The fundamental changes to the way in which professional services can be delivered through the Internet were described in Chapter 1. They introduce a new business model where the focus is on providing value-added services to clients, and the professional charges according to the value of services, rather than time spent.
The Internet also introduces new types of risk requiring a new approach. These risks affect all areas of an organisation at all levels. The rapid pace of change in Internet technologies means new risks are constantly evolving and, therefore, need constant control, management, monitoring, audit and review. The introduction of a team of skilled personnel influencing the management of key areas has implications for the overall framework governing the strategies and operations of an organisation.
An organisation’s strategy is its overall plan for successful management and performance. Its operations are the mechanisms in place to achieve its objectives.
Strategic change involves three key stakeholders: the Directors or Partners of the organisation, its clients and its strategic allies.
The approach of directors or partners is critical to managing cyber risks. As the use of Internet technologies increases, they must become familiar with the various risks arising within the organisation and the fact that these risks develop and change in irregular patterns. The risks are not structured and are difficult to anticipate because that is the nature of Internet technologies.
They need to become familiar with the concept of relying upon a team of experts for the development of strategies which, formerly, might have been their own responsibility. This consultative approach should be extended to clients and strategic allies who also need to be considered in the implementation of solutions.
They may be concerned about the viability of introducing a cyber risk management project and will want to identify some tangible benefits. They will have to understand the need for, and be willing to fund, new technology and any new personnel and services that may be involved, particularly as the initial investment may increase overheads significantly through the import of technology and the salary demands of skilled personnel.
Clients and consumers
Internet technologies empower clients and consumers in the relationship with a supplier. The consumer has the capability to be much more demanding. This will continue in an increasingly consumer-led market. Organisations need to address this as part of their client relationship management strategy. Clients should be involved in the implementation of security strategies, both in terms of their deployment and their compatibility.
The introduction of new ways of delivering services and their management has certain implications. Clients may eventually want routine access to professionals’ information technology systems. The introduction of an e-mail policy may have implications for the way instructions are received from, and implemented for, certain clients. If the organisation proposes to introduce encrypted e-mail communications, consideration will need to be given to clients’ systems and any interoperability issues.
Clients need to appreciate that their own interests are protected. Standards of legal compliance (for example, data protection), technology systems (for example, the employment of encryption systems) and operational management (for example, the management of e-mail communications) need to conform to levels that are acceptable to clients.
Strategic allies
Internet technologies enable online strategic alliances to be formed. Extranets enable parties to a transaction to be privately networked for exchanging information, as well as document sharing, and conducting transactions. Many professional organisations create these networks for the more convenient servicing of large commercial clients. These collaborations are sometimes referred to as ‘virtual deal rooms’.
There is considerable potential for this type of network to penetrate all areas of professional practice, where accountants, financial services providers and surveyors might comprise a team or a ‘supply chain’ for providing services to specific consumer sectors.
Organisations need to address the security concerns of others in the supply chain as these strategic alliances develop. Agreement will need to be reached over suitable solutions. Strategic allies will almost certainly require some assurance in respect of the organisation’s security policy before introducing new work.
Operational issues arise from the activities that the organisation undertakes in developing and delivering its services. There are two key operational functions for which a cyber risk management strategy has implications – information technology and the firm’s personnel.
Information technology
Traditionally, information technology has been a tool for the more efficient performance of an organisation and the more effective delivery of its services to clients. While this still remains the case, Internet technologies also change this perspective because they change the model for provision of the services.
Through the Internet, information technology becomes a tool upon which an organisation is likely to depend for its survival in an increasingly competitive marketplace. Poorly managed technology systems will not only affect the organisation’s competitive advantage but also expose it to considerable risk. Effective management of information technology operations becomes critical. The approach must be to use technology not simply to provide a more effective service, but proactively to anticipate and manage client needs. Management of cyber risks is one aspect of proactive management.
Personnel
As electronic services become all-pervasive, personnel at all levels of the organisation are likely to be involved in some way, whether they are providing services, communicating with clients, or concerned with support services, for example administering electronic payment systems. The traditional model in which departments tend to operate autonomously will not help in the management of cyber risks – where a collaborative approach is required.
The efficiently managed organisation ensures that all personnel understand the principles required for the handling of personal data. Marketing personnel collecting personal data from an organisation’s website need to liaise with the IT department to ensure secure data storage and with the legal department to ensure data protection compliance. Those in the IT department responsible for posting content on the firm’s website need to work closely with the legal department to ensure regulatory compliance. The finance department needs to co-ordinate its operations with the IT department over the introduction of new technology. This introduces the need for a knowledge-sharing culture within the organisation – moving away from the hierarchical structure, towards a team-based approach.
A methodical, carefully planned approach to change is more likely to succeed than a strategy developed in reaction to an unforeseen crisis requiring drastic action. The process of change differs between organisations, and individual organisations should devise strategies for managing change that fit most comfortably with their structure, culture and client base.
