Our traditional business model as we known is at a crossroads considering the emergence of the Internet of Things (IoT), artificial intelligence and blockchain. We live in an era of disruption, and we need to redefine our business models.
We need to accept that almost every sector — from banking and utilities to entertainment and agriculture — can expect to experience major business model disruption as blockchain technologies take hold.
Because blockchain technology originated as the core mechanism of the bitcoin digital currency, there is a widespread belief that its potential is greatest in – or even limited to — the financial sector, but a different reality is unfolding.
Blockchain extends to the core of commercial activity, of wealth creation, and goes to the heart of innovation and what makes an economy work. It raises the prospect of changing the fundamental structure of the corporation, of how we orchestrate capability in society, innovate to create goods and services, and engage with the rest of the world. There are far-reaching business models already emerging that are creating ripples on our traditional models, far from the known Internet we use today.
Musicians will be able to reclaim much of the value they cede to record companies by offering their music directly to fans, movie-makers and broadcasters; individual investors will be able to deal directly with companies they hold shares in rather than go through stock markets; and the exclusive use of cars will start to dwindle as such assets are shared over peer-to-peer networks, just to name a few potential applications.
Further, in five to 10 years, the financial services industry will be unrecognizable.
Banks have a simple business model: they move value, they store value, they lend value, they exchange value, they account for value, they attest to value. Every one of those could be disrupted profoundly by this technology.
Blockchain has made the whole financial services industry sit up and pay attention. But it’s not just the threat – there’s a bigger opportunity if you look closely enough.
Japan’s Mizuho Bank together with technology company Fujitsu have conducted an operational trial focused on cross-border securities transaction settlements, which would ensure it is practically impossible for anyone to tamper with transaction histories, as well as shortening the processing time for cross-border securities transactions from the current three days to same-day settlement.
Such distributed disruption moves will have a liberating effect on consumers and small businesses. A customer tapping his or her card in a small retail store would find a blockchain-based settlement would be instant rather than taking several days to occur, as the process simply invokes a change in the blockchain distributed ledger.
One-third of the revenue of accounting companies is derived from audits. But with blockchains, you not only have double-entry accounting — credit and debit — but automatically make a third entry in the blockchain, a time-stamped record of every transaction that has occurred. So rather than an expensive annual audit, it could be instant and real-time. That would in turn free up the resources of forward-thinking accounting companies to invest in more high-end, value-added activities.
As we take stock of the global landscape, we can see every industry, in every major economy, is starting to see big disruptions occur.
The concept of hyper ledger, as we sometimes call blockchain, can provide answers to issues of transparency and so much more. Nevertheless, as with all technology, we need to be wary of how we design the solutions. We will have unequivocal risks, as with the introduction of virtually any technology, but the implementation of blockchain can revolutionize business activities for enterprises across many industries. Designing a blockchain solution with the right controls in place can easily transform many of the models we have come to accept.
Editor’s note: For more ISACA resources regarding blockchain – including a new research report, tech brief and e-learning course – visit www.isaca.org/blockchain.
During the risk analysis process, information is availed through internal reports, external reports, surveys and face-to-face meetings during risk workshops. The amount of information to be analyzed depends on the risk maturity of an organization, as some risk managers continuously collect information that they deem relevant to improving the risk process. The question is, to what level is the information used objectively? How much reliance is placed on what we remember or what we deem as being important?
Behavioral physiologists believe the amount of information we remember has an impact on how we analyze and rate risks. Prior to analyzing risks, we identify events or threats that can exploit vulnerabilities identified in organizations’ processes and systems. It is during the “What can go wrong?” stage that we need to be careful. In his book “Thinking, Fast and Slow,” Daniel Kahneman notes three factors that can manipulate our minds:
A salient event. Get a team of executives and ask them what is an important asset to their organization. I bet you will get different responses. The level of importance on organizational assets differs, and this bears the most influence on the agenda each executive is pushing. As part of environmental reviews, I have come across some organizations (especially small enterprises) that do not carry out fire drills or train employees on any natural disasters. When reviewing risk registers of such organizations, it is normally not surprising to note that there are no risks pertaining to employees in those organizations.
How were employees’ lives not regarded as critical? At the time of the assessment, memory on what is important shifted to assets management. Risk managers should be mindful that what is deemed important influences which assets are identified as vulnerable, subsequently shaping the risk profile of the organization.
