By Robert F. Brammer, Ph.D., Chief Strategy Officer at Brainloop, Inc.
The growth of digital business, information risks, and regulatory requirements are major global business trends that have an immense impact on cybersecurity. These trends are prevalent throughout a broad range of industries – including the financial, aerospace and defense, and retail sectors, among many others – and present many opportunities and threats.
Realizing the potential benefits from digital business requires significant transformation involving greater collaboration with customers, suppliers, partners, and regulators. Performing this collaboration in a timely, cost-effective, and secure way in compliance with necessary laws and regulations is a necessary competency for many organizations.
Protection of information assets is a dynamic and significant topic for many enterprises. For example, Lloyd’s Risk Index for 2013 lists cyber risk as #3 on its list of 50 corporate risk priorities among business, economic, political, environmental, and natural hazard risks. While cyber threats from external organizations are very serious, many types of information risks also arise from lack of training and awareness of regulations and business practices or from errors in implementation.
Risk and compliance are increasingly important areas for corporate executives and board members in many industries, notably including those discussed here.
The Global Growth of Digital Business and Distributed Collaboration
Five years ago, Forrester and Adobe published a report on the future of business collaboration. In that report they state “Today’s collaboration requirements are only a midpoint on a trend line toward a highly distributed, digitally connected, partner-fueled, and customer-driven future.” In the past five years, the world has accelerated significantly toward that future.
Last year the McKinsey Global Institute published a report in which they predict that within a decade there will be more than 2 billion people with Internet access and that we will see $5T-$7T of economic impact from automation of knowledge work. Another recent McKinsey paper stated, “Digitization is rewriting the rules of competition.” The authors also observe, “For businesses, digitization is transforming even physical flows of people into virtual flows, enabling remote work through tools for global collaboration.”
In January, Accenture published a survey of “500 C-level executives from 10 economies (both developed and emerging) about the key influence on their corporate strategy over the next five years.” There are two results to cite here. First, “the ability of technology and innovation to reshape industry norms and boundaries was most commonly cited as the most important structural shift that businesses will face over the next five years.” Second, “60 percent plan to pursue growth in, or in collaboration with, other industries, and “80 percent are planning growth via new business models.”
Similar analyses and examples like the incredible growth of new technology-driven companies like Google and Facebook all show the accelerating pace of digital business and the importance of connected collaboration in the business environment.
The Global Growth of Information Risks
A recent report by the World Economic Forum contains this conclusion:
“Despite years of effort, and tens of billions of dollars spent annually, the global economy is still not sufficiently protected against cyberattacks — and it is getting worse. The risk of cyberattacks could materially slow the pace of technology and business innovation with as much as $3 trillion in aggregate impact.”
These cyber threats are very diverse. Incidents within the past 12 months arising from diverse external threats include:
- The Heartbleed incident exploiting vulnerabilities in the Internet infrastructure
- The Target breach exploiting supply chain vulnerabilities
- CryptoLocker (and further generations of ransomware) exploiting software default and human behavior
- The JP Morgan breach exploiting web server vulnerabilities
As noted earlier, many other types of information risks arise from lack of training and awareness of regulations and business practices or from errors in system or process implementation. For example, the most recent Verizon Data Breach Report notes that “miscellaneous errors” (e.g., sending email messages with sensitive information to incorrect recipients) cause more than 25% of data breaches. The report states collaboration with external partners about sensitive information can often lead to problems without proper management attention: “…business processes involving sensitive info are particularly error prone. It’s also noteworthy that this pattern contains more incidents caused by business partners than any other.”
By 2020, threats to critical infrastructure will be even more significant than what we face today. With industries accelerating digitization to improve services and reduce costs, there are many new cyber threats to sectors, such as electric power, oil and gas, national security, and transportation. These threats are not only to financial and information security, but to operations and safety. Examples such as Stuxnet and Shamoon have damaged operations in significant ways. These cases are modest compared to what could happen this decade.
The Global Growth of Regulatory Compliance Requirements
The US regulatory environment has grown steadily in the past several decades. While measuring the scale and economic benefits is uncertain and controversial, some metrics give insight into this growth. Data from the Mercatus Center at George Mason University shows that the total word count for federal regulations now exceeds 100 million. Moreover, the growth of this total has exceeded the growth of the US GDP since this analysis began in 1997. The US Office of Management and Budget produces an annual report on the costs and benefits of regulation but acknowledges the large uncertainties and omissions in their estimates. However, there is no doubt that costs in the US alone are in the $100’sB annually. Compliance elsewhere is also significant, notably in the European Union.
There are many types of sensitive personal and corporate information protected by thousands of regulations. These include regulations for personal health and financial information, export control, intellectual property, Board proceedings, public company filings, mergers and acquisition plans, etc.
The growth in the size of corporate compliance staffs and in their compensation illustrates the increasing importance of regulatory compliance. Failures have led to significant fines and imprisonment. As a result, many new Chief Compliance Officers have direct reporting relationships to top executives and their boards. Because demonstrating regulatory compliance often requires providing sensitive corporate information to government and service provider organizations, the increase in secure compliance and collaboration platforms is another indicator of the growth of this area.
Policies for control of sensitive information are particularly important for organizations with complex supply chains. These supply chains may include raw materials, finished parts, and outsourced business processes. As diverse as today’s supply chains are, they all involve sensitive information whose handling requires policies that recognize current cyber threats, regulatory requirements, and the needs to protect intellectual property. For example, Registration, Evaluation, Authorization, and Restriction of Chemicals (REACH) is a European Union Regulation for controlling production and use of chemicals and their potential impacts on health and environment. Companies involved in registering a chemical have the obligation to share data about it with government agencies and other specified organizations. Data in the registration documents is valuable intellectual property, and enterprise policies must ensure proper protection.
Addressing the Combined Impact of These Trends on Strategic Business Planning and Operations
Together these trends add up to the following conclusions:
- The growth and trajectory of key areas of information technology – cloud, mobility, social media, big data, etc. are having inescapable impacts on business plans and operations. These are now C-Level and Board issues with significant operational impact.
- Information risks have also become C-Level and Board issues. For example, the recent Target breach was a key factor in the resignations of the CEO and other executives and in litigation filed against several Directors for lack of proper oversight.
- While the global net value of regulatory compliance may be debatable, the requirements for enterprise compliance are not. The growth of digital business with larger information risks will lead to further types of regulation.
Since executives and Boards must address these issues, what are some key factors to include in the business policies, processes, and systems? We’ll discuss this and more in the second part of this blog series coming soon.
About the Author
Dr. Robert F. Brammer is the Chief Strategy Officer, Americas for Brainloop, Inc., a leading provider of SaaS solutions for secure collaboration and regulatory compliance. He also serves as the President and CEO for Brammer Technology, LLC and recently retired as vice president and chief technology officer for Northrop Grumman’s Information Systems Sector.