“The whole is greater than the sum of its parts.” ~Aristotle
Even in the 4th Century BC, it was understood that functions within an organization working together for a common goal produced better results than working independently. Somewhere between Aristotle and the modern MBA program this lesson seems to have been lost as functional excellence became a key criteria for bonuses and promotions. As a result of the recent movement towards digital transformation and organizational agility, the importance of enterprise integration is only now being rediscovered. Yet most organizations are hardwired for functional thinking, with budgets and recognition systems as heavy influencers of silo behavior.
Take the example of the Three Mile Island Nuclear Accident, where strong silo behavior and a focus on functional excellence led to poor information flow between departments that needed to work together. The result? Lack of communications, internal competition and poor trust compounded a technical fault into a major accident. In their excellent book, Meltdown: Why Our Systems Fail and What We Can Do About It, Chris Clearfield and Andras Tilcsik clearly point out how in complex systems small mistakes and communication blockages can lead to catastrophic results.
Today’s businesses and organizations are becoming increasingly complex. And the rush towards integrating digital technologies into every aspect of the organization dramatically increases that complexity. Supply chains have become massively complex and often harbour significant business risks. And in many cases these critical supply chain risks are invisible to management. And manufacturing is no longer isolated from marketing and sales, since the customer experience is becoming a significant competitive advantage in many industries.
We are working in ever increasingly complex organizations and it seems that the only person who cuts across the silos and looks after the “big picture” is the CEO. But with the increasing external demands on the time of the CEO, efforts at enterprise integration and getting multiple functions to work together for a common enterprise objective often take a back seat.
Organizational silos are a significant business risk!
An Important Role for the CSIO
The growing tsunami of attacks from cyber criminals and nation-state bad actors is seen as one of the top business risks by business leaders. A single breach could wipe billions off market value, cost millions in loss of downtime and system recovery, plus significantly damage both customer and employee trust in the company.
While cyber security lies squarely in the job description of the cyber security department, seeing cyber security as a functional responsibility is both naive and extremely risky. With 80% of cyber breaches the result of employee mistakes and behaviour, cyber safety becomes an enterprise issue, not a functional issue. And all employees, from the C-suite to the night cleaning crew, and from the Call Center to the outsourced staff are important links to cyber security.
At a recent workshop on cyber security culture and risk mapping for a large European based global bank, it quickly became apparent that cyber safety was an enterprise issue. The culture and risk mapping exercise revealed several key departments that have a significant impact on overall cyber safety, but had few significant interactions with the Cyber Security department. These were Physical Security, Information Technology, and Human Resources. Each have their own functional objectives, budgets and challenges, yet in many ways all have a direct and significant impact on cyber security inside the organization. And the C-suite also stood out as critical to overall cyber security; not just for their contribution to “tone at the top”, but for the significant number of cyber security exceptions generated by this group.
Silo focus and lack of overall alignment on key enterprise objectives often lead to sub-optimization, and hidden business risks.
In our experience, the CISO is in the perfect position to be the catalyst for organizational alignment since cyber security risks reside in every function and every individual employee action. The CISO is one of the few in an organization that has an enterprise-wide perspective on security risks and could effectively act as the enterprise integrator, helping to mitigate current and potential cyber risks to the organization. A breach may happen in one area or from one action, but its impact is enterprise wide and effects everyone. While market risk or operational risk are impacted by one or two functions, cyber security risk is inherent in every function and every employee.
Currently the role and responsibilities of the CISO is not well defined, and there is much discussion as to where the CISO should report and the breadth of their remit. Those companies that fully understand the enterprise and business risks of a cyber breach tend to have the CISO sitting on the senior leadership team. But in most cases, the cyber security function is still seen as a secondary technology cost center reporting to the CIO or in some cases the Chief Risk Officer, CFO COO or even the Legal Counsel. According to a study by Georgia Tech Information Security Center, 40 percent of CISOs reported to the CIO or CTO. And the Global State of Information Security Survey 2018 estimated the financial losses as a result of reporting relationship of the Chief Security Officer.
We believe that seeing cyber security as a business issue and not a technology issue is key to putting in the proper organizational structure and reporting relationships to allow the CISO to act as an enterprise integrator.
It is impossible to determine when or where many business risks come from, but cyber attacks are continuous, growing and a serious business risk.
John R Childress. Chairman, CulturSys, Inc.