GDPR – The Countdown Conundrum

Posted on : 30-01-2018 | By : Tom Loxley | In : Cloud, compliance, Cyber Security, data security, Finance, GDPR, General News, Uncategorized



Crunch time is just around the corner and yet businesses are not prepared, but why?

“General Data Protection Regulation (GDPR) – a new set of rules set out by the European Union which aims to simplify data protection laws and provide citizens across all member states with more control over their personal data”

It is estimated that just under half of businesses are unaware of incoming data protection laws that they will be subject to in just four months’ time, or how the new legislation affects information security.

Following a government survey, the lack of awareness about the upcoming introduction of GDPR has led the UK government to issue a warning to the public over businesses’ shortfall in preparation for the change. According to the Digital, Culture, Media and Sport secretary Matt Hancock:

“These figures show many organisations still need to act to make sure the personal data they hold is secure and they are prepared for our Data Protection Bill”

GDPR comes into force on 25 May 2018 and potentially huge fines face those who are found to misuse, exploit, lose or otherwise mishandle personal data. These can be as much as four percent of company turnover. Organisations could also face penalties if they’re hacked and attempt to hide what happened from customers.

There is also a very real and emerging risk of a huge loss of business. Specifically, third-party compliance and assurance is common practice now, and your clients will want to know that you are compliant with GDPR as part of doing business.

Yet regardless of the risks to reputation, the potential loss of business and the fines that come with being non-GDPR compliant, the government survey has found that many organisations aren’t prepared – or aren’t even aware – of the incoming legislation and how it will impact their information and data security strategy.

Not surprisingly, considering the ever-changing landscape of regulatory requirements they have had to adapt to, the finance and insurance sectors are said to have the highest awareness of the incoming security legislation. Conversely, only one in four businesses in the construction sector is said to be aware of GDPR, with awareness in manufacturing also poor. According to the report, the overall figure comes in at just under half of businesses – including a third of charities – who have subsequently made changes to their cybersecurity policies as a result of GDPR.

If your organisation is one of those who are unsure of your GDPR compliance strategy, areas to consider may include:

  • Creating new, or improving existing, cybersecurity procedures
  • Hiring new staff (or creating new roles and responsibilities for your additional staff)
  • Making concentrated efforts to update security software
  • Mapping your current data state: what you hold, where it’s held and how it’s stored

In terms of getting help, this article is a great place to start: What is GDPR? Everything you need to know about the new general data protection regulations

However, if you’re worried your organisation is behind the curve, there is still time to ensure that you do everything to be GDPR compliant. There is an abundance of free guidance available from the National Cyber Security Centre and the ICO on how to ensure your corporate cybersecurity policy is correct and up to date.

The ICO suggests that, rather than being fearful of GDPR, organisations should embrace GDPR as a chance to improve how they do business. The Information Commissioner Elizabeth Denham stated:

“The GDPR offers a real opportunity to present themselves on the basis of how they respect the privacy of individuals, and over time this can play more of a role in consumer choice. Enhanced customer trust and more competitive advantage are just two of the benefits of getting it right”

If you require pragmatic advice on the implementation of GDPR data security and management, please feel free to contact us for a chat. We have assessed and guided a number of our clients through the maze of regulations, including GDPR. Please contact us in the first instance.


Be aware of “AI Washing”

Posted on : 26-01-2018 | By : john.vincent | In : Cloud, Data, General News, Innovation



I checked and it’s almost 5 years ago now that we wrote about the journey to cloud and mentioned “cloud washing”, the process by which technology providers were re-positioning previous offerings to be “cloud enabled”, “cloud ready” and the like.

Of course, the temptation to do this is natural. After all, if the general public can trigger a 200% increase in share price simply by re-branding your iced tea company to “Long Blockchain”, then why not?

And so we enter another “washing” phase, this time in the form of a surge in Artificial Intelligence (AI) powered technologies. As the enterprise interest in AI and machine learning gathers pace, software vendors are falling over each other to meet the market demands.

Indeed, according to Gartner, by 2020:

AI technologies will be virtually pervasive in almost every new software product and service

This is great news and the speed of change is outstanding. However, it does pose some challenges for technology leaders and decision makers as the hype continues.

Firstly, we need to apply the “so what?” test against the claims of AI enablement. The fact that a product has AI capabilities doesn’t propel it automatically to the top of selection criteria. It needs to be coupled with a true business value rather than simply a sales and marketing tool.

Whilst that sounds obvious, before you cry “pass me another egg Vincent”, it does warrant a pause and reflection. Human behaviour and the pressures of generating business value against a more difficult backdrop can easily drive a penchant for the latest trend (anyone seen “GDPR compliant” monikers appearing?).

