New Strategic Vision Needed to Thrive As a Digital Enterprise

The stakes are rising when it comes to leveraging technology to define and deliver new value. CEOs and executive team leaders are grappling with the challenges of identifying and implementing new digital business models while also wrestling with how to make smart capital investments that develop and mature the organizational capabilities needed for agility and rapid response to new market opportunities. At the same time, board directors are in a quandary, attempting to make sense of the digital landscape and to obtain assurance that their CEO and executive team are enabling the right culture, acquiring and nurturing the right talent, validating that technology investments are prudent and reasonable, and effectively capitalizing on business opportunities while mitigating security risks that threaten the company’s financial position and reputation.

Many refer to this point in time as the era of “digital disruption” or “digital transformation.” For me, these phrases seem somewhat of a misnomer. Taking a more macro and holistic look at this period, and reflecting on history as a means to understand where we are and where we are headed, perhaps what we’re really witnessing is a revival of classic laissez-faire economics. Market forces are being reshaped by technology in ways never previously imaginable. The pace of technology-driven innovation far exceeds the ability of government and regulatory bodies to put corresponding consumer protections in place, even as organizations struggle to recalibrate their information and technology governance and security to business opportunities that appear and vanish in much shorter cycles. What’s really at stake today is the longer-term survivability of enterprises as we know them, coupled with inconceivable shifts in jobs and in how people will work. And we find ourselves merely at the tip of the digital economy iceberg.

Dr. Peter Weill, director of MIT’s Center for Information Systems Research in Cambridge, Mass., says that, “in a digital economy, the whole company is responsible for generating value from digital investments.” To address this challenge, his research identified three key components on which enterprises must focus. First, there is the strategic: envisioning how the company will operate in the future. Second, there is oversight: making sure the major investments and organizational changes are on track. Third, and of critical importance, is the defensive: effectively meeting the challenges of security, privacy and compliance on an ongoing basis.

Key to meeting the aforementioned challenges? People, of course. No wonder that in Gartner’s recently released list of barriers to becoming a successful digital business, talent emerges as among the most significant. Not surprisingly, many organizations still follow the same hiring protocols they did 10 years ago. While arguably some criteria for new hires haven’t changed, such as a strong work ethic, a knack for problem-solving, good time management skills and a thirst for continuous learning, there needs to be increased focus on recruiting those who demonstrate that they are digitally savvy or who grasp the need to prioritize growing their skills in this area. This means understanding how new and emerging technologies can be deployed, how to harness big data and statistical analysis to shape new approaches to product development and deployment, and having applied knowledge of the technologies that are shaping, or will shape, the future of business, including cloud computing, AI and machine learning, blockchain, augmented reality and perhaps even the promise of quantum computing. These attributes, along with comfort with risk and uncertainty, should also help hiring managers judge whether candidates will fit the corporate culture. Simply stated, traditional hiring practices must be modernized to cultivate the right talent if organizations are to meet the challenges of the digital economy.

So, let’s not be fooled into thinking we’re okay because our company ship has yet to hit that digital economy iceberg. This iceberg runs long and spikes just beneath the surface. Navigating around it calls for “all hands on deck.” Traversing these choppy seas without incident means establishing and maturing the capabilities our organizations will need to turn on a dime when things matter most. The only way the CEO and executive teams can become confident is if the right talent is in place. Similarly, the only way for boards to obtain assurance that the corporate ship is in good hands is to be convinced that the CEO and executive team have established the right culture with the right people, and that they are effectively addressing the strategic, oversight and defensive components necessary to generate value from digital investments. As Peter Weill notes, “How good are you at each of these will predict your likely success in the digital economy.” I could not agree more. We find ourselves in exciting times—perhaps just as exciting as those who were paving the way for laissez-faire economics back in the 18th century.

Editor’s note: This article originally published in CSO.

Matt Loeb, CGEIT, CAE, FASAE, Chief Executive Officer, ISACA

[ISACA Now Blog]

Source: https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=1069

Five Takeaways from the 2018 Governance, Risk and Control Conference

At the recent sold-out 2018 GRC Conference in Nashville, Tennessee, USA, governance, risk and compliance professionals shared ideas and gathered insights on how their roles are evolving in light of enterprises’ digital transformation efforts, trends in innovation, and growing regulatory and security risks.

