The failed app used in the Iowa Caucuses revealed the “danger of deploying digital infrastructure without rigorous testing” and a huge cybersecurity risk that no one seems to be talking about—the Census.
Many of the CEOs and board members with whom I’ve talked cite cybersecurity as a big concern for them, too. Part of the challenge is that the nature of the risk seems to evolve continually—which can be even more difficult to assess for the huge number of companies that rely on technology, yet for whom technology is not a core business.
In 2020, most families will contribute their Census data online. Albert Fox Cahn and Zachary Silver (the authors of the Fast Company article that caught my eye) point out the myriad ways in which Census data is vulnerable and what that might mean for a variety of stakeholders. The potential impacts also vary, in both nature and magnitude for each stakeholder group. Further, the authors share how some leaders—shockingly few, unfortunately—are taking action now to mitigate the risk.
CEOs and boards can take a similar approach to manage their exposure to and the impact of potential risks (like cybersecurity) in executing their strategy. Consider these three questions:
1. Have you sufficiently identified the various aspects of technology that might be vulnerable? Most of us immediately think of personal data or sensitive information that can be stolen or exploited. In addition, think broadly about the technology-enabled tools or systems you use to deliver products and services to your customers.
2. To what extent have you explored the potential impacts of these threats to your strategy? As with the Census, you have a variety of stakeholders. Identify which stakeholder groups – beyond and including your customers and staff – may suffer most from a cyber or technology breakdown. Then, characterize the magnitude of that impact for each stakeholder, and the scope or scale of potential harm to your business. What is most likely to derail your strategy or make it harder to meet stakeholder expectations?
3. Have you defined and deployed the resources you’ll need to mitigate or eliminate the highest impact risks? Cahn and Silver assert that too few resources have been defined or deployed to alleviate the broad risks associated with putting the Census online. They also provide examples of how some locales are enlisting the aid of other stakeholder groups to mitigate the risks. For your business, perhaps identify partners, advisors, or programs that may work with you to manage your risk exposure and its impact. In that way, you increase the resource pool available to manage the risk to you and your stakeholders.
Having considered your potential vulnerabilities from various perspectives, establish and institute a plan to monitor the risks regularly. The constantly evolving nature of technology in particular (especially cyber tools) requires that kind of discipline just to stay current. It is then up to the CEOs and boards to assure that regular, rigorous risk assessment is a key component of their management process timeline. Unlike the decennial Census, your business and strategy can’t afford to assess and address risks only once every decade.