In terms of the bandwagon jumping, Gartner says:

Similar to greenwashing, in which companies exaggerate the environmental-friendliness of their products or practices for business benefit, many technology vendors are now “AI washing” by applying the AI label a little too indiscriminately

The second point is to ask the question “Is this really AI or Automation?”. I’ve sat in a number of vendor presentations through 2017 where I asked exactly that. After much deliberation, pontification and several “well umms” we agreed that it was actually the latter we were discussing. Indeed, these terms are often interchanged at will during pitches, which can be somewhat disconcerting.

The thing is, Automation doesn’t have the “Blade Runner-esque” cachet of AI, which conjures up the usual visions that the film industry has imprinted on our minds (of course, to counter this we’ve now got Robotic Process Automation!).

So what’s the difference between AI and Automation? The basic definition is:

  • Automation is software that follows pre-programmed ‘rules’.
  • Artificial intelligence is designed to simulate human thinking.

Automation is everywhere and has been an important part of industry for decades. It enables machines to perform repetitive, monotonous tasks, thus freeing up time for human beings to focus on the activities that require more reasoning, rationale and personal touch. This drives efficiency and a more productive business and personal life.

The difference with Automation is that it requires manual configuration and set up. It is smart, but it has to follow set instructions and workflow.

AI, however, is not developed simply to follow a set of predefined instructions. It is designed to mimic human behaviour: to continuously seek patterns, learn from its data and “experiences”, and determine the appropriate course of action or response based on these parameters. This all comes under the general heading of “machine learning”.

The common “fuel” that drives both Automation and AI is Data. It is the lifeblood of the organisation, and we now live in an environment where we talk about “data driven” technologies at the centre of the enterprise.

Whilst it’s hard to ignore all the hype around AI, it is important for decision makers to think carefully not only in terms of what they want to achieve, but also how to filter out the “AI washing”.

Battle of the Chiefs

Posted on : 25-01-2018 | By : Tom Loxley | In : Predictions, Uncategorized



2018 Prediction – Deep Dive

Chief Information Officer 1 – Chief Digital Officer 0

Digital transformation is undeniably the main driving force for change in businesses today. We have seen the financial sector being completely transformed by new technologies that offer the ability to engage customers in very different ways, driving more profits. Originating in the marketing department, digital morphed into e-commerce, where it gained more budget and more power. This led to the establishment of a new executive role, the Chief Digital Information Officer (CDiO). The more traditional role of the Chief Information Officer (CIO) faded in many organisations as CIOs concentrated on their legacy systems, often accused of being slow to change in this new fast-paced environment. The CDiO rose as the star of the transformation show, moving at lightning digital speed, propelling the competitive advantage and adding value to the business. The two Chiefs have been working alongside each other uncomfortably over the past few years, neither understanding the boundaries between them. Not for much longer ….

We are starting to see some CDiOs come adrift as the main power point, with the promised world of digital failing to emerge. They too are being slowed down and unseated by the weight of legacy systems and legacy ideas in many organisations. Business leaders are getting impatient with the time to deliver ‘revolutionary’ change. Is it that these changes take time or is there a hint of the ‘Emperor’s new Code’ about this?

Broadgate believes that 2018 will see the resurgence of the CIO as the leading force. The digital buzzword is fading as digital is increasingly seen as a core part of any business strategy, intrinsic to the organisation. The development of the CDiO was a good short-term fix to turbo charge the digital roadmap, taking some of the weight off the CIO’s shoulders and enabling change. It could be said that the CDiO role developed as a result of an early division of labour between the old and the new as digital models emerged. However, recently we have seen a considerable shift across all major sectors, with four trends leading the charge for change: cloud, mobility, IoT and big data. It is this technological innovation that has enabled the role of the CIO to rise once more.

This is the big moment for the CIO, essentially becoming the hero of the digital age: not only embracing the new but also connecting the old with the new and really enabling organizations to move forward. That said, we must not underestimate the scale of the challenge CIOs face; there is a level of complexity in this new age of digital transformation that isn’t going away. Compounding this issue, business processes are often overlooked when technology is being rapidly applied. In many cases the CIO needs to reach out to their business counterpart in the area where technology is going to be deployed to ensure not only that there is complete connection but also that, working together, they understand how the business will function in that new environment and how orchestrating business technology will produce and deliver a strong result. CIOs must now take ownership of both to ensure they are not locked out of future technology decisions. The CIO who can keep up with the pace of new technology adoption can stay ahead of potential CDiOs encroaching on their territory.

The 2018 Broadgate Predictions

Posted on : 19-12-2017 | By : richard.gale | In : Predictions



Battle of the Chiefs

Chief Information Officer 1 – Chief Digital Officer 0

Digital has been the interloper into the world of IT – originating from the Marketing Department through the medium of the website and morphing into e-commerce. The result was more budget, and so more power, with the CDiO than the CIO, and the two Chiefs have been rubbing along uncomfortably together, neither fully understanding the boundaries between them. 2018 will see the re-emergence of the CIO empire as technology becomes more service based (Cloud, SaaS, Microservices etc.) and focus returns to delivering high-paced, successful transformational change.