The conference, organized by The Institute of Internal Auditors (IIA) and ISACA, took place 13-15 August. Key takeaways from the conference include:

It’s time to challenge conventions
Keynote speaker Luke Williams, author, professor of marketing at the NYU Stern School of Business and founder of the W.R. Berkley Innovation Labs, told a packed opening session audience that organizations seldom take the time to question the underlying reasons why existing practices and procedures were put in place, stifling opportunities for innovation.

Williams said enterprises are often “paralyzed by possibility” with an abundance of incremental ideas for improvement, but tend to lack the unconventional, bold strategy options capable of delivering a major impact. Eventually, he said, organizations that lack a forward-looking openness to change will be overtaken by competitors.

Artificial intelligence brings great potential – and risks
While artificial intelligence and machine learning are gaining traction – and generating plenty of buzz along the way – organizations face difficult decisions in knowing where and when to introduce AI. In a session on the ethical considerations related to AI, co-presenters Kirsten Lloyd and Josh Elliot highlighted an extensive list of powerfully compelling uses for AI, such as advancing new medical treatments, preventing cyberattacks, improving energy efficiency and increasing crop yields. They also encouraged organizations to create an ethical review board and the position of chief ethics officer to deal with the related risks.

ISACA board Chair and closing day keynote presenter Rob Clyde implored the audience to focus on safeguards to prevent unintentional harm from AI projects and services.

Audit and governance professionals must actively address cyber risk
The volume and complexity of today’s cyber threats demand that GRC professionals and internal auditors support their colleagues in cybersecurity roles and provide assurance that the organization is prepared to navigate those threats.

In a session on advancing IT audit capabilities in cybersecurity, co-presenters David Dunn and Jon Coughlin noted that the traditional belief that a good internal auditor can audit anything is being challenged by the growing cyber threat landscape, and that standard controls might be insufficient. Internal audit functions must deepen their skills across a range of cybersecurity frameworks.

In the conference’s final keynote, Deloitte Managing Director Theresa Grafenstine called cyber risk a top priority for GRC professionals. When organizations fail to adequately address the risk, said the former Inspector General for the US House of Representatives, it is generally due to a lack of knowledge and resources, rather than not recognizing its importance.

Compliance must become more adaptive 
A combination of new regulatory requirements, such as the General Data Protection Regulation (GDPR), and a flurry of emerging technologies being deployed to enable digital transformation call for the recalibration of compliance policies and procedures.

Session presenter Ralph Villanueva encouraged compliance professionals to understand – rather than memorize – the intent of frameworks they are implementing to have a more strategic understanding of how those frameworks best align with enterprise goals. He said compliance professionals also must anticipate how emerging technologies might impact the organization’s compliance protocols going forward.

Security measurement must be improved
While more organizations are recognizing the importance of areas such as risk management and information and cyber security, it can be difficult to quantify the effectiveness of the related investments – a major concern for the C-suite. Session presenter Brian Contos said organizations need to develop more sophisticated security metrics that go beyond counting vulnerability scans and patches. Contos described several platforms capable of removing guesswork and assumptions from the security equation, while potentially freeing up resources by phasing out outdated tools that no longer serve their intended purpose.

The next GRC Conference will take place 12-14 August 2019 in Fort Lauderdale, Florida.

[ISACA Now Blog]

Source: https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=1068

What is the Path to Self-Securing Software?

As digital business accelerates application development and gives rise to complex, interconnected software systems (think Internet of Things, microservices and APIs), we must confront the fact that penetration testing, although thorough, is slow and expensive. On average, it takes eight months to identify and understand the cyber and regulatory risks associated with new software, according to research from security company Sonatype.

Software development trends compound the issue: software is being built and released faster (see the “Agile Manifesto”), but the tools and people needed to address security risk are not keeping pace.

Trends such as DevOps, which require security teams to deliver deep integration and automation of security tooling, drove us, in conjunction with the Centre for Secure Information Technologies at Queen’s University Belfast, to ask the question, “What is the path to self-securing software?”

Penetration testers and scanning tools can only exercise the parts of a website they can observe, so many aspects may fall outside the testing scope. The code, however, contains everything the website can do (functionality, data, etc.).

