Today, wearing a seat belt is commonplace, but not long ago, it was a rarity. In the United States, this society-wide change in behavior unfolded in a series of stages. The creation of the National Highway System led to an acceleration in travel and automobile use — and to greater concern over traffic fatalities. The federal government responded with a requirement that cars include seat belts as standard equipment. Unfortunately, actual use of the devices lagged, which led to state legislation mandating seat belt use backed up with aggressive enforcement. While traffic tickets and fines provided powerful reinforcement to change behavior, on another front, automobile designers attacked safety as an engineering and usability problem and introduced airbags, antilock brakes, electronic stability control, collision sensors, and so on.
Seat belt use thus went from being something that impinged on the driving experience to being an integral part of it. Even more importantly, people began to focus beyond seat belts and approach the entire issue of traffic safety with greater consciousness, leading to sizable drops in pedestrian deaths and bicycle fatalities.
Figure 1 illustrates the risk management cycle we can generalize from this string of events: Network effects accelerate the use of a new technology, bringing numerous benefits but risks as well. As those risks gain more attention, the government responds with regulation focusing on implementation of tactical, low-level solutions. Public acceptance is slow, so enforcement becomes more aggressive, raising awareness. At the same time, product design begins to tackle safety as integral to improved usability. A safer product emerges for a more conscious consumer, who, despite all the engineering improvements, remains a critical element of the risk equation. The cycle is then free to start again, further refining both user behavior and the product itself. (The advent of the self-driving car and the range of policy, risk management, engineering and usability questions it raises is merely the latest and most disruptive iteration of this process in the automotive industry.)
Ingraining Safety into Your Business
I would argue that cybersecurity is today where traffic safety was in the early 1970s. Instead of looking at security holistically and as an integral part of the digital experience, we still focus on top-down organizational control and on compartmentalized solutions like email safety and privacy regulations – the seat belts of information security. But for information-intensive organizations, this reactive and siloed approach will prove increasingly insufficient. Like traffic safety, information risk management will improve not through incremental responses and brute force, but through iterations of regulation, enforcement, design and awareness that result in safer tools and in users who take responsibility into their own hands. While we can’t know exactly how the risk management cycle will unfold for information risk management, we can speculate on some possibilities:
- Functional platforms like CRM systems will have more “smart” features that identify and flag potential information security risks, requiring action from the user (think of Gmail’s prompt if you use the word “attached” in an email but don’t attach a file).
- Information risk management will become part of professional training across functions, from university curricula on through company development programs.
- Slogans, mnemonics, and other aids will be developed to help guide non-professionals in their information risk management decision making.
- Information risk management will become part of an executive’s career narrative, one more factor in hiring, promotions and incentives.
As information/data continues to become untethered from the technology that moves it and instead is seen as simply a corporate asset (albeit a significant one), responsibility for the safe handling of that asset will no longer be assigned to a particular person on the organizational chart. Instead, the duty of care becomes part and parcel of the data asset itself and falls to whomever handles it. Executives across an organization should ask themselves questions like these as we move to cybersecurity’s more holistic, ingrained approach:
- When the chief marketing officer designs a new social media campaign, are information security considerations and best practices part of the plan?
- Is the head of human resources ensuring that the vast stores of confidential information in employee management systems are being handled with appropriate care?
- Does the CFO have verification processes in place to thwart unauthorized requests for capital transfers?
- Has the head of sales ensured that personally identifiable information is siloed in a facility with a certification such as SSAE 16?
By making themselves an integral part of the solution, executives outside the cybersecurity realm will thus move the risk management cycle forward into another iteration.