In the wake of the Equifax data breach, IT departments everywhere scrambled to check and double-check their own security plans. And while many turned their lonely eyes to the Chief Information Security Officer, what of the CEO? At Equifax, Richard Smith took the fall, as he should. His crime: Smith is an “insurance guy” not a “tech guy.”
In a world where technology sits at the center of every business, all executives must become tech people. That may sound scary, but despite tech’s complexity there are tools that can help nontechnical CEOs get a much better understanding of the risks and rewards associated with the software on which they are betting their companies.
It has always amazed me how big of a gulf there is between executives and the reality on the ground—and how willing business leaders are to delegate the responsibility for software risk to their developers and vendors.
True, understanding the software, the database and the network does get technical, but executives cannot afford to delegate responsibility when it entails the risk of poor IT execution and the many problems that can result. There is a sort of industrywide, willful helplessness. Leadership doesn’t really track how well they do IT or how good their systems are. This disconnect doesn’t happen with operations, sales, marketing, supply chain, or any other part of the business. It should not be the case with IT.
Every part of the business is hard for leadership to fully understand. What does the CEO know about inventory management and reorder point algorithms, for example? Or about logistics optimization? Probably about as much as they understand software development. Business intelligence tools like Tableau, SAP, and others have transformed the way business people look at complex operations and technical capabilities, with colorful and easy-to-understand visualizations and pictures of data. Gartner reports the BI market has now topped $18 billion.
Software intelligence and analytics tools that can give comparable clarity to IT are not far behind. We’re entering a new era of software intelligence where standards, analytics, and automation are conspiring to turn the discipline into a true business operation. It’s a pretty poor excuse that one is “not technical” when you could easily ask for scorecards of your software reliability and security risk from your IT leaders. It’s truly amazing how many organizations allow IT to continue running as if it’s a black art.
New regulatory measures are starting to show up that will require the C-suite to pay closer attention. I’ve written before about GDPR and NYS DFS—two new regulatory regimes that are raising the bar in terms of data protection and security. Penalties for noncompliance with both of these regulations are far more severe than under the current system, where it’s cheaper to pay a penalty than to do the right thing.
This is only the beginning. More regulatory pressure is on the way. The Senate Banking Committee wrote a letter to Jay Clayton, the current SEC chairman, telling him that current disclosure rules on cyber risks are not sufficient. The SEC will be examining whether all publicly listed corporations need to be more transparent about their cybersecurity and risk profile. Catching wind of this change in the regime, cyber insurance providers are reacting, shooting premiums up 30 to 50 percent per year. The day is not far away when it will be worth a lot of money in saved premiums to track cyber risk and be able to prove that your company has proper cyber hygiene.
Executives must start to hold themselves accountable for the safety and soundness of their software—and that starts with the simple acknowledgement that in many cases the biggest risk they are managing is their own ignorance.
[Techonomy has argued that “every company is a tech company” and “all leaders are technologists” since our founding in 2011. See for instance this session from 2011 entitled Every Company is a Software Company.]
Lev Lesokhin is EVP of Strategy and Analytics at CAST. Before joining CAST, Lev was Director, Global SME Marketing at SAP and, prior to that, was a consultant at McKinsey & Co.