Battle of the Algorithms

Quantum 2 – Security 1

All the major Tech companies now have virtual Quantum computers available (so the toolkits, if not the technology). These allow adventurous techies to experiment with Quantum concepts. Who knows what the capabilities of Quantum are, but through its enormous processing power it will have the capability to look at every possible combination of events for a given situation at once. That is great in terms of deciding which share to buy or how people are interacting on Facebook, but it will also have the potential to crack most current encryption mechanisms. Saying that, it will enable another level of secure access too!


Battle of the Search Engines

Voice 2 – Screen 0

OK Google, Alexa, Siri…. There’s a great video of Google talking to Alexa on an infinite loop. That’s all fun, but in 2018 Voice will start to become a dominant force for search and for general utility. Effectively, stopping what you are doing and typing in a command or search will start to feel a little strange and old-fashioned. OK, in the office we may not all start shouting at our computers (well, not more than normal) but around the home, in the car or using our phones it is the obvious way to interact. This trend is already gathering momentum. VR and especially AR will add to this; the main thing holding it back is the fact you look like an idiot with the headset on. Once that is cracked then there will be no stopping it.


RoboWars – to be continued…

Robots 1 – People 1

AI and ‘robot process automation’ (RPA) are everywhere. Every services firm worth its salt has process automation plans and the hype around companies such as Blue Prism is phenomenal. This is all very exciting and many doomsayers have been predicting the end of most jobs (and some the end of most people!). Yes. Automation of processes is here. It’s been here for years – that is what most ERP (aka workflow) systems do. It makes absolute sense to automate mundane processes, and if you can build in a bit of intelligence to deal with slight differences in the pattern then all the better. Will it result in the loss of millions of jobs… well, maybe, and probably in the short term, but once again, as every time in the past, technology will replace human endeavour whilst humans will be busy building the next creative, innovative wave.


The Lightbulb Moment

Internet 1 – Internet of Things 3

Is there anything left which is not internet connected? Two years ago, there were very few people that had any interest in communicating with a lightbulb – apart from flicking a light-switch. Now IoT connected lightbulbs appear to be everywhere and the trend will grow and grow. The speed at which this is happening is accelerating and the scope of connected devices is expanding beyond belief. Who would have thought we needed a smart hairbrush? This is all fine and will enrich our lives in ways we probably haven’t even thought about yet, but there is a cost. We are allowing these devices to listen to, see and control parts of our lives, and the data they gather has value both for good and bad reasons. There is no ‘culture of security’ for IoT. Many of the devices are cheaply designed and manufactured with no thought towards security or data privacy. We are allowing these devices into our lives and we don’t really know what they know, and who knows what they know. This may be a subtler change for 2018 – the securing of ‘the Thing’ – well, let’s hope so!


Welcome to our ESports Day

Call Of Duty 2 – Premiership Football 1

Sport is a big business. From Curling to Swimming to Indy Car racing it has a thousand differing forms, millions of participants and billions of armchair viewers. Top class athletes in a popular sport can earn millions of dollars a year both from performing and through product endorsements.

Video games have been popular for years. They started as single- or two-player games and are now worldwide multiplayer extravaganzas where you can battle, race or fight against people throughout the world. A number of superstars, or eAthletes, have emerged, first through winning competitions and then through YouTube etc., where their tournaments are recorded and watched again and again. This business has now broken the $1B mark – still way off ‘real’ sport, but it’s growing massively and at some point soon will become part of the mainstream.

5 Minutes With Mark Prior

Posted on : 18-12-2015 | By : Maria Motyka | In : 5 Minutes With



Which recent tech innovations are you the most excited about?

I get most excited about how my business can benefit from technology (whether it’s new or not). It’s my team’s job to understand our business: its processes, strategy and competitor landscape, and bring technology to bear to address those challenges.
Smith and Williamson is a very client-centric business – there is a great opportunity to leverage even well-established technology like IPT, Workflow and Document Management to improve the service we provide to clients. Additionally, Cloud-based collaboration tools offer new ways to engage with our clients 1-1 and perhaps open up new markets for services.

Like all industries if we can both improve the service to the client through technology and at the same time lower the cost of servicing a client we will be successful.

From a pure technology perspective I’m looking forward to improvements in price and functionality of end user devices – particularly low-cost 2-in-1 Windows devices displacing the desktop or traditional clamshell laptop as the default end user device. I hope the combination of these devices, Windows 10, Office 365, Wi-Fi and IPT will provide a better mobile platform that’s easier to manage and support and offers a seamless user experience regardless of location and connection type.

Looking ahead I’m also interested in how graphene will impact IT – whether it’s in battery technology or the size and speed of microprocessors, it appears to have the potential to be revolutionary (and it was invented in the UK!!).


