Digital Transformation: Technology and the C-Suite/Board
Article 37: Do you understand the ‘ities’?
Even without Digital Transformation as a challenge, business people still need to be comfortable with what technology can do. The ‘ities’ are probably the most important technology areas whose impact the Board and C-Suite must understand. The problem, of course, is that most non-technologists don’t know about the ‘ities’, and if they do, they think they are 100% the CIO’s responsibility.
There are a lot of different ‘ities’ that can be considered, but I think these seven are a good start (they are not listed in any particular order):
Cybersecurity
Reliability
Scalability
Maintainability or Flexibility
Availability
Interoperability
Usability
The ‘ities’, then, are the non-functional requirements. They are not what a system does; they are how it does it. However, while these attributes contribute to the user experience, the product team often has no input into the decisions. Technical teams put in place contractual agreements to set standards and expectations. Too often, though, they make these agreements in a vacuum. There are always going to be tradeoffs of cost and time against improving the ‘ities’. It’s impossible (or at least impossibly expensive) to make everything ‘perfect’. But these tradeoffs need to be made in collaboration across the organization, not in a technology silo.
Let’s dive into why each of these is so important to have a good business perspective on.
Cybersecurity
No store owner would keep their inventory in a store without a locked door. However, in today’s world, much of the value of a company is digital and many CEOs and boards are doing the equivalent of leaving all of their company assets sitting on the sidewalk in front of the business.
Let’s be clear, there is no way to make something 100% secure and keep it usable at the same time. In the same way that Danny Ocean successfully emptied vaults by putting together teams with the best of the best, hackers can break even the best cybersecurity plans and implementations with enough time and money.
Therefore, it’s critical for the business leaders to be part of the risk discussion. They need to partner with the IT team to decide what the right balance is between risk and investment. Your reaction may be that this is either already happening or is unnecessary. This is demonstrably not the case.
Let’s look at a case that made headlines again last week. I would assume that everyone is familiar with 23andMe, the genetic testing company. We’re going to talk about a breach that happened in October but on which they are only slowly providing impact information. They say that only 0.1% of accounts (14,000) were hacked; however, due to their system design, this means that hackers actually got information on ~6.9 million users.
If we think about 23andMe’s business, it may seem at first glance that what they’re selling is DNA testing. This, however, would not be the full picture. In fact, they are selling trusted DNA testing. And that trust is not just in the accuracy of the data. The people taking the tests trust that:
The DNA results are accurate
The DNA results are confidential
The DNA results are used transparently and ethically
The DNA testing complies with regulations
The business leaders may know that the company is selling this package of trusted services, but the IT team likely does not. Or at least does not fully comprehend what that entails.
If the IT team had truly understood the risk to the company’s business from any hack, they should have insisted that all sensitive data (and DNA data would definitely fall into this category) be encrypted end-to-end. Technology has evolved to where it is possible, though more expensive, to store and use data while it remains encrypted. For any company whose existence would be threatened by a breach, end-to-end encryption is a sensible option. It’s even possible that the marketing department understood this, which raises the question of why they say the data was encrypted and yet data was exposed in the hack.
Without the trust of their customers, 23andMe doesn’t have a business. Risking the future of their business on the hope that hackers weren’t good enough is not a good strategy for a business this tied to trust.
Summary
Decisions on what is acceptable for non-functional requirements are critical business decisions that are too often made as technical or accounting decisions. The trade-off between risk/customer satisfaction and investment is not an easy one to make, and it is one that needs to be prioritized by the entire executive team. There is no right answer when you’re looking at risk, but there are plenty of wrong answers.
Every company needs to have comprehensive agreement across the organization on the appropriate level of risk from a cybersecurity perspective. And the business leaders need to understand how that risk is being mitigated (not the technology architecture, but how the technology strategy mitigates the risk). As 23andMe demonstrates, the wrong strategy can be truly devastating.
Tune in next week for a deeper dive into the next ‘ities’ as we look at how you can make sure that your business is prioritizing the right investments.