Cyber, cyber everywhere. Is your cyber strategy everywhere too?

10/08/2019 23:53

Organizations are embedding connected digital technologies in their information technologies, operational technologies, and end products, making cyber a top organizational priority. Innovating fast is now contingent on a well-orchestrated cyber program.

In the 21st century, the connective power of technology is giving rise to a wave of innovative products and services that are transforming the way people live and work. Consider Disney World Parks. Known for pushing the limits of its audience’s imagination, Disney World combined sensor technology, cloud computing, and artificial intelligence (AI) to create connected, radio-frequency identification (RFID)-based wristbands that help create more immersive and enjoyable experiences for guests. These wristbands have helped Disney World both improve operations and better serve visitors, enabling organizers to—for instance—deploy special events to remove ride bottlenecks in real time (such as putting on Disney-character shows that hold guests’ attention as they wait in long queues).

The technology has made it easier to create personalized guest experiences such as customized hotel accommodations and first-name-basis interactions with characters. And, not least, the wristbands, built with security as a top-of-mind design element, have helped Disney World cultivate safer digital and physical environments for its guests. For example, the wristbands are paired with multifactor identification mechanisms such as fingerprints and personal identification numbers to restrict park access and in-park purchases. And in a venue that caters to thousands of guests daily, the RFID-based wristbands can help security personnel quickly identify and reunite a lost child with his or her family.

To build innovative, connected experiences, businesses need a strong cyber program.1 Every time a device is connected to a sensor that in turn connects to a network, a new cyber vulnerability emerges at each connection point. On a larger scale, connected technologies increasingly underpin the functioning of the nation’s power grids, factories, entertainment venues, and communication and transportation infrastructures. Indeed, cyber vulnerabilities are seemingly everywhere these days, and they’re only going to become more prevalent in the future.

Yet, just because cyber is everywhere, it doesn’t mean that corporate strategies are necessarily following suit for addressing cross-enterprise risks. In Deloitte’s 2019 Future of cyber survey, which polled more than 500 C-level executives on cyber issues, more than 90 percent of respondents suggested that less than 10 percent of their cyber budgets were allocated to digital transformation efforts such as cloud migration, AI-driven products, and software-as-a-service (SaaS)—all areas where cyber vulnerabilities are becoming more prevalent.2

The risk isn’t just that cyber incidents will destroy value in the classical sense. The opportunity cost of what cyber vulnerabilities can prevent organizations from doing can be far greater. The specter of cybercrime and its fallout can cast a shadow over an organization’s efforts to turn technology to better use, strangling innovation and slowing digital transformation efforts to a crawl. Though digital and connected technologies are an immensely fertile ground for innovation for organizations in all industries, their potential will go untapped if that ground is perceived to be too risky to be worth exploring.

Many executives are wrestling with this reality even now. In a recent global study on AI initiatives among businesses, 49 percent of respondents, a plurality, cited “cybersecurity vulnerabilities” as their top concern.3 An earlier study polling US executives also revealed that 30 percent of respondents had slowed down an AI initiative to address cyber concerns, and another 20 percent had decided to not even start such initiatives due to their cyber implications.4

This is why cyber today is not purely a risk management issue, but is instead a core business enabler. For organizations to fully reap the benefits of new, digitally enabled technologies, they need to view cyber as a digital transformation priority. In an era when technological innovation underpins a business’s marketplace performance, organizations that put cyber at the forefront should be better positioned to drive innovation and, consequently, bottom-line growth. Conversely, in the absence of a well-orchestrated cyber program, new products and services will be exposed to greater financial, brand, and regulatory risks, likely slowing their development and marketplace penetration.

The good news is that, for those looking to redesign their businesses with cyber as a fundamental element, a host of new opportunities is emerging. While this is new ground for almost everyone, organizations can take action today to understand their cyber vulnerabilities, assess the risks, and put protections in place that make technology a safe space for innovation to grow the business.

Not just IT’s problem any more

In the past, cyber was viewed as a means of protecting information—financial data, intellectual property (IP), or personally identifiable information. As such, cyber naturally found its organizational home within the information technology (IT) department, traditionally tasked with managing and protecting information.

But in today’s “everything is connected to everything” environment, the implications of cyber go way beyond IT. A cyber adversary can strike wherever connected technology is deployed—whether it’s to hack a server in a data center, an oil rig in the ocean, or a pacemaker implanted in a person—and this makes cyber not only an issue for protecting information, but also a necessity for protecting systems and people, both inside and outside the enterprise. Moreover, the proliferation of use cases for connected digital technologies, even within a single enterprise—everything from, say, autonomous vehicles to medical implants to assembly-line robots—means that it’s unrealistic to expect consistency across either cyber vulnerabilities or security solutions.