How do you see business applications in wealth management adopting As-a-Service operating models?

Firms buy solutions that best meet their needs – how those solutions are delivered is often secondary, however vendors that deliver their solution (only) as a service are I feel better placed to rapidly adapt and evolve their offering as it’s a single code set, single port etc. This should keep their costs down and by passing those savings to customers they will drive adoption and create a virtuous circle. It should also mean they can focus development resource on new features rather than maintaining multiple code sets and branches.


In your opinion, what are the biggest data security risks that financial organisations are currently facing and how can they be overcome?

I think everyone understands the need for perimeter security, good patch management, access controls etc. But I think an area that is sometimes overlooked is “end users” either inadvertently or deliberately exposing data. We need to ensure we classify our data based on risk, educate our employees and have appropriate audit trails and controls based on data classification (all easier said than done). Services like MS Office 365 and OneDrive mean this has to be driven as much by policy and education as by IT.


Why did you choose Broadgate to assist you? What value has working with Broadgate brought to your team?

I’ve known the team for many years and trust them to do a good job for their clients.

Broadgate’s engagement style is collaborative and consultative, unlike other firms where every conversation is viewed as a selling opportunity.


Which technology trends do you predict will be a key theme for 2016?

Every year we think it will be cloud – maybe this year it will happen (though personally I’m not sure it will). Financial service firms are still hesitant to put client data into the public cloud and many firms say the cost of cloud is more than the marginal cost of adding capacity to their own facilities.
Hosting strategies are difficult to formulate as the options are many and varied with no clear leaders. I think Google will drive into MS market share (a few years ago I can’t recall anyone seriously considering alternatives to MS Office) which should ensure healthy competition and better options for their customers.

The CIO Guide to a successful Information Security Practice

Posted on : 30-06-2015 | By : jo.rose | In : Cyber Security



Our colleagues at Corix Partners have recently published on their blog a series of articles highlighting the eight key management rules CIOs and CISOs should follow to build and deliver a successful Information Security practice. We publish below a summary of the series which deconstructs in-depth eight views commonly held by Information Security practitioners and explores the Governance and Leadership dynamics which surround Information Security.

1. Think of Information Security as a Control function and not as a Support function

Information Security within a large organisation is often simplistically seen as a support function, and, as such, many stakeholders expect it to help streamline or ‘enable’ the business. The reality is, Information Security needs to be seen as a control function – and rules (that may be perceived as restrictive) are a necessary part of ensuring its effectiveness. CISOs must have the management skills to effectively communicate the threats facing the information assets to all stakeholders across the business – and they must get everyone on the same page when it comes to ensuring the appropriate controls are put in place to protect these assets.

2. Create a sense of reality around the threats and do not focus only on IT aspects

A commonly held view among Information Security communities is that businesses don’t care enough about Information Security – and decisions are often made from a convenience or cost avoidance perspective. However, a disproportionate focus on technical details and IT issues by the security teams themselves is often to blame for the disengagement with the subject. It’s down to the CISO to effectively communicate to the business the real threats faced by information assets, how this could translate into real consequences across the organisation – and how protective controls can prevent this from happening. If the level of Risk (resulting from the presence or absence of controls) is presented in a language that the businesses can understand, the CISO will build a meaningful dialogue with them that should drive the right decisions.

3. Focus resources on the proper implementation of key Controls and sell success

It’s often believed that Information Security is a chronically underfunded practice, and that budgetary limitations are a barrier to its success. However, research by the World Economic Forum (‘Risk and Responsibility in a Hyper-connected World’) has shown that many large organisations in fact spend more than 3% of their total IT budgets on cyber security. Despite this, few have reached an acceptable level of cyber security maturity. Instead of requesting budgets to fund new technical initiatives, CISOs should tilt the magnifying glass and focus the resources they do have on the proper implementation of key controls – which have been mapped for a long time and alone can be highly successful in preventing most cyber attacks. Implementing demonstrable controls will give the business confidence that real protective measures are being put in place and that the spend is justified.

4. Pin tactical initiatives against a long-term Information Security roadmap

Within Information Security communities, the CISO is frequently regarded as a ‘firefighter’, working mostly in a reactive manner around cyber security incidents and attacks. This approach is often further fuelled by management’s short-term obsession with audit and compliance issues. While reacting to breaches or acting on regulatory demands will always remain a priority, especially as cyber threats continue to evolve and regulation increases, the key focus should be on addressing the root cause of the underlying problems. The CISO must pin tactical initiatives against the backdrop of a long term transformative Information Security roadmap and think beyond mere technical and tactical solutions. But to be truly successful, the CISO must also have the gravitas to influence lasting change and the personal skills to drive security transformation.

