I’ve spoken to a few corporate boards on IT governance and risk management, and I’ve one question that I always ask — but first let me clarify this Target CISO tweet with my twitter handle on it.
In an internal Gartner e-mail thread about the Target CIO resigning, I added some irony, writing: “Another good reason to have CISO — so the CISO can resign.” Violating all manner of e-mail and twitter etiquette, my good friend and colleague Doug Laney blasted my snarkiness to the world in a tweet — thanks, Doug! I mean it — thanks — wish I’d thought to tweet it.
But it’s really not funny, is it, when a CIO must resign her post over something she probably had been trying to fix for some time. I’ve no special inside knowledge of Target, but we’ve all seen other large organizations that have had big security, risk management, or compliance failures, and typically someone, somewhere has made the problem known, but other business priorities — making a project deadline, opening new big box stores in an emerging market, or closing the deal for a merger — seem more tangible to the powers-that-be (PTB) than dealing with security or risk issues. ‘We’ve lived with it so far — how do you know something bad will happen, anyway, Ms CIO?’ It’s a real stumper when the PTBs just don’t get it — especially when one fail after another is in the news!
Two factors often emerge when there is a big failure — 1) There’s no one outside of IT who acknowledges ownership of the risk; 2) There’s no one coordinating and providing oversight of the many different risk silos.
Target is just the latest in a long line of consumer giant security fails — remember TJX, remember Sony?
So, after the fail, they all get religion. The answer lies not just in getting a real corporate CISO, but also requires getting true business leader ownership of the risks. That can only come from the very top, from those who are truly responsible to the shareholders for governance: the Board. Tone at the top is the one ingredient of risk management where being even a pinch short ends the recipe in disaster.
So besides running an effective coordinated security program, there’s another role for a CISO in a large dynamic enterprise, and that’s working with the leadership of the company and ensuring that IT risk management issues are addressed in business initiatives. For large organizations, the CISO will have her hands full running a corporate-wide IT security program and organization, and to have that kind of oomph, she must have a direct line to the board.
So, if you’re a corporate director, I have just one question for you: ‘Can you tell me the name of your CISO?’
In an amazing and truly surprising decision to neglect ecommerce, Target missed a huge opportunity to take Canada by storm by creating a customer-centric and completely integrated multichannel experience. In an age of increased international retail expansion this should serve as an important lesson. Entering a new market is always challenging, but you cannot ignore certain basic factors. Just as you expect to build stores and warehouses, you must be prepared to deal with the realities of the multichannel consumer. This is especially true in a market such as Canada, where Target may have a fresh perspective on merchandise but is competing with a core of sophisticated retailers.
Consumers are much less forgiving than they used to be. With much of the Canadian population living in areas adjacent to the United States, they are already familiar with Target and will expect it to live up to the experience provided to US customers. As retailers expand into new markets there is an opportunity to take the best of what they have to offer and combine it with new blue-field strategies. In this case Target failed to grasp the opportunity and is now running behind its competitors. Just think of the possibilities to try new in-store experience technologies, in-store fulfillment of ecommerce orders, new mobile applications, click and collect, same-day home delivery, to name a few. Sadly, they missed the opportunity to be seen as the new and innovative retailer. You don’t get a second chance to make a good first impression.
So the lesson here is simple. Customer experiences in the new digital economy must be understood and become as much an integral part of the expansion plan as the physical store and supply chain network. Expansion brings with it the opportunity to invest in new technologies, reinvent customer experiences and lead change for the entire organization. Many markets around the globe are actually even more driven by new technologies such as mobility, and eager to experience brands that can deliver on high expectations.
I read this article a few weeks ago and set it aside to revisit. In it, the author states that “Risk management used to be someone else’s job.” and then later concludes that “…in a global business arena that is increasingly unforgiving when it comes to missteps, the message is clear: Everyone, including you, now has to be a vigilant risk manager.” Yes, well, sort of, maybe, kind of… hmmm…
During RSA 2013 (last year) I had the opportunity to sit in on a half-day event around IT risk management. When I joined the closing panel, I asked how many people in the audience had “risk manager” in their titles, and then asked them to leave their hands up if they actually made decisions based on their risk analysis, or if they simply made recommendations. Unsurprisingly, the vast majority (possibly all) of the hands went down. You’re not “managing” anything if you’re not empowered to make a decision. And, inevitably, that means you’re going to be one of those people contributing to the “risk register,” which is the place where all good risk conversations seem to go to die.
