Who would have ever thought that a recruiter, hiring manager, or HR staffer writing a job description could create reputation risk? Well, as luck would have it, a tumblr site, “Tech Companies That Only Hire Men”, is maintaining a list of companies and their respective “gender biased” postings. While this is an amateur example, it highlights how easy all of the following tasks have become: mining data, drawing inferences, and publishing content.
With all the buzz around Big Data, Analytics, Data Science, etc., this type of activity is exploding. And mind you, it’s not just within the walls of big institutions, which were once the privileged few able to afford the resources required to perform such work. The consumerization of such enterprise endeavors and techniques is gaining pace rapidly. For example, just look around you: Coursera offers massive open online courses (MOOCs) on data science; Microsoft provides an easy-to-use online functional programming tool, as well as a marketplace for data to go along with it.
What does this imply for information risk? Quite simply, the field is coming into sharper focus. Traditional notions and practices surrounding security and privacy are being challenged like never before. Virtually every living and non-living entity becomes a stakeholder in these debates, which means scope and complexity will grow exponentially. These are good developments. Overall, as uncomfortable or tenuous as our predicaments may become in the near term, my vision for the industry spells greater investment, better talent, and consequently more elegant outcomes. This is just the beginning.
The new year seems to have ushered in a slew of cybersecurity efforts the world over. While there is plenty of debate around the motivations for the level of attention this topic is receiving, I believe most of it is warranted due to the converged nature of commerce, information, and society. 1’s and 0’s are leveling the playing field like never before, and digital connectedness is giving rise to either (a) unexpected consequences that force institutions into action or (b) the realization of virtual turfs that need to be claimed and protected like their physical analogues. Here’s a summary:
(US) January 9 – Business Roundtable Trade Group calls for “More Intelligent, More Effective Cybersecurity Protection”
(India) January 11 – Government wants every piece of computer hardware to ship with a “Cyber Security Awareness Brochure”
(Singapore) January 14 – Parliament passes amendment to Computer Misuse Act increasing government’s preemptive options as well as consequences for non-compliance
(Australia) January 23 – Julia Gillard heralds a new national security strategy, including setting up of a new cyber security center
There has been a recent spate of premature earnings releases, thanks to what I’m going to call the “early click”. It is evident that even the world’s biggest and best-managed companies have not accounted for a risk with reasonably high likelihood in the technology space and significant impact in the financial space. Chances are, as the earnings release process moved from a purely manual set of tasks to an automated workflow, nuances relating to control were missed. The inadvertent mistakes result in real and measurable impact, as in the case of Google, which lost more than $22 billion from its market capitalization due to the sudden drop in share price. So, what can or should companies do about this?
- Authorization – my guess is that most organizations already have this in place, by virtue of allowing only designated individuals or third parties to file such releases or to have the ability to “click” the necessary buttons
- Authentication – this is the part that is probably missing and needs to be bolstered. To “click” is simple, fast, and instantaneous; to validate it is not. Build in a password interrupt, segregate it between two human beings, or time-delay its real-world impact
In hindsight, it’s amazing to observe that single individuals have the power to push out material information, with seemingly no other checks and balances. In addition to the above steps, organizations should continually “Assess” their current processes and consider “Advance Staging” to simulate the release process in a sandboxed environment. No doubt, there are a lot of things that need to happen before updates hit the wire; continue those practices in a virtual space and have everything ready before that final click to the real world.
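To make the controls above concrete, here is an added example (not from the original post, and not any company’s actual release system) of a release gate that enforces dual control and a time delay: the person who stages a release cannot be the one who approves it, and the real-world publish step is withheld until an assumed embargo window has elapsed after approval. The 15-minute embargo, the user names and the document id are all constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Hypothetical embargo between second-person approval and the real-world publish.
EMBARGO = timedelta(minutes=15)


@dataclass
class StagedRelease:
    doc_id: str
    submitted_by: str
    submitted_at: datetime
    approved_by: Optional[str] = None
    approved_at: Optional[datetime] = None
    published: bool = False


class ReleaseGate:
    """Dual-control plus time-delay gate for pushing material information."""

    def __init__(self, embargo: timedelta = EMBARGO) -> None:
        self.embargo = embargo
        self._staged: Dict[str, StagedRelease] = {}

    def stage(self, doc_id: str, user: str, now: datetime) -> str:
        # First click: the release is staged in the sandbox, nothing goes out.
        self._staged[doc_id] = StagedRelease(doc_id, user, now)
        return "staged"

    def approve(self, doc_id: str, user: str, now: datetime) -> str:
        # Second human: must be a different person from the submitter.
        rel = self._staged[doc_id]
        if user == rel.submitted_by:
            return "rejected: approver must differ from submitter"
        rel.approved_by, rel.approved_at = user, now
        return "approved"

    def publish(self, doc_id: str, now: datetime) -> str:
        # Final click: refused until approved, until the embargo has elapsed,
        # and never more than once for the same document.
        rel = self._staged[doc_id]
        if rel.published:
            return "withheld: already published"
        if rel.approved_at is None:
            return "withheld: not approved"
        if now < rel.approved_at + self.embargo:
            return "withheld: embargo not elapsed"
        rel.published = True
        return "published"
```

The embargo gives the second approver a window in which a mistaken approval can still be caught before anything hits the wire.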
This is a long but essential read, especially for those of us in positions involving direct risk management responsibility. While it may be argued that every leader or senior executive is accountable for risk management and faces similar repercussions, the irony of potential career risk impact cannot be greater than for those who own and manage such functions day-to-day. I’m referring to Chief Risk Officers, Chief Security Officers, Chief Information Security Officers, and the like. To cut to the chase, this paragraph from the article sums up the point about managing career risk:
“For a few years, one of Drew’s friends had been talking to her about retiring. For that friend, it was yet another matter of risk calculation: If she was going to retire soon enough anyway, her friend advised, do it while she was still on top, before time stopped being on her side. Wait long enough, and someone else might decide for her. Or something might go wrong, as things do.”