5. Assign Information Security Responsibilities and Accountabilities

Countless security awareness programmes follow the train of thought that Information Security is everyone’s business – across the organisation. While it’s true that everyone in an organisation can do something at their level to protect the business against threats, it cannot be ‘everyone’s responsibility’ – as this attitude can quickly drift towards becoming ‘nobody’s responsibility’. The CIO must ensure that the CISO is accountable for ensuring that the appropriate controls are in place across the organisation, backed by a sound Information Security Governance Framework. They must ensure that accountabilities and responsibilities are cascaded down to all relevant stakeholders across all silos (e.g. HR, Legal, Business units, third parties etc.).

6. Operate Information Security as a cross-silo practice and not just as a technical discipline

Information Security practice is regularly considered a purely technical discipline. However, information exists in both digital and physical forms and more importantly – is constantly manipulated by people during the business day. While technology should undoubtedly play a strong role, in many industries, a stronger focus on the other elements of Information Security is often required. In order to implement an effective Information Security practice, CISOs need to establish a controls based mind-set across all silos of their organisation.

7. Operate Information Security as an ongoing structured practice and not just a series of technical projects

Information Security practitioners always seem busy with technical projects. In fact, Information Security should be there to provide continuous and long-term protection to the business. Therefore, it should not be approached just as a series of tactical projects with a set start date, end date and check-list of deliverables. All technical projects and tactical initiatives within an organisation’s Information Security practice should be seen as forming part of a structured practice and aligned with a long term Information Security strategic roadmap – aiming to achieve an Information Security vision and deliver lasting change across the organisation.

8. Operate Information Security to focus on People and Process supported by Technology, not just the implementation of the latest Technical Products

In order to ‘keep up with the hackers’ as technology evolves and cyber attacks become increasingly more advanced, many believe that business protection is derived primarily from the implementation of the latest technical products and solutions. While it can be tempting to believe that the latest technology products are going to be the ‘silver bullet’ needed to keep the business safe, in reality there’s often more to consider. It’s critical that the Information Security practice addresses any weaknesses in the organisation’s functional structure (people and processes), before turning to technical products as potential solutions.

Thanks to JC Gaillard and Neil Cordell for this contribution. The full series, ‘The CIO Guide to Information Security Practice: 8 Key Management Pitfalls to Avoid’ can be found on the Corix Partners’ blog.

The Reporting Line of the CISO is Key to Success

Posted on : 30-04-2015 | By : john.vincent | In : Cyber Security



This article examines the organisational relationships between the role of the Chief Information Security Officer (CISO) and the corporate environment around it, with a focus on why reporting lines are essential and how they should be structured.

Why is the reporting line of the CISO still a hot topic amongst Security communities?

The actual role of the CISO varies greatly from one organisation to another – even if, on paper, job descriptions often look similar.

Of course, the best reporting line for the CISO is the one that positions the role in the best way within the organisation – in relation to the real challenges that the CISO is expected to resolve.

But in practice, corporate governance across large organisations also varies greatly, depending on industry sector and geographical dispersion. Many large organisations operate (efficiently or not) matrix organisations – and, in those cases, it’s unlikely that the CISO will have a single reporting line, leading to a large number of variations where formal and informal authority have to be combined. This is well analysed by Peter Berlich in a recent post.

Annual surveys published by the Big 4 consultancy firms over the past 10 years have been highlighting such diversity, and show that the reporting lines now span almost the entire spectrum of board members (including the CEO, COO, CAO, CFO, CRO and Legal counsel). Results indicate that a reporting line to the CIO seems to be the most common in the field, however, this still only accounts for approximately one third of the responses to the surveys on average (with all caveats due to the fact that the methodologies vary from one firm to another and respondents could be different from one year to the next).

Reporting lines into IT departments (at levels below the CIO) remain common in many industries, for example accounting for up to 26% of respondents in the Life Sciences sector according to the EY 2014 Global Information Security Survey. Reporting lines into audit and compliance departments are still commonplace today.

In addition, many of these job titles – in particular, the COO, CAO, CRO and CIO – could hide a variety of actual roles and individual profiles. This is particularly true in larger firms, where multiple reporting and “dotted lines” can also lead to situations where accountability is seen as a vague and relative concept.

In short, the current situation seems to reflect the confusion that has been surrounding Information Security Strategy and Governance for the past 10 to 15 years. Beyond the natural diversity of the CISO roles in terms of content, it seems that many large organisations have treated the CISO reporting line in a casual and ambiguous manner, instead of positioning it in the best way to protect themselves against the genuine threats they’re facing.

How important is the reporting line of the CISO?

The reporting line of the CISO is the most essential channel of authority, as it presents to all stakeholders – in an unequivocal manner – the real level of importance placed on Information Security by the organisation.

Because Information Security is a matter that cuts across too many corporate silos (HR, Legal, Business Units and IT etc.), matrix reporting and “dotted lines” should be avoided. These multiple reporting lines are rarely efficient, rarely understood fully and generally add to the confusion. This can hinder the leadership of the CISO and their ability to deliver.