These factors have two important implications for an organization’s cyber strategy:

  • The number of cyber stakeholders is expanding. With IT, operational technology (OT), and the end user coming into the picture, cyber has to be an important consideration for executives from across the top ranks of management. It can no longer be relegated to an organization’s sublayers, but instead should be represented in the C-suite so that the broader business can better understand the priority and importance of creating a cyber-secure enterprise. Included in the lengthening list of cyber stakeholders are individuals such as the chief supply chain officer (CSCO), the chief innovation officer, the chief marketing officer (CMO), the chief operations officer (COO), the chief risk officer (CRO), chief information officer, and chief information security officer (CISO), plus procurement, facilities managers, plant managers, and even (or especially) employees on the ground. A cyber governance model that starts and ends with the CISO under the confines of IT is no longer enough.
  • Standardization doesn’t apply. On the surface, most IT security solutions are fairly standardized, database structures are uniform, and firewalls still work broadly—regardless of industry or use case. However, how a hospital deploys robotics can be very different from the way a smart factory does. Nowadays, organizations combating cybercrime need to consider IT, OT, and customer product environments—all of which have their own nuances and often lack a cross-organizational framework. Because of this, each cyber solution requires a level of bespoke customization that makes every solution set unique.

A cyber strategy that recognizes these principles can help organizations develop approaches to strengthening security that fuel—not throttle—the pace of innovation.

A stakeholder challenge: Getting people to step up

Since cyber is everywhere, cyber awareness needs to be embedded everywhere. That means that cyber must be part of everyone’s job in a very literal sense. Converging cyber environments blur the lines of responsibility among stakeholders. No longer does the onus of cyber fall squarely on the CISO; rather, it is—or should be—a cross-functional endeavor.

Take the CMO, for instance. For the typical CMO, striving to build customer appeal and brand equity, cyber is new ground.5 Yet CMOs are continually looking to digitize their efforts and enhance the customer experience through technology. To do this seamlessly—and safely—the CMO must incorporate cyber professionals, and their relevant expertise, into the development of customer-facing initiatives.

The CMO is only one of many people who need to be involved. To illustrate how cyber touches nearly everyone’s role, consider the major stages of product development:

  • Innovation. Chief innovation officers regularly look to advanced technologies to fuel new products. If cyber is not adequately considered, these innovations could be halted even before they begin. Or, worse, they could go to market with serious cyber vulnerabilities.
  • Sourcing. As supply chains increasingly transition to digital supply networks, which transform linear supply chains into interconnected ecosystems,6 CSCOs need to ensure that third-party vendors meet the company’s required security standards. This is a regular issue for automotive original equipment manufacturers (OEMs), for instance. A vehicle’s infotainment unit can consist of multiple components—navigation technology, USB drives, smartphone integration capabilities, and more—sourced from different vendors that may have inconsistent security protocols.
  • Manufacturing. In today’s converging environment, the plant manager’s role is not limited to simply coordinating actions between humans and physical machinery. Plant managers are integrating robotics, sensor technology, and even augmented reality (for example, to assist in maintaining and repairing equipment) into their workflows.7 Each of these technologies creates a new connective endpoint, each with its own cyber considerations.
  • End-product support. The final product a customer buys represents a culmination of the first three stages. But cyber considerations don’t necessarily end with the sale; many types of products need to be continually protected after they are launched. This may entail safeguarding both data and functionality—especially functions that are automated, such as customer-facing chatbots.

In practice, unfortunately, cross-functional collaboration on cyber issues rarely happens. In the aforementioned Future of cyber survey, only 30 percent of respondents indicated their organizations have integrated some form of cyber liaising into their core business functions to facilitate cyber awareness and readiness throughout the organization.8 One big reason for this may be the relatively junior position of many CISOs in the executive suite. The study also highlighted that the CISO is often pushed down the organizational chart, even as the growing importance of cybersecurity would seem to call for the role to be elevated. For example, nearly 80 percent of responding CISOs report to the chief information officer or the chief security officer (CSO), despite the majority of CISOs saying that they were seeking greater access to the CEO (and, thereby, to the rest of the organization).9 This poses a real problem for cyber awareness. With the CISO’s influence buried in the depths of the organizational hierarchy, it is difficult to cultivate a cyber-aware mindset across the rest of the C-suite.

Read the Full Article https://www2.deloitte.com