OE6 Due in 36 hours
2 3 9
9 foRming a CybeR
seCuRiT y CulTuRe
Introduction
Much has been written regarding the importance of how companies deal with cyber threats. While most organizations have focused on the technical ramifications of how to avoid being compromised, few have invested in how senior management needs to make security a priority. This chapter discusses the salient issues that executives must address and how to develop a strategy to deal with the various types of cyber attack that could devastate the reputation and revenues of any business or organization. The response to the cyber dilemma requires evolving institutional behavior patterns using organizational learning concepts.
History
From a historical perspective we have seen an interesting evolution of the types and acceleration of attacks on business entities. Prior to 1990, few organizations were concerned with information security except for the government, military, banks and credit card companies. In 1994, with the birth of the commercial Internet, a higher volume of attacks occurred and in 2001 the first nation-state sponsored attacks emerged. These attacks resulted, in 1997, in the development of com- mercial firewalls and malware. By 2013, however, the increase in attacks reached greater complexity with the Target credit card breach, Home Depot’ s compromise of its payment system, and JP Morgan’ s exposure that affected 76 million customers and seven million busi- nesses. These events resulted in an escalation of fear, particularly in the areas of sabotage, theft of intellectual property, and stealing of money. Figure 9.1 shows the changing pace of cyber security
24 0 InForMAtIon teChnolo GY
Pr e-
19 90
19 94
19 97
20 00
20 01
20 14
B ir
th o
f co
m m
er ci
al
In te
rn et
Fi
re w
al ls
a nd
m
al w
ar e
Y 2K
In cr
ea se
d nu
m be
r of
a tt
ac ks
w
it h
gr ea
te r
co m
pl ex
it y
Fe ar
fa ct
or
es ca
la te
s. S
ab ot
ag e,
th
ef t o
f i nt
el le
ct ua
l pr
op er
ty a
nd m
on ey
be
co m
e a
co ns
ta nt
th
re at
. D ai
ly h
ea dl
in e
ri sk
is a
n ew
r ea
li ty
.
C om
m er
ci al
iz ed
c yb
er
se cu
ri ty
:
19 94
: N et
sc ap
e D
ev el
op s
se cu
re s
oc ke
ts
la ye
r en
cr yp
ti on
, co
m m
er ci
al ly
a va
ila bl
e se
cu ri
ty s
of tw
ar e,
to
se cu
re o
nl in
e tr
an sa
ct io
ns .
Fe w
g ro
up s
co nc
er ne
d w
it h
in fo
rm at
io n
se cu
ri ty
e xc
ep t
go ve
rn m
en t,
m ili
ta ry
, ba
nk s
an d
cr ed
it c
ar d
co m
pa ni
es .
9/ 11
Ev ol
ut io
n of
c yb
er a
tt ac
ks :
H ig
he r
vo lu
m e
of
at ta
ck s:
20 01
: N
at io
n st
at e-
sp on
so re
d at
ta ck
s em
er ge
in a
m
ea ni
ng fu
l w ay
.
20 13
– 20
14 : T
ar ge
t h as
7 0
m ill
io n
cu st
om er
s’ c
re di
t ca
rd s
br ea
ch ed
.
20 13
: B oo
z A
ll en
em
pl oy
ee a
nd c
on tr
ac to
r fo
r th
e N
SA , E
dw ar
d Sn
ow de
n st
ea ls
a nd
le ak
s de
ta ils
o f s
ev er
al to
p- se
cr et
U
.S . a
nd B
ri ti
sh g
ov er
nm en
t m
as s
su rv
ei lla
nc e
pr og
ra m
s to
th e
pr es
s.
T im
el in
e of
e ve
nt s
20 14
: H om
e D
ep ot
s uff
er s
a 6-
m on
th b
re ac
h of
it s
pa ym
en t s
ys te
m a
ffe ct
in g
m or
e th
an 5
3 m
ill io
n cr
ed it
an d
de bi
t c ar
ds .
20 14
: JP
M or
ga n
C ha
se s
uff er
s a
br ea
ch a
ffe ct
in g
76 m
ill io
n cu
st om
er s
an d
se ve
n m
ill io
n bu
si ne
ss es
.
Fi gu
re 9
.1
T he
c ha
ng in
g pa
ce o
f c yb
er s
ec ur
it y.
(F ro
m R
us se
ll Re
yn ol
ds A
ss oc
ia te
s 20
14 p
re se
nt at
io n.
)
241ForMInG A CYber seCurIt Y Culture
The conventional wisdom among cyber experts is that no business can be compromise proof from attacks. Thus, leaders need to realize that there must be (1) other ways beyond just developing new anti- software to ward off attacks, and (2) internal and external strategies to deal with an attack when it occurs. These challenges in cyber security management can be categorized into three fundamental components:
• Learning how to educate and present to the board of directors • Creating new and evolving security cultures • Understanding what it means organizationally to be
compromised
Each of these components is summarized below
Talking to the Board
Board members need to understand the possible cyber attack expo- sures of the business. They certainly need regular communication from those executives responsible for protecting the organization. Seasoned security executives can articulate the positive processes that are in place, but without overstating too much confidence since there is always risk of being compromised. That is, while there may be expo- sures, C-level managers should not hit the panic button and scare the board. Typically, fear only instills a lack of confidence by the board in the organization’ s leadership. Most important is to always relate secu- rity to business objectives and, above all, avoid “ tech” terms during meetings. Another important topic of discussion is how third-party vendors are being managed. Indeed, so many breaches have been caused by a lack of oversight of legacy applications that are controlled by third-party vendors. Finally, managers should always compare the state of security with that of the company’ s competitors.
Establishing a Security Culture
The predominant exposure to a cyber attack often comes from care- less behaviors of the organization’ s employees. The first step to avoid poor employee cyber behaviors is to have regular communication with staff and establish a set of best practices that will clearly protect the business. However, mandating conformance is difficult and research
24 2 InForMAtIon teChnolo GY
has consistently supported that evolutionary culture change is best accomplished through relationship building, leadership by influence (as opposed to power-centralized management), and ultimately, a presence at most staff meetings. Individual leadership remains the most important variable when transforming the behaviors and prac- tices of any organization.
