In my previous blog I set out the case for digital resilience being a step up from cybersecurity and described the need to convince organizations of its importance in a business context.
At its core, digital resilience represents a fundamental change in the way we understand digital technology, risk and opportunity.
In my blog I proposed the following definition:
Digital resilience – an organization’s ability to maintain, change or recover technology-dependent operational capability.
Assuming organizations heed the warnings and take on board the need for digital resilience, how do they go about building organizational capacity?
I would suggest the starting point is to hold an internal audit to identify and address digital resilience issues within the organization. As with any cybersecurity-related matter, this should be led from the top-down, with all departments involved. This is a crucial issue and one that needs to be discussed by the leadership team and not just seen as something for the IT department to deal with.
In a recent blog post, U.S. consultancy firm McKinsey says achieving digital resilience requires the involvement of multiple stakeholder groups. “Oversight from the board and senior management is essential to ensure that cybersecurity programs are rigorous and effective,” it adds. This is further supported by the Digital Resilience white paper published by the Shearwater Group, in which the extent of the risk is exemplified in the very public demise of Kodak, once a giant in its day, and a relatively recent example of a failure to embed and foster digital resilience: “Within a decade [Kodak] had gone from a technology leader to bankrupt.” After all, the roots of the failure to build digital resilience capabilities lie not in technology but in organizational culture.
The first question an organisation should ask itself should be ‘do we understand digital resilience?’ It is important to know not only what it means but also how it is different from cybersecurity. Organizations must also understand how dependent they are on digital technology, and be sufficiently aware of the opportunities and risks that carries.
The next question should be ‘how digitally resilient are we?’ Organizations must assess if their level of resilience is appropriate, decide what level of digital weakness they consider acceptable, and assess their capacity to innovate.
Next, “have we assessed our digital resilience exposure?” Organizations must look at how a lack of resilience will harm their business, processes and people, and work through potential consequences and build scenarios for how these may evolve.
The final question should be “do we have an active program to build and embed digital resilience thinking and practice throughout our organization?”
If the answer to the final question is “no,” then remedial work must be carried out immediately.
Any strategies or solutions implemented to build digital resilience within an organization must be put in place in the knowledge that the challenges and opportunities arising will change constantly. They must also be implemented in the knowledge that there is no going back – pre-digital strategies simply will not work in a digital environment.
So, what does a digitally resilient organization look like? In a recent column, Ray Rothrock, a CEO who has written a book on Digital Resilience, says: “Instead of cowering behind a wall and hoping for the best, those who lead digitally resilient businesses ensure that they know the strengths, weaknesses, gaps and vulnerabilities of their networks.”
Rothrock equates the traditional practices of cybersecurity with the way “misers protect their money” – by putting it in a safe and keeping it out of the reach of thieves. However, he makes the point that this approach also puts an organization’s most vital assets beyond any possibility of growth through exchange or investment.
“The resilient approach to cyber security is to defend data dynamically and actively while also making it work for you,” he adds. But I believe digital resilience encompasses a whole lot more.
In the previously-mentioned blog, McKinsey makes the point that organizations face the tough task of protecting their most important information without making it so difficult to access that it slows down their operations.
I firmly believe CEOs and their boards need to build resilience-by-design capabilities, both for themselves and their organization at the appropriate level. This includes:
Ensuring the entire organization incorporates resilience thinking with regard to both threats and opportunities.
Understanding that the effects of risk can be both negative and positive, and that taking or ignoring opportunities presents different types and levels of risk.
Understanding that discovering, creating and understanding new opportunities and threats requires cross-functional working and a multidisciplinary approach.
Ensuring the organizational culture and capabilities to enable decisions to be made and implemented within relevant timeframes and then adapted as required in response to resilience threats and opportunities.
Encouraging and empowering senior individuals to critically discuss existential threats, with appropriate management mechanisms to collect and analyze these in combination.
A culture where the potential impacts of digital weakness are communicated early to boards so that mitigation can be incorporated into strategy where they may actually end up creating opportunity – and with opportunity, don’t forget, comes competitiveness.
Assessment exercises that test the ability of the organisation and its management to respond, and highlight where decision-taking and capability gaps exist.
I am in no doubt that digital resilience will eventually come to be seen as one of the most important long-term assets of an organization, perhaps even the most important. For that to happen CEOs need to start having serious conversations about digital resilience now to ensure their organizations are fully prepared to face the digital future.
It is easy for me to say what needs to be done, words oft come cheap, but implementing a digital resilience strategy is a different matter.
So in a future digital resilience blog, part 3, I will look at mapping out a generic framework that can be used as a starting point for your very own digital resilience audit.
Contribution by Dr Debbie Garside, as originally published in CSO Online: https://www.csoonline.com/article/3302369/backup-recovery/how-do-we-build-digitally-resilient-organizations.html#tk.twt_cso