It is key to go back to basic organisational principles. Ideally, the CISO should have a single reporting line – positioned at a level in the organisation that will maximise the impact of the role. The profile of the CISO should be adequate and suited to a Board-level reporting line and the CISO should have the gravitas, credibility and management experience to influence their peers (as discussed in the Corix Partners February 2015 feature on the C-Suite blog). If the Board feels that’s not the case, the Board should start by addressing this issue.

If the CISO is expected to get things done across the organisation, the reporting line should be to the CIO or the COO – as these executives are most likely to be the closest to Information Security matters within an organisation.

But ultimately, the actual reporting line decision should be made at Board level – and based on the results of a high level assessment of the maturity of security controls across the organisation.

From that point, the Board should be able to focus on inspiring the right spirit for the role – and there are, broadly speaking, three different types of profiles the CISO can fall under:

The CISO as a Figurehead

The Board may feel that the business is well-protected against Information threats and that the CISO needs to be a “figurehead” – a well-networked senior executive, credible with business leaders and capable of representing the firm at conferences and global events. A reporting line to the CEO or another board member (possibly the COO) may be suitable, particularly for industry sectors or smaller firms where controls are already a mindset.

The CISO as a Firefighter

If the Board is primarily driven by short-termist views and concerned only with the resolution of recurring audit or compliance matters, its priorities will almost always drive a tactical agenda. The CISO will end up in a complex programme manager role, constantly having to influence stakeholders and act as a “firefighter” to keep projects on track – ensuring priorities remain set as they should be across IT and the business.

A reporting line to the CIO or the COO is essential in such context, given the complexity of the CISO role and the cross-silo nature of Information Security challenges. Delegating down must be avoided at all costs, simply because it sends a highly dangerous message across the organisation. Irrespective of the personal profile of the CISO, downward delegation implies that Information Security is not that important and can only fuel internal politics and confuse prioritisation amongst stakeholders.

But this alone is not sufficient to ensure success. The actual success of the CISO will rely entirely on having a proper Information Security Governance Framework in place, one that ensures all stakeholders have a clear understanding of their respective roles and responsibilities in the programme delivery, and of the way C-level management will be involved.

Most tactical approaches in the Information Security space fail simply because they compromise too much on the last two points.

The CISO as a Change Agent

If the Board is concerned about the maturity level of controls and wants to drive lasting improvements across the organisation, the CISO needs to be a “change agent”. It’s in this situation that the positioning of the reporting line is most critical.

The reporting line must be given, without exception, to a control-minded senior executive that the Board trusts to supervise change in the Information Security space. Again, this should ideally be the CIO or the COO – and delegating down must still be avoided at all costs, as this is one of the most common failure factors.

Where controls maturity issues are serious enough – particularly in large organisations with a high Internet footprint facing serious cyber security challenges that may bring the whole business down – the CEO must consider whether the situation has reached a critical point. Here, direct involvement in the resolution of these issues is required, and the CEO must consider taking the CISO role as a direct report as a result.

In other situations, where controls maturity is low, it’s the need to drive improvement that should be a key factor in the reporting line decision – not arbitrary separation of duties considerations. Separation of duties considerations are often negative organisational devices aimed at dealing with conflicts of priorities generated by non-control-minded executives. In large organisations, these considerations can create more problems than they solve, by engineering arbitrary political barriers with the potential to damage the CISO’s leadership ability and hinder change delivery. Internal politics often make it extremely hard to influence change “across the fence” (i.e. in parts of the organisation where you don’t belong).

It is key to look at the problem from a positive angle and only give the CISO reporting line to a control-minded senior executive who can be trusted by the Board on their prioritisation, because the key issues are in their area of accountability.

How to determine the best reporting line for the CISO?

The prime focus should be on delivering results, based on a thorough examination of the prime operational focus of the organisation (People/Process/Technology) and its dependency on information attributes (Confidentiality/Integrity/Availability). The CISO reporting line should be positioned in the area where the most change is required and where most of the efforts will be targeted.

Fig 1 – Recommended Reporting Line for the CISO position

If most of the problems are in IT, the reporting line of the CISO should be to the CIO. If most of the problems are outside IT, the reporting line of the CISO should be to the COO.

Multiple lines of defence and separation of duties considerations must come second to, or be wrapped around, the need to drive results – in particular where Information Security maturity levels are low. Those can be left for the CIO or the COO to drive, as mentioned in this February 2015 feature on the C-Suite blog.

If these individuals are not control-minded or the Board feels they cannot be trusted with a Security change programme (or if these individuals simply think they’re too busy to take on the role), the Board should ask itself whether it is the attitude that the CIO or COO shows towards Security and controls which is the root cause of the low maturity situation the Board is aiming to resolve.


This article was courtesy of one of our close partners, Corix (details below).