Understanding What It Means to Be Compromised
Every organization should have a plan of what to do when security is breached. The first step in the plan is to develop a “ risk” culture. What this simply means is that an organization cannot maximize protection of all parts of its systems equally. Therefore, some parts of a company’ s system might be more protected against cyber attacks than others. For example, organizations should maximize the protection of key company scientific and technical data first. Control of network access will likely vary depending on the type of exposure that might result from a breach. Another approach is to develop consistent best practices among all contractors and suppliers and to track the move- ment of these third parties (e.g., if they are merged/sold, disrupted in service, or even breached indirectly). Finally, technology execu- tives should pay close attention to Cloud computing alternatives and develop ongoing reviews of possible threat exposures in these third- party service architectures.
Cyber Security Dynamism and Responsive Organizational Dynamism
The new events and interactions brought about by cyber security threats can be related to the symptoms of the dynamism that has been the basis of ROD discussed earlier in this book. Here, however, the digital world manifests itself in a similar dynamism that I will call cyber dynamism .
Managing cyber dynamism, therefore, is a way of managing the negative effects of a particular technology threat. As in ROD, cyber strategic integration and cyber cultural assimilation remain as distinct categories, that present themselves in response to cyber dynamism. Figure 9.2 shows the components of cyber ROD.
24 3ForMInG A CYber seCurIt Y Culture
Cyber Strategic Integration
Cyber strategic integration is a process that firms need to use to address the business impact of cyber attacks on its organizational processes. Complications posed by cyber dynamism, via the process of strategic integration, occurs when several new cyber attacks overlap and create a myriad of problems in various phases of an organization’ s ability to oper- ate. Cyber attacks can also affect consumer confidence, which in turn hurts a business’s ability to attract new orders. Furthermore, the problem can be compounded by reductions in productivity, which are complicated to track and to represent to management. Thus, it is important that orga- nizations find ways to develop strategies to deal with cyber threats such as:
1. How to reduce occurrences by instituting aggressive organi- zation structures that review existing exposures in systems.
Cyber attacks as an independent
variable
Organizational dynamism
Requires
How to formulate risk- related strategies to deal
with cyber attacks
Symptoms and implications
Cyber cultural
assimilation
Requires
Cyber strategic
integration
Figure 9.2 Cyber responsive organizational dynamism. (From Langer, A., Information Technology and Organizational Learning: Managing Behavioral Change through Technology and Education , CRC Press, Boca Raton, FL, 2011.)
24 4 InForMAtIon teChnolo GY
2. What new threats exist, which may require ongoing research and collaborations with third-party strategic alliances?
3. What new processes might be needed to combat new cyber dynamisms based on new threat capabilities?
4. Creating systems architectures that can recover when a cyber breach occurs.
In order to realize these objectives, executives must be able to
• Create dynamic internal processes that can function on a daily basis, to deal with understanding the potential fit of new cyber attacks and their overall impact to the local department within the business, that is, to provide for change at the grass- roots level of the organization.
• Monitor cyber risk investments and determine modifications to the current life cycle of idea-to-reality.
• Address the weaknesses in the organization in terms of how to deal with new threats, should they occur, and how to better protect the key business operations.
• Provide a mechanism that both enables the organization to deal with accelerated change caused by cyber threats and that integrates them into a new cycle of processing and handling change.
• Establish an integrated approach that ties cyber risk account- ability to other measurable outcomes integrating acceptable methods of the organization.
The combination of evolving cyber threats with accelerated and changing consumer demands has also created a business revolution that best defines the imperative of the strategic integration component of cyber ROD. Without action directed toward new strategic integration focused on cyber security, organizations will lose competitive advan- tage, which will ultimately affect profits. Most experts see the danger of breaches from cyber attacks as the mechanism that will ultimately require the integrated business processes to be realigned, thus provid- ing value to consumers and modifying the customer- vendor relation- ship. The driving force behind this realignment emanates from cyber dynamisms, which serve as the principle accelerator of the change in transactions across all businesses.
24 5ForMInG A CYber seCurIt Y Culture
Cyber Cultural Assimilation
Cyber cultural assimilation is a process that addresses the organiza- tional aspects of how the security department is internally organized, its relationship with IT, and how it is integrated within the organiza- tion as a whole. As with technology dynamism, cyber dynamism is not limited only to cyber strategic issues, but cultural ones as well. A cyber culture is one that can respond to emerging cyber attacks, in an optimally informed way, and one that understands the impact on business performance and reputation.
The acceleration factors of cyber attacks require more dynamic activity within and among departments, which cannot be accom- plished through discrete communications between groups. Instead, the need for diverse groups to engage in more integrated discourse and to share varying levels of cyber security knowledge, as well as business-end perspectives, requires new organizational structures that will give birth to a new and evolving business social culture.
In order to facilitate cyber cultural assimilation, organizations must have their staffs be more comfortable with a digital world that contin- ues to be compromised by outside threats. The first question becomes one of finding the best structure to support a broad assimilation of knowledge about any given cyber threat. The second is about how that knowledge can best be utilized by the organization to develop both risk efforts and attack resilience. Business managers therefore need to consider cyber security and include the cyber staff in all decision- making processes. Specifically, cyber assimilation must become fun- damental to the cultural evolution.
While many scholars and managers suggest the need to have a specific entity responsible for cyber security governance; one that is to be placed within the organization’ s operating structure, such an approach creates a fundamental problem. It does not allow staff and managers the opportunity to assimilate cyber security-driven change and understand how to design a culture that can operate under ROD. In other words, the issue of governance is misinterpreted as a problem of structural positioning or hierarchy when it is really one of cultural assimilation. As a result, many business solutions to cyber security issues often lean toward the prescriptive instead of the analytical in addressing the real problem.
24 6 InForMAtIon teChnolo GY
Summary
This section has made the argument that organizations need to excel in providing both strategic and cultural initiatives to reduce exposure to cyber threats and ultimate security breaches. Executives must design their workforce to meet the accelerated threats brought on by cyber dynamisms. Organizations today need to adapt their staff to operate under the auspices of ROD by creating processes that can determine the strategic exposure of new emerging cyber threats and by establish- ing a culture that is more “ defense ready.” Most executives across indus- tries recognize that cyber security has become one of the most powerful variables to maintaining and expanding company markets.
