In 2020 Covid-19 provided significant challenges to organisations around the globe, forcing many businesses to reconsider how they operate. Agile decision making is a marker of businesses that have been able to adapt to the changing situation. Consider remote working: last summer Sungard found that 95 per cent of organisations have had staff working from home, with 35 per cent reporting all staff have been working from home.
In tandem with the move to remote working, there has been a widely reported increase in levels of online engagement of all types. However, this has been met with a decrease in the levels of consumer tolerance for web outages. The increased reliance on technology has required greater emphasis on resilience, both technological and operational, and shines a light on the importance of integration between IT, the wider business and senior leadership.
It is not only in customer-facing areas where leadership attention needs to be focused. Product development, the use of advanced technologies, and securing key tech talent are business priorities that need to be acted on quickly. For some organisations the pandemic has acted as an accelerant for digital transformation (DX). However, this joined-up approach is far from universal, with some organisations still seeing IT as a “service provider” separate from business operations.
The changes initiated and accelerated by the emergence of the global pandemic are irreversible. So too are the threats to business: 2020 saw a significant increase in the incidence of cyber-attacks exploiting the broader attack surface created by remote working. The threat posed by ransomware should cause leadership to think about how they view and prioritise the recovery of data. Regulators, too, are taking a closer interest in operational resilience, which should encourage a coherent cross-functional approach, rather than a siloed approach, to IT, business continuity, infosec and supply chain risk management.
To operate successfully in this “new normal” environment, leadership interest in technology needs to shift from improving the bottom line to seeking competitive advantage by embracing digital technologies. To do this effectively they need to understand the technologies and align them with corporate strategies.
Agility and complexity
The increasing complexity of IT systems is affecting agility. As organisations grow, they may acquire legacy IT systems along with the companies they acquire. This means there can be a number of platforms operating together. And in many companies integration has been limited, making it hard to make changes or react with speed to emergencies such as the pandemic. Dealing with legacy systems that have not been integrated is a key issue.
Where an organisation is not being agile, the user base will let it know quickly enough. With people working from home, many organisations needed new collaboration tools quickly. As a result, some people started using tools that weren’t vetted by security, for example Zoom. This could have been a threat to company assets. But it was agile, and agility was necessary. The solution was for organisations to accept that people were going to use Zoom and to take them over to the more secure corporate version.
Another important strategy is to ask people what they need. But don’t do this at scale. Sending out mailshots won’t work. Instead, break the organisation down into small teams and ask them what they need. Don’t try a one-size-fits-all approach.
And take other actions at the same time. Ramp up perimeter security. Increase messaging about security so that people are reminded of its importance. Help people use the new technologies that are being forced on them. That way there is a chance that people will go from thinking about IT as a cost centre to re-evaluating it as a benefit that lets the business function by preventing outages and increasing efficiency.
In addition, businesses need to consider resilience. As new opportunities arise organisations need to be ready to seize them. This requires a “readiness” mindset where people are ready and systems are scalable. If you think defensively and focus on cost reduction, you will never be able to benefit from new opportunities.
In many ways the pandemic has ultimately benefited business efficiency. Things such as trading using slips of paper won’t work when everyone is trading remotely. You need digitalisation. And organisations that have been pushed to do this quickly realise the benefits to customers, employees and the business as a whole.
IT departments as well as organisational leaders need to be very clear about what needs to be protected. This is because regulators now require this. Security is mandated by privacy legislation, for instance. And operational resilience is required by regulators of financial services, who may define certain “crown jewels” that need particular protection.
Demonstrate that protection has been prioritised, both to regulators and the board. But compliance with regulations shouldn’t be a box-ticking compliance exercise. Regulations have a purpose. Protection should go beyond fulfilling the requirements of the regulation and instead fulfil the wider requirements of the business.
When considering how to prioritise the risks from new technology it is essential to get the board to understand what they really care about. Often it is P&L. So getting them to think about IT as an enabler of business, a way of making more money, will help get them to engage with IT’s requirements. To do this, IT leaders need to be comfortable talking about issues other than IT. Indeed, everyone in IT needs to gain an understanding of what the objectives of the business are, and how they can be supported. And junior staff need to accept that technical skills will only get them so far in their career. There is a need for communications and management skills as well.
A big problem is that security and the board often seem to speak different languages. How can IT professionals articulate IT concerns and issues effectively to decision makers if they are not speaking the same language? The pandemic has made things easier by stressing the importance to the business of robust IT systems. But another thing that has made a change is GDPR. The bottom line impact is a fine of 4 per cent of turnover: that’s enough to make any board member sit up and take notice.
But it isn’t just about money. Businesses suffer reputational damage from cyber-breaches, and so do board members. And while businesses may recover their reputation, board members frequently don’t.
IT leaders can use this type of language (money, reputation) to influence board members (always remembering that threats of disaster are generally ineffective). But how this language is used will depend on the bias of the individual board members. Some will be focused on their own reputation, others on customers, others on the business.
IT leaders also need to ensure that the IT strategy they develop is something that underpins the board’s strategy – which means they need to know what that is. This means that communication shouldn’t be one-way. It shouldn’t just be about reporting to the board. IT leaders must get business leaders to tell them what they want. There is a need to talk at the strategic level, to gain trust and acceptance. Is the board looking to move into China? The IT department must be able to describe how IT can support that move. The key is for IT to be seen as a business enabler rather than a cost centre.
- IT needs to transform itself from being a provider of services (and thus a blockage) into a broker of services where it finds solutions
- IT needs to get away from measuring cost to measuring the benefits it brings to the business
- There is a need to train the board to help them understand what would happen if things failed – the financial, operational and reputational damage that might occur: this will draw IT closer to the board. At the same time, treat board members as individuals and understand their particular agendas and fears
- Avoid doing too many things. Identify the top four or five things the business wants to achieve and create an IT strategy that underpins these. Sometimes you have to say no if you are going to do a good job
- Don’t look at things in isolation. Think about dependency mapping. Understand the key assets and processes and how they interrelate – and don’t forget to include suppliers in this analysis
- The attack vectors are changing because of remote working. Accept that and accept that you can’t protect everything. Identify and focus on the crown jewels
- Measure your success (and trumpet it). But make sure you are using KPIs that are meaningful for the business and not just IT