The 6 Most Important Qualities of a SAP Implementation Partner

Larry Alton
If you’re not seeing the results you want, you may need to switch SAP implementation partners. SAP implementation is becoming more important than ever, with revenues from enterprise resource planning (ERP) software expected to reach $84.1 billion by 2020, according to Apps Run the World. Not only does this technology help your organization become more efficient, but your top competitors are following suit – so you’ll need to increase your pace and attention if you want to keep up.

What happens if your chosen SAP implementation partner isn’t giving you what you need? What qualities should you look for in a new provider?

Signs It’s Time to Switch
If you notice any or all of the following signs, it’s a good indication that it’s time to switch providers:

  • Significant delays. According to Clarkston Consulting, it may be time to switch if your partner is a cause of significant (or frequent) delays. Delays happen to everyone from time to time, but excessive delays are usually a product of failure to plan and/or a lack of sufficient resources to finish the job.
  • Budgetary constraints. If your partner keeps running over budget, or if pricing has changed significantly, you may wish to find a partner better able to project – and maintain – previously estimated pricing.
  • Lack of availability. How hard is it to get in touch with the leadership at your implementation partner’s organization? There should be an open line of communication at all times. If you feel like you’re in the dark, it may be time to switch.
  • Significant shifts in vision. Has the implementation vision changed significantly from what it was at the outset? You may want a new partner who can more reliably achieve and sustain the current vision.

Qualities to Look For
These are the qualities you should look for in a new partner:

  1. Size. Size may not seem like an important feature in an implementation partner, but it has a few different effects. A bigger firm will be able to provide you with greater resources and a more reliable guarantee that your implementation will go smoothly, thanks to backups and more specialists on staff. However, a smaller firm might be less expensive and could provide you with a more personal experience. There’s no right answer here, so consider all size options and pick the one best suited to your company’s needs.
  2. History. According to Angela Nadeau, your implementation partner should have a track record of success. Certainly, talented new firms and partners may be perfectly capable of successfully partnering with you. However, for a large-scale implementation, it’s safer to choose a firm that has been around for years – and has the client testimonials and reviews to prove it.
  3. Areas of expertise. Not all implementation partners have the same areas of expertise. For example, some may specialize in certain types of software, while others may specialize in specific industries. You may need a specialist, or you may need a “general” implementation partner with a wider range of specialties that can flexibly serve a variety of different needs.
  4. Culture and personality fit. You’ll work closely with your partner throughout the implementation process, so make sure they’re a good culture and personality fit. Ideally, they’ll have the same core values as you and your firm, and their representatives will be able to work closely with your staff with no issues.
  5. Cost. Obviously, consider the cost of your implementation partner as well. If you pay more, you may gain access to better systems, more specialists and more experienced representatives – but if you don’t need all that, you’ll be able to save money with a less expensive option. If your budget has a hard limit, your decision will be much easier.
  6. Understanding. Finally, you’ll need to choose a partner that can understand your enterprise’s unique needs. Implementation shouldn’t be a one-size-fits-all, cookie-cutter approach. Talk to multiple candidates and lean toward the options that hear and are willing to address your specific circumstances.

Choosing a new SAP implementation partner doesn’t have to be a painful experience even though there are many options available. With enough research, you’ll inevitably find one that can serve your specific needs. Before you begin the process, outline the specific qualities that are most important to your organization, and start weeding out the candidates that can’t meet those criteria.

Talking Poker – and Risk – with EuroCACS Keynoter Caspar Berry

Caspar Berry
Editor’s note: Motivational business speaker Caspar Berry will bring his unique poker player’s perspective on risk to his opening keynote address at EuroCACS 2018, which will take place 28-30 May in Edinburgh, Scotland. Berry recently visited with ISACA Now to discuss topics such as overcoming the fear of failure and the dynamics of risk-aversion. The following is an edited transcript:

ISACA Now: You contend that all decision-makers are investors. What do you mean by that?
I mean that all decisions are investment decisions when you break them down. All decisions are resource allocation decisions. Allocations of money, yes, but often time. Sometimes we measure time in hours, but sometimes in less tangible units of passion or patience or dedication. All these resources are limited, and all are being allocated in a world of inherent uncertainty. By that, I don't mean the next five years. The next five minutes are uncertain … So, we're all investors, because everything we do is an allocation of a scarce resource in an uncertain world with a view of getting some kind of return on that investment by a variety of different criteria. That’s what investment is, at a fundamental level, and that's what we're all doing thousands of times a day.

ISACA Now: In an enterprise context, how can decision-makers push past their fear of failure?
In any context, the key to pushing through fear of failure is to understand what fear of failure is and where it comes from. Actually, what we colloquially call fear of failure is the product of two – arguably three – very prosaic psychological phenomena acting on us all the time. At the basic level is what we call “loss aversion,” a product of the diminishing marginal utility we get from most things we consume. Then there's time preference, which encourages us to seek short-term rewards and thus eschew long-term investments or delayed gratification. Then there's our judgment, which makes us pessimistic that new things can work compared to old things that apparently do.

In pretty much all these cases, the trick is to think long-term. In many contexts, that is an act of overriding our basic psychological hardwiring, which is still mostly – though not totally – designed to get us home safely at the end of each day. But, a poker player is not concerned about results at the end of any particular day. It’s irrelevant to us. We're concerned with maximizing our long-term expected value. If you do the right thing, then the law of large numbers gives you what you deserve at the end of the long term.

ISACA Now: Do you believe that millennials and other younger members of the workforce are any more or less risk-averse than those who came before them?
I don't think there is any data that proves this either way, per se. A lot of metrics for measuring risk tolerance are bunkum, anyway. Much of what we call risk tolerance is actually a product of the timeframe of judgement that people are thinking of the consequences of failure within ... don't get me started.

My gut, however, says that broadly speaking, millennials are inherently no more or less risk-tolerant than older generations. I hate the brushes with which a lot of people tar the millennial generation. That video on YouTube of Simon Sinek saying how short-term they all are and how they're all the beneficiaries of nepotism is also bunkum. (That’s logically impossible by the way; how can they all be beneficiaries of nepotism over people of their own generation??) Not a single statistic is cited. You may as well ask a man in a pub.

The reality is that risk tolerance is a product of genetics (which won't have changed noticeably between boomers and millennials) and circumstance. So, for example, if someone sees less future in following the tried-and-tested path of university and then a corporate job, they may be inclined to take more risk in their life, but no more than their parents would have done had they been in that situation. Indeed, look at my grandparents’ generation. They put their lives literally on the line every day in a way that we would never think of doing, but only because the alternative was Nazi occupation. They weren't genetically different; they just had different situations producing different upsides and downsides, or what economists call incentives.

ISACA Now: How does one become a professional poker player? What set you on that path?
Oh, that's easy. Poker is the easiest career in the world to get into. You just go to Las Vegas ... put your money on the table, and ta da!

Enterprise AR is Going to ‘Get Real,’ and More Predictions for 2018

Kris Kolo
Google, Amazon, Facebook, Apple, Samsung and Microsoft all want a piece of the VR/AR pie – not to mention Magic Leap, whose first consumer product is “coming soon.” VR/AR is about extension, engagement and monetization. Not since the 1980s have all the big tech players been battling for consumer attention and dollars. So, what is on deck in 2018, and why should we care?

These are the trends highlighted by ARtillry Intelligence for 2018:

Enterprise pulls ahead
Enterprise AR is going to get real in 2018, with companies capitalizing on ROI in both efficiencies and error reduction. Think processes, and how interdisciplinary teams can work better together.

Mobile AR rebounds
Mobile AR is set for big wins in 2018! With everybody owning better and higher-resolution phones, the adoption of mobile AR is a natural evolution. AR app revenue is due to increase because companies will start creating AR apps to sell their products and further extend and engage their customers.

Mobile AR standards develop
With both Google and Apple introducing AR offerings into their lineups, coupled with increased demand from retailers, native AR and AR-first mobile app experiences will rule 2018. As a result, AR standards are set to be solidified this year. User experience will be top-of-mind for product managers.

Consumer VR gets a jolt
With Oculus Go set to release in mid-2018 and reportedly to be sold at $199, consumers will happily buy in to provide a jump in the VR market.

Unifying technologies emerge
As platforms and fragmentation continue to evolve, consumers and enterprises alike will look to tech that provides seamless execution. Enter WebVR/AR. In addition, expect to see more tools for developers and options for enterprises.

Ultimately, it will be a race to 100 million VR/AR units sold. According to ARtillry Intelligence, “That’s the size of the installed base that will be a key milestone and turning point for VR. It’s the number that attracts content creators and supporting functions, as well as a network effect.”

What is the unit price that drives the market? $200-$400. How many years until VR/AR reaches the magic 100-million mark? Three years.

We already know that games with in-app purchase business models are proven revenue generators. So, companies in 2018 will try to tap into ROI success experiences and experiment with location-based promotions and sponsorships. Overall, with investment dollars continuing to flow, the market is not slowing down.

The year 2018 will bring more strategic investment, business development and spend in VR/AR. Some unicorns should expect to see their rainbows narrowed – but more established businesses will begin to taste the ROI of user-based VR/AR experiences.

Risk Professionals Pave the Way for Transformational Smart Contracts

Jack Freund
In 1999, Harvard Law professor Lawrence Lessig wrote in Code and Other Laws of Cyberspace that code is law. His writing nearly two decades ago was inspired by the US Digital Millennium Copyright Act (DMCA), but in reviewing his work today as we sit on the cusp of a blockchain revolution, it’s easy to see it as nothing short of prescient.

Smart contracts are simply computer code that is designed to automatically negotiate, verify, and/or enforce contractual terms; so quite literally, the code is the contractual “law” that dictates behaviors. The intersection of smart contracts and other burgeoning technologies can be quite profound. For example, if you were looking to lease an apartment, you could identify the terms around which you would accept a lease. A software agent could search a housing marketplace for monthly rent, deposits, apartment features and other criteria. The apartment complex could similarly advertise its conditions and apartment features.

When a match is made, you could automatically accept the terms and conditions and enter into a contract. A software “key” could be issued to your smartphone that grants you access to the apartment via a Bluetooth- and IoT-enabled lock. Further, if you fail to meet the terms of the lease (such as missing a payment), the smart contract could trigger the lock to disable access for you. This kind of hyper-efficiency can accelerate marketplaces everywhere.

The confidentiality and availability implications of such a configuration are legion, but I want to focus on integrity for this post. Both the convenience and the risk of smart contracts have a lot to do with the automatic commitment. So long as you are able to articulate your criteria sufficiently and completely, then there should be no concerns. However, anyone who has spent any time at all doing software development knows that complete business requirements prior to the start of a project are a rare occurrence. As a result, it is incumbent on risk professionals to ensure that any smart contract vehicle has been reviewed by all the stakeholders (especially attorneys) to ensure their requirements are properly codified.

But after that, how do we ensure that the code pushed out into the marketplace is what was approved by the stakeholders? We would not want to find out that despite having stakeholder reviews and approvals in place, the contract to which we are bound is not what was agreed upon. Software- and hardware-based integrity checking methods must be employed to ensure end-to-end consistency of the contract code.
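One way to make the "is what shipped what was approved" check concrete, as an added example that is not part of this post: each stakeholder role signs the digest of the exact contract bytes they reviewed, and the release gate refuses to deploy unless the candidate artifact matches that digest and every required role has signed it. The roles, keys and the lease contract stub are constructed for the demo; the HMAC stands in for whatever signing mechanism (ideally hardware-backed) an organization actually uses.

```python
"""Release gate for smart contract code: the artifact that ships must be the
exact bytes the stakeholders reviewed, and every required role must have
signed off on that exact digest."""
import hashlib
import hmac

# Roles the post says must review the contract before it is deployed (assumed set).
REQUIRED_APPROVERS = {"legal", "risk", "business_owner"}

# Constructed per-stakeholder secrets for the demo only; in practice each
# approver holds their own key, e.g. an HSM-backed signing key.
STAKEHOLDER_KEYS = {
    "legal": b"demo-key-legal",
    "risk": b"demo-key-risk",
    "business_owner": b"demo-key-business",
}


def artifact_digest(code):
    """SHA-256 over the exact artifact bytes (source or compiled bytecode)."""
    return hashlib.sha256(code).hexdigest()


def approve(role, code, key):
    """A stakeholder signs the digest of the bytes they actually reviewed."""
    digest = artifact_digest(code)
    mac = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"role": role, "digest": digest, "mac": mac}


def build_manifest(contract_id, code, approvals):
    """The approval record that travels with the contract to deployment."""
    return {"contract_id": contract_id, "digest": artifact_digest(code), "approvals": approvals}


def verify_release(manifest, candidate_code, keys=STAKEHOLDER_KEYS, required=REQUIRED_APPROVERS):
    """Return (ok, reasons). Deployment is blocked if the candidate bytes differ
    from the approved digest, a signature is bad, an approval covers a different
    version, or a required role never signed."""
    reasons = []
    if artifact_digest(candidate_code) != manifest["digest"]:
        reasons.append("candidate artifact does not match approved digest")
    signed_roles = set()
    for a in manifest["approvals"]:
        key = keys.get(a["role"])
        if key is None:
            reasons.append("unknown approver role: %s" % a["role"])
            continue
        expected = hmac.new(key, a["digest"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, a["mac"]):  # constant-time compare
            reasons.append("bad signature from %s" % a["role"])
            continue
        if a["digest"] != manifest["digest"]:
            reasons.append("%s approved a different version" % a["role"])
            continue
        signed_roles.add(a["role"])
    missing = required - signed_roles
    if missing:
        reasons.append("missing approvals: %s" % ", ".join(sorted(missing)))
    return (not reasons), reasons


# Constructed lease contract stubs standing in for real contract code: the
# tampered copy silently drops the grace period and the human override.
APPROVED_CODE = b"contract Lease { rent = 1200; grace_days = 5; lockout_requires_human_ok = true; }"
TAMPERED_CODE = b"contract Lease { rent = 1200; grace_days = 0; lockout_requires_human_ok = false; }"


def demo():
    """Approve the reviewed code with all roles, then gate both candidates."""
    approvals = [approve(role, APPROVED_CODE, key) for role, key in STAKEHOLDER_KEYS.items()]
    manifest = build_manifest("lease-v1", APPROVED_CODE, approvals)
    return verify_release(manifest, APPROVED_CODE), verify_release(manifest, TAMPERED_CODE)


if __name__ == "__main__":
    for label, (ok, reasons) in zip(("approved", "tampered"), demo()):
        print("%s: %s %s" % (label, "DEPLOY" if ok else "BLOCK", reasons))
```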

Lastly, when combined with IoT technology like in the above example, one must be sure of the terms and conditions in the code, and that they are consistent with the enforcement actions being taken. Residents would not want to find themselves locked out of their apartment despite having met all the requirements of occupancy. Technology is not infallible, and human overrides will be necessary to ensure customer service levels are in line with business goals.

Smart contracts will undoubtedly usher in an era of highly efficient marketplaces enabled by code that meets the conditions of both parties. Such technology can reduce sourcing costs for firms and increase the reach of many smaller organizations. Surely the risk of not participating in these marketplaces outweighs any concerns, yet as risk professionals, it is incumbent upon us to ensure that our firms have controls in place to successfully mitigate risk to acceptable levels, and pave the way for game-changing impacts that smart contracts will bring to our marketplaces.

Author’s note: Jack Freund, Ph.D., CISA, CISM, CRISC, is Sr. Manager, Cyber Risk Framework for TIAA, member of the CRISC Certification Working Group, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, and IAPP Fellow of Information Privacy.

Cyber Risk List Has a New No. 1 for 2018

Raef Meeuwisse
I recently presented the predictions for the Top 10 2018 Cyber Risks at the Whitehall Media, Enterprise Security and Risk Management conference in London.

So, what had changed since the 2017 list of Top 10 Cyber Risks that I presented at ISACA’s EuroCACS event back in May?

At number 5 in the chart, digital transformation makes an appearance. When we apply technology to activities where it was not traditionally used, we get all kinds of great innovations, but it also opens up a wealth of new vulnerabilities.

At number 4, malware (including ransomware) is still riding high in the charts. This is still a significant and widely used component in many breaches and cyberattacks. Notably, since the start of 2017, there has also been a substantial increase in the use of fileless malware (malicious software that exists only in memory or as appended functions to existing files).

Although phishing and web application attacks are also up in the top five, there is a surprise new entry straight in at number one. The number one spot is occupied by the new EU General Data Protection Regulation (GDPR) that carries with it a maximum potential fine of up to 4% of global revenue for non-compliance.

So, why is this at number one?

For most enterprises, the consequences for non-compliance with this regulation have made GDPR a boardroom priority. Although cybersecurity is only one component within the regulation, it is expected that the first investigations and fines will probably be driven by the really large personal data breaches that emerge after the regulation becomes effective in May 2018.

If you think about recent incidents, such as the Uber data breach, if they happen once GDPR is active, the consequences will be much greater than in the past.

That fact can also be used by hackers. If a hacker stole personal information from a company before GDPR, they could only ransom the data for the potential brand damage or inherent data value, but after GDPR is in place, if you don’t pay the hackers, you will likely be facing a GDPR investigation by a supervisory authority – with a potentially massive fine attached.

GDPR has made personal information a lot more valuable than before, so cybersecurity departments will face challenges not only assisting and consulting on the process changes required by GDPR but also with increased targeting of personal information because the ransom value will have risen substantially.

Editor’s note: The video of Meeuwisse’s full presentation is available on YouTube via this link.

Fortune Favors the Tech-Savvy: A Portrait of Tomorrow’s Digital Transformation Enterprise Leaders

Matt Loeb
Today’s digital economy sees established enterprises competing against start-ups, all enterprises worried about risk, and smart enterprises deploying digital technologies capable of transforming their enterprise, and enabling better business-to-customer interactions and relationships.

Opportunity abounds; our global digital economy presents new possibilities almost daily. The problem is, not every enterprise is taking advantage of those opportunities. ISACA’s recently released Digital Transformation Barometer research shows that slightly less than a third of enterprises are making it a priority to evaluate the opportunities emerging digital technologies might bring on a frequent basis. That means more than two-thirds of enterprises aren’t realizing their full potential in the digital economy.

Some of that may be due to a lack of familiarity; it is difficult for some who serve on boards and as C-suite leaders to have confidence in technologies with which they lack background. Absent that confidence, it is difficult to put forth a vision for an enterprise rooted in digitally transformative technologies. For many enterprises, this means passing up opportunities to explore tools such as artificial intelligence, big data and analytics, sensor-defined networks and Internet of Things devices, and distributed ledger technologies like blockchain. This, too, was borne out by ISACA’s research; enterprises without tech-savvy leadership don’t explore opportunities as often as enterprises with tech-savvy boards and C-suite leaders.

Unexplored opportunities mean unexplored new revenue streams or customer bases, and new revenues and customers are the lifeblood of nearly all enterprises. Years ago, it might have been acceptable for the head of the IT department to be the only leader who truly grasped the significance of a transformative emerging technology, digital or otherwise. Today, such an approach is not only antiquated, but unacceptable. Risk is an enterprise-level concern; evaluating that risk is every leader’s concern, from the boardroom to every corner of the C-suite.

To evaluate that risk, however, the digital fluency of all enterprise leaders needs to increase, even among enterprises that have already successfully begun—or completed—digital transformations. The reason for this is simple: things change, and they always will. New technologies will arise, old ones will fade away. Advances in technology will bring with them risks and expansion of the threat landscape. It is not enough to create tech-savvy leaders now; a pipeline of such leaders must be cultivated within an enterprise to ensure that the digital fluency of leadership does not wane.

So, who will lead tomorrow’s digital transformations? When we speak of digital fluency, and C-suite and boardroom leaders who are tech-savvy, a specific cohort comes to mind: digital natives. The Millennials and Gen Zers of today will be in the C-suites and boardrooms of tomorrow, and the level of digital fluency and tech-savviness of those leaders will be far more widespread than in the current global digital economy. The problem is, today’s enterprises can’t wait that long. They need to innovate now, to ensure Millennials’ roles as future enterprise leaders.

To do so, risk from new and emerging technologies must be mitigated to levels an enterprise finds acceptable, and this requires resources. Specifically, adequate resources, focused in key areas. Innovation, customer interactions and overall business performance all benefit from robust, effective governance programs for technology and information. Likewise, a hardened information and cyber security workforce—well-trained, and up-to-date on the latest developments in their respective fields—is an asset of vital importance as enterprises seek to maximize their returns on investments in digital and other technologies. For enterprises producing products, services, or solutions, implementing strong innovation governance, and ‘baking in’ security during the design and development stages of a new offering, should be considered mandatory.

However, even with these safeguards in place—strong governance of information and technology, coupled with an exceptional workforce of professionals—things may not always go as planned. It is possible to mitigate risk when embarking upon a digital transformation, but it is not possible to eradicate risk. Tech-savvy leaders will realize this, and empower their operational units to take calculated risks, knowing that failure isn’t truly failure if something is learned from it.

If an enterprise seeks a prosperous near-term future, it lies in digital transformation. Enterprises with tech-savvy leadership already know this, and are making such transformations cornerstones for their respective envisioned futures. The most forward-focused of those enterprises are already building the pipelines of future leaders to ensure that enterprise leadership maintains its digital fluency for years to come.

Editor’s note: This blog post by ISACA CEO Matt Loeb originally appeared in CSO.

Risk Analysis Inputs Critical in Assessing Vulnerabilities

Dominic Sellitto
The fact is, new vulnerabilities come to light every day. Unfortunately, staying ahead of these new vulnerabilities, or otherwise addressing them promptly, has proven to be incredibly difficult (not to mention costly). The good news is, not all vulnerabilities impact every organization. But, for vulnerabilities that do apply, it often is difficult to make risk-based decisions to address them – do we mitigate, avoid, transfer, or accept them?

These decisions become a great deal easier when organizations include the likelihood of an exploit along with a vulnerability's impact as risk analysis inputs. In these cases, impact is often relatively straightforward. For example, we might consider legal, strategic, financial, operational, or reputational impacts or, as the Common Vulnerability Scoring System (CVSS) does, we might consider impact to classic objectives like confidentiality, integrity and availability.

Likelihood seems softer than impact and, as a result, we might think it is harder to determine. To get there, we have to think about the threats that could take advantage of a vulnerability. To exploit a vulnerability, there first must be a related threat. As it turns out, CVSS has sorted out quantifying likelihood by prompting for easier-to-answer questions like the origin of a threat, the difficulty of an exploit and the need for a victim's involvement. One of the common shortcomings with vulnerability management processes is in their often-limited understanding of applicable threats.

So, what is a threat?

We think of a threat scenario as a threat agent acting against a target to accomplish an objective. For example, a hacker targeting an e-commerce website to steal credit card data. A vulnerability creates a point of entry through which the attacker can reach the target. In a more complex attack, a hacker might work through a series of layers, exploiting various vulnerabilities along the way.

We worry about threats from thieves, hackers, malware and ransomware, social engineers and phishers, and natural disasters. However, the definition of a threat can encompass more than just these common actors. For example, an organization might view regulatory compliance as a threat. After all, an audit can have a significant impact – fines and penalties.

Why does understanding threats matter?

Regardless of your organization, addressing vulnerabilities is a business decision. As with any other business decision, risk and cost are a factor. Understanding a vulnerability in the context of the threats that might exploit it makes it easier to plan a course of action and prioritize your response.
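To show how CVSS separates the two inputs the post describes, here is an added example (not from the post or from FIRST) that computes the CVSS v3.1 base score from a vector string and returns the likelihood side (exploitability: threat origin, exploit difficulty, privileges, victim involvement) and the impact side (confidentiality, integrity, availability) separately, then orders findings by them. The weights and formula follow the published v3.1 specification; the sample findings and their vectors are constructed, not real CVEs.

```python
"""CVSS v3.1 base score split into the two risk analysis inputs the post
discusses: likelihood (exploitability) and impact."""
import math

# Metric weights from the CVSS v3.1 specification.
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}   # attack vector: where the threat originates
_AC = {"L": 0.77, "H": 0.44}                        # attack complexity: exploit difficulty
_UI = {"N": 0.85, "R": 0.62}                        # user interaction: victim involvement
_PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}   # privileges required, scope unchanged
_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.5}      # privileges required, scope changed
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}             # impact on C, I and A
_REQUIRED = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def parse_vector(vector):
    """Turn 'CVSS:3.1/AV:N/AC:L/...' into a dict of metric -> value."""
    parts = vector.strip().split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError("only CVSS v3.x vectors are supported")
    metrics = {}
    for part in parts[1:]:
        key, _, value = part.partition(":")
        metrics[key] = value
    missing = [m for m in _REQUIRED if m not in metrics]
    if missing:
        raise ValueError("vector is missing base metrics: %s" % ", ".join(missing))
    return metrics


def roundup(value):
    """CVSS v3.1 'Roundup': round up to one decimal using the integer trick
    the specification prescribes to avoid floating-point surprises."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def exploitability(m):
    """Likelihood side: how easily can a threat reach and trigger the flaw?"""
    pr = (_PR_CHANGED if m["S"] == "C" else _PR_UNCHANGED)[m["PR"]]
    return 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * pr * _UI[m["UI"]]


def impact(m):
    """Impact side: what happens to confidentiality, integrity and availability?"""
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    if m["S"] == "C":
        return 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    return 6.42 * iss


def base_score(vector):
    """Return (base score, exploitability subscore, impact subscore)."""
    m = parse_vector(vector)
    expl = exploitability(m)
    imp = impact(m)
    if imp <= 0:
        return 0.0, round(expl, 1), 0.0
    if m["S"] == "C":
        score = roundup(min(1.08 * (imp + expl), 10))
    else:
        score = roundup(min(imp + expl, 10))
    return score, round(expl, 1), round(imp, 1)


def prioritize(findings):
    """Order (name, vector) pairs by base score, then by exploitability, so the
    flaws a threat can most easily reach come first among equals."""
    scored = [(name, vec) + base_score(vec) for name, vec in findings]
    return sorted(scored, key=lambda row: (row[2], row[3]), reverse=True)


if __name__ == "__main__":
    # Constructed sample findings; the vectors are illustrative, not real CVEs.
    sample = [
        ("remote code execution, no auth", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
        ("reflected XSS in search page", "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"),
        ("local info leak needing a race", "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N"),
    ]
    for name, vec, score, expl, imp in prioritize(sample):
        print("%-32s base %4.1f  likelihood %3.1f  impact %3.1f" % (name, score, expl, imp))
```

The same base score can hide very different likelihood/impact mixes, which is exactly why the post argues for looking at both inputs rather than the single number.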

Editor’s note: For more on this topic, download ISACA’s new white paper on vulnerability assessment.

Five Mistakes to Avoid When Deploying Emerging Technology

Jose Angel Arias
When I finished my proof-of-concept presentation to the CIO of a prospective client at a recent meeting, he was more than surprised – he was upset. He almost yelled at me: “How did you do it?”

For my demo, my client had to complete a paper application form used by his company’s sales force. He needed to do this by hand, as would any customer, but using a digital pen equipped not only with an ordinary ink cartridge, but also with a micro-camera that captured each trace of the pen on the paper. When he had finished the application, he checked one box at the end of it that read “Transmit.” While explaining the features of the digital pen, I opened my laptop and remotely connected to our demo server. From there, just a few seconds after he had completed the application, I could show him not only a high-quality scan of the completed application, but also all the data already translated into usable fields: numbers, dates, addresses, ready for ERP integration. He stood up in astonishment and asked: “How did you do it? How??”

This appears to be a nice example of a presentation that went so well that I took my audience completely by surprise with an emerging, unexpectedly beautiful technology. But the truth is, less than two years after launching our work with digital writing, we had to completely write off two years of work and investment put in an offering that appeared to be “The Next Big Thing.”

Talking about our digital transformation successes is always nice, but I would like to share these five innovation facts that, from my experience, should be understood to avoid failing in this era where all of us are at the brink of launching The Next Big Thing, whether on top of blockchain or IoT or AI or machine learning technologies.

1. “Innovation Chasm” does exist. I am sure that many of you have seen the Technology Adoption Lifecycle graph that describes the Innovators, Early Adopters, etc. Well, in that graph, there is a chasm between being loved by technology fans and getting a growing majority of users that will make your product the next iPhone. In the case I described, we could not convince owners of the intellectual property in a timely fashion to simplify the pricing model to accelerate the creation of a minimum user base. Check your business model for scenarios where the chasm is bigger than anticipated.

2. Platforms and ecosystems matter. The possibilities of emerging technologies are immense but decisions need to be made in relation to the platform or ecosystem you want to belong to or create for others. No one cares for a solution that cannot integrate and evolve for future needs. Our digital writing offering did use industry standards like XML or GMS but relied heavily on proprietary technology within the core product.

3. The “Innovator’s Dilemma” is real. Professor Clayton Christensen has said that companies are designed for the status quo and innovation efforts are killed by design. That is, although companies may not say it, they do not really want to disrupt themselves. So, your presentation to whoever approves your innovation effort needs to avoid a collision trajectory and rather explain the complementary nature of business and customer bases that you are bringing to the table.

4. Being a maverick is cool, but … In the end, a successful launch of an emerging technology needs to be on good terms with the leading powers that will put your product in front of users. It needs to integrate seamlessly with dominant social platforms as well as with online and app stores, and be designed to quickly open its features to the newcomers that will play a dominant role in your marketplace. That is why you see such collaboration among companies that otherwise would be rivals to create the future ecosystems for blockchain, machine learning, etc.

5. ITBMS! I have a blog post called It’s the Business Model, Stupid. We have seen for several years that, in the end, all successful technology companies have managed to build a credible business model that will turn around years of losses (sorry, capital investments) by creating value for an ever-growing number of users. So, be bold in pursuing your dreams for a better world, but keep close your friends that can make sense of it in terms of a sustainable, long-term business model.

Author’s note: Jose Angel Arias has started and led several technology and business consulting companies over his 30-year career. In addition to having been an angel investor himself, as head of Grupo Consult, he participated in TechBA’s business acceleration programs in Austin and Madrid. He transitioned his career to lead the Global Innovation Group in Softtek for four years. He is currently technology audit director with a global financial services company. He has been a member of ISACA and a Certified Information Systems Auditor (CISA) since 2003.

Enterprise Leaders Should Steer Organizations on Path to Digital Transformation

Matt Loeb
Employees are at their best when they are encouraged to take calculated risks, rather than becoming complacent with what they know and what has become comfortable. The same holds true for enterprises.

Some of the best risks enterprises can take in our technology-driven business landscape involve deploying transformative technologies that allow them to connect with customers in new and innovative ways. Yet, in many cases, organizations are failing to capitalize on the widening array of opportunities.

ISACA’s new Digital Transformation Barometer research shows that only 31% of organizations frequently evaluate opportunities arising from emerging technology. Given the swift pace with which technology is introduced and refined, this shows that most enterprises are undercutting their ability to seize marketplace opportunities and better serve their customers.

Boards of directors and the C-suite should be challenging their operational teams to research, pilot and ultimately become experts in emerging technologies capable of transforming their enterprises. Big data, artificial intelligence, Internet of Things devices and blockchain are just a few examples of technologies capable of delivering transformational change. To lead effectively, senior leaders have to be able to articulate the future vision for their companies in the context of the technologies that will get them there.

There isn’t a board chair or CEO on the planet who would not be thrilled to open new revenue streams or reach new customers – some of the top motivators for pursuing digital transformation. So, what is holding so many organizations back? A shortage of digitally fluent leaders is one impediment. Only a little more than half of survey respondents expressed confidence that their organizations’ leaders have a solid understanding of technology and its related benefits and risks. ISACA’s research shows that those organizations lacking digitally fluent leadership are less likely to evaluate technology opportunities.

Even those organizations that perform their due diligence in vetting new technologies often develop reservations once more is learned about the associated risks. A whopping 96% of survey respondents believe there is high or medium risk in deploying IoT devices, and more than 9 in 10 respondents also categorized public cloud and AI/machine learning/cognitive technology as posing medium to high risk.

The reality is every new technology introduced expands the attack surfaces and presents new risks. Organizations must move beyond that inherent discomfort and devote the necessary resources to mitigate risk to acceptable levels. Enterprises with effective information and technology governance programs can deliver better customer experiences, innovate more, and improve their business performance and profitability. Investing in well-trained, highly skilled professionals in areas such as audit, risk, governance and cyber security can provide enterprises the confidence they need to effectively and securely leverage their technology. Organizations should also resist the urge to take shortcuts in pilot testing or research and development when evaluating new technologies.

It’s important to have realistic expectations about digital transformation. Not every turn of the wheel on an enterprise’s journey can be a smashing success, and organizational leaders must give their team members the freedom to take a well-reasoned risk that may – or may not – yield the anticipated results. Those failures can provide unparalleled learning opportunities.

Organizations that remain committed to digital transformation can reap great rewards. From telecommunications giant Sprint tapping into big data, to a town in North Carolina, USA, shedding the yoke of legacy applications, there is no shortage of examples of enterprises large and small successfully harnessing digital transformation.

As the Latin proverb goes, fortune favors the bold. Enterprise leaders should embrace that mindset and make digital transformation a centerpiece of their organizations’ roadmaps toward a prosperous future.

Getting Digital Transformation Right: The Fundamental Three

Phillimon Zongo, Natasha Barnes

Emerging technologies – such as machine learning, artificial intelligence (AI), blockchain, Internet of Things (IoT), augmented reality, and 3-D printing – are swiftly disrupting several industries. To paraphrase Klaus Schwab, co-founder of the World Economic Forum, these mind-boggling innovations are redefining humanity, pushing the thresholds of lifespan, health, cognition, and capabilities in ways previously considered to be preserves of science fiction.

The possibilities presented by digital transformation are indeed captivating. The uses are as varied as the organizations putting them to use. Sensors attached to jet engines are transmitting signals mid-flight, enabling airlines to promptly detect sub-optimal performance and conduct pre-emptive maintenance, boosting safety and minimizing downtime. Physicians are replicating flesh and bones using 3-D technology to simulate high-risk surgical operations, lifting patients’ confidence and shortening their anaesthesia durations. Meanwhile, blockchain – an open source, distributed ledger of everything – is being used to develop self-executing contracts, eliminating record labels and enabling artists to interact directly with consumers, maximizing the rewards for their creativity.

The benefits of digital transformation are unquestionable, but enterprises must manage these programs carefully. Here are three key recommendations:

Drive cultural change
Digital transformation transcends IT – it’s an enterprise-wide matter that requires unwavering commitment from the C-suite to front-line staff. To succeed, enterprises must place cultural change, not technology, at the core of their strategies. This requires eliminating unnecessary barriers to innovation, agility and change that exist within organizations, including breaking down functional silos and revising bureaucratic governance structures. As Jeffrey R. Immelt, CEO of General Electric, said, “You can’t have a transformation without revamping the culture and the established ways of doing things.”

Leadership from the top is essential to establish vision, institute appropriate governance structures and drive cultural change during any major change, and digital transformation is no exception. Executive messages must be clear and consistent, persuading employees that creating a nimbler enterprise that can swiftly respond to market needs is an existential matter; status quo is untenable. This fosters an environment of trust and spurs employee engagement, prerequisites for success.

On the contrary, inconsistent messages fuel doubts, pushing employees to work in silos and resent change. This risk looms large when transformation is perceived as a threat to people’s jobs. Consistent with this view, the majority of respondents to ISACA’s Digital Transformation Barometer rated AI and public cloud as the top candidates to face organizational resistance. While initial reservations about public cloud are waning, migration efforts and radical process changes can still pose such organizational challenges.

Embed security
In the race to keep up with competitors, enterprises often have a disproportionate emphasis on the pace of transformation. Often, security and infrastructure considerations are afterthoughts, but such missteps can have lasting business repercussions.

Emerging technologies are exerting enormous pressure on traditional security models. For instance, billions of IoT devices with glaring vulnerabilities are integrating with critical infrastructure, creating numerous backdoors for malefactors to exploit. Cloud is enabling employees to bypass IT governance processes and export volumes of sensitive data to unsanctioned environments, aggravating the enduring shadow IT problem. At the same time, location-based applications collect troves of personal data, raising safety and privacy concerns. Each emerging technology presents new security issues, many of which have not been sufficiently evaluated nor understood.

To thrive, businesses need to make security an inescapable facet of digital transformation programs, considering implications early during business case evaluations. Enterprises also must have a nuanced understanding of each technology, carefully balancing pace of adoption, security and convenience. Traditional one-size-fits-all models don’t cut it anymore. Securing an implanted cardiac pacemaker that can resuscitate a faltering heart, for example, requires more rigor when compared to securing a wearable device that tracks steps.

As this revolution unfolds, several jurisdictions are also tightening privacy laws. For instance, the EU’s General Data Protection Regulation (GDPR) will impose fines of up to 20M EUR or up to 4% of annual worldwide turnover, whichever is greater. Businesses must have a strong grasp of applicable privacy laws to ensure compliance and retain customers’ trust.

Consider the impact of legacy applications
As digitization gains pace, several enterprises are finding themselves saddled with jumbles of complex, aged and proprietary applications, referred to as “legacy spaghetti.” Several of these decades-old digital workhorses have developed a reputation for reliability and still underpin vital operations. But they can also be daunting obstacles to digital transformation. Specifically, they are not designed to handle the flexibility, speed and performance demanded by today’s digital enterprise. Furthermore, they often lack well-defined interfaces, sufficient documentation and available subject matter experts.

To manage this risk, business leaders should ask the following questions:

  • Which legacy applications can be cost-effectively modernized as part of the transformation program?
  • Which applications must remain untouched to mitigate risks to the stability of core operations?
  • Which skillsets are required to seamlessly integrate novel applications with existing infrastructure and support mission-critical applications that cannot be feasibly decommissioned?

An effective digital transformation strategy, therefore, carefully balances the need to rejuvenate customer experiences with the steadiness of core processes. Neither can be dealt with in isolation.

Looking ahead
This wave of digital transformation calls for enterprises to deeply rethink their strategies. Those that stick their heads in the sand may soon be irrelevant to their customers.

About the authors
Phil Zongo is head of cyber security for an Australian investment management firm. He is the 2016-17 winner of ISACA’s Michael Cangemi Best Book/Article Award, a global award that recognizes individuals for major contributions to publications in the field of IS audit, control and/or security. Phil has more than 13 years of technology risk consulting experience, advising executives on how to manage critical risk in complex technology transformation programs across multiple industries.

Natasha Barnes, CISA, is a manager with a global consulting firm, based in the Washington D.C. metro area. She has provided IT risk and compliance consulting services within both public and private sectors for more than seven years. Natasha helps her clients to optimize their control environments and address evolving cyber security challenges. Natasha is also a member of ISACA and a career coach with Careerly, where she mentors aspiring cyber security professionals by providing students with practical guidance to make informed career decisions.