Organizational Learning and Application Development
Behavioral change, leading to a more resilient cyber culture, is just one of the challenges in maximizing protection in organizations. Another important factor is how to design more resilient applications that are better equipped to protect against threats; that is, a decision that needs to address exposure coupled with risk. The general con- sensus is that no system can be 100% protected and that this requires important decisions when analysts are designing applications and sys- tems. Indeed, security access is not just limited to getting into the sys- tem, but applies to the individual application level as well. How then do analysts participate in the process of designing secure applications through good design? We know that many cyber security architec- tures are designed from the office of the chief information security officer (CISO), a new and emerging role in organizations. The CISO role, often independent of the chief information officer (CIO), became significant as a result of the early threats from the Internet, the 9/11 attacks and most recently the abundant number of system compro- mises experienced by companies such as JP Morgan Chase, SONY, Home Depot, and Target, to name just a few.
The challenge of cyber security reaches well beyond just archi- tecture. It must address third-party vendor products that are part of the supply chain of automation used by firms, not to mention access to legacy applications that likely do not have the necessary securities built into the architecture of these older, less resilient technologies. This
247ForMInG A CYber seCurIt Y Culture
challenge has established the need for an enterprise cyber security solu- tion that addresses the need of the entire organization. This approach would then target third- party vendor design and compliance. Thus, cyber security architecture requires integration with a firm’ s Software Development Life Cycle (SDLC), particularly within steps that include strategic design, engineering, and operations. The objective is to use a framework that works with all of these components.
Cyber Security Risk
When designing against cyber security attacks, as stated above, there is no 100% protection assurance. Thus, risks must be factored into the decision-making process. A number of security experts often ask business executives the question, “ How much security do you want, and what are you willing to spend to achieve that security?”
Certainly, we see a much higher tolerance for increased cost given the recent significance of companies that have been compromised. This sec- tion provides guidance on how to determine appropriate security risks.
Security risk is typically discussed in the form of threats. Threats can be categorized as presented by Schoenfield (2015):
1. Threat agent: Where is the threat coming from, and who is making the attack?
2. Threat goals: What does the agent hope to gain? 3. Threat capability: What threat methodology, or type of
approach is the agent possibly going to use? 4. Threat work factor: How much effort is the agent willing to
put in to get into the system? 5. Threat risk tolerance: What legal chances is the agent willing
to take to achieve his or her goals?
Table 9.1 is shown as a guideline. Depending on the threat and its associated risks and work factors,
it will provide important input to the security design, especially at the application design level. Such application securities in design typically include:
1. The user interface (sign in screen, access to specific parts of the application).
24 8 InForMAtIon teChnolo GY
2. Command-line interface (interactivity) in online systems. 3. Inter-application communications. How data and password
information are passed, and stored, among applications across systems.
Risk Responsibility
Schoenfield (2015) suggests that someone in the organization is assigned the role of the “ risk owner.” There may be many risk owners and, as a result, this role could have complex effects on the way sys- tems are designed. For example, the top risk owner in most organiza- tions today is associated with the CISO. However, many firms also employ a chief risk officer (CRO). This role’ s responsibilities vary.
But risk analysis at the application design level requires different governance. Application security risk needs involvement from the business and the consumer and needs to be integrated within the risk standards of the firm. Specifically, multiple levels of security often require users to reenter secure information. While this may maximize safety, it can negatively impact the user experience and the robust- ness of the system interface in general. Performance can obviously also be sacrificed, given the multiple layers of validation. There is no quick answer to this dilemma other than the reality that more secu- rity checkpoints will reduce user and consumer satisfaction unless cyber security algorithms become more invisible and sophisticated. However, even this approach would likely reduce protection. As with all analyst design challenges, the IT team, business users, and now the consumer must all be part of the decisions on how much security is required.
As my colleague at Columbia University, Steven Bellovin, states in his new book, Thinking Security , security is about a mindset. This mindset to me relates to how we establish security cultures that can
Table 9.1: Threat Analysis
THREAT AGENT GOALS RISK TOLERANCE WORK FACTOR METHODS
Cyber criminals Financial Low Low to medium Known and proven
Source : Schoenfield, B.S.E., Securing Systems: Applied Security Architecture and Threat Models , CRC Press, Boca Raton, FL, 2015.
24 9ForMInG A CYber seCurIt Y Culture
enable the analyst to define organizational security as it relates to new and existing systems. If we get the analyst position to participate in setting security goals in our applications, some key questions accord- ing to Bellovin (2015) are:
1. What are the economics to protect systems? 2. What is the best protection you can get for the amount of
money you want to spend? 3. Can you save more lives by spending that money? 4. What should you protect? 5. Can you estimate what it will take to protect your assets? 6. Should you protect the network or the host? 7. Is your Cloud secure enough? 8. Do you guess at the likelihood and cost of a penetration? 9. How do you evaluate your assets? 10. Are you thinking like the enemy?
The key to analysis and design in cyber security is recognizing that it is dynamic; the attackers are adaptive and somewhat unpredictable. This dynamism requires constant architectural change, accompanied with increased complexity of how systems become compromised. Thus, analysts must be involved at the conceptual model, which includes business definitions, business processes and enterprise stan- dards. However, the analysts must also be engaged with the logical design, which comprises two sub-models:
1. Logical architecture : Depicts the relationships of different data domains and functionalities required to manage each type of information in the system.
2. Component model : Reflects each of the sub-models and appli- cations that provide various functions in the system. The component model may also include third-part vendor prod- ucts that interface with the system. The component model coincides, in many ways, with the process of decomposition.
In summary, the ROD interface with cyber security is more com- plex than many managers believe. Security is relative, not absolute, and thus leaders must be closely aligned with how internal cultures must evolve with changes environments.
2 5 0 InForMAtIon teChnolo GY
Driver /Supporter Implications
Security has traditionally been viewed as a support function in most organizations, particularly when it is managed by IT staff. However, the recent developments in cyber threats suggest, as with other aspects of technology, that security too has a driver side.
To excel in the role of security driver, leaders must:
• Have capabilities, budgets and staffing levels, using benchmarks.
• Align even closer with users and business partners. • Have close relationships with third parties. • Extend responsibilities to include the growing challenges in
the mobile workforce. • Manage virtualized environments and third-party ecosystems. • Find and/or develop cyber security talent and human capital. • Have a strategy to integrate millennials with baby boomer
and Gen X managers.
