In the era of digital transformation initiatives, it’s easy to view the myriad jobs that computers perform across industries as magic. Many employees can’t look at a program or other digital tool and know how it does what it does, or how difficult it can be to make everything work the way it should. When encountering a problem, an employee will typically walk over to information technology (IT) and state their problem. IT will take a look at the problem and fix it with a minute of typing and a snap of their fingers, again, just like magic.
Of course, this is not the reality of what happens. Cybersecurity and IT professionals have years of experience with the systems and the issues, which is why they can solve many of the day-to-day problems employees face with ease. However, with industries across all sectors embracing bold digital transformation efforts, the new threats that businesses and IT professionals face are becoming more varied, and the risks of operating in these spaces are compounded by inadequate risk assessment. This is because it can be a struggle to align IT with business objectives, especially when the problems are ‘invisible’ or not easily quantifiable.
It is hard to put a tangible, measurable return on security investment for cybersecurity, integrated risk management, or risk assessment. For many higher-level executives, these aren’t the sorts of problems that will pop up on their desk multiple times a day, demanding attention. Instead, if the job is being done correctly, it may never pop up. The ‘invisibility’ of risks becomes an issue when going over budgets and business processes, and C-level executives may be wondering why there’s been so much investment in these areas when there isn’t anything to ‘show’ for it. Yet, when these budgets are slashed, cybersecurity professionals find themselves with even more areas to oversee but not enough bandwidth to manage it all. This can be catastrophic and touch every area of the company when there is a big data breach. Then, it becomes a game of catch-up and a PR nightmare as organizations try to retroactively manage the threat and the sensitive information that’s been compromised, especially if it affects customer experiences.
So how can IT and risk departments combat this? How can CISOs make sure their fellow C-level executives understand that these aspects of the business need continuous investment for continued success and for the long-term security of the company’s assets? There are a few key things CISOs can focus on to highlight the value of these programs and stop digital disruption. There are several KPIs they can show to stakeholders that bring focus to how valuable it is to stay on top of threats and vulnerabilities in their systems.
Risk management departments can start by creating a value story to guide C-level executives and the rest of the company through the importance of the process. IT is often viewed as more of a cost center than a sales enabler, and that frame of mind can be detrimental to managing risk company-wide. One way to combat this is by documenting corporate and leadership objectives that the IT organization can directly impact. To have a significant impact, value stories must keep the intended audience in mind, even when there is a lack of supporting data. Gartner predicts that by keeping the messaging clear and concise when walking high-level executives through value stories, CIOs could increase funding approval rates by 30% over current levels.
According to Gartner, through 2025, CIOs who successfully communicate their organizations’ business value will maintain 60% higher funding levels than their market peers. Initial questions to start the conversation can include: What does your audience (the organization’s leadership) value most? How does, or can, IT impact that value? What metrics should I share with my executive team to demonstrate the value IT has contributed?
After asking these questions to start the conversation and give departments a starting point, you can create a message that will resonate with executives. By mapping the technology dependencies the company faces and how IT supports them, teams can choose a limited number of KPIs, focus on those, and demonstrate how they contribute to the value story, ensuring that the metrics chosen help inform decision making and show the value chain.
Your company's value supply chain could look something like this: you’re a clothing company. You order the fabric online in bulk through a secure payment app (value added), that fabric goes to the designers and seamstresses, who use tracking apps to track where the fabric is (value added) and when it will be delivered. The designers use artificial intelligence software to determine how many garments they can create out of a single roll (value added), and when those clothes are finished they go to an online store that utilizes machine learning to keep track of customers and the products that leave or enter their cart (value added). Clients can then rate their customer service experience on a secure, tamper-proof review site (value added).
By presenting a tangible narrative for the organization to connect to, and by demonstrating what IT influences, you’re showing how your IT department touches many aspects of your operation and industry and how valuable it is to every step of the process. This makes the work and effort the IT department puts in more ‘visible’ and allows higher-level executives to easily see the value of investing in the departments that manage risk and digital transformation initiatives.
To learn more about folding integrated risk management into your organization and aligning your business and IT goals, contact us.