Have our institutions become too complex to secure?
At a recent board meeting, the chief information officer (CIO) of a major global corporation led a wide-ranging discussion about the tools and practices needed to fortify the company’s data and systems against breaches. The board encouraged heightened investment and vigilance then moved on to its next agenda item, a financial committee presentation leading to a board vote on acquiring shares to consolidate ownership in an enterprise in which the company held a minority stake. To the surprise of the CIO, who was still in the room, there was no discussion of cybersecurity, even though the acquiree was operating in a region where cyberbreaches and criminal hacking were endemic. Happily, the CIO’s fortuitous presence enabled a proper discussion of the effect of the decision on the company’s cyber risk profile and a change in the acquisition approach aimed at bringing the acquiree more fully into the corporation’s information-technology (IT) and operational infrastructure.
The board had not connected the dots between the two agenda items because its view of cybersecurity, as well as that of the chief executive officer (CEO), was more focused on risk dashboards and surveillance than on the security implications of business decisions. It is an issue that has recurred in many forms for years. Simply put, far too many boards and CEOs see cybersecurity as a set of technical initiatives and edicts that are the domain of the CIO, chief security officer, and other technical practitioners. In doing so, they overlook the perils of corporate complexity—and the power of simplicity—when it comes to cyber risk. We propose, in fact, that leaders who are serious about cybersecurity need to translate simplicity and complexity reduction into business priorities that enter into the strategic dialogue of the board, the CEO, and the rest of the C-suite.
Questions such as the following can help catalyze this conversation:
- How does a full accounting of cyber risk affect our business model’s attractiveness, and does that suggest the need for a “simplification agenda”?
- How transparent are the cyber risks and trade-offs associated with our external partnerships, and what would be the pros and cons of simplifying our ecosystem to make them more manageable?
- How risky are our IT-enabled legacy processes, and how should we prioritize investments to secure, simplify, and transform them to achieve competitive advantage?
Leadership teams who grapple with questions like these and embrace simplicity boost their odds of making the entire enterprise securable.
Even a decade or so ago, the technical operations, systems, and footprints of many large companies had become extremely costly and complex. Breakneck digitization in the smartphone era has exacerbated matters, as companies have increasingly created ecosystems with a variety of new partners to help expand their reach and capture new, profitable growth. They range from supply chain relationships across goods and services (including IT services) to partnerships for data, distribution, marketing, and innovation. Even more recently, the business challenges of the COVID-19 pandemic have spurred faster adoption of digital solutions that rely on data, digital networks, and devices that are most often operated by companies outside the organization’s borders.
The technology architecture of many organizations, often made up of layers of legacy systems with multiple constraints on their flexibility, represents an ever-expanding dimension of complexity. (By contrast, many digital-native companies of more recent vintage have a simplicity advantage. These companies are built digital from the ground up, using more recent generations of IT, standards, and techniques meant to create increased interoperability across systems.) Legacy structures are often riddled with open seams and soft connections that can be exploited by attackers, whose capacity to infiltrate sprawling systems has grown. The pressures on these legacy structures have intensified as companies have pushed their current IT to keep pace with the digital natives. Mergers often multiply risks by connecting already complex networks of systems, which makes them exponentially more complex.
As a result, complexity has driven cyber risks and costs to dangerous new heights. The numbers of significant cyberattacks globally are increasing and include potentially devastating criminal ransomware attacks and nation-state activity targeting government agencies and defense and high-tech systems by, for example, breaching IT network-management software and other suppliers. Each major incident exposes thousands of users (at both companies and government agencies) to risk and can go undiscovered for months.