2 51
10 Dig iTal TRansfoRmaTion
anD Chang es in ConsumeR behavioR
Introduction
Digital transformation is one of the most significant activities of the early twenty-first century. Digital transformation is defined as “ the changes associated with the applications of digital technology in all aspects of human society” (Stolterman & Fors, 2004, p. 689). From a business perspective, digital transformation enables organizations to implement new types of innovations and to rethink business processes that can take advantage of technology. From this perspective, digital transformation involves a type of reengineering, but one that is not limited to rethinking just how systems work together, but rather, that extends to the entire business itself. Some see digital transformation as the elimination of paper in organizations. Others see it as revamp- ing a business to meet the demands of a digital economy. This chapter provides a link between digital transformation and what I call “ digital reengineering.” To explain this better, think of process reengineering as the generation that brought together systems in the way that they talked to one another— that is, the integration of legacy systems with new application that used more robust software applications.
The advent of digital transformation requires the entire organization to meet the digital demands of their consumers. For some companies, the consumer is another company (B2B, or business-to-business), that is, the consumer is a provider to another company that inevitably supports a con- sumer. For other businesses, their consumer is indeed the ultimate buyer. I will discuss the differences in these two types of consumer concepts later in this chapter. What is important from an IT perspective is that reengi- neering is no longer limited to just the needs of the internal user, but rather the needs of the businesses consumer as well. So, systems must change,
2 5 2 InForMAtIon teChnolo GY
as necessary, with the changes in consumer behavior. The challenge with doing this, of course, is that consumer needs are harder to obtain and understand, and can differ significantly among groups, depending on variables, such as ethnicity, age, and gender, to name just a few.
As a result, IT managers need to interact with the consumer more directly and in partnership with their business colleagues. The con- sumer represents a new type of user for IT staff. The consumer, in effect, is the buyer of the organization’ s products and services. The challenge becomes how to get IT more engaged with the buyer com- munity, which could require IT to be engaged in multiple parts of the business that deals with the consumer. Below are six approaches, which are not mutually exclusive of each other:
1. Sales/Marketing : These individuals sell to the company’ s buy- ers. Thus, they have a good sense of what customers are look- ing for, what things they like about the business, and what they dislike. The power of the sales and marketing team is their ability to drive realistic requirements that directly impact revenue opportunities. The limitation of this resource is that it still relies on an internal perspective of the consumer; that is, how the sales and marketing staff perceive the consumer’ s needs.
2. Thirdparty market analysis/reporting : There are outside resources available that examine and report on market trends within various industry sectors. Such organizations typically have massive databases of information and, using various search and analysis tools, can provide a better understand- ing of the behavior patterns of an organization’ s consumers. These third parties can also provide reports that show how the organization stacks up against its competition and why con- sumers may be choosing alternative products. Unfortunately, if the data is inaccurate it likely will result in false generaliza- tions about consumer behavior, so it is critical that IT digital leaders ensure proper review of the data integrity.
3. Predictive analytics : This is a hot topic in today’ s competitive landscape for businesses. Predictive analytics is the process of feeding off large data sets (big data) and predicting future
2 5 3dIGItAl tr AnsForMAtIon
behavior patterns. Predictive analytics approaches are usually handled internally with assistance from third-party products or consulting services. The limitation is one of risk— the risk that the prediction does not occur as planned.
4. Consumer support departments: Internal teams and external vendors (outsourced managed service) have a good pulse on consumer preferences because they interact with them. More specifically, these department respond to questions, hande problems and get feedback from consumers on a reg- ular basis. These support departments typically depend on applications to help the buyer. As a result, they are an excel- lent resource for providing up-to-date things that the sys- tem does not provide consumers. Unfortunately, consumer support organizations limit their needs to what they expe- rience as opposed to what might be future trends of their consumers.
5. Surveys: IT and the business can design surveys (question- naires) and send them to consumers for feedback. Using surveys can be of significant value in that the questions can target specific issues that the organization wants to address. Survey design and administration can be handled by third- party firms, which may have an advantage in that the ques- tions are being forwarded from an independent source and one that does not identify the interested company. On the other hand, this might be considered a negative— it all depends on what the organization is seeking to obtain from the buyer.
6. Focus groups: This approach is similar to the use of a survey. Focus groups are commonly used to understand consumer behavior patterns and preferences. They are often conducted by outside firms. The differences between the focus group and a survey are (1) surveys are very quantitative based and use scoring mechanisms (Likert scales) to evaluate outcomes. Consumers sometimes may misinterpret the question thus resulting in distorted feedback, and (2) focus groups are more qualitative and allow IT digital leaders to engage with the consumer in two-way dialogues.
2 5 4 InForMAtIon teChnolo GY
Figure 10.1 reflects a graphic depiction of the sources for under- standing consumer behaviors and needs.
Table 10.1 further articulates the methods and deliverables that IT digital leaders should consider when developing system strategies.
Requirements without Users and without Input
Could it be possible to develop digital strategies and requirements for a system without user input or even consumer opinions? Could this be a reality for future design of strategic systems?
Perhaps we need to take a step back historically and think about trends that have changed the competitive landscape. Digital trans- formation may indeed be the most powerful agent of change in the history of business.
Product requirements
Sales/marketing Staff
competitive analysis
Surveys Internal/external
targeted consumers
Consumer support departments
Internal support groups, third-party
call centers, shared services
organization
�ird-party studies and databases
Trends Data analysts
Predictive analytics
Focus groups Internal/external
consumer sessions
Figure 10.1 Sources for understanding consumer behavior.
2 5 5dIGItAl tr AnsForMAtIon
We have seen large companies lose their edge. IBM’ s fall as the leading technology firm in the 1990s is an excellent example, when Microsoft overtook them. Yet Google was able to take the lead away from Microsoft, particularly in relation to analytical consumer com- puting. And what about the comeback Apple made with its new array
Table 10.1 Langer’ s Methods and Deliverables for Assessing Consumer Needs
ANALYST’ S SOURCES METHODS DELIVERABLES
Sales/ Marketing
Interviews Should be conducted in a similar way to typical end user interviews. Work closely with senior sales staff. Set up interviews with key business stakeholders.
Win/loss sales reviews
Review the results of sales efforts. Many firms hold formal win/loss review meetings that may convey important limitations of current applications and system capabilities.
Third-Party Databases
Document reports reviews
Obtain summaries of the trends in consumer behavior and pinpoint shortfalls that might exist in current applications and systems.
Data analysis Perform targeted analytics on databases to uncover trends not readily conveyed in available reports.
Predictive analytics
Interrogate data by using analytic formulas that may enable predictive trends in consumer behavior.
Support Department
Interviews Interview key support department personnel (internal and third party) to identify possible application deficiencies.
