Friday, February 21, 2014

Thoughts on "Risk and Responsibility in a Hyperconnected World"

Hat tip to Tim Dierking of Aclara for spotting and forwarding this January 2014 World Economic Forum / McKinsey report: "Risk and Responsibility in a Hyper-connected World." Tim pointed to a couple of excellent sections on cyber resilience and future scenarios which you'll find within, but I'm going to call out a different selection for your immediate consumption.

This below is taken directly from the McKinsey summary, which while not energy-sector specific, is right on the money, IMHO, on the culture, leadership and organizational dynamics aspects of what's needed to do security right in 2014+. Here you go:
A CEO-level issue 
Given the trillions of dollars in play, the stakes are high. And given the range of social and business issues that cyber resiliency affects—for example, intellectual property, regulatory compliance, privacy, customer experience, product development, business continuity, legal jurisdiction—it can only be addressed effectively with active engagement from the most senior business and public leaders. 
Even improving cybersecurity capabilities within a single institution requires collaboration across a host of business functions. Operational managers must assess which information assets are most valuable. Privacy and compliance functions have to evaluate the impact of losing customer data. Decisions about how much to monitor employee access to sensitive data have major HR implications. And procurement must negotiate security requirements into vendor contracts. 
Given the scale of impact and the degree of coordination and cultural change required, progress toward cyber resilience requires active engagement from the CEO and other senior leaders. They have to make clear they expect the following:
  • an honest, granular assessment of existing capabilities and risks, given their business model
  • alignment on the most important information assets and a clear approach for providing them with required protection
  • a road map for getting to a scalable, business-driven cybersecurity operating model
  • a well-practiced set of skills for responding to breaches across business functions
Sustaining the pace of innovation and growth in the global economy will require resiliency in the face of determined cyberattacks. Only CEOs and senior public leaders can solve the problem, because of the strategic and organizational-change issues that need to be resolved.
And so continues the exhortation for senior business and government leaders to take more ownership of the security risk challenge. It's not easy. In fact, in the overly technical ways it's usually presented to them, it's overwhelming and way out of their comfort zone.

For the umpteenth time: Security leaders need to meet them more than halfway by speaking plain-English business language and, as much as possible, converting technology and security risk into dollars and cents to be gained or lost. Clarity and persistence are the keys here, as there are no gold, silver, or bronze bullets to hasten the process.

The summary and full report can be found HERE

1 comment:

Bryan Owen said...

The WEF hyperconnected series might even be a bellwether for C-level interaction on cyber.

Increasing realization that the technical problems are more like pollution - pervasive and affecting everyone.

(Remember when the vibe was along the lines of 'that could never happen to us'?)

Uptick in staffed security programs is one of the main indicators on the plant floors.

Sadly, though, the mission objective is frequently unrealistic and overreaching.

If executives are articulating risk appetite it seems to be getting lost in the translation.