So, you want to introduce a new cloud service into your company?
Surely it must be super quick now that everything is on tap and delivered “as-a-service”? You get a contract in place, the vendor provisions the service, a login screen becomes available and off you go.
After all, as the saying some attribute to Peter Drucker goes, “Innovate (quickly) or die.”
A recent project with a manufacturing company got me thinking about whether there is a right balance between risk and reward when it comes to technological innovations. Furthermore, could a technology platform like Decision Focus help strike the right balance?
Managing risks around new technology introduction
Working with the security assurance team at a large FTSE-100 company has given me great insight into the importance of risk management in these early stages of new technology introduction.
The team had a well-established review process designed to establish security governance over new workstreams and technology introduction. During the review, typical clarification points included:
- What kind of PII will be handled?
- How is data protected?
- What integrations are planned?
- How will users authenticate?
- Have the right compliance documents been supplied?
The responses received from the project team highlighted the risks of proceeding with the project and what, if any, compensating controls would need to be in place.
The process was well thought out, but the team were struggling with the sheer volume of emails and spreadsheets that each security assurance review generated.
Projects needed to be reallocated to balance workload, and valuable information was often locked away in e-mails or hard to find on shared storage sites. Furthermore, team members were all following the process, but in slightly different ways, which made tracking adherence to published SLAs a very labour-intensive activity.
Establishing a Security Assurance Portal
The Security Assurance team first encountered the Decision Focus platform when they were assessing the solution as a new cloud service requested for the organisation’s vulnerability management programme.
Whilst conducting the security due diligence, the team saw that the GRC capabilities around Risk Management, combined with the flexibility the tool demonstrated in adapting to project-specific workflow and data management needs, could be leveraged to address the collaboration and reporting challenges the team themselves were facing.
Security assurance (of the future security assurance platform!) was streamlined since the platform had already passed the stringent security checks that were part of the initial service introduction project. The business case was also enhanced due to reuse of the platform and cost savings from a shared licence pool.
After a short implementation project following a rapid prototyping approach, the Excel-based Security Self-Assessment spreadsheets were archived, and the team’s email inboxes breathed a sigh of relief.
Key aspects of the solution:
- Single source of ‘truth’, which removed the previously disparate data and established a single lens through which to track progress of the Security Assurance Programme.
- Role-based access for Project Managers, Security Assurance Staff, Internal Audit and Security Management.
- Support for an escalation process to ensure that assessment processing adhered to published SLAs.
- Metrics and dashboards to improve visibility into the number of assessments being received and the time taken to reach decisions.
- Creation of a portfolio risk heatmap for new technology introduction.
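As an added illustration (not part of the original post and not Decision Focus product code), the Python below models the intake questions listed earlier as a single assessment record, derives a heatmap cell and risk rating from the answers, and checks each review against an assumed published SLA, escalating open reviews that have overrun it. The scoring weights, SLA figures, field names and sample projects are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed published SLAs in calendar days, per risk rating (constructed values).
SLA_DAYS = {"High": 5, "Medium": 10, "Low": 15}
TODAY = date(2024, 3, 25)  # reporting date for open reviews (constructed)

@dataclass
class Assessment:
    project: str
    pii: str                 # "none", "basic" or "sensitive"
    encrypted_at_rest: bool  # answer to "how is data protected?"
    integrations: int        # number of planned integrations
    sso: bool                # federated login rather than local passwords
    compliance_docs: bool    # required compliance documents supplied?
    received: date
    decided: Optional[date] = None  # None while the review is still open

def impact(a: Assessment) -> int:
    """Impact 1..3 driven by the PII category the service will handle."""
    return {"none": 1, "basic": 2, "sensitive": 3}[a.pii]
def likelihood(a: Assessment) -> int:
    """Likelihood 1..3: one point per missing control, capped at 3."""
    gaps = [not a.encrypted_at_rest, not a.sso, a.integrations >= 3, not a.compliance_docs]
    return min(3, 1 + sum(gaps))
def rating(a: Assessment) -> str:
    score = impact(a) * likelihood(a)
    return "High" if score >= 6 else "Medium" if score >= 3 else "Low"
def sla_status(a: Assessment, today: date):
    """Return (status, elapsed_days); open reviews past their SLA are escalated."""
    elapsed = ((a.decided or today) - a.received).days
    limit = SLA_DAYS[rating(a)]
    if a.decided:
        return ("met" if elapsed <= limit else "breached"), elapsed
    return ("on_track" if elapsed <= limit else "escalate"), elapsed
def heatmap(assessments):
    """Portfolio heatmap: (impact, likelihood) cell -> sorted project names."""
    cells = {}
    for a in assessments:
        cells.setdefault((impact(a), likelihood(a)), []).append(a.project)
    return {k: sorted(v) for k, v in cells.items()}

# Constructed sample intake records, not real projects.
SAMPLE = [
    Assessment("CRM-SaaS", "sensitive", True, 4, False, True, date(2024, 3, 1), date(2024, 3, 12)),
    Assessment("Analytics-Tool", "basic", True, 1, True, True, date(2024, 3, 5), date(2024, 3, 11)),
    Assessment("IoT-Monitor", "none", False, 3, True, False, date(2024, 3, 10)),
]
```

Running `sla_status(a, TODAY)` over `SAMPLE` flags the decided CRM-SaaS review as having breached its 5-day High SLA and the still-open IoT-Monitor review for escalation, which is the kind of signal the dashboards and escalation process above are meant to surface.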
Balancing Risk and Reward
This project has given me first-hand insight into the importance of early security assurance when executing an organisation’s risk management programme. The assurance team needs to be involved early so that new technology is considered from a risk perspective, and the team needed the Decision Focus platform as the enabling technology to make the whole process run smoothly.
When it comes to finding the right balance between risk and reward, my opinion is that benefits and concerns should be of equal importance when introducing new technology. The reality is that without considering the risks of new technology projects you can innovate AND die. Just Google “Theranos” if you need proof.