Data/reports Review call logs and recorded calls between consumers and support personnel to expose possible system deficiencies.
Surveys Internal and external questionnaires
Work with internal departments to determine application issues when they support consumers. Use similar surveys with select populations of customers to validate and fine-tune internal survey results.
Use similar surveys targeted to consumers who are not customers and compare results. Differences between existing customer base and non-customers may expose new trends in consumer needs.
Focus Groups Hold internal and external sessions
Internal focus groups can be facilitated by marketing personnel. Select survey results, that had unexpected results or mixed feedback can be reviewed. Internal attendees should come from operations management and sales. External focus groups should be facilitated by a third-party vendor and held at independent sites. Discussions with customers should be compared with internal focus group results. Consumer focus groups should be facilitated by professional third-party firms.
2 5 6 InForMAtIon teChnolo GY
of smart phone-related products? The question is, Why and how do these shifts in competitive advantage occur so quickly?
Technology continues to generate change and that change is typically referred to today as a “ digital disruption.” The challenge in disruption is the inability to predict what consumers want and need; furthermore, the consumer may not know! The challenge, then, is for IT digital leaders to forecast the changes that are brought about by technology disruptions. So, digital transforma- tion is more about predicting consumer behavior and providing new products and services, which we hope consumers will want. This is a significant challenge for IT leaders, of course, given that the profession was built on the notion that good specifications accurately depicted what users want. Langer (1997) originally defined this as the “ Concept of the Logical Equivalent.” So, we may have created an oxymoron— how do we develop systems that the user cannot specify? Furthermore, requirements that depict consumer behavior are now further complicated by the globaliza- tion of business. Which consumer behavior are we attempting to satisfy and across what societal cultural norms? The reality is that new software applications will need to be built with some uncer- tainty. That is, some business rules may be vague and risks will need to be part of the process of system functionality. To see an example of designing systems based on uncertainty, we need only to analyze the evolution of the electronic spreadsheet. The first electronic spreadsheet, called VisiCalc, was introduced by a com- pany called VisiCorp. It was designed for the Apple II and eventu- ally the IBM personal computer. The electronic spreadsheet was not designed based on consumer input per se, rather on perceived needs by visionary designers who saw a need for a generic calcula- tor and mathematical worksheet. VisiCorp took a risk by offer- ing a product to the market that consumers would find useful. Of course, history shows that it was a very good risk. The electronic spreadsheet, which is now dominated by Microsoft’ s Excel product has gone through multiple product generations. The inventors of the electronic spreadsheet had a vision and the market responded favorably. Although VisiCorp’ s vision of the market need was cor- rect, the first version was hardly 100% accurate of what consumers would want in a spreadsheet. For example, additional features, such
2 5 7dIGItAl tr AnsForMAtIon
as a database interface, three-dimensional spreadsheets to support budgeting and forward referencing, are all examples of responses from consumers that resulted in new product enhancements.
Allen and Morton (1994) established an excellent graphic depic- tion of the relationship between technology advancements and mar- ket needs (Figure 10.2)
Figure 10.2 shows an interesting life cycle of how product innovations relate to the creation of new products and services. The diagram reflects that innovations can occur as a result of new technology capabilities or inventions that establish new markets— like the electronic spreadsheet. On the other hand, the market can demand more features and functions the technology organizations or developers need to respond to that— like the upgrades made over the years to spreadsheet applications. Responding to market needs are what most organizations have practiced over the past 60 years, usually working with their end user populations (those internal users that supported the actual consumer). The digital revolution; how- ever, is placing more emphasis on “ generic” applications that resemble the object paradigm (one that requires applications to be able to fit into any business application). This trend will drive new and more advanced object- driven applications. These applications will reside in a more robust object functioning library that can dynamically link these modules together to form specific applications that can support mul consumer devices (what is now being called the “ Internet of Things” ).
Another useful approach to dealing with consumer preferences is Porter’ s Five Forces Framework. Porter’s framework consists of the following five components:
1. Competitors : What is the number of competitors in the market and what is the organization’ s position within the market?
Technology
Market
Innovation
Figure 10.2 Technology, innovation, and market needs.
2 5 8 InForMAtIon teChnolo GY
2. New entrants : What companies can come into the organiza- tion’ s space and provide competition?
3. Substitutes : What products or services can replace what you do? 4. Buyers : What alternatives do buyers have? How close and
tight is the relationship between the buyer and seller? 5. Suppliers : What is the number of suppliers that are available,
which can affect the relationship with the buyer and also determine price levels?
Porter’ s framework is graphically depicted in Figure 10.3. Cadle et al. (2014) provide an approach to using Porter’ s model as
part of the analysis and design process. Their approach is integrated with Langer’ s Analysis Consumer Methods in Table 10.2.
Concepts of the S-Curve and Digital Transformation Analysis and Design
Digital transformation will also be associated with the behavior of the S-curve. The S-curve has been a long-standing economic graph that depicts the life cycle of a product or service. The S-curve is shown in Figure 10.4
New entrants
Suppliers
Consumer support dept.
Buyers
Industry competitors
(sales and marketing)
Substitutes
New products or services
Sales and marketing
Figure 10.3 Porter’ s Five Forces Framework.
2 5 9dIGItAl tr AnsForMAtIon
The left and lower portion of the S-curve represents a growing market opportunity that is likely volatile and exists where demand exceeds supply. As a result, the market opportunity is large and prices for the product are high. Thus, businesses should seek to capture as much of the market share at this time before competitors catch up. This requires the business to take more risk and assumes that the mar- ket will continue to demand the product. The shape of the S-curve suggests the life of this opportunity (the length of the x-axis repre- sents the lifespan of the product).
As the market approaches the middle of the center of the S-curve, demand begins to equal supply. Prices start to drop and the market, in general, becomes less volatile and more predictable. The drop in price reflects the presence of more competitors. As a product or service approaches the top of the S, supply begins to exceed demand. Prices begin to fall and the market is said to have reached maturity. The uniqueness of the product or service is now approaching commodity.
Table 10.2 Langer’ s Analysis Consumer Methods
PORTER’ S FIVE FORCES CADEL ET AL’ S APPROACH LANGER’ S SOURCES OF INPUT
Industry competitors How strong is your market share?
Third-party market studies
New entrants New threats Third-party market studies Surveys and focus groups
Suppliers Price sensitivity and closeness of relationship.
