Security and Disruptive Innovation Part IV: Embracing Disruptive Innovation by Mapping to a Strategic Innovation Framework
This is the last installment of the series on the topic of "Security and Disruptive Innovation."
In Part I we talked about the definition of innovation, cited some examples of general technology innovation/disruption, discussed technology taxonomies and lifecycles, and looked at what initiatives and technologies CIOs are investing in.
In this last part, we will explore how to take these and future examples of emerging disruptive innovation and map them to a framework that allows you to begin embracing them rather than reacting to disruptive innovation after the fact.
21. So how can we embrace disruptive technology?
Most folks in an InfoSec role find themselves overwhelmed juggling the day-to-day operational requirements of the job against the onslaught of evolving technology, business, culture, and economic "progress" thrown their way.
In most cases this means that they are busy mitigating the latest threats and remediating vulnerabilities in a tactical fashion, and find it difficult to think strategically and across the horizon.
What is missing in many cases is the element of business impact. Threats and vulnerabilities only matter in proportion to the impact they would have on your most important assets, so that impact should drive what you focus on and how you prioritize action.
Rather than managing threats and vulnerabilities without context and simply deploying more technology blindly, we need to find a way to better manage risk.
We'll talk about getting closer to assessing and managing risk in a short while, but if we look at what managing threats and vulnerabilities entails as described above, we usually end up in a discussion focused on technology. Accepting this common practice today, we need a way to effectively leverage our investment in that technology to get the best bang for our buck.
That means we need to actively invest in and manage a strategic security portfolio, much as an investor buys and sells stocks. Some items you identify and invest in for the short term and others for the long term. Accordingly, the taxonomy of those investments should also align to the "foundational, commoditizing, distinguished" model previously discussed, so that the diversity of the solution sets can be associated, timed and managed across the continuum of investment.
This means that we need to understand how technology, business, culture and economics intersect to affect the behavior of adopters of disruptive innovation, so we can understand where, when, how and if to invest.
If this is done rationally, we will be able to demonstrate how a formalized innovation lifecycle management process delivers transparency and provides a RROI (reduction of risk on investment) over the life of the investment strategy.
It means we will have a much more leveraged ability to proactively invest in the necessary people, process and technology ahead of the mainstream emergence of the disruptor by building a business case to do so.
Let’s see how we can do that…
This model is what we use to map the classical adoption cycle of disruptive innovation/technology and align it to a formalized strategic innovation lifecycle management process.
If you look at the model on the top/right, it shows how innovators initially adopt "bleeding edge" technologies/products which through uptake ultimately drive early adopters to pay attention.
It is at this point within the strategic innovation framework that we identify and prioritize investment in these technologies as they begin to evolve and mature. As business opportunities avail themselves and these identified and screened disruptive technologies are vetted, certain of them are incubated and seeded as they become an emerging solution that adds value and merits further investment.
As they mature and "cross the chasm" then the early majority begins to adopt them and these technologies become part of the portfolio development process. Some of these solutions will, over time, go away due to natural product and market behaviors, while others go through the entire area under the curve and are managed accordingly.
Pairing the appetite of the "consumer" against the maturity of the product/technology is a really important point. Constantly reassessing the value brought to the table by the solution, and whether a better, faster, cheaper mousetrap is already on your radar, is critical.
This isn’t rocket science, but it does take discipline and a formal process. Understanding how the dynamics of culture, economy, technology and business are changing will only make your decisions more informed and accurate and your investments more appropriately aligned to the business needs.
This slide is another example of the various mechanisms of managing your innovation pipeline. It is a representation of how one might classify and describe the maturation of a technology over time as it matures into a portfolio solution:
In a non-commercial setting, the last stage might be described as "blessed" or something along those lines.
The inputs to this pipeline are just as important as the outputs; taking cues from customers and from internal and external market elements is critical for a rounded decision fabric. This is where that intersection of forces comes into play again. Formally evaluating all the elements, your efforts, the portfolio and the business needs yields a really interesting by-product: transparency.
I didn’t invent this graph, but it’s one of my favorite ways of visualizing my investment portfolio by measuring in three dimensions: business impact, security impact and monetized investment. All of these definitions are subjective within your organization (as well as how you might measure them.)
The Y-axis represents the "security impact" that the solution provides. The X-axis represents the "business impact" that the solution provides while the size of the dot represents the capex/opex investment made in the solution.
Each of the dots represents a specific solution in the portfolio.
If a solution is a large dot toward the bottom-left of the graph, one has to question the reason for continued investment, since it provides little in the way of perceived security and business value at high cost. On the flip side, if a solution is a small dot in the upper-right, the bang for the buck is high, as is the impact it has on the organization.
The goal is to move as many of the investments in your portfolio as possible from the bottom-left to the top-right, with the smallest dots possible.
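The bubble chart above can be turned into a repeatable scoring step. The following is an added example, not code from the original post: it assigns each solution the three dimensions described (security impact on the Y-axis, business impact on the X-axis, cost as dot size), places it in a quadrant, ranks the portfolio by impact per unit of spend, and flags the "large dot in the bottom-left" case as a candidate for review. The 0-10 scores, the midpoint of 5, the median-cost cutoff and the sample portfolio are all constructed assumptions for illustration; your organization will define its own scales.

```python
"""Portfolio quadrant scoring (added example; not code from the original post).

Each solution is scored on the three dimensions the post describes:
security impact (Y-axis), business impact (X-axis) and cost (dot size).
Scores are subjective 0-10 ratings assigned inside your own organization;
the cost unit is arbitrary (here: thousands per year). The midpoint and
the median-cost cutoff are assumptions for illustration.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Solution:
    name: str
    security_impact: float  # 0-10, Y-axis
    business_impact: float  # 0-10, X-axis
    annual_cost: float      # capex + opex, dot size


def quadrant(s: Solution, midpoint: float = 5.0) -> str:
    """Place a solution on the 2x2 grid of the bubble chart."""
    horizontal = "right" if s.business_impact >= midpoint else "left"
    vertical = "top" if s.security_impact >= midpoint else "bottom"
    return f"{vertical}-{horizontal}"


def value_per_cost(s: Solution) -> float:
    """Bang for the buck: combined impact per unit of spend.

    The geometric mean of the two impacts rewards solutions that score on
    both axes over ones that score high on only one.
    """
    return (s.security_impact * s.business_impact) ** 0.5 / s.annual_cost


def rank_portfolio(portfolio: list[Solution]) -> list[str]:
    """Names ordered from best to worst value per unit of investment."""
    return [s.name for s in sorted(portfolio, key=value_per_cost, reverse=True)]


def divest_candidates(portfolio: list[Solution], midpoint: float = 5.0) -> list[str]:
    """Large dots in the bottom-left: little perceived value, above-median cost.

    These are the investments whose continued funding one has to question.
    """
    cost_cutoff = median(s.annual_cost for s in portfolio)
    return [
        s.name
        for s in portfolio
        if quadrant(s, midpoint) == "bottom-left" and s.annual_cost > cost_cutoff
    ]


# Constructed sample portfolio; names and numbers are illustrative only.
SAMPLE_PORTFOLIO = [
    Solution("Legacy NIDS", security_impact=3, business_impact=2, annual_cost=400),
    Solution("SSO / IdP", security_impact=8, business_impact=9, annual_cost=120),
    Solution("Email filtering", security_impact=7, business_impact=6, annual_cost=60),
    Solution("Dev sandbox", security_impact=4, business_impact=8, annual_cost=50),
    Solution("DLP", security_impact=7, business_impact=3, annual_cost=300),
]


if __name__ == "__main__":
    for s in SAMPLE_PORTFOLIO:
        print(f"{s.name:16} {quadrant(s):13} value/cost={value_per_cost(s):.4f}")
    print("ranked:", rank_portfolio(SAMPLE_PORTFOLIO))
    print("question continued investment in:", divest_candidates(SAMPLE_PORTFOLIO))
```

On the sample data the cheap, broadly useful items rise to the top of the ranking while the expensive, low-impact "Legacy NIDS" lands alone in the bottom-left with above-median cost, which is exactly the dot the chart tells you to question. The point of the exercise is not the arithmetic but that the scoring inputs are written down and can be revisited each cycle, which is the transparency the rest of this section is about.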
This transparency, and the process by which the portfolio is assessed, is delivered as an output of the strategic innovation framework, which is really comprised of part art and part science.
Andy Jaquith, champion of all things measured, who is now at Yankee but previously at security consultancy @Stake, wrote a very interesting paper that suggested that we might learn quite a bit about managing a security portfolio from the investment community on Wall Street.
Andy suggested, as I alluded to above, that this portfolio management concept, while not exactly aligned, is indeed as much art as it is science, and elegantly argued that using a framework to define a security strategy over time is enabled by a mature process:
"While the analogy is imperfect, security managers should be able to use the tools of unique and systematic management to create more-balanced security strategies."
I couldn’t agree more 😉
26. How are you doing?
If your CEO/CIO/CFO came to you today and put in front of you this list of disruptive innovation/technology and asked how these might impact your existing security strategy and what you were doing about it, what would your answer be?
Again, many of the security practitioners I have spoken to can articulate in some form how their existing technology investments might be able to absorb some impact this disruption delivers, but many have no formalized process to describe why or how.
Luck? Serendipity? Good choices? Common sense?
Unfortunately, without a formalized process that provides the transparency described above, it becomes very difficult to credibly demonstrate that the appropriate amount of long-term strategic planning has been done. That will likely cause angst and concern in the next budget cycle when money