The two most important attributes every organization must carefully protect are its revenue and its good reputation. Both result from people and processes diligently creating assets over many years of hard work, assets which have produced proprietary “data”, which gives rise to “value”, which sustains organizations and allows them to grow and move forward with direction and vision.

It is said that this resulting data is the new oil, or gold. It represents the commitment, achievement and conviction which produced the organization’s success and enabled the organization to be where it is today. Since many of these assets are best monetized through digitization, by being online, risks come tethered to them, including risks to the organization’s most important asset—people, and their online behavior. Therefore, organizations are compelled to do everything possible to protect themselves, both from ever-evolving external risks and threats and from a new set of internal vulnerabilities.

Critical Questions:

  • How best to protect the organization’s revenue and reputation?
  • What needs to be spent to achieve this optimized level of protection?
  • How not to spend one dollar more than is necessary?
  • So, how much to spend?
  • What is needed? Alignment
  • What is alignment?

Identifying Organizational Processes and Goals:

Technology supports an organization’s business processes, which serve the organization’s people, who define and drive the organization’s goals and vision. It is the people who marshal and manage the necessary resources to bring the future to fruition for the organization.

Initially, therefore, a discussion regarding alignment must start at a high level: what are the most critical business processes and resources that allow an organization to generate revenue on a consistent and dependable basis? What could disrupt these processes? What would build greater resiliency into these processes? What is the critical data generated by these processes? Where does it flow within the organization? Who touches it? When does it leave the organization? How does it return? Is the return confirmed? Where does it rest? How is it protected? How might it be better protected?

Put more simply and pointedly: what and where are the organization’s most critical money flow streams? Is the organization adequately protecting these monetization streams, each and every step of the way? Are there single points of failure? How are they being addressed? What are the organization’s contingency plans? Are they documented, shared, distributed, and updated? Perhaps, said another way: what keeps senior management up at night? Or, maybe, what should be keeping senior management up at night? Bottom line: are there steps that could be taken for the organization to perform better, faster, cheaper—or more securely? Where could the organization add needed layers of protection and improve resiliency?

To answer such questions is to understand how the technology function of an organization aligns with and supports the business functions of the organization: are they congruent and aligned, or are there gaps? If there are gaps, how are these vulnerabilities being addressed and remediated?

Planning Ahead:

This is accomplished through the Business Impact Analysis (BIA), a methodical process of examining how an organization identifies risks and manages those risks across all functional areas. The process is one of proactively anticipating unwanted future events through a rigorous discovery process.

The BIA process leads to Incident Response (IR) planning, which is conducted through “tabletop” exercises overseen by either an internal leader or an outside resource brought in for the purpose. Team members from different departments across the organization participate, working through how to respond to and recover from these hypothetical events effectively.

IR planning exercises transition into Business Continuity (BC) initiatives, which produce one or more documented game plans enabling the organization to land on its feet when an unwanted, but planned-for, incident actually occurs.

In essence, proactive planning entails coming to grips with potentially disruptive events and cutting them down to size beforehand, so that when things go awry the organization is not paralyzed. It stays in command, effectively directing internal and external resources, firmly planted in the driver’s seat and steering ahead with a clear field. It does so using playbooks distributed to the organization’s employees and relevant stakeholders, which contain individualized step-by-step action plans for designated roles, trial-tested ahead of time through the Incident Response planning process for identified potential incidents.

Going through periodic, successive Incident Response tabletop exercises yields valuable iterative feedback, which leads to revised and updated Business Continuity playbooks and to improved overall organizational and individual resiliency.

What’s the Spend:

At this point, when a significant level of understanding and alignment between business drivers and the technical resources required to support those business functions has come into focus, it is time to re-ask the question: how much should be spent to adequately protect the organization?

These discovery processes produce helpful alignment roadmaps showing which business processes are most vulnerable and thus should be prioritized for additional protection; this in turn shows where and what to budget for initially and how much spend will be needed. Further, the roadmaps point to follow-on steps over the next 18-24 months, along with the budgets those steps will require.

While these processes (BIA, IR, BC) are fundamental and need to be initiated sooner rather than later to gain 360° situational awareness of the organization’s risk exposure, there is an equally important initiative for protecting the organization’s revenue and reputation.