Consumer support and end user departments
Buyers Alternative choices and brand equity.
Sales/marketing team
Substitutes Consumer alternatives Surveys and focus groups Sales and marketing team Third-party studies
Figure 10.4 The S-curve.
2 6 0 InForMAtIon teChnolo GY
Typically, suppliers will attempt to produce new features and func- tions to extend the life of the curve as shown in Figure 10.5
Establishing a new S-curve, then, extends the competitive life of the product or service. Once the top of the S-curve is reached, the product or service has reached the commodity level, where supply is much greater than demand. Here, the product or service has likely reached the end of its useful competitive life and should either be replaced with a new solution or considered for outsourcing to a third- party who can deliver the product at a very low price.
Langer’ s Driver/Supporter depicts the life cycle of any application or product as shown in Figure 10.6
Organizational Learning and the S-Curve
When designing a new application or system, the status of that product’ s S-curve should be carefully correlated to the source of the
Figure 10.5 Extended S-curve.
Mini loop technology enhancementsTechnology driver
Evaluation cycle
Driver maturation
Support status
Replacement or outsource
Economies of scale
Figure 10.6 Langer’ s drive/supporter life cycle.
2 61dIGItAl tr AnsForMAtIon
requirements. Table 10.3 reflects the corresponding market sources and associated risk factors relating to the dependability of require- ments based on the state of the consumer’ s market. Leaders engaged in this process obviously need to have an abstract perspective to sup- port a visionary and risk-oriented strategy. Table 10.3 includes the associated complexity of staff needed to deal with each period in the S-curve.
Communities of Practice
As stated in Chapter 4, Communities of Practice (COP) have been traditionally used as a method of bringing together people in orga- nizations with similar talents, responsibilities and/or interests. Such communities can be effectively used to obtain valuable information about the way things work and what is required to run business opera- tions. Getting such information strongly correlates to the challenges of obtaining dependable information from the consumer market. I dis- cussed the use of surveys and focus groups earlier in this chapter, but COP is an alternative approach to bringing together similar types of consumers grouped by their interests and needs. In digital transforma- tion we find yet another means of obtaining requirements by engaging in, and contributing to, the practices of specific consumer communities. This means that working with COP offers another way of developing relations with consumers to better understand their needs. Using this
Table 10.3 S-Curve, Application Requirement Sources, and Risk
S-CURVE STATUS ANALYSIS INPUT
SOURCE RISK FACTOR
Early S-curve Consumer High; market volatility and uncertainty. High S-curve Consumer Lower; market is less uncertain as product becomes
more mature. End users Medium; business users have experience with
consumers and can provide reasonable requirements. Crest of the
S-curve End users Low; business users have more experience as product
becomes mature. Consumer High; might consider new features and functions to
keep product more competitive. Attempt to establish new S-curve.
End of S-curve End user None; seek to replace product or consider third-party product to replace what is now a legacy application. Also think of outsourcing application.
2 6 2 InForMAtIon teChnolo GY
approach inside an organization, as we saw in Chapter 4, provides a means of better learning about issues by using a sustained method of remaining interconnected with specific business user groups, which can define what the organization really knows and contributes to the busi- ness that is typically not documented. IT digital leaders need to become engaged in learning if they are to truly understand what is needed to develop more effective and accurate software applications.
It seems logical that COP can provide the mechanism to assist IT digital leaders with an understanding of how business users and con- sumers behave and interact. Indeed, the analyst can target the behavior of the community and its need to consider what new organizational structures can better support emerging technologies. I have, in many ways, already established and presented what should be called the “ community of IT digital leaders” and its need to understand how to restructure, in order to meet the needs of the digital economy. This new era does not lend itself to the traditional approaches to IT strategy, but rather to a more risk-based process that can deal with the realignment of business operations integrated with different consumer relationships.
The relationship, then, between COP and digital transformation is significant, given that future IT applications will heavily rely on infor- mal inputs. While there may be attempts to computerize knowledge using predictive analytics software and big data, it will not be able to provide all of the risk-associated behaviors of users and consum- ers. That is, a “ structured” approach to creating predictive behavior reporting, is typically difficult to establish and maintain. Ultimately, the dynamism from digital transformations creates too many uncer- tainties to be handled by sophisticated automated applications on how organizations will react to digital change variables. So, COP, along with these predictive analytics applications, provides a more thorough umbrella of how to deal with the ongoing and unpredictable interac- tions established by emerging digital technologies.
The IT Leader in the Digital Transformation Era
When we discuss the digital world and its multitude of effects on how business is conducted, one must ask how this impacts the profession of IT Leader. This section attempts to address the perceived evolution of the role.
2 6 3dIGItAl tr AnsForMAtIon
1. The IT leader must become more innovative. While the business has the problem of keeping up with changes in their markets, IT needs to provide more solutions. Many of these solutions will not be absolute and likely will have short shelf lives. Risk is fundamental. As a result, IT lead- ers must truly become “ business” leaders by exploring new ideas from the outside and continually considering how to implement the needs of the company’ s consumers. As a result, the business analyst will emerge as an idea bro- ker (Robertson & Robertson, 2012) by constantly pursuing external ideas and transforming them into automated and competitive solutions. These ideas will have a failure rate, which means that companies will need to produce more applications than they will inevitably implement. This will certainly require organizations to spend more on software development.
2. Quality requirements will be even more complex. In order to keep in equilibrium with the S-curve the balance between quality and production will be a constant negotiation. Because applications will have shorter life cycles and there is pressure to provide competitive solutions, products will need to sense market needs and respond to them quicker. As a result, fixes and enhancements to applications will become more inherent in the development cycle after products go live in the market. Thus, the object paradigm will become even more fundamental to better software development because it provides more readily tested reusable applications and routines.
3. Dynamic interaction among users and business teams will require the creation of multiple layers of communities of prac- tice. Organizations involved in this dynamic process must have autonomy and purpose (Narayan, 2015).
4. Application analysis, design, and development must be treated and managed as a living process; that is, it never ends until the product is obsolete (supporter end). So, products must con- tinually develop to maturity.