A dramatic event. The majority of risk managers come to the table with a list of serious events for a period, audit reports and market intelligence information. Some events tend to come to mind more quickly than others, especially political events over which the organization does not have control. Deciding which event might translate to one asset being more vulnerable than another can be influenced heavily by recent media or internal incident reports if these reports are not scrutinized carefully.
Personal experiences. We can never divorce our personal experiences from the analysis process. It is indeed every risk manager’s dream that some of the employees can divorce themselves from such during risk workshops, but risk managers also are guilty of bringing along databases of risks they have been compiling for years from different organizations, particularly so for consulting risk managers, who tend to influence their organizations to focus on the risks they identified in similar organizations. However, strategies, policies, processes, organizational structure and culture all change the risk landscape of every organization.
Kahneman further contends that effort is required to reconsider impressions and intuitions by asking questions. Simply because a risk has been identified in an audit report does not mean the risk manager needs to include it in his risk register. Simply because a charismatic executive says everything in his department is on fire does not mean every asset in that department is critical. Risk managers need to develop questions that they can ask to eliminate natural bias. Every report’s merits should be verified.
Without nullifying the importance of the systematic approach risk managers take to identify and analyze risks, it is equally important that risk managers take the cognitive human element into account to develop objective lists of risks and ratings.
It is no secret that in today’s world, information is more at risk than ever before. Unfortunately, we now must deal with the realization that it’s not if an attempted breach will occur on your network, but rather when. Despite an organization’s best efforts to secure networks and information, human error and system vulnerabilities will continue to exist. Considering that reality, organizations must be sure to prepare an actionable plan for when the worst-case scenarios play themselves out.
Incident response is the process of establishing a plan for responding to these worst-case scenarios. The ability of an organization to react to and contain incidents in a prompt and efficient manner is equally as important as the tools and procedures that are put in place to prevent such scenarios. This means not only having the tools in place to detect potential threats, but also having the personnel on hand to respond and react efficiently.
Who needs incident response?
In short: everyone. All businesses have intellectual property, personally identifiable information (PII), financials or some form of sensitive information that can be dangerous when in the wrong hands. Establishing an actionable plan will result in faster response times and minimize damages as a result of an incident.
The potential risks your organization faces as the result of poorly responding to an incident are vast and may vary based on industry. That said, below are some of the more common risks to consider when evaluating the value of your organization’s incident response plan:
Operational risks. An incident such as a system breach could result in critical systems and applications becoming inoperative. This may lead to a loss of core business functions (such as a production line being shut down) as well as potential security vulnerabilities.
Reputational risks. Responding poorly to an incident can have severely negative impacts on your organization’s public image, as well as in the eyes of your current and potential customers/clients.
Compliance risks. In some instances, an incident may result in an inability to meet regulatory requirements and introduces the potential for fines and/or penalties from governing bodies.
Financial risks. All the previously mentioned risks have the potential to result in negative financial impact to your organization. These, along with the potential for lost assets, the cost of repairs, legal fees and other unexpected costs should be considered.
Determining the components of a successful incident response plan will vary from business to business, but at its core should deliver the following:
- An executive commitment and endorsement of the incident response initiative
- An Incident Response Team (IRT) comprised of members with varying areas of expertise ranging from IT to legal and communications
- A defined communication plan
- A plan to support, maintain and test the incident response plan on a regular basis
- An organized, structured approach that clearly defines the roles and responsibilities for all parties involved
- A clearly stated definition of what an incident means to your organization and how incident response aligns with existing organizational security efforts, such as business continuity and disaster recovery plans
- A well-defined plan on how to monitor and analyze potential threats to the environment
- An operation plan that defines how incidents are declared and initial steps for information gathering
- A post-incident process for lessons learned and process improvement
A successful incident response program should align with standards set forth by the National Institute of Standard and Technology (NIST), the International Organization for Standardization (ISO) and the Information Technology Infrastructure Library (ITIL).
Adults don’t really like new ideas, and while cyber risk may have been born around the time of the first mainframes, it can still feel new today. CEB reported last month that 66 percent of business leaders don’t understand the cyber security information that goes to the board. This isn’t a failure of business leaders but of the messages they’re receiving.
While children consume and learn voraciously, adults struggle with finding context, skepticism, and social conditioning. Overcoming these cognitive biases to drive your company toward more risk-savvy behavior means you’re going to have to deliver a pretty clear and effective message. Keep in mind these three rules of thumb to improve how well your risk reporting is understood.
