Developing Organisational Cyber Resilience – A Core Process for Digital Transformation
Digital transformation and innovation is one of the key agendas for almost all enterprises. As the world becomes increasingly hyper-connected through digitisation, enterprises are increasingly having to become more agile in their approach to shorten their strategy and execution life cycle. The resulting digital transformation agenda to drive innovation, growth and delivery of services at reduced costs is forcing senior decision-makers to commit resources more quickly. This requires enterprises to become more agile, by evolving mutual trust, shared understanding, collaboration and communications across traditional silos and with their supply chain, partners and customers.
The rise in cyber risks associated with digital transformation can act as a ‘brake’ on large enterprises’ willingness and capability to be agile in exploiting the opportunities of digitally driven innovation. Often cyber security, despite being defined as a strategic risk, is delegated to IT and security to ‘manage’. These risks, as JC has previously argued, arise in part from inadequate controls and governance. Yet there is an approach to developing organisational cyber resilience that provides boards, CEOs, CIOs and CISOs with the means to elevate and integrate cyber security into a business-focused approach. This in turn enables more effective governance of organisational digital transformation agendas, driving innovation and growth within the increasingly complex and dynamic hyper-connected world.
The business case to do this is based upon the premise that a highly cyber resilient enterprise is more agile than a less resilient one – and therefore better able to exploit the opportunities of an increasingly hyper-connected environment. A suggested approach to developing cyber resilience is based upon the British Standard Guidance on Organisational Resilience (BS 65000). BS 65000 describes Organisational Resilience as “the ability of an organisation to anticipate, prepare for, respond and adapt to incremental change and sudden disruptions in order to survive and prosper.” The good news is this is exactly what is also required to achieve the board’s strategic digital transformation agendas – because this is not just about controls and risk management, but exploitation of opportunities.
Digitisation has many aspects, but in simple terms it is the combined networking effects of increasing amounts of connectivity linking data, devices and people. This creates a value chain that enables people and enterprises to be more agile in their information exploitation through developing shared understanding and collaboration, to continually improve and innovate. This is leading to an era of exponential change due to the combined effects of hyper-connectivity and the resulting dynamic and complex environment, which disrupts traditional services, processes and operating models. It is therefore essential for large enterprises, which are increasingly ‘digitally challenged’ by start-ups and digital enterprises from different sectors, to apply an organisational resilience approach.
Digital transformation therefore means cutting across traditional internal and external stovepipes, to develop mutual trust, shared understanding, communications and collaboration. Ultimately, it involves developing a more agile enterprise, which has the ‘DNA’ to be responsive, robust, flexible and adaptable. By placing people at the centre of cyber resilience, ranging from senior decision makers to managers and staff in all functions, to cyber security and IT specialists, they are also best placed to exploit the opportunities of digitisation as their understanding and confidence increases.
This can be achieved by using an agile approach based upon structured, situation-focused experiential learning for individuals and organisational development. By investing in this ‘board room to server room’ approach towards developing different skills, processes and structures dynamically – whilst being underpinned by essential information assurance and technology solutions – organisations can develop a more adaptive cyber resilience capability. In this way, boards, senior executives and the whole organisation will elevate and integrate cyber security into a core business process by developing an ‘Agile Organisational Cyber Resilience Capability Roadmap,’ as illustrated below:
Therefore, in conclusion, a highly digital enterprise that is cyber resilient is more agile than a less resilient one – and better able to exploit the opportunities of an increasingly hyper-connected environment. This organisational ‘DNA’ or agility to be responsive, robust, flexible and adaptable is enabled through digitisation, or the fusion of digital technologies, data, new structures and processes – exploited by people with additional skills and changed culture. There is an interdependent relationship between digital transformation and organisational cyber resilience – and unless organisations recognise the two and drive the skills and culture to support them, both digitisation initiatives and cyber security will be less effective in an exponentially more complex and dynamic hyper-connected world.
Richard Preece is a Director with DA Resilience; he is an experienced organisational agility and resilience ‘hybrid’ consultant and leader, who connects business and technical leadership of digital innovation, cyber resilience and data protection.
The opinions expressed by guest bloggers are their views and do not necessarily reflect the opinions of Corix Partners.