Gartner Security and Risk Summit Recap – the More Things Change . . .

Access Risk Management Blog | Courion

Doug Mow, CMO

This spring's Gartner Security and Risk Summit drew 2,000+ attendees to the Gaylord Resort just outside of Washington DC. The event repeated at the same location as years past, and there were other repeats as well. One of the central themes of the conference and a topic that has been reiterated through a consistent drumbeat by Gartner for the past several years has been that security, as well as IT executives, must be productive participants in growing the business, or they will be relegated to the technology closet and dismissed as non-strategic. Gartner’s IT Symposium two years ago stated – there is no IT, just the business. Consider IT as integrated with the business like Finance, not separate.

The opening keynote session used the Dickens classic, A Christmas Carol, as a metaphor to communicate two different approaches to securing an organization. The Scrooge-like character preached doom and gloom, acting as the IT or security professional who is incapable of engaging in business level dialog. This character would prefer to lock down the organization to all access in the name of security, while also surreptitiously building a power base. After all, in this scenario, who holds the keys? When challenged by the business, this individual predictably becomes more technical, digging his own grave by distancing himself from the business, spouting techno-babble in an attempt to baffle other executives with BS.

A different character with a more positive disposition presented a world enabled by technology, viewed through wearable technology glasses. His world seamlessly blended personal, professional and family life, drawing from each in an efficient and informed technology palette. The applications represented vastly different worlds for the user but behaved in an interoperable way. The message was clear – here is a technical nirvana that blurs the lines between personal and professional, private and public. Also clear were the security and risk implications of living in a world so open.

While one approach attempts to secure leverage and power through scare tactics and intimidation, the other presents a world of the possible and asks, “What is required to pull off such a scenario?” with a positive, enabling tone. Gartner’s point – be a positive contributor to the dialog in order to help grow the business, not a negative Nancy.

That begs questions, such as – what are the priorities of the business and what are CEOs focused on today? How do IT and security factor into those issues and strategies? I attended another session titled, CEO Concerns 2013 and the IT Implications, to find out what IT should be focused on.  Here are some of the highlights (tweeted accordingly, @dougmow):

- The main concerns of CEOs are the economy, regulations and compliance, market strength and the role of government.

- Growth is the number one priority for CEOs. Gartner interprets this as meaning that sales and marketing technology requirements should be given highest priority.

- Cutting cost is second by a sizable margin – 48% to 30%.

- 54% of CEOs say they have a digital strategy. In 2013, that seems incredibly low. Why don’t all companies have a digital strategy in the age of smartphones and tablets?

- While growth is the primary goal, sales and marketing professionals generally do not have risk at the top of their minds.

- CEOs’ top two technology-enabled capabilities are business analytics and enhanced business reporting, and by a wide margin.

- For most CEOs, access risk is an afterthought. Not good.

One other message relative to the digital strategy issue is the role of the Chief Digital Officer. Gartner suggests that CIOs quickly claim the role to assure proper risk consideration for the company. I would debate that position, saying that a digital strategy should be much broader and encompass more than just the information technology department. It includes strategic decisions of market identification and acquisition, operational decisions, financial issues, and shareholder value strategies. Classifying it as belonging only in the IT world because digital is binary and runs on servers is ludicrous.

What’s your view? Are security and IT doing enough to help grow the business? Does the digital strategy belong in IT?