We were interested to discover whether there is a way to scan code and automatically understand what it is. For example, is it a website or a desktop application? Does it allow the user to enter financial or personal details? If so, where is that information stored? Such information can drive other testing tools, or penetration testers, by telling them what the code is, what functionality it exposes, what data types it handles, and so on. In essence, it can automatically inform the scope and focus of security testing.

We looked at source code parsing technology and how, by using it, we could determine what a web application actually is and does. Antlr, a popular parser generator, allowed us to build a tool that scanned website source code and gave us a machine-readable model of the website. We could then use that data to drive automated security tools.

The result? We were able to automatically understand the attack surface of a website by scanning its code. We could then use that intelligence to drive manual, commercial or open source testing, facilitating continuous, automated security testing of code under development. Because the orchestration and execution of security testing was automated, it could easily be wrapped into development teams’ daily (or weekly) processes, flagging security issues long before the system was deployed externally.

We believe that the tool we created (and have further developed at Uleska) is addressing the “pressing need to orchestrate tools and automate testing in a continuous delivery pipeline and facilitate AST at scale, as well as improve context and prioritization for remediation efforts” that Gartner has identified for so-called ASTO (Application Security Testing Orchestration) tools that are coming onto the market.

[ISACA Now Blog]

Source: https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=1067

Shining a Light on the Biggest Healthcare IT Challenges

Healthcare has experienced significant modernization and is now closely intertwined with IT. But as the industry changes and marketplace demands evolve, new challenges emerge. Understanding how to address these challenges is paramount to the future success of healthcare organizations and their stakeholders.

Five healthcare IT challenges the industry is facing
What used to be a small intersection is now a fully developed relationship. It’s nearly impossible to understand the current or future state of healthcare without looking at IT and the role it is playing.

Even with all of the good things that are happening, there are some challenges, hurdles, and points of friction that must be dealt with and overcome. Let’s highlight a few of the more significant ones you should know about.

1. Data security
Data breaches are, unfortunately, a part of modern life. As more data is created and stored online, attackers will continue to go after valuable information, and because patient records are both sensitive and valuable, healthcare providers are often primary targets.

The challenge moving forward is for organizations to be more protective of their data without adding unnecessary layers of bureaucracy. Better access control and simplified reporting will play key roles.

2. Network integration issues
On the business side of healthcare, there are plenty of mergers and acquisitions. Unfortunately, they often lead to network integration issues. The biggest challenge involves blind spots.

“Blind spots are areas where IT does not have complete visibility into what is happening on the network or how applications are behaving,” explains Keith Bromley of Ixia. “Mergers between IT systems for any organization, especially healthcare systems, take time. The problem is that patients and doctors do not have time to wait. Electronic medical records (EMR) must be available at all times, for all patients.”

Figuring out a way to smooth over these transitional points and prevent blind spots from occurring will be a key focus in the months and years ahead.

3. Remote patient care
The latest research suggests that 71 percent of all healthcare providers use telehealth or telemedicine tools to connect with patients. Considering that just half of healthcare providers were using telemedicine solutions and services in 2014, this represents a rather steep increase in adoption. The expectation is that close to 100 percent of providers will be using solutions like these by as early as 2021.

But there are still some distinct challenges. One such challenge is the issue of helping patients get the care they need after leaving the direct care of the healthcare provider.

“As a physician, I know that medicine is important to people’s health, but the vast majority of what determines a person’s health is not medicine, it’s the ability to take care of themselves, live well, manage disease, and give care to others outside the doctor’s office,” says Stacy Lindau, MD, who has worked closely with Rush University Medical Center to incorporate the NowPow platform to help them connect with patients after they leave.

The more sophisticated platforms like these become, the more well-rounded patient care will become.

4. HIPAA compliance
Whereas cybersecurity and strict BYOD policies are important for businesses in every industry, issues like these are even more challenging in healthcare. HIPAA rules are strict about unlawful disclosure of protected health information, and even unintentional mishaps can result in large fines and significant reputational damage.

Having a plan in place for dealing with ransomware is crucial for healthcare organizations of all sizes. Encryption and backups are important, but they may not be enough on their own: backups must be kept where ransomware cannot reach them, and restores must be tested regularly. Organizations that consult with cybersecurity experts specializing in HIPAA will see the biggest benefits.