JC Gaillard

Managing Director

Corix Partners

The upwardly mobile CIO

Posted on : 27-02-2014 | By : richard.gale | In : Innovation



Back in 2011 we discussed the challenges to progression of CIOs and the changes they could make to move up to CEO level. After reading a great article in Information Age magazine on Richard Lloyd-Williams (CTO at Net-A-Porter) we thought it would be a good time to revisit the subject.

The essence of the article is that the successful implementation of the right technology is integral to Net-A-Porter’s success “if the website is down we have no money” says Lloyd-Williams. The CIO and IT push innovation, keep the engine running and the transactions flowing. Richard’s predecessor went on to become CEO of so we can watch and see how they progress.

Net-A-Porter is a classic internet company – a great idea (selling high end fashion clothing) utilising slick branding and innovative technology. So can the same approach be used by other ‘non tech’ organisations? We think the answer is a yes but it requires certain changes in behaviour and outlook by the CIO and IT teams generally.

Business Orientated viewpoint

This is obvious, and most CIOs have a deep understanding of the business they work within. The additional piece that needs to be added is getting into the mindset of the CEO or Sales Director to understand and fully comprehend their viewpoint and drivers. This is a difficult challenge: moving away from the value-add, cost-focused, efficiency mode to true strategic thinking about the direction of the company and the path to achieve that success. A way to do this is for the CIO to be included in, and an active part of, strategic planning and ALSO its execution, which will involve extensive time alongside the CEO and senior team. A seat on the board of the organisation is a good starting point for this to begin.

Integration of IT into the business

Again we have seen this add so much value to a firm. It may not be the most obviously cost effective mechanism as local, expensive, business savvy people generally command a premium but the speed and quality of the solutions can easily outweigh the obvious costs. There has been a trend to move IT and specifically development away from the business to lower cost ‘factories’ of production. This may achieve headline cost savings but we question the overall benefit to the business. What needs to be catered for is ensuring a degree of standardisation (in architecture, documentation and supportability amongst other things) in the solutions delivered to avoid overlap, gaps and ‘instant legacy’ systems that cannot be sustained long term. Net-A-Porter manages this by having a common service orientated architecture that the business units plug in to.

Small, nimble teams

This is really part of integrating IT into the business. Small teams that can work with the business, get a deep understanding of what the business wants and deliver on that vision quickly and completely. This agile approach really does work, and it should also be flexible enough to cope with the inevitable changes of direction as the business and market change. Fewer than ten people is a good size for a team that can work closely together and communicate well, whilst having the breadth of expertise in the areas required to deliver successfully.

Empowerment & devolved responsibility

Providing support and direction to your teams whilst giving them enough scope to make decisions, and backing them up where needed, is a difficult but necessary attribute. As most CIOs have come from an IT background there is a certain level of ‘baggage’. This is usually a very positive aspect, as it is required to help make intelligent, experience-based decisions, but it can be something of a double-edged sword, as diving into the detail of an issue can be too easy. Trusting, supporting and letting the team make their own decisions empowers and motivates your people, as they feel accountable for the successful outcome.

Continuous, iterative delivery

Large projects with big steps of delivery are sometimes necessary. Most of the time, though, a big project can be broken down into smaller parts, each with discernible business benefits; this drives momentum and keeps the team – both business and IT – motivated. The ‘every journey of a thousand miles starts with a single step’ statement rings as true in IT as it does in life.


I started this blog with the aim of showing how successful CIOs can step up to the next level with the right skills and mindset. This has morphed into our thinking on a good model for delivering IT projects. The points above are truisms, but ones that we’ve seen make teams and individuals successful time and time again.

Data Analytics – Big in 2013…Bigger in 2014

Posted on : 31-01-2014 | By : john.vincent | In : Data



We didn’t produce our annual predictions this year, but as we approach the end of January we thought the topic of data analytics trends deserved some attention. So, we’ve listed the Top 5 trends in this space that we believe will be prominent, or emerge stronger, during 2014. We strongly believe that the use of data analytics to drive decisions and future strategies will be at the forefront (see our other article on moving from hype to execution).

As always, we are interested in your thoughts!

1) More emphasis on Predictive Analytics

Looking back on past performance, peer groups and trends has been the traditional way of shaping product and service strategies. However, with the improvement in predictive analytics – from an infrastructure perspective, with products like Hadoop managing unstructured data inputs, through to new tools and a new breed of Data Scientists – technology leaders can now work closely with the business to drive decision making.

2) The Mobile Data surge continues

It seems that consumers can’t operate now without their trusty smartphone or tablet. Indeed, it is estimated that in 2014 mobile internet traffic will overtake desktop usage. With the amount of data that consumers download (and tariff limits increasing accordingly), the possibilities for companies using this information to analyse customer behaviour and adapt accordingly are huge.