One message at a time. Yes, IT risk is complicated and often there are many steps between a threat and the preventative actions needed to keep them from happening. Keep those connections in your appendix for later questions. Instead, focus your reports on the actions needed to be taken. Don’t contrast vulnerability scans with failures in change management controls on the same page. The risk is different, the response is different, and you’re inviting confusion.
A single message has another benefit: if you are only trying to change one behavior, you’ll have a much easier time tracking the effectiveness of your message and adjusting in the future.
Risks become consequences. A focus on threat vectors, incidents and trends is good for figuring out where controls are weak or strong, but sometimes bad for grounding the danger in something meaningful for a non-cyber savvy professional.
Focus on the consequences of the risks being reported. Phishing simulations may show an increase of management clicking on suspicious links, but other than potentially receiving a scolding, why should people care? Link phishing to a particularly painful data loss event, or laptops held ransom, and include recovery time as well. There may be no effective recovery from ransomware, and reparations for exposed personal information could cost millions and take years. The Anthem data breach from February 2015 is still in the courts.
Consider your audience. One kind of message will rarely work for everyone. Not only will managers, VPs and executives all have different perspectives on the world and the work that IT security is doing, but they all have different backgrounds and interests.
Take a look at your audience. Will executive management be making decisions about change control check gates? Generally not, so your one message to them shouldn’t be to get them to improve the sign-off process in application development. Maybe the better message is that investments in release management software haven’t been effective in reducing production failures.
Tailoring risk reporting to the people receiving it is the best way to increase the odds that your message is received. It’s cumbersome, but this is the heart of risk management: to reveal connections between sometimes esoteric events and business opportunities so that leaders can make the right calls at the right time.
Editor’s note: Adam Leigh will present on “Consequences That Matter – IT Risk” at North America CACS 2017, which will take place 1-3 May in Las Vegas, Nevada, USA.
More than four in five global IT professionals (82 percent) see vulnerabilities in Internet of Things (IoT) devices as significant security concerns for organizations.
Those concerns, highlighted in ISACA’s annual IT Risk/Reward Barometer, are reflective of insufficient security measures by IoT device manufacturers.
One of the main culprits is IoT devices running old versions of Linux – sometimes as much as 10 years old. This happens for a variety of reasons, such as the version becoming outdated while the device is in development, or manufacturers building on top of existing devices and sticking with the old software to speed up development time. The result is devices hitting the market with easily anticipated vulnerabilities.
IoT manufacturers also need to make sure their devices have the capability to automatically and reliably run security updates. This should be considered a must-have feature by consumers and businesses when making their purchases. If the devices are able to be updated, without it being a time-intensive process for users, security threats can be addressed much more quickly and effectively.
Making some of these adjustments will be critical, or trust in IoT devices’ security among professionals and consumers will be further damaged, given the threat landscape in 2017 and beyond. The proliferation of IoT devices will result in escalating instances of DDoS attacks this year, according to Deloitte – potentially along the lines of the massive Mirai DDoS attack that used infected IoT devices to cause widespread disruption in October.
That attack, while certainly a wakeup call to some device manufacturers, might not have resonated with many consumers, who did not see a direct impact on their lives, even if their own device was infected and part of the attack. But there is little doubt more and more individuals will be affected by IoT security shortcomings as the devices – and the related threats – grow at a staggering rate.
That could include the emergence of IoT ransomware threats. Ransomware exploded on PCs in 2016, resulting in estimates of about US $1 billion in payments. Given how lucrative the attacks have proven to be, it’s not much of a stretch to anticipate that criminals will explore how they can target IoT devices in their ransomware schemes. For example, imagine a smart lock on your home or car that won’t open until you pay a small ransom. From a criminal perspective, ransomware attacks on IoT devices could make for an efficient strike, with the possibility of holding customers’ device or data hostage and extracting money from the same individual or organization in a single step.
As attacks on IoT devices continue to evolve, none of us will be able to say we didn’t see them coming – 80 percent of professional respondents in the Risk-Reward Barometer survey expressed a high or medium belief in the likelihood of an organization being breached through an IoT device. Enterprises can use network segmentation to isolate IoT devices from their production network. Consumers also recognize the security threats; more than 75 percent of consumer respondents in each of five regions surveyed – Australia, India, Singapore, the US and the UK – expressed concern that augmented reality enhancements could make their IoT devices more vulnerable to a breach. Home IoT network security devices like Dojo by BullGuard, CUJU, and BitDefender BOX can help consumers protect their IoT devices from cyber attacks – some even have enterprise-like network segmentation capability.