5. Organizations should never outsource a driver technology until it reaches supporter status.
2 6 4 InForMAtIon teChnolo GY
How Technology Disrupts Firms and Industries
The world economy is transforming rapidly from an analogue to a digital-based technology-driven society. This transformation requires businesses to move from a transactional relationship to one that that is “ interactional” (Ernst & Young, 2012). However, this analogue to digital transformation, while essential for a business to survive in the twenty-first century, is difficult to accomplish. Langer’ s (2011) theory of responsive organizational dynamism (ROD), as discussed earlier in this book, is modified to show that successful adaptation of new digi- tal technologies called Digital Dynamisms requires cultural assimila- tion of the people that comprise the organization.
Dynamism and Digital Disruption
The effects of digital dynamism can also be defined as a form of disruption or what is now being referred to as digital disruption . Specifically, the big question facing many enterprises is around how they can anticipate the unexpected threats brought on by technologi- cal advances that can devastate their business. There are typically two disruption factors:
1. A new approach to providing products and services to the consumer.
2. A strategy not previously feasible, now made possible using new technological capabilities.
Indeed, disruption occurs when a new approach meets the right conditions. Because technology shortens the time it takes to reach consumers, the changes are occurring at an accelerated and exponen- tial pace. As an example, the table below shows the significant accel- eration of the time it takes to reach 50 million consumers:
Radio 38 years Television 13 years Internet 4 years Facebook 3.5 years Twitter 9 months Instagram 6 months Poké mon GO 19 days
2 6 5dIGItAl tr AnsForMAtIon
The speed of which we can accelerate change has an inverse effect on the length of time the effect lasts. We use the S-curve to show how digital disruption shortens the competitive life of new products and services. Figure 10.7 represents how the S-curve is shrinking along the x-axis, which measures the length or time period of the product/ service life.
Figure 10.7 essentially reflects that the life of a product or service is shrinking, thus enterprises have less time to capture a market oppor- tunity and far less time to enjoy the length of its competitive suc- cess. As a result, business leaders are facing a world that is changing at an accelerating rate and trying to cope with understanding how new waves of “ disruptive” technologies will affect their business. Ultimately, digital disruption shifts the way competitive forces deliver services, requires change in the way operations are managed and mea- sured, and shortens the life of any given product or service success.
Critical Components of “ Digital” Organization
A study conducted by Westerman et al. (2014), who interviewed 157 executives in fifty large companies, found four capabilities that were key to successful digital transformation:
1. A unified digital platform : Integration of the organization’ s data and processes across its department silos is critical. One reason why web-based companies gain advantage over tradi- tional competitors is their ability to use analytics and customer personalization from central and integrated sources. Thus, the first step toward a successful digital transformation is for companies to invest in establishing central repositories of data and common applications that can access the information.
Figure 10.7 The shrinking S-curve.
2 6 6 InForMAtIon teChnolo GY
This centralization of digital data is key to competing globally since firms must be able to move data to multiple locations and use that data in different contexts.
2. Solution delivery : Many traditional IT departments are not geared to integrating new processes into their legacy opera- tions. A number of firms have addressed this problem by establishing independent “ innovation centers” designed to initiate new digital ideas that are more customer solution ori- ented. These centers typically focus on how new mobile and social media technologies can be launched without disturb- ing the core technology systems that support the enterprise. Some of these initiatives include partnerships with high-tech vendors; however, a number of executives have shown concern that such alliances might result in dependencies because of the lack of knowledge inside the organization.
3. Analytics capabilities : Companies need to ensure that their data can be used for predictive analytics purposes. Predictive analytics provide actors with a better understanding of their consumer’ s behaviors and allow them to formulate competi- tive strategies over their competitors. Companies that inte- grate data better from their transactional systems can make more “ informed and better decisions” and formulate strate- gies to take advantage of customer preferences and thus, turn them into business opportunities. An example is an insurance company initiative that concentrates on products that meet customer trends determined by examining their historical transactions across various divisions of the business. Analytics also helps organizations to develop risk models that can assist them to formulate accurate portfolios.
4. Business and IT integration : While the integration of the IT department with the business has been discussed for decades, few companies have achieved a desired outcome (Langer, 2016). The need for digital transformation has now made this integration essential for success and to avoid becoming a vic- tim of disruption. True IT and business integration means more than just combining processes and decision making; but rather, the actual movement of personnel into business units so they can be culturally assimilated (Langer & Yorks, 2013).
2 6 7dIGItAl tr AnsForMAtIon
Assimilating Digital Technology Operationally and Culturally
When considering how to design an organization structure that can implement digital technologies, firms must concentrate on how to culturally assimilate a new architecture. The importance of the architecture first affects the strategic integration component of ROD. Indeed, the actor-oriented architecture must be designed to be agile enough to react to increased changes in market demands. The consumerization of technology, defined as changes in technol- ogy brought on by increased consumer knowledge of how digital assets can reduce costs and increase competitive advantage, have created a continual reduction in the length of any new competitive products or services life. Thus, consumerization has increased what Eisenhardt and Bourgeouse (1988) define as “ high-velocity” market conditions.
This dilemma drives the challenge of how organizations will cope to avoid the negative effects of digital disruption. There are four over- all components that appear to be critical factors of autonomy from disruption:
1. Companies must recognize that speed and comfort of service can be more important than just the cost: our experience is that enterprises who offer multiple choices that allow con- sumers to choose from varying levels of service options are more competitive. The more personal the service option, the higher the cost. Examples can be seen in the airline indus- try where passengers have options for better seats at a higher price, or a new option being offered by entertainment parks that now provide less wait time on shorter lines, for higher paying customers. These two examples match the price with a desired service and firms that do not offer creative pricing options are prime for disruption.
2. Empower your workforce to try new ideas without over con- trols. Companies are finding that many young employees have new service ideas but are blocked from trying them because of the “ old guard” in their management reporting lines. Line managers need to be educated on how to allow their staffs to quickly enact new processes, even though some of them may not be effective.
2 6 8 InForMAtIon teChnolo GY
3. Allow employees and customer to have choice of devices. Traditionally IT departments desire to create environments where employees adhere to standard hardware and software structures. Indeed, standard structures make it easier for IT to support internal users and provide better security across systems. However, as technology has evolved, the relation between hardware and software, especially in mobile devices, has become more specialized. For example, Apple smart- phones have proprietary hardware architectures that in many cases require different versions of application software as well as different security considerations than its major competi- tor, Samsung. With the consumerization of technology, these IT departments must now support multiple devices because both their customers and employees are free to select them. Therefore, it is important to allow staff to freely integrate company applications with their personal device choices.