My opinion is not necessarily shared by the rest of Gartner, or even by the rest of my team, but I want to make a few points about these risk registers and why I think they’re a faulty concept that needs to be deprecated within our environments. Similarly, I think these surveys (like the one noted in the article referenced earlier) are also silly. “What are your top concerns?” If you’re a business, it’s going to be “staying in business” and “growing revenue” and “avoiding foolishness.” The specifics of each of these varies year-to-year, but let’s be honest for a moment and admit that, at least within the US, this is really what execs are “worried” about (if you can even call it that – I’m convinced most really don’t think too much about it, instead preferring to focus on making good decisions that lead to up-side realization).
Here are three reasons why I think the risk register is really a silly notion:
Shouldn’t risk findings be driving actual remediation activities?
One of the reasons I hate risk registers is because, as a former consultant, auditor and assessor, I’ve often seen the same items maintained on the list year after year after year. What’s the point of that list? If you have a risk finding worth recording on the “really important scary things” list, then you doggone well better have a remediation plan or compensating controls. Your risk management program serves to inform, as well as to drive good decision-making. Risk registers don’t meet this need at all. I would far prefer that enterprises resolve to have a clear “register” every year (or quarter!) so that all risk assessment findings either drive directly to remediation or are summarily managed through compensating controls or are summarily dismissed as unconcerning. Failing to take action strikes me as an indefensible approach that will some day land your business in hot legal waters.
What exactly are you trying to accomplish with it, anyway? (it’ll never be complete)
You’ve built a risk register, probably over the course of a few years. Now what? What was the objective of making this list? Are you trying to give your executives a migraine? Or, maybe you secretly hope that hackers will find the list and start taking advantage of your weaknesses? I’ve heard of enterprises that make these lists and then keep them super-secret, but to what end? More importantly, though, is that these lists will never be complete. “Risk” evolves over time. Moreover, a lot of operational risks, particularly under IT, get short shrift and are underrepresented within risk registers. Or, even worse, they get rolled up into meaningless aggregate statements like “cybersecurity risk is high” (whatever that means?!). If your goal is prioritization, then improve your risk analysis and risk assessment capabilities. If your goal is to make better decisions, then turn that data into something actionable. But, know that the list is temporal and should always be in flux. If it’s not… if your risk register tends to be very static… then I submit you’re not truly doing something useful.
Risk registers reinforce the really bad idea of the “annual risk assessment.”
One of my other pet peeves around risk registers is that they tend to reflect the fatally flawed notion of the “annual risk assessment.” I’ll address this topic in depth in another blog post, but suffice to say, if you’re only “assessing risk” on an annual basis, you’re doing it wrong. Risk assessment and risk management are ongoing activities that should be leveraged to make good decisions throughout the business calendar, rather than just ahead of the annual budget cycle. All meaningful decisions should be supported by at least a lightweight risk assessment that helps analyze key factors toward ensuring that due diligence is performed and that a reasonable standard of care is met.
When all is said and done, the risk register typically becomes a dumping ground for “things we don’t know how to manage” or “things we don’t care enough about to manage.” This is unacceptable, and often a cop-out. Any finding worth listing is worth listing in an action plan for remediation. Can’t do everything this year? No problem, put it on your strategic roadmap, documenting how you’re going to address it. Or, document your compensating controls (like insurance) and then move on. Yes, documentation should exist, but not as a list of “really scary things.”
These notes have just been published after lots of long but productive work. As far as I know we have not reviewed 26 storage arrays before: 12 high-end general-purpose arrays and 14 midrange general-purpose arrays. Which leads on to the philosophical question: what is the difference between a high-end and a midrange array? a) Discount level, b) Several glasses of wine at a marketing lunch, c) IEC 309 jumbo connector? I have to thank my colleagues Arun Chandrasekaran, Roger Cox and Stan Zaffos who helped compile these notes and, last but not least, my dog, who also provided advice and support during the late hours.
As you might have heard, today is my last day at Gartner. The last years have been an amazing ride. I have had the opportunity to work for so many great customers in different industries and geographies. I’ve had the pleasure to work with some incredibly sharp minds and good souls. And for that I simply wanted to say thanks.
I am staying in the identity industry and I am sure our paths will cross soon.