Connected devices are becoming increasingly prominent in our daily lives. It is up to consumers and organizations to send the message to device manufacturers that insufficient security design will be a deal-breaker when it is time to consider a purchase.
The IoT, or “Internet of Things” (everyday objects and systems that have connections to a network to provide data-sharing and virtual control), is a fast-growing arena of technology growth. The potential uses of the IoT to build a “smart world” of connected devices is enormously convenient and brings a whole new level of mobile management to every aspect of consumer and business activities. We are now able to start our cars from our phone, lock our front doors from our PC, or turn on the crockpot in our kitchen from a tablet in the office. Who knows what we will be able to do in the very near future?
Unfortunately, the IoT brings with it not just convenient access for users of the “things” on the IoT, but also convenient access for those wanting to exploit those things. More access points mean more places for attackers to get in. More remote control means more ability to hijack that control. All that leaves big problems for the organizations that design, build, and sell, or buy, implement, and use these products. With HVAC systems, point of sale systems, communications systems, manufacturing lines – entire organizations, in fact – tied into the connected world, the IoT is opening increasing risk (security and operational) every day to businesses whose operations are more and more often tied into the network, whether they are making or using IoT devices.
Dealing with Risks on the IoT
The key to dealing with the changes in the security risk environment brought about by the ongoing evolution of the IoT is to focus, not on a detailed plan for any specific risks (which are ever-changing), but more on organizational resilience and risk-principle-based security management in general. The protection and continuation of business operations in the risk environment of the IoT goes beyond the scope of just information security. The risks associated with these networked devices transcend technology and reach deep into the realm of overall business resiliency and, as such, must involve stakeholders from across the business.
Organizational resilience enables enterprises to respond nimbly, pivot on a dime to change focus and alter activities, and keep fulfilling their mission no matter what is happening around them. It’s a philosophy that relies more on an attitude of preparedness – on understanding that a crisis is likely to occur no matter how many mitigation plans you put in place – than on hard-and-fast rules for responding to a crisis event. Organizational resilience is a team approach that allows the risk managers and business leaders to work together in a partnership to ensure that critical functions can continue no matter what. It’s an outlook that enables a quick response to events that can quickly escalate – exactly the type of events we can expect when dealing with a fast-changing environment like the IoT.
Enterprise Security Risk Management (ESRM) is a security paradigm that is gaining significant traction in the security world and is a perfect response to the kinds of changing risk environments associated with the IoT. It’s a risk-based security management philosophy that is based on building partnerships across the business to manage security risk and to ensure that business leaders are making educated risk decisions for their assets and critical functions. ESRM embraces risk identification and mitigation while at the same time recognizing that businesses need to sometimes take risks to succeed. It enables business owners and security practitioners to work together to find the best solution for protecting the company while not stifling its ability to get the job done.
Using the two complementary philosophies of enterprise security risk management and organizational resilience, the business organization is in a better place to both protect itself from harm and embrace positive change due to uncertainty in the business environment. Resilience works both ways in an enterprise, to flexibly adapt to good or bad risk outcomes – both are highly possible when dealing with the IoT universe.
These philosophies drive all parts of the business to recognize and proactively deal with security risk, not simply put the responsibility solely on the technology or security department. ESRM is a security management system that any organization can take and adapt to its needs to build out a flexible and business-based program that will help it along the path to true organizational resilience, no matter what risks it is exposed to in the present or the future. Now is the time for security leaders to embrace these philosophies and strengthen the resilience of their enterprises, because the future of the IoT is already here.
One of the hottest emerging technology topics surrounds the Internet of Things (IoT), or as some have characterized it, the Internet of Everything. A McKinsey Global Institute report estimates that by 2025, the global financial impact of the IoT could reach between $3.9 trillion to $11.1 trillion a year.
Every industry will potentially benefit from this technology that relies on small sensors communicating among themselves and providing data that will drive exceptionally huge big data.