4. Similar to (3), organizations who force staff to adhere to strict processes and support structures are exposed to digital dis- ruption. Organizational structures that rely on technological innovation must be able to integrate new digital opportuni- ties seamlessly into their current production and support pro- cesses. Specifically, this means having the ability to be agile enough to provide services using different digital capabilities and from different geographical locations.
Conclusion
This chapter has provided a number of different and complex aspects of digital transformation, its effects on how organizations are struc- tured and how they need to compete to survive in the future. The technology executive is, by default, the key person to lead these digi- tal transformation initiatives because of the technical requirements that are at the center of successfully completing these projects. As such, these executives must also focus on their own transformation as leaders that allows them to help form the strategic goals to meet the dynamic changes in consumer behavior.
- Cover
- Half Title
- Title Page
- Copyright Page
- Contents
- Foreword
- Acknowledgments
- Author
- Introduction
- 1: The “Ravell” Corporation
- Introduction
- A New Approach
- The Blueprint for Integration
- Enlisting Support
- Assessing Progress
- Resistance in the Ranks
- Line Management to the Rescue
- IT Begins to Reflect
- Defining an Identity for Information Technology
- Implementing the Integration: A Move toward Trust and Reflection
- Key Lessons
- Defining Reflection and Learning for an Organization
- Working toward a Clear Goal
- Commitment to Quality
- Teaching Staff “Not to Know”
- Transformation of Culture
- Alignment with Administrative Departments
- Conclusion
- 2: The IT Dilemma
- Introduction
- Recent Background
- IT in the Organizational Context
- IT and Organizational Structure
- The Role of IT in Business Strategy
- Ways of Evaluating IT
- Executive Knowledge and Management of IT
- IT: A View from the Top
- Section 1: Chief Executive Perception of the Role of IT
- Section 2: Management and Strategic Issues
- Section 3: Measuring IT Performance and Activities
- General Results
- Defining the IT Dilemma
- Recent Developments in Operational Excellence
- 3: Technology as a Variable and Responsive Organizational Dynamism
- Introduction
- Technological Dynamism
- Responsive Organizational Dynamism
- Strategic Integration
- Summary
- Cultural Assimilation
- IT Organization Communications with “ Others”
- Movement of Traditional IT Staff
- Summary
- Technology Business Cycle
- Feasibility
- Measurement
- Planning
- Implementation
- Evolution
- Drivers and Supporters
- Santander versus Citibank
- Information Technology Roles and Responsibilities
- Replacement or Outsource
- 4: Organizational Learning Theories and Technology
- Introduction
- Learning Organizations
- Communities of Practice
- Learning Preferences and Experiential Learning
- Social Discourse and the Use of Language
- Identity
- Skills
- Emotion
- Linear Development in Learning Approaches
- 5: Managing Organizational Learning and Technology
- The Role of Line Management
- Line Managers
- First-Line Managers
- Supervisor
- Management Vectors
- Knowledge Management
- Change Management
- Change Management for IT Organizations
- Social Networks and Information Technology
- 6: Organizational Transformation and the Balanced Scorecard
- Introduction
- Methods of Ongoing Evaluation
- Balanced Scorecards and Discourse
- Knowledge Creation, Culture, and Strategy
- 7: Virtual Teams and Outsourcing
- Introduction
- Status of Virtual Teams
- Management Considerations
- Dealing with Multiple Locations
- Externalization
- Internalization
- Combination
- Socialization
- Externalization Dynamism
- Internalization Dynamism
- Combination Dynamism
- Socialization Dynamism
- Dealing with Multiple Locations and Outsourcing
- Revisiting Social Discourse
- Identity
- Skills
- Emotion
- 8: Synergistic Union of IT and Organizational Learning
- Introduction
- Siemens AG
- Aftermath
- ICAP
- Five Years Later
- HTC
- IT History at HTC
- Interactions of the CEO
- The Process
- Transformation from the Transition
- Five Years Later
- Summary
- 9: Forming a Cyber Security Culture
- Introduction
- History
- Talking to the Board
- Establishing a Security Culture
- Understanding What It Means to Be Compromised
- Cyber Security Dynamism and Responsive Organizational Dynamism
- Cyber Strategic Integration
- Cyber Cultural Assimilation
- Summary
- Organizational Learning and Application Development
- Cyber Security Risk
- Risk Responsibility
- Driver /Supporter Implications
- 10: Digital Transformation and Changes in Consumer Behavior
- Introduction
- Requirements without Users and without Input
- Concepts of the S-Curve and Digital Transformation Analysis and Design
- Organizational Learning and the S-Curve
- Communities of Practice
- The IT Leader in the Digital Transformation Era
- How Technology Disrupts Firms and Industries
- Dynamism and Digital Disruption
- Critical Components of “ Digital” Organization
- Assimilating Digital Technology Operationally and Culturally
- Conclusion
- 11: Integrating Generation Y Employees to Accelerate Competitive Advantage
- Introduction
- The Employment Challenge in the Digital Era
- Gen Y Population Attributes
- Advantages of Employing Millennials to Support Digital Transformation
- Integration of Gen Y with Baby Boomers and Gen X
- Designing the Digital Enterprise
- Assimilating Gen Y Talent from Underserved and Socially Excluded Populations
- Langer Workforce Maturity Arc
- Theoretical Constructs of the LWMA
- The LWMA and Action Research
- Implications for New Pathways for Digital Talent
- Demographic Shifts in Talent Resources
- Economic Sustainability
- Integration and Trust
- Global Implications for Sources of Talent
- Conclusion
- 12: Toward Best Practices
- Introduction
- Chief IT Executive
- Definitions of Maturity Stages and Dimension Variables in the Chief IT Executive Best Practices Arc
- Maturity Stages
- Performance Dimensions
- Chief Executive Officer
- CIO Direct Reporting to the CEO
- Outsourcing
- Centralization versus Decentralization of IT
- CIO Needs Advanced Degrees
- Need for Standards
- Risk Management
- The CEO Best Practices Technology Arc
- Definitions of Maturity Stages and Dimension Variables in the CEO Technology Best Practices Arc
- Maturity Stages
- Performance Dimensions
- Middle Management
- The Middle Management Best Practices Technology Arc
- Definitions of Maturity Stages and Dimension Variables in the Middle Manager Best Practices Arc
- Maturity Stages
- Performance Dimensions
- Summary
- Ethics and Maturity
- 13: Conclusion
- Introduction
- Glossary
- Organizational Learning Definitions
- References
- Index