Realize the benefits of technology innovation by managing the risks

Organizations today face an acute need to mitigate threats to profitability and revenue, and ensure that cost structures are as lean as possible. Today, addressing enterprise risk means balancing interrelated organizational priorities, such as technology innovation and information technology (IT) cost reduction, in the context of an overall risk management strategy.

Pressure to save money means IT cost structures must evolve because technology spending is often a ripe target for reduction measures. Fortunately, technology innovation can assist with reducing costs, but the challenge for chief information officers (CIOs) is that such innovation typically also fosters risk and complexity. For this reason, innovative projects must be undertaken hand in hand with security initiatives.

Key Technology Trends Impacting Information Security

Cloud computing and SaaS: Sourcing IT solutions from multiple content and service providers-using either a cloud computing or software-as- a-service (SaaS) approach-unlocks data held in IT silos. This can increase risk by enabling sensitive data to cross organizational boundaries. Since their core business is based on securing customer data, major cloud providers have made progress in this area. However, there are still many open issues such as data control and certification. The pace of uptake will depend heavily on how soon these issues are resolved and when cloud providers will be able to obtain official certification of their security practices from independent third parties.

Collaboration technologies: Taking advantage of Web 2.0-based collaboration tools, including 'mashups' that combine disparate data stores in easy-to-use interfaces, can be an innovative way to improve productivity. Unfortunately, such user participation can lead to an increase in employees sharing sensitive enterprise data- anytime, anywhere, via any device.

CIO as data custodian: Conflict of interest among consumers, governments and companies leads to an ever-increasing and constantly shifting group of data-protection laws and regulations at a local, state and national level. It is a challenge to interpret and adhere to regulations that address areas as diverse as mergers and acquisitions, non-public information disclosure, financial reporting and data privacy. In response, CIOs must address diverse commercial priorities via myriad compliance, governance and risk measures; enterprise policy management; and secure business process management – protecting the organization and the privacy rights of its stakeholders.

How Effective Are Current Data Security Practices?

It is an opportune time for CIOs to proactively and strategically advise on safeguarding data assets and adopting new technology while encouraging their organizations to meet compliance, IT cost reduction and risk-management goals. A crucial task for CIOs is to institute airtight approaches to security. This is particularly important so that organizations can quantify risk in step with cost-reduction imperatives and corresponding technology innovations.

Accenture recommends CIOs examine the effectiveness of their security strategy and manage data as a strategic asset. Organizations collect vast amounts of data to support business processes, and employee, customer, partner and supplier interactions. To effectively protect this critical asset, organizations should apply security as closely as possible to the data itself (versus only the application or the infrastructure) as well as their business processes. Doing so helps protect data as it travels both within the organization and beyond to constituents, business partners and vendors.

What to Do Now? Five Ways to Improve IT Security and Mitigate Risk

Accenture has five recommendations for organizations seeking to manage data as a strategic asset and ensure secure business processes.

1. Ensure cloud security

The most important concerns inhibiting organizations from progressing with their enterprise cloud strategies relate to the security of data transmission, the physical security of cloud vendor assets and the transmission of data via the Internet beyond the enterprise firewall.

As a result, enterprises that are progressing with enterprise cloud strategies and deployments need to focus on service providers who:

• Can offer them secure connectivity
• Are willing to undergo independent audit and certifications of their security practices in the extra-enterprise cloud
• Can be fully compliant with the organization's compliance, auditing and security policies
• Can comply with the official standards for cloud computing (though these standards are still evolving)

2. Design security for mass collaboration

Organizations will need to increasingly push decision making and process control out to the edges of the organization's traditional boundaries to business partners, vendors, employees and customers, delivering information with the appropriate level of protection to the broadest possible base of constituents.

3. Anticipate IT asset diversity

As the number of applications and users surge, so too does the complexity of managing associated identity and access management rules. For each additional application to which users gain access, organizations must provide fine-grained entitlement, including a user interface, data and business logic.

4. Incorporate alternate digital identity styles

Organizations should determine how to maintain order in a society where people are increasingly online; identity information cannot be centralized for privacy reasons; and resources that do not belong to a single domain and common identifiers, such as country of birth and social security numbers, are overused. Incorporating alternate styles of digital identity includes allowing users to have more control of their digital identity, while enabling security claims to cross domains by being portable and interoperable. For organizations, this means also ensuring that users continue to have a digital identity for clearly bounded domains-for example, expense management, finance and human resources applications-that are administered centrally.

5. Apply security to the data itself

Organizations should create a set of global data privacy and protection standards that delineate which data must be protected, set the rules for legitimate access to and use of sensitive data and define how to protect such information.

About Accenture

Accenture has worked with clients for decades to make sense of technology innovation - harnessing its rewards and mitigating possible risks. Accenture collaborates with clients using an approach that includes investigating an organization's risk profile, regulatory compliance challenges and IT governance issues, then segmenting areas suitable for intervention, such as discrete business divisions. To learn more, contact floris.van.den.dool@accenture.com.

Click to download the following Risk Campaign paper:

Managing the Risk of Technology Innovation
Security approaches that keep pace with innovation and contribute to high performance.
By Paul O'Rourke, Alastair MacWillson and Bjørn Arne Berge