The character of change depends on the style of management, the culture of the organisation and the rights or privileges enjoyed by the workforce.
Where particular individuals or groups have exercised influence, or have superior skills, account should be taken of possible changes of status, responsibility and accountability.
Directors and Partners will have most knowledge of the culture of their organisations. The shifting characteristics of Internet technologies mean that other personnel may have a greater knowledge of, for example, legal and IT issues.
The organisation must develop a flexible, proactive, measured response, but because of the pace of change must also be aware of the need to act collaboratively and with speed as the need arises.
Change needs to be planned. The most effective method is to present details of the plans to all concerned and inform them fully of the implications.
An implementation plan can be devised with a chronological outline of the various steps to be taken. The plan should explain the new responsibilities and accountabilities of the personnel involved. It is helpful – and practical – to discuss the implementation process with those most affected. It is they who will have the greater understanding of the day-to-day impact of the changes upon their positions.
It is particularly important to take account of representations and comments made by personnel who have regular contact with clients or strategic allies. There will be no benefit if the plan alienates clients or agencies upon whose goodwill the organisation depends.
Those charged with introducing change must identify the key issues to be addressed, and ensure acceptance both by those responsible for implementing it and by those upon whom it will impact.
In respect of cyber risks, these features operate at board, partnership and cyber risk team level. The Directors and Partners define the plan at strategic level and the cyber risk team will be concerned with implementation at management level. There may be a strong case for change, but how can change be sold to those to whom the changes may be most inconvenient or even threatening? The introduction of a skilled and influential team of individuals at senior level could lead to a number of problems.
One analogy is the introduction of specialist financial management, marketing and IT professionals into law firms in recent years. Law firms now realise that their skills lie in providing legal advice and expertise, and accept that other professionals have greater expertise in their own areas.
A holistic approach to change is important in respect of cyber risks. Nothing will be gained by importing sophisticated technology to meet information security needs if corresponding investment is not made in educating and training personnel in its use and application. A broad view is required. Departmental hierarchies must be discouraged and personnel must become accustomed to working in teams with new ideas, concepts and performance standards.
The management of people in the context of managing change needs special attention. It is almost inevitable that there will be resistance to change from certain quarters. A key factor in successfully managing people during a period of change is the provision of timely and relevant information so there is a greater understanding and awareness of the aims and objectives of the project and a greater willingness to participate in its implementation.
Perhaps the easiest approach to implementation is the adoption of one or more of three methods. The first is a time-based trial. The project is introduced for a short period of time, during which areas of difficulty are identified and corrected before the project is launched substantively.
The second approach is to launch a pilot project. Defects in the project plan can be eradicated at an early stage.
The third approach is to adopt a phased implementation. The project should be implemented by acceptable stages over a period of time. Once each stage is reached and completed satisfactorily, the project continues to the next stage. This approach can be most useful where the success of the project depends upon the acquisition of new skills by personnel or perhaps where large numbers of personnel are involved. The value of the third approach lies in the ability to retain control of the changes that are being implemented on a bite-sized basis.
As the influence and use of Internet technologies develop, organisations face rapid change. Internet technologies are mercurial. Their development is rapid and uncontrolled – almost anarchic. Organisations must create and develop flexible strategies, supported by commitment and resources, which are implemented by those with adequate skills.
Six key characteristics are likely to develop in organisations adopting a comprehensively effective cybersecurity strategy. These are the ability to:
• manage increasingly demanding client expectations;
• form and manage online relationships;
• assemble and manage a multi-skilled professional team;
• comply with domestic and international law;
• harness the skills of personnel at all levels;
• develop collaborative strategies.
It is from meeting client expectations that cyber risks arise. Internet technologies enable clients to demand instant, global service. They will expect professional services to be available constantly because Internet technologies afford this facility and clients themselves employ the technologies within their own enterprises.
Commercial clients are, in general terms, more advanced in their use and understanding of technology. Large commercial clients, and increasingly smaller ones, use Internet technologies routinely. They have the same expectations of professionals who compete for their business. The cybersecure organisation needs skills and working practices to manage this demand, and to reduce or avoid the risks to which the competition for business exposes it.
Organisations need to develop confidence in forming online relationships. These include relationships and associations with strategic allies which may be global. As this confidence develops, organisations will widen their services, devising ways of using Internet technologies to improve delivery of existing services and create new services.
A cyber risk management strategy will be structured upon individuals and teams, according to the size of the organisation, highly skilled in specific areas. For example, the skills of the IT team might include experts in security issues to introduce new solutions to technology risks, offer new facilities to clients and, in so doing, present new business opportunities.
The global feature of Internet technologies requires a strategy to ensure that within the organisation there is adequate knowledge, or access to such knowledge, of international law and its implications for the organisation’s Internet strategy. As the Internet enables clients to develop their businesses internationally, they will expect professionals to be able to provide responsive services.
