Risk management should also be done with partners in mind – on their trust depends the business success of the enterprise as well. They themselves are becoming digital enterprises, and mutual relations will be re-scripted to reflect the new respective roles. An essential part of these scripts will be devoted to which intelligence enterprises share and which remains their own. With that comes also an analysis of which risks business partners are willing to share, including joint measures that should be taken to detect anomalies and respond in real-time.
In any case, an open and situational mindset is crucial to give security its rightful place in digital transformation: as an enabler for business and a foundation for change. A perspective that whets the appetite for sure.
Contribution by Bernard Barbier and Pierre Hessler