5. Consumerization of medicine
“A big area of interest for healthcare institutions is the consumerization trend in which information is being collected and made available to mobile and web-based devices. For instance, hospitals are now embracing bring your own device (BYOD) for healthcare professionals and support the use of patient accessible Wi-Fi,” Bromley explains.

As consumerization increases, it’ll be important for healthcare organizations to choose the right technologies and use them in the appropriate ways. A failure to invest in the best solutions for the application will bog organizations down and create additional friction that hurts the patient experience (not to mention the practitioner’s experience).

Putting it all together
Healthcare innovation happens at a startling pace. From pharmaceuticals to health procedures, changes are occurring around the clock. From an administrative perspective, however, few areas are more important than successfully managing and governing the technology that enables the innovation. As IT progresses, so will the healthcare industry.

For IT professionals, understanding this relationship will help you get a firmer grasp why certain developments are taking place and what direction the industry is headed in the future.

[ISACA Now Blog]

Source: https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=1066

GDPR – How Organizations Are Adjusting to the New Era

On 25 May 2018, the world did not stop simply because the General Data Protection Regulation (GDPR) became enforceable. For many organizations, however, the enforcement date became a distraction, an unofficial deadline. In reality, there was no finish line.

We all recall the panic-driven deluge of marketing consent emails from companies this past summer – some we engaged with, many we forgot about and others we never even noticed. That deluge has now slowed down to a trickle.

Also, noticeably quieter are the salespeople peddling “GDPR-compliant” and “one-size-fits-all” solutions. Foreboding news headlines no longer scream about fines of up to 20 million EUR or 4% of total worldwide annual turnover for the slightest misdemeanor.

Three-plus months on from the enforcement deadline, here are a few observations and reflections on how organizations are adjusting to life under the new European privacy and data protection regime.

#1: Business as usual for some?
It would be inaccurate to say that organizations have quickly thrown off the restraints placed on them by the GDPR regarding the processing of personal data. However, it would be equally inaccurate to claim that poor data protection practices have been fully discarded and that we are now living in an era where organizations treat our personal data appropriately.

For Europeans at least, there is evidence of some change in behavior from large technology and global marketing companies, some of whom are already under scrutiny by regulators. For some other organizations, however, GDPR fatigue has begun to set in and organizational priorities are shifting from expensive programs to other hot-button enterprise risk issues.

GDPR compliance initiated a rush of activity that led to the creation of (or updates to) policies, procedures, system inventories and contracts. Some organizations brandished these new shiny documents as their evidence of being “GDPR-ready.”

However, having controls without a plan to assure that their design and operating effectiveness achieve the desired control objectives is a half measure. Weak governance and the absence of privacy assurance programs increase the risk of a return to the past.

In reality, control effectiveness cannot be fully determined until after a designated cycle of operation. It may take at least one year before we start to see true changes in organizational attitudes toward data protection.

#2: Integrating privacy into enterprise risk management
Forward-thinking organizations saw GDPR compliance as an opportunity to return to the drawing board and, in some cases, revisit their approach toward enterprise risk management.

Far from simply fulfilling a checklist of requirements, some organizations used their GDPR compliance programs to test the alignment between their operational risk, information security, IT governance and privacy functions.

This also was an opportunity to embed privacy risk into enterprise risk management frameworks, check the health of three-lines-of-defense models, adjust risk tolerance levels and develop new key risk indicators (KRIs) to provide end-to-end assurance.

Where new privacy risk management processes (such as steering committees) have been implemented, they will need time to develop traction. In the long term, the right approach could see organizations improving the maturity of their data protection controls while also improving their overall enterprise risk posture.

#3: The “SAR-pocalypse” did not happen
It just didn’t.

Depending on who you spoke to, the increased public awareness of privacy rights enshrined in the GDPR would unleash an avalanche of data subject access requests (SARs) from incentivized or incensed data subjects.

Executives feared that customers, disgruntled employees and coordinated activists flexing their new regulation-enabled muscles would bombard their service desks with requests seeking to enforce rights of access, erasure and others.