Organisations must develop skills in personnel management. Internet technologies involve personnel at all levels because the incidence of cyber risks has the potential to occur within all departments at almost every level. The cybersecure organisation must ensure that risks are managed at all levels, and personnel are encouraged to recognise risks and to take an interest in their identification and management.
Both internally and externally, collaboration is a key feature of the cybersecure organisation, demanding an increasing dependence upon teamwork. The composition of the cyber risk team itself is an illustration of the need to develop strategies collaboratively. It comprises individuals from different areas within and beyond the organisation, working together to develop and implement cyber risk strategies. It is dependent upon others for its information and upon collaboration with the partners and consultants for its effectiveness.
The cybersecure organisation’s strategy will rest upon the formation of collaborative relationships. Internet technologies provide an opportunity for collaboration among all participants in the supply chain, similar to the principle upon which the ‘one-stop-shop’ operates. Collaboration already arises in terms of marketing, as is evidenced by the importance of linking to the websites of strategic allies. In all collaborative arrangements, there are common ways of working, reciprocal arrangements and integrated systems. The particular interest of the organisation will be to ensure that there is appropriate integration and employment of compatible security measures throughout the supply chain for any given transaction.
Critical though a comprehensive cyber risk management framework is to any organisation using Internet technologies, it must also operate as part of the organisation’s overall management infrastructure and perform as a logical and rational component of the organisation’s business strategy.
In order to ensure this, the adoption of good governance principles and processes is necessary, so that the activities of the cyber risk management team remain aligned with the organisation’s strategic goals. Chapter 5 explained the three components of governance of most importance to cyber risk management.
Corporate governance requires clearly defined roles of responsibility and accountability, transparent decision making, recognition of stakeholder interests, and a cohesive and relevant risk management strategy.
IT governance is a subset of corporate governance and requires the adoption of corporate governance principles with the objective of ensuring that an organisation’s IT strategy remains aligned and operates to achieve organisational goals.
Project governance is also a subset of corporate governance and sits alongside IT governance – most IT activities are, in effect, individual projects. Project governance also embraces corporate governance principles and adds to them the need to identify resources to implement the project; monitor, review and audit the progress of implementation; deploy resources so as to obtain maximum value and benefit; adopt a formal risk management strategy; and ensure the project remains aligned with the strategic objectives of the organisation.
How does the cyber risk team integrate itself into the overall corporate, IT and project governance principles and procedures of an organisation?
The cyber risk team itself should adopt governance principles in the course of its operations. This is particularly important for establishing order and logic in the implementation and execution of the many projects it may face. Internet technology risks are anarchic in nature, emerging suddenly and without warning, and often requiring urgent and comprehensive solutions. The application of sound governance principles will help the team provide a coherent and relevant response.
The responsibility for setting the strategy (including the Internet risk strategy) is that of the Board of Directors or Partners and this responsibility should be undertaken with the application of corporate, IT and project governance principles at the outset. Below the Directors and Partners, management teams or committees ensure that the Directors’ and Partners’ strategies are overseen according to plan. Below management teams, executive teams or committees attend to implementation, monitoring, review and audit processes, then report back to management which, in turn, is accountable to the Directors and Partners.
The level at which the cyber risk team finds itself is that of a management team. It will receive strategic directions from the Board, the implementation of which it will delegate to appropriate teams or individuals within the organisation, from whom it will receive progress reports.
However, in view of its specialist knowledge, particularly in the area of Internet risk technology and legal compliance issues, it may also provide advisory services to the Directors and Partners on the management of existing cyber risks and on management strategies for emerging risks.
The size and composition of the cyber risk team will depend on the size, nature and activities of the organisation. A small organisation might confine itself to members comprising a director or partner, the head of the IT department, an external consultant for legal compliance issues, the head of personnel, a risk manager or officer and an external consultant in respect of information security issues.
Medium-sized and larger organisations will require a more complex framework. The cyber risk team(s) would recommend and, if authorised, adopt relevant governance tools and methodologies in implementing its various projects.
Internet technologies emerge and develop at a rapid pace and have revolutionised the way in which business, commerce and professional services are conducted, both domestically and globally. No trade or profession can escape their all-pervasive influence and for many organisations they have produced the considerable benefits of rapid expansion, increasing economies of scale and consequential profitability.
However, such a glittering scenario can only be achieved at a price – effective and comprehensive management strategies to address the sudden, unforeseen and anarchic range of risks that Internet technologies alone can present to organisations. These risks are many and various and are emerging continuously.
The prudent organisation should keep a vigilant watch because the consequences of not doing so are potentially catastrophic. At a stroke, the Directors and Partners may find the reputation of their organisation in ruins, quite apart from being exposed to criminal proceedings or civil claims for damages for illegal activities by their employees.
The prudent organisation that harnesses Internet technologies by engaging the necessary skills, adopting suitable governance frameworks and applying the correct governance tools for managing cyber risks will surely be assured of remaining well protected and competitive in its market.