Many CIOs are getting too controlling when it comes to IT security, with the result that they may be hampering their organization’s ability to be innovative.
That is the conclusion of James Kaplan, partner and co-leader of the IT Infrastructures and Cybersecurity Practices at McKinsey & Company, who has co-authored the new book, Beyond Cybersecurity: Protecting Your Digital Business. (2015: Wiley, $24.78 on Amazon).
Beyond Cybersecurity is intended to be a how-to guide, offering solutions for business leaders that they can implement in their own organizations. In addition to Kaplan, the authors include Tucker Bailey, principal at McKinsey & Company; Chris Rezek, senior expert consultant at McKinsey & Company; Alan Marcus, senior director, head of Information and Communication Technology Industries, at the World Economic Forum; and Derek O’Halloran, director, head of Information Technology Industry, at the World Economic Forum.
The book is not a tutorial on how to just say no. It covers critical IT security practices, but focuses more on how to prioritize what needs to be protected versus what is expendable.
A core argument of Beyond Cybersecurity is that many companies approach IT security backwards. Too many firms mistakenly view cyber-security as primarily an IT issue, when they should approach it as core to the business, and focus on securing valuable data assets while bolstering innovation.
“You can’t treat cyber-security as a control function. If you do, you won’t protect yourself very well and you will certainly limit your organization’s ability to innovate and to extract value from technology investments,” Kaplan said.
The problem for many organizations is that they try to protect too much–in some cases, everything. That isn’t realistic, or even doable, Kaplan stresses. Several recent IT security studies point the same way: they agree that it is no longer a question of whether a typical organization will suffer a security incident, but when.
As a result, “the question that we need to be asking is how do I protect myself while continuing to get value from technology, or even better, how do I take an acceptable set of technology risks that will yield business value,” Kaplan said.
“Too often we see people imply that technology risk is inherently a bad thing, and that is sort of like saying that financial risk is inherently a bad thing. When making financial investments you have to put capital at risk in order to get returns,” Kaplan said.
Kaplan gives the example of a new mobile customer care platform: a mobile application that allows customers to buy from you.
“With the application, you’re taking risk,” Kaplan said. “You’re creating new types of transactions that could be subverted or compromised. You’re creating new vulnerabilities in your environment. But you’re presumably going to get business value in terms of new revenues, or better customer experiences, or a more efficient set of interactions.”
CIOs and business executives need to have open dialogue about how to strike that balance between acceptable risk and reward. When that dialogue doesn’t happen, the CIO or CISO may not know where to best invest scarce security budgets and how to properly staff IT defenses. They may focus too much on protecting networks and systems, as opposed to specific data.
“Many people are asking too narrow a question–‘how do we protect ourselves?’ As a result, they’re getting too narrow an answer, which is to say, a largely speaking technology-focused answer,” Kaplan said. “That involves putting more and more controls in the environment, and more governance around what people do.”
“Taken to the extreme it can reduce an institution’s ability to innovate and to capture value through technology,” Kaplan said. “Instead, we suggest that people need to take a more holistic view and they need to think about changes to business processes. They need to think about designing technology architecture that is more secure from the start. They need to understand which assets are at risk and which are more critical, so they can focus protections on the most important thing.”
Kaplan offers several tips for how IT leaders and business execs can better prioritize their security investments.
First: Prioritize information assets and business risks.
“This is almost the fundamental practice. If you don’t know what is important you can’t know what to protect, and therefore you try to protect everything. That is the same as protecting nothing,” Kaplan warned. “Unfortunately, for too many companies, when they think about risk they do it in terms of an unpatched server or an unmonitored circuit, rather than in terms of the types of information we need to protect and the underlying risks.”
Second: Build security into business and operational processes.
Third: Create a plan that is flexible to change.
“Change the mindset at the front lines so people really understand the value of the information they are interacting with. Lots of people talk about security awareness but very few really understand the assets that need to be protected, or even which groups of employees have which types of assets,” Kaplan said.
Fourth: Develop security policies around business functions.
“For too many, the goal is a technical remedial response plan, rather than a true business response plan that takes into account things like the decisions around notifying customers or notifying regulators, for example.”
Fifth: Design technology architectures and applications to be inherently secure.
Sixth: Put priority solutions in place for the most important information assets.
Seventh: Develop analytics that combine intelligence with real-time data from the company’s technology environment, so that security defenses can respond in real time.
“We would suggest that business processes, business models, technology architectures need to be designed with security as an outcome. That will allow companies to take intelligent risks with less of the overhead and less of the impact on innovation that traditional security models have,” Kaplan said.