3) Wearables and the “Internet of Things” revolution

For the first time we are seeing this whole subject make its way onto the CIO agenda. In 2013 we saw some activity, with the release of watches from Samsung and Sony (and the continued speculation of iWatch in 2014), smart health monitors, telematics devices and so on. For this year, expect the pace to pick up with organisations looking at new products and how to tailor the data to differentiated service offerings (such as insurance premiums).

4) Data Visualisation – Part of Business as Usual

The ability of business users to take more control of organisational data, drive “what if” scenarios and visualise results through dashboards has really taken off in the last few years. Once the data was moved out of the rigidity and control of central IT departments and into the hands of users for agile manipulation, products like Qlikview, Tableau, Board and the like gained rapid adoption. We expect this to become an expected part of the end user toolkit in 2014, and also see some consolidation/acquisition in the provider market.

5) On-Demand Analytics develops further

Cloud computing made great strides in 2013, with Microsoft Azure, Amazon Web Services and other providers extending the infrastructure, product sets, security and pricing to a level that is starting to entice customers away from build towards buy. We expect a further shift from on-premise infrastructure to running data analytics compute and business intelligence in the Cloud in 2014.



Is it the time for Joint Shared Services?

Posted on : 29-11-2013 | By : john.vincent | In : Innovation



Last month we wrote about how the rate of technology change is outpacing the internal IT departments of organisations. It certainly seems that the “squeeze” is on, with cloud and external providers offering more agile compute services at the infrastructure level (now at an on-demand cost which can compete), and business consumers procuring what they need, when they need it and of course where they need it through Software as a Service (SaaS) providers.

Two years ago the ability for CIOs to raise the virtual “Red Card” at these external forces through risk, compliance, data security, cost and the like still existed, particularly in areas such as financial services (although we constantly heard anecdotes of technology services being bought on credit cards in the front office and expensed back). However, today it is more a case of working out how to protect digital assets and company reputation from the increased decentralisation of technology governance (business/end-user empowerment), whilst continuing to deliver operational services against a backdrop of having to justify value.

So, whilst this move of technology governance to the corporate edges continues, the question is “What approach should organisations take to sourcing their underpinning infrastructure commodity services?”

We have seen decades of ebb and flow for the sourcing of technology services….Outsourcing, off shoring, near shoring, right shoring (we may have finally run out of prefixes…), managed services and the like. Internally, organisations have coupled this operating model with shared service functions such as Finance, Human Resource and Operations to deliver further efficiencies. What is less prevalent, however, is collaboration between client organisations.

Large service providers have shown the benefits that economies of scale bring to running client technology platforms. However, whatever your position is on outsourcing technology, many would argue that the clients themselves do not benefit fully from these efficiencies. This is of course natural where there is a fragmented delivery chain and limited client-side collaboration. So, is the time right to extend the shared service model and create shared services, or joint ventures, between peer organisations?

If you take the infrastructure layer then we think…YES. As we said in our previous article, where is the business (or more importantly brand) value in having technicians crafting infrastructure services? There are pockets/exceptions, but typically the “compute plumbing” supporting business applications does not drive competitive advantage. However, in today’s fast moving landscape it is very easy to erode value through rigid or elongated timescales for service provisioning.

The pace of change is clearly illustrated by the transformed data centre market. Back in 2005/2006, many large corporate CIOs were scrambling to purchase their own data centres as space and power became scarce. Fast Forward to today and many of those same organisations are sitting with surplus capacity.

In the space of a few years, driven by the revolution in virtualisation and cloud computing, it would now seem a bad strategy to build and manage your own facility.

The question to ask is how organisations can collaborate together to source their compute requirements together for mutual benefit. For back office processing there have been “carve outs”, collaborations or joint ventures such as in the investment management and insurance markets. Leading on from this, there is no reason why peer organisations couldn’t combine to create a SPV/JV for their underlying infrastructure requirements. This has the potential to bring many benefits, including:

  • Increased market leverage for commodity service pricing
  • Reduced fixed overheads and move from Capex to Opex
  • Improved standards and policies in areas such as security and risk management (through collective influence)
  • Increased agility and time to market
  • Enhanced technology innovation 
  • Improved focus on core business competencies

There are many others (and no doubt many counter arguments, which we are happy to receive…).

So what stops organisations proceeding? Well, most of all we are talking about a cultural shift which, if driven from the technology organisation itself (the CIO), is unlikely to get much traction. This level of change is not something that can be technology driven. This needs to be a top down, business led discussion.

It also doesn’t apply only to technology. Many years ago (I think in the late 90s) I attended a conference where the speaker talked about measuring real company value and how organisations would over time “jettison” those operations that didn’t contribute to the customer proposition. What is left in the final end game? In the extreme example it is simply those creating the Strategy and Brand alone, with everything else sourced from the market. When you think about it, it does make sense.

Every year previously we have produced our predictions for the coming 12 months. We don’t see this happening in that timeframe but at least opening up the discussion should be on the CEOs “to-do” list in 2014…