Natasha Nelson is a recent graduate of the Sloan School of Business at MIT. During her studies, she invited CIO Association members to participate in the research she was conducting. The research paper How Companies Achieve Balance Between Technology Enabled Innovation and Cyber-Security was recently released, and is available to CIO Association Members. According to the findings of this research, only 13% of companies believe that they have found the right balance between the two priorities, and are experiencing relatively low negative impact on innovation imposed by the cyber-security activities.
The following Practical Recommendations are offered in the conclusion section of the paper:
– Using the same questions as were posed in the survey, evaluate which quadrant the company is in, and compare with their risk and innovativeness profile in other parts of the company.
– Adjust for the industry factors and the company’s inherent risk posture to see which quadrant would be most appropriate for your firm in the short and long run. If there is no current cyber-security regulation or such regulation is not enforced, the company may be exposed to a weaker security posture; this should become a subject of a strategic discussion with the board.
– Evaluate board and senior leadership support; use frequency, length and interactivity of the board cyber-security briefings as a proxy to compare against others in this study.
– Examine cyber-risk measurement practices; specifically, ask whether the risk is measured, how often it’s measured, whether it’s used for the purposes of accountability, strategic planning, budget approval or any other purposes.
– Check for possible misaligned incentives in the organization structure; this will be especially relevant for companies with high competitive pressures to release new digital products and solutions – in these cases, if product managers are not ultimately responsible for the security of these products or solutions, an unintended set of risks might be created.
– Check for the culture, education and awareness at all levels. For example, pay specific attention to the technical education of the development teams and the education of any executives that could become victims of ransomware as well as the broader employee population who could be targeted for social engineering.
– Ensure strong technology management and governance practices.