The term ‘SAR-pocalypse’ (a hypothetical denial-of-service scenario caused by an organization’s inability to manage an excessive volume of SARs) was whispered in hushed tones with real concerns that failing to deal with requests within the required period could attract penalties.

In the weeks just before and after the enforcement deadline, many organizations did in fact see a sharp rise in the number of data subjects requests they received. However, many of those requests originated from people annoyed with the panic mass mailing campaigns in the weeks prior to the enforcement date. Understandably, many of the requests were for erasure and account deletion.

A retail organization I spoke with noted a higher-than-usual volume of requests in the weeks leading up to 25 May. Requests to be erased reached an all-time peak in the weeks following. However, by mid-June, those numbers had begun to drop. By the end of August, request volumes had returned to pre-25 May levels.

I have yet to hear of any organization admitting that its service desk toppled over under a flood of SARs. However, organizations should not trivialize the need to keep their personal data flows up to date and to keep testing the effectiveness of their process for responding to SARs and other GDPR-related queries.

#4: Waiting to see what the regulators will do with penalties
‘Data Breach Scapegoats Wanted!’, wrote one satirical industry commentator on social media.

While Europe’s regulators adjust their oversight machinery to be able to effectively police the GDPR, there is a collective holding of breath by organizations waiting to see what precedents will be set with post-25 May financial penalties.

Perhaps the most high-profile data privacy related incident to hit the headlines since the GDPR enforcement deadline was the one involving the infamous Cambridge Analytica. For its part in the scandal (which preceded the 25 May enforcement date), the UK Information Commissioner’s Office (ICO) fined Facebook £500,000 (the maximum fine under the old UK Data Protection Act 1998).

Data privacy breaches continue to be reported, and post-25 May, the UK regulator has continued to take enforcement action against erring organizations. For example, British Telecommunications plc (BT) was fined £77,000 (hardly 4% of their global annual turnover) for sending nuisance emails to customers.

When scrutinized through the lens of Article 83 (“Each supervisory authority shall ensure that the imposition of administrative fines…in respect of infringements…shall in each individual case be effective, proportionate and dissuasive”), it might be a while before a “GDPR-scale” maximum penalty is imposed on any organization.

The absence of scapegoats may be because Europe’s regulators are either overwhelmed with data subject complaints or simply biding their time until they find the right opportunity to set a dissuasive precedent.

Rather than waiting for precedents and second-guessing regulators, organizations should continue to improve their incident prevention, detection and response procedures while maintaining a state of readiness for potential data breaches.

#5: After the hype, what comes next?
As the GDPR hype starts to wane, organizations should not lose sight of the wider benefits that can be derived from an improved attitude toward data protection.

For example, there will continue to be opportunities to improve data governance and unlock business insights from the personal data they lawfully process if organizations maintain their discipline around personal data collection and processing.

As informed consumers continue to exercise their enhanced consent rights under the GDPR, available inventories of user data are likely to come under pressure. By focusing on data quality (including processing data that is “adequate, relevant and limited to what is necessary”) rather than scale, organizations can improve engagement at different points within the customer journey.

The Privacy and Electronic Communications Regulations (to be superseded by the ePrivacy Regulation) remain a hot topic and the next keenly anticipated regulation from Europe. Correctly implementing GDPR requirements should have placed most organizations in a good position to adopt the requirements of the ePrivacy Regulation.

While senior executive support for GDPR remains warm, Data Protection Officers need to test their newly minted powers and ensure that their independence (including avoiding conflicts of interest with other tasks and duties) goes beyond qualities and responsibilities listed in a job description.

There is no turning back
The reality for many organizations is that GDPR program funding and resources will move elsewhere. Data privacy champions will change roles. Vendors will come and go. Applications will be developed and retired. Meanwhile, more countries and jurisdictions (like California) are likely to strengthen their own data privacy laws. The journey never ends.

Somewhere in all of this, care must be taken to avoid the slow erosion of data protection controls arising from negligence and poor governance and a return to the old ways. Seeing the GDPR not as a checklist but as an opportunity to transform corporate attitudes and embed good data protection practices will help organizations thrive under the new privacy regime in the long-term.

Editor’s note: For more GDPR insights and resources, visit www.isaca.org/gdpr.

[ISACA Now Blog]

Source: https://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?ID=1065