Big Print Giveth, Small Print Taketh Away:

To state the obvious, organizations operate in a complex and ever-evolving ecosystem of informal environments, with unspoken norms, and formalized marketplaces, with codified laws, standards, rules and regulations.

Organizations swim in an eclectic mix of cultures, customers, vendors, regulators, employees, agents, consultants, competitors, and other external variables (natural disasters, geo-political forces, etc.)—often operating on different levels of multi-faceted relationships, with other organizations, both public and private. Many of these relationships are formally defined, hence legally contractual, and therefore mutually binding.

Beyond the explicitly defined operating clauses in the various sections of these formalized agreements, there are other significant clauses regarding cybersecurity requirements, breach reporting, data security, data privacy, data ownership, data life cycles, intellectual property protection, compliance standards and adherence, use of AI and other cutting-edge technologies, cyber insurance requirements, and other diverse topics, which an organization’s counterparties fully expect and demand to be met. If they are not, there are potential consequences to be paid.

Golden Data:

Compliance with a counterparty’s seemingly benign sections and clauses is a growing area of significant concern and potential peril. These exposures are not going away, nor will they be minimized or waived. They are not trivial, and they will only grow in importance in an ever more tightly connected and interdependent online world!

Why?

For many reasons: just like your organization, your counterparties are exchanging their precious data—their “gold”—with your organization, and they want to make sure that your organization is adequately protecting it. Not only do they want it back untarnished and intact, but in some instances they even want it enhanced or further monetized, for mutual benefit!

If their data is not adequately protected, it might become corrupted and unusable, or worse, end up in the hands of a competitor. They could be sued by a regulator, or by another supply chain counterparty, as part of a larger data breach or ransomware attack, because of your inattentiveness or negligence. As a result, your organization also could be sued!

Evolve with the Threat Landscape: Stay Informed and Adaptive:

Monitoring the language specified in these agreements, on an ongoing basis, normally falls outside the purview of an attorney, a CPA, or an IT company. Nevertheless, each organization bears direct and full liability for adherence to all such provisions in these agreements. This responsibility cannot be delegated away.

When all is running smoothly, this is the perfect world all desire, or simply put: life is good, no problems! However, in the real world things do go south, and increasingly so; this is when organizations had better have their house in order, or at least have a defensible reason as to why they do not!

Therefore, someone, or some entity, preferably knowledgeable and experienced and with access to the needed tracking and supporting resources, will need to serve in the role of monitoring these contractual provisions and helping ensure that they are adhered to and enforced by the organization on an ongoing and accountable basis. Further, the organization must be able to provide documented evidence of such enforcement, in a form acceptable to outside requesting entities, when requested to do so.

Measure What Matters: Define and Track Success Metrics:

This monitoring entity is not providing legal counsel, or accounting, financial, or management advice. That is not its function, nor is it qualified to do so. Rather, it acts in an advisory capacity to the organization, not as a manager or employee of the organization. Not being employed by the organization gives this advisory entity the distance and objectivity to effectively discharge its defined duties without interference or influence, and to act and report objectively and apolitically to senior management and/or the board. Having outside independence, beholden to no specific individual affiliated with the organization, gives it credibility, which in the long run serves the best interest of the organization.

These sections and clauses in the agreements involve many moving parts, almost all intertwined and interdependent, which must be tracked and managed holistically. Being able to monitor these wide-ranging elements, and to bring timely resolution and a return to normalcy when discrepancies and variances occur, is of utmost importance to the organization. Of further significance is the ability to document how such resolutions occur, for both internal and external reporting purposes.

When mishaps do occur, failure to intervene quickly and decisively may lead to a breach of contract, giving way to lost revenue and resulting in a tarnished reputation.

A Glimpse into the Future:

The federal government recognizes the supreme value of its “data” and the extreme danger of it falling into the wrong hands. DOD contractors now have to adhere to an expanded and rigid set of data standards (CMMC), which tightly protects controlled government information. If they wish to continue to contract with DOD, or to be a subcontractor or supplier to a DOD prime contractor, contractors are required to go through a rigorous and lengthy certification process.

These tightened measures protecting the control and use of data will, in due time, spread across to other federal agencies and be further codified into federal contracting clauses. Eventually, such stringent data and cyber protection standards will undoubtedly flow down into the private sector.