Impacts of Enterprise Change on Cyber Capability
The InfoSec Consulting Series #3
By Jay Pope
How do new developments in technology impact the Information Security Manager’s plan to effectively execute in their role, and influence business transformation projects?
Last week we discussed some key priorities for the Information Security Manager’s (ISM) first 30 days, and most of those priorities were based on establishing your position and relationship management. Another factor that will determine your plan for how you execute your role will be the organisation’s enterprise technology. In this article I have referred to my own recent experiences in supporting the security function of a major transformation programme for a central government client. I’ll discuss the challenges that can be introduced as state-of-the-art systems quickly become yesterday’s news as the next digital innovations are unveiled and adopted.
The Challenges Ahead
The Information Security Manager will of course need to be prepared for plenty of challenges, particularly in organisations where managers and executives are cautious of advances in technology unless the cost savings are significant. To remain current, viable and relevant, organisations need to be prepared to adapt and respond to new cyber capability, but persuading stakeholders and people of influence within the company isn’t necessarily easy. People tend to be resistant to change, so as the ISM, you will need to have an excellent understanding of what motivates people, and how to influence their behaviour and attitudes.
Facilitating Business Transformation
After spending some time getting to know the people with whom you will be working and assessing the leadership styles of management, your duties as an Information Security Manager are likely to encompass business transformation issues. This will require you to consider new technologies and systems as they arrive on the market, as well as necessary changes to systems being driven by Brexit deadlines. Effective business transformation can deliver major benefits, including an increase in profits together with an overall reduction in administration and operating costs. As such, it’s an important aspect of business growth.
To stimulate that growth, a company’s people, technology and processes need to be aligned with its business strategy, but this is by no means a straightforward or painless process. The sheer unpredictability of the market and economy makes it difficult to select the most appropriate course of action. Any changes will be constrained by financial resources and by the opinions of senior managers and the board. In addition to the opportunity to increase profit margins, a newly implemented cyber capability will help an organisation to make the most of emerging technologies, and these will also drive constant changes to the business model. As an ISM, you must, therefore, identify the organisation’s key players, striving to assure them of the need for training and improvement and the benefits that can arise from it. You will also need to consider whether changes will be driven by IT personnel or by end users, whilst keeping both groups on-side throughout the process.
Key Risk Areas
Business transformation programmes in global organisations and large government departments will result in a much broader scope for security risks, and operational impacts on the cyber capability, particularly during the Exit, Transition, & Migration (E, T, & M) phases of the service development lifecycle. Exit, Transition, and Migration are defined by the following activities:
- Exit: The activity required by the incumbent Contractors to exit from their contractual responsibilities and pass responsibility for service delivery to the new supplier at the Operational Service Commencement Date;
- Transition: The activity undertaken by a new supplier to mobilise the contract and assume responsibility for the delivery of services at the Operational Service Commencement Date;
- Migration: The activity undertaken by the new supplier to modify or replace the way services inherited at the Operational Service Commencement Date are delivered.
Large-scale digital transformation programmes can be very challenging, especially where there are multiple concurrent lines of development and where exiting service providers have been providing the service for a long time. The likelihood is that there will need to be some rearchitecting of the cyber capability, and plans may need to be put in place to alleviate the natural resistance to change.
Information Security Consultants, through their Managers, will need to be effective in managing security stakeholder oversight during a transformation programme. Proportionate measures of information security governance during E, T, & M will help to ensure secure sustainment of legacy services within the organisational risk appetite whilst the new replacement services are being developed and onboarded.
The diagram highlights some of the key risk concerns that will need to be considered in cyber capability planning for a major transformation programme.
The major challenge is to instigate changes that will offer tangible benefits to the organisation without impacting negatively on the budget. Any risks need to be calculated with extreme care, considering the prevailing market conditions, whilst the strategic goals need to conform to the organisation’s core values. As the Information Security Manager, you will need to emphasise the scope that new technology provides for encouraging best practices, whilst considering that many people fear change. The challenge is to convince key stakeholders that any changes are based on improving overall performance. The most positive outcome would be for staff and managers to embrace the proposed changes, but this is not something that can be achieved overnight, and you must be prepared to put a great deal of time and effort into creating a plan of action. This will need to factor in the concerns of the board and senior managers, in addition to promoting the benefits associated with such a programme.
A comprehensive risk assessment created specifically to highlight areas of concern and provide workable solutions is a prerequisite. This will go a long way towards alleviating the concerns of C-level executives and board members. That said, I have learnt that programmes that operate in isolation, or disseminate information solely among the top tier of management, will most certainly breed resentment or distrust, so it’s vital to include as many people within the organisation as possible in communicating plans, key discussions and consultations.
The goal is to have everybody throughout the company on-side, creating a motivated group who are united in one common aim, regardless of the individual benefits to be had from the proposed changes. Any Information Security Manager needs to spend time creating realistic criteria designed to measure Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) – done correctly, these metrics will reassure stakeholders that the changes are having a beneficial effect, which encourages and enthuses them, leading to a more motivated workforce.
One factor that you must keep in mind is that the security of the organisation’s information systems is not necessarily at the forefront of management’s minds. Senior managers and board members are generally preoccupied with strategic aspects of the business, such as its financial position and prospects, and IT matters are not always an area of interest, let alone an area of concern.
Board members are primarily concerned with their shareholders, so security needs to emphasise the benefits to shareholders in addition to employees. Some board members may not have much experience of the organisation’s information systems, but by pointing out the importance of adhering to regulations governing the use and storage of data (such as GDPR), the CISO may be able to influence the board’s opinion. The good of the company is of importance to the shareholders, and a focus on the need to have appropriate systems and defences in place will never be misplaced.
It can be worthwhile exploring the steps that other similar organisations have taken to ensure the integrity and safety of their data systems. Pointing out measures that the company’s competitors have taken can be a powerful influence in implementing important changes. As an Information Security specialist, you should be at pains to point out the latest trends in data security, including highlighting major breaches in security that have taken place across similar industries. A detailed report of security breaches may be particularly helpful in focusing board members on the need for enhancements to information security systems.
It’s also a good idea to suggest regular briefings with board members on cyber capability issues. This provides an ideal opportunity to highlight areas of concern and address problems before they become major events that could be detrimental to the business. The goal is to encourage members of the board to become aware of the importance of keeping up to date with the latest technology issues, including emerging threats and systems integration issues. This ensures that the emphasis is on staying one step ahead of hackers and threats, which can only be achieved when senior managers and board members understand the very real threats that they are facing.
Does Your Organisation Need Top Cyber Security Consultants?
We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.