Smart sensors integrated into buildings could monitor and collectively control environmental conditions. Miniature medical sensors could keep healthcare workers informed and alerted about patients in hospitals or as they go about their normal activities. Manufacturing processes could self-control production providing instantaneous correction as sensors collaborate throughout the production of a product. Our self-driving cars will communicate with other vehicles and the roadway, navigating safe and quick transit to a desired location while providing city-wide information about traffic patterns to city planners.
IoT has the potential to dramatically change how things are done while significantly enhancing the quality of life for everyone. Our small experiments with home automation and building control are nothing compared to the automation we will see integrated into daily life and work.
The concept behind the IoT seems relatively simple. Multitudes of miniscule sensors will collect specific information, share information with neighboring devices, and communicate data to a repository where control can be coordinated or information massaged, giving never-before-seen insights. While this description is the basis for the IoT, it is not clear how devices will communicate and coordinate. It is not clear how innovative thinking could evolve new uses and business models around IoT that will result in significant levels of market disruption.
The most promising intra-device communication and data record among devices could well be blockchain. Blockchain is essentially a secure, distributed, peer-to-peer implementation of a ledger system that is most often associated with bitcoin monetary transactions.
The truth is that the blockchain ledger can contain any information, including heath records, identity, and non-financial transactions. A really interesting use is developing smart contracts using blockchain as the organizing infrastructure. Smart contracts could bind individuals, or for IoT, sensors that share information, and when a certain condition is met that is a metric included in the e-contract, a pre-programmed response is initiated. This could be a payment in the case of business-to-business relationships.
Between devices, smart e-contracts could be associated with carbon credits, power creation and consumption, or any number of other device-to-device activities. At an even higher level of organization, IoT sensors could be implemented within a Distributed Autonomous Organization (DAO) to achieve some end result but governed completely within the smart contract that established the DAO.
The genius of the IoT is not that there are multitudes of small sensors creating terabytes of data, but that there is a system of devices sharing information in an intelligent and controlled manner that achieve a result within a self-governing structure. The thing that binds these sensors, providing both governing and the ability to act intelligently, will come from the blockchain.
For a moment think about these statements:
- Technology has evolved and is evolving faster than ever before.
- My enterprise is facing unknown competitive threats.
After considering these statements, how would you answer the question of whether your business will be competitive in 10 years?
With the countless factors that exist across every sector, the question is very difficult to answer. The pace of positive, negative and unclassified technological advancements is exponentially greater than ever before. How will your enterprise and IT governance structure survive these exciting times?
Consider Your Enterprise’s Risk Appetite
Information technology is now a core component in achieving business objectives. So if we look at it from a business growth point of view while anticipating current trends, your strategy may have to shift to focus on digital channels. What this means for your business is that you need a digital footprint that is both secure and user-friendly. With every new strategy you may have new risks, so your company’s risk appetite has to be considered.
What type of IT service and infrastructure would you need to deal with multiple types of digital connections that deliver standard functionality across these channels? How would this impact your resources and IT management options? Do you need to move to the cloud? Broadening the enterprise’s digital footprint can create the possibility of multiple connections to your services via numerous known hardware (e.g., tablet, watches, laptops, cell phones), along with anything that can be digitized. Your traditional business structures are now expanded with newer delivery options, so supporting demand now requires a rethinking of traditional network structure to handle the new scales. This can become an issue for many enterprises.
The security aspect of the future cannot be overlooked because you now have a wider attack surface and crippling ransomware to deal with. If your security fails, this affects customer perception, and you will not be able to honor the confidentiality and integrity of the user experience. Ransomware is quite destructive because not only does it affect the availability of the infected data, you also have to pay hefty sums to get back access to your data if there is no mitigation plan in place. Can your enterprise continue to meet the current industry regulations and maintain a secure infrastructure into the future?
GEIT Can Get You There
Within the next 10 years your enterprise will face the growing Internet of Things (IoT) landscape, with faster, more convenient delivery methods, harboring both increased risk and lucrative opportunities.
With a flexible governance of enterprise IT (GEIT) model, you could construct a relevant framework that looks at how the enterprise’s strategic plans and IT work together. You could look at continuous improvement actions and keep this alive within the enterprise. You could ensure IT risk management is aligned with the enterprise’s risk appetite and that security is considered at all points. You could consider various means to optimize your IT resources and capabilities required, as all these are key to helping your enterprise adapt and remain relevant in the future landscape.