The rocket ship of big data analytics is launched and on its way to orbit. Data and analytics are gaining importance with a cosmic speed. The rocket ship is fueled by cloud, mobile and social forces. Information is a single force that gets to the foreground over time while cloud and mobility, once implemented, become less visible. Then big data and analytics turn into a long-lasting focus of enterprises. Information architects and analytics gurus, get ready for a much greater demand for your expertise within next several years!
Last fall, my fellow analysts (covering social, mobile and cloud) and I (big data coverage) interviewed 33 people from truly innovative companies that have implemented social, mobile, cloud and information together (a.k.a. the Nexus of Forces). These were the brilliant innovators who were not just thinking about it, but those who have already done it. They were not implementing each force individually, but were taking advantage of technologies in combination. One visionary told us,
The secret sauce is optimization and trade-off to achieve the best whole, bringing it all together for a unique user experience.
Fascinating things are happening: companies in different industries think of themselves as data companies, information quality is ripe for disruption, everybody is craving information governance, personal analytics is born and growing quickly (my colleague Angela McIntyre predicts, “By 2016, wearable smart electronics in shoes, tattoos and accessories will emerge as a $10 billion industry”). Convergence of forces surfaces my favorite subjects: big data, open data, crowdsourcing, and the human factor in technology.
We will talk about Lessons Learned From Real-World Nexus Innovators in a webinar on 11 March.
Three research notes describe our findings, in this order:
And here is a quote from one of the interviews about the state of big data analytics:
“It’s not just about finding the needle, but getting the hay in the stack.”
The rocket ship is launched. Get ready for orbit.
Follow Svetlana on Twitter @Sve_Sic
Simplicity. The mere sound of the word is musical.
Listen to your buyers.
If there’s one thing people don’t need in a world of sensory overload, it’s complexity, a sentiment that rings loudly in a survey conducted by IBM’s Institute of Business Value. Consumers say in the study that marketers try too hard to engage with them over social media.
Moreover, they push out too much information. The result? Buyers overthink purchase decisions, which drives them into buyer’s remorse before they’ve even purchased the product. This often causes them to change their minds and abandon the path to purchase altogether.
Help buyers think less about the decision.
In another study by the Corporate Executive Board, consumers expressed, or rather begged, that marketers “simplify the decision process” to the point where they think less about the decision. Sounds counterintuitive, right? It’s actually consistent with other research.
In one study about choice, a grocery store had two display tables of fruit juice products. One table had 12 choices (which drove more traffic) the other had four (which drove more sales).
You can read lots of stories similar to this one in a fascinating book by Dr. Robert Cialdini titled, Influence and the Power of Persuasion.
For another example, consider the State of Kentucky, lauded for its smooth healthcare rollout, also known as Kynect.
“Kentucky seems to have a smoother rollout than some other states,” said Jennifer Tolbert, director of state health reform at the Kaiser Family Foundation. When she visited various exchange websites she said, “the one I got through most easily on to get prices and comparisons was the Kynect site.”
Though Ms. Tolbert said she wasn’t certain why the Kentucky site functioned more effectively, she speculated it was likely its pared-down design. It “doesn’t have all the bells and whistles that other states tried to incorporate, like interactive features,” she said. “It’s very straightforward in allowing consumers to browse plans without first creating an account.”
The program manager for the initiative, Chris Clark, commented, “We spent an enormous amount of time making it functional,” adding that the goal was to provide the most relevant information in under 10 seconds.
Get out of the way
Take a look at your own path to purchase; get the obstacles out of the way. According to the CEB study, brands that simplify decisions are:
The Zero Moment of Truth describes the moment after a consumer sees an ad, content or other stimulus that kicks off their buying journey. Thanks to digital technology (the web, mobile devices, social media, advertising on wearable devices) this moment can occur anywhere and anytime. As people filter through a seemingly endless stream of content that follows them from laptops, to smartphones, to connected cars and beyond, much of what they see and hear gets dismissed as they quickly sort through noise to find the signal that is tuned to their needs at that moment.
To ensure that the content, context and timing of your marketing is attuned to customers’ needs, it’s critical that you understand their journey. A recent article challenged ad agencies to immerse themselves in their clients’ products and services in order to better market and sell to consumers on a brand’s behalf. True. Marketers, both in-house and external, need in-depth, first-hand knowledge before they can tell an authentic story about a product or convince someone else to buy what they’re selling.
