4 tips for embracing board optimism for emerging technology
In this monthly column, I’ll be sharing my thoughts on some of the latest insights from Diligent Institute and what they mean for the C-suite and senior leaders.
According to the U.S. public company directors surveyed in the What Directors Think 2024 report, most external (or systemic) risks had a negative impact on businesses last year. Our results showed one outlier – emerging technology – which very few directors listed as having had a negative impact on their business in 2023.
Anyone who has ever done the job of an IT professional knows that this seems suspect, leading us to think that the board may not understand the volatility and risk in emerging technology. After all, to most IT pros, the board’s optimism seems like a disconnect between the promise of acceleration of the business, and the real risk of emerging technology.
May I suggest that instead of fear, uncertainty and doubt, it’s time for CISOs to embrace the board’s optimism regarding technological advancement.
Source: What Directors Think 2024 by Diligent Institute, Corporate Board Member and BDO
How CISOs can embrace board optimism for emerging technology
Also in the What Directors Think 2024 report, respondents listed AI as the top emerging risk their board was closely monitoring. Why, you might ask, is that an upside? Well, it is a terrifying prospect to think of AI as having almost no downside. Instead of letting your eye twitch, what if you talk about emerging technology the way the board thinks about it? If emerging technology has the potential to have such a positive impact on the business, and if it has the visibility and optimism of the board, CISOs should take advantage of that opportunity.
To do this, consider the following:
- Implement risk intelligence data everywhere you can for automation. You will thank me later for this one. We spend 80% of our time validating 20% of our risks. Instead, we should be leveraging risk intelligence (both external data and your own data) to create an exception-based compliance environment for the things that can be automated. In addition, regulatory change management solutions, data feeds and human intelligence gathering can help manage geopolitical risks, and third-party audit solutions help oversee risks associated with supply chain. Automate all this so you have time to consider the security implications of emerging technology trends.
- Align your current needs to the emerging technology trend. Let’s face it, if you aren’t good at identity management, data storage and collection, and continual controls monitoring, you shouldn’t be exploring AI. According to a recent KPMG survey, AI is seen as the best solution to the short-term goals of the business. CISOs and security teams should embrace that attitude and remind the business that the total cost of that implementation includes single sign-on (SSO), identity and access management (IAM) and strong data governance and management, making it a win-win for the organization, customers and regulatory obligations. How exciting for EVERYONE!
- Important trends deserve their own CISO marketing plan. There is a reason the security industry names zero-day exploits like hurricanes. There is power in marketing. CISOs should start to brand what they do with the board and the business. If the trend is AI, then CISOs should brand an AI readiness plan that includes all kinds of upgrades to the IAM program. Taking this approach links the current need with the excitement of the future, rather than what may sometimes seem like a Blade Runner-style dystopian present that we all live in.
- Make sure the board knows that the opportunity is not all upside. There is a total cost of ownership of emerging technology, and that includes both a security review and update (if necessary) as part of the deployment or adoption of new technology in the environment. A CISO’s seat at the table with the board was the regulatory governance solution to including security in board-level decisions. With great power comes great responsibility, and CISOs must use their seat at the table to ensure total cost of ownership includes security.
Ultimately, ITGRC (information technology governance, risk and compliance) is the key to a CISO’s successful execution of strategic priorities. All the board-level strategies highlighted in the What Directors Think 2024 report have security risks that require mitigation. But as you can see, there are also good opportunities for an improved employee experience, an improved customer experience and upside in other parts of the business.
By leveraging ITGRC to track technology and security risks and incidents, the security team can meet the needs of the business on their own terms in a language that the business is fluent in – risk management.