There are some technologies that seem to have their own “gravitational pull.” By this, I don’t just mean technologies that are interesting, compelling to the business, or likely to be considered by businesses. Instead, I’m referring to those technologies that exert a steady, near-continuous and (one might argue) irresistible pressure across multiple areas of the organization to adopt.
Cloud, mobile, and social media are all examples of technologies like this. Say “no” to the sales team’s request to use a Software as a Service (SaaS) tool today, and chances are you’ll be talking to the marketing team about a similar tool next week. These technologies, when they arise, are usually highly advantageous to the business, have a diverse potential use base, low barriers to adoption and a high degree of awareness among end-user customers.
It’s important to pay attention when new technologies like this land on the scene for a few reasons.
First, the potential for shadow adoption is high. Compelling usage, coupled with low barriers gating that usage, mean that individual business units (or individual employees) might take it upon themselves to employ it without thinking to inform or engage with technology (let alone security or assurance) teams. As a consequence, a given assurance, security or risk practitioner might not know the usage is there until after it is entrenched.
Second, adoption changes the risk dynamics of the organization. New risks are potentially introduced while old ones are potentially reduced and business value potentially increases. From a holistic risk perspective, therefore, it is imperative that practitioners evaluate these technologies and understand their risk impact even though they may have limited time to do so in light of shadow adoption.
While still relatively new, application containerization is demonstrating many of the above properties.
Application containerization represents a mechanism that allows the creation of modularized, packaged application functionality that contains the application as well as any configuration or underlying support software required for the application to run. By virtue of them being small and componentized, the containers are portable between environments; they leverage the segmentation features of the operating system on which they run to enforce segmentation between different containers on the same OS instance. The portability offered helps enable development while the comparative efficiency (relative to, for example, OS virtualization) offers potentially increased allocation density of applications per physical device.
In light of these factors, ISACA has issued a pair of white papers on application containerization. The first volume outlines what application containerization is: the business drivers causing its popularity, the value proposition for developers and datacenter managers, and a description of what the technology offers, and how it works. The second volume outlines the practitioner impact: why the security, assurance, risk, or governance practitioner should care and what they can do to help prepare for risk and control decisions that involve application containers.
It is our hope that this guidance will assist practitioners as they approach risk decisions relative to containers within their environments and assist them in evaluating usage scenarios as containers and micro-services rise in prominence. By laying out the value proposition to the business and providing a working understanding of its technical operation, as well as outlining some of the risk considerations, we hope to arm practitioners with the information they need to approach these decisions with confidence.
It may not be on the mind of every CEO, CIO or CTO but the rise of disruption is of major concern. Disruption itself has always been a part of business theory under Michael Porter’s five forces and classified as “the threat of new entrants”; but this threat has continued to evolve.
Barriers to entry in various markets have been in place to control competition. However, modern disruption can occur outside these barriers with the “disruptors” changing the very way the market sector operates thereby out manoeuvring and altogether eliminating existing big market players who could not anticipate this risk.
The difficulty in anticipating and mitigating disruptive risk is extreme since they may not actually exist at the moment but can exist in the future. Can your business survive after the disruption has happened? With the evidence of the impact of disruption all around, it should be evident that it is no longer a small issue, since the very survival of the enterprise may depend on it.
When Disruptions Occur
With this being the case, flexibility, speed and adaptability come to mind. However, many enterprises and their internal IT departments cannot offer those characteristics fast enough when disruption occurs, leaving the enterprise at a competitive disadvantage. This is because the “things always work this way” and “resistance to change” mentalities exist within all enterprises. By looking at the governance of enterprise IT (GEIT) and the importance of IT to support the enterprise, it may be wise to consider reinventing your IT.
By reinventing your IT you should consider the possibility of disruption as a major fact and readjust your current work models to offer some best case resistance/adaptability towards this. To take it a step further, you should streamline the enterprise to become the market disruptor itself, thereby giving your enterprise a head start against your current and potential competition.
One consistent view that remains is that security itself is of the uttermost importance and must be considered even though there is no single way to achieve the reinvention of your IT. We are in the age when digitization and connectivity play major roles for consumers. Customer demand and market conditions drive business strategy; however, reinvention can also be found in creating systems that change how business itself is done, to the benefit of customers, thereby driving habits and behaviors surrounding these.
Disruption should be discussed and considered as a new expectation rather than an impossibility. All strategy considers risk, but the question is: how does one prepare for the unforeseen disruptive risk that has not happened yet? Is your enterprise ready?