But understanding your customers’ journey extends beyond the way they buy and use your product. It extends to how they think, what they believe, how they live, the challenges they face each day and the things that inspire them to keep going. I know it sounds hokey, but making a meaningful and sustainable impact on marketing and sales at the ZMOT involves walking a mile in your customers’ shoes. If you analyze even the most basic purchase, laundry detergent, for example, you’ll uncover deep-seated reasons why people make purchase decisions.
I buy a specific brand of laundry detergent, and I always have. I strayed once, in college, out of severe price sensitivity. I hated the smell and couldn’t wait to finish the bottle and return to what was familiar. Why? It’s not the brand’s marketing. That’s either a prompt to check supplies and add detergent to the grocery list if we’re low, or an unwelcome reminder that laundry looms ahead. I have bought the same brand of laundry detergent for nearly twenty years because my grandmother bought it, and whether or not it’s the best in class, it makes me feel closer to her and like half the mother she was.
That is my zero moment of truth. There is no way a brand can know that by looking at surface-level, demographic data. That level of in-depth knowledge would require them to go beyond demographic, and even psychographic, data to look at ethnographic research or connect with me individually. While this is a daunting task when multiplied by millions of customers, there are third-party research providers and social marketing and analytics tools to help marketers gather customer insight, identify influencers and understand what drives decisions, to improve their chances of winning at the ZMOT.
This month’s Strategy and Business had this article:
Would Your Employees Work for Free? Leaders who manage volunteer work forces have much to teach leaders who manage employees.
I suppose they are suggesting that a measure of employee engagement is whether I as an employee would still do the job for free…
So I am reflecting on experiences where that was borne out:
1) The hospital: hospitals (up until recently) paid much less than other sectors for IT help, to the point where they would just train low-paid clinicians to do IT. The typical CIO salary was 1/2 to 1/3 what he/she could earn at a comparable for-profit. The upside was “the mission”: helping save lives vs. creating a system that optimizes sales is a compelling legacy and (sometimes) makes up for a lot of comp.
2) The college radio station: EVERYONE in a typical college radio station works for free. I ran one as station manager for two years and technical director for one. Through administration budget meetings, student strikes, sit-ins, and precarious race-relations negotiations. And always wondered why I (or any of the other 100+ volunteers) would put up with it for nothing. Music and drugs helped. It also provided a good work experience to be used later.
3) The start-up: this was more a case of delayed gratification: if I work for free or near free now, maybe I’ll be filthy rich in the future and not have to work at all. It’s a Las Vegas crap shoot, but still something many employees (and ITers) buy into.
So “delayed gratification” could be the underlying motivator in all these “ideal engagement” scenarios, whether it’s feeling good about what you did with your life, recognizing skills that could come in handy later, or just hoping for the big payout at the end of the time you put in. If it’s no $, then it may be that employees have to see other visible results, or risk the perception that their time is wasted.
The fallacy with equating positive employee engagement with “working for free” is that humans often put up with a lot of hassle for a period of time for a variety of motives, and it may not reflect true “engagement”; also, finding someone with charismatic qualities to follow may be a factor, playing on that need for security and shared purpose. That works for cult leaders, at least for a while.
There’s also a fallacy with equating employee satisfaction with engagement, or the fact that people will work under duress for free, for a while, until they find something else; or the need to achieve an organizational goal for a higher cause. Sometimes you have to put up with a lot to accomplish a noble goal, like in a just war (e.g. the Greatest Generation).
Even more importantly – it’s not about top down leadership, but what Tom Friedman recently wrote about in an interview with Laszlo Bock at Google. He called it “emergent leadership” — the ingrained motivation within all of us, components of which are humility, responsibility, ownership. That’s what I’m talking about when I mean “engagement”.
During our changing IT career research we found the CIO who was not competing for employees on pay, but competing on career development. He found out what each one wanted to pursue and helped them do it. He gave them assignments knowing that eventually they would leave out of necessity to find more pay, but while they were there they got the opportunities to improve their career. Now THAT’S engagement!
For those of us in IT, these are not academic topics — and that’s why Mike Rollings and I are focused on them in our professional effectiveness research at Gartner.
Let me start off by stating how little I like the term “Internet of Things.” My take is that this phrase, which represents the grand concept of using IP technology to link together associated products to facilitate a behavior or action, overhypes yet undersells the promise in a connected world. It’s a brilliant idea whose time is now, but turning it into a market-wide technology panacea sets it up to fall short of wild expectations. As I jokingly discussed with a colleague at last year’s Gartner Symposium, this IoT deal has been around since the ’90s, when telemetry was used to let the local Coke bottler know when a dorm’s soda machine was out of caffeine-laden goodness. IoT circa 2014, however, has greater buy-in from more constituencies, indeed entire ecosystems, than those first iterations did, and those with any sort of future vision can see its manifest destiny.
Sure, there are all sorts of Thingy applications that can better the greater good, from controlling traffic flow using in-car signals and roadside sensors to monitoring your home’s energy remotely to save money and lessen the burden on the local grid, but it’s the commerce Things that catch my eye. Case in point: the GE Social Fridge, which will be on display at the upcoming South by Southwest (SXSW), held this week and next in my adopted home town of Austin, TX. The fridge opens to offer beer and soda to passersby only after 10 people have checked in via Foursquare. A simple yet thought-provoking way for retailers to create in-store excitement and engagement as they marry Social Things with Crowds/Mobs to build cool commerce promotions. Taking the fridge example to its next level: after 10 people check in, uncap your beer or soft drink to enter a contest for your own IP/sensor-driven fridge. Also, that cap could include a coupon off your next purchase of Shiner Beer or Jones Soda. Now we’re talking cross-promotion.
Let’s look at the bigger picture that rests at the intersection of Things and Commerce. Let’s stay with the fridge and overlay the world of predictive analytics and commerce. Amazon, among others, hopes to use predictive analytics to pinpoint and plan for customer demand for products and services. If my fridge sensor realized I was running short of eggs, a message could be sent to my local grocery store to deliver a dozen to my home. Perhaps a subtle notification to that same grocery store could also allow that merchant to understand my egg consumption pattern so it could maintain a more precise inventory of goods based on the collective needs of its customers.
Digital marketers are faced with the need to have a vision that looks at the past, the today and the tomorrow. The past and present represent fuel to drive today’s campaigns, but the future offers excitement that not only inspires cool ideas but ensures ongoing relevance to your peers and your customers.
As we learned in October 2013, AMC renewed The Walking Dead, one of the most popular television series of the moment, for a fifth season. Now the AMC television channel has announced on its official blog that before the new episodes premiere, fans of the story will be able to have on their devices […]
One of the best options you have with a 4G-connected phone is sharing your high-speed connection with other devices. All contemporary smartphones give the user the ability to function as Wi-Fi ‘hotspots’, which in practice means that users will be able to […]
The value of each vote in these elections is high. The abstention rate in the last elections for the Senate and the House of Representatives was 55.6%. There were also many spoiled ballots, mostly because people do not understand how to use the ballot card. The video we share below explains the […]
The most important digital culture festival in the world has just begun, and at ENTER.CO we are at the Austin Convention Center to bring you the details of the geek party being held right now. Technology, music and film come together in a single place to present us with debates, conferences, film premieres, […]
Sony confirmed, through a press release, that the president of the Sony Computer Entertainment America division has resigned and will be replaced by Shawn Layden, head of operations of ‘Network Entertainment’. Tretton had been working at the company since the beginnings of PlayStation in 1995. He was there for the arrival of the latest consoles […]
One of the requirements of an office is connectivity. It is relatively easy to set up a wireless router and connect all the devices. However, this is far from optimal and means missing out on the advantages of having a local network in your office. In this guide we will explain how to set up a local network for […]
Many women today hold very important positions in the technology industry. To celebrate Women’s Day, we will look at who these technology heroines who have changed the industry are. Marissa Mayer Since her beginnings at Google, Mayer opened everyone’s eyes. She was the architect of the […]
Many are wondering how Sony is making a movie out of a game that already looks like one. Sony has just announced that it is moving the project forward together with Naughty Dog and Screen Gems. The game’s directors, Nel Drcukman and Bruce Stanley, will be involved in the development of the film, in the same […]
Day by day, blogs, corporate sites and news pages search the web for images to use in their digital content. To the delight of many, Getty, the largest image site on the planet, made a surprise move. Starting this week, the site’s photos can be used freely, as Mashable reports. When […]
At ENTER.CO we know we have many female readers who follow us because they like technology, especially the mobile applications that make life easier. As Women’s Day approaches, we wanted to give a small gift to the girls who, besides being followers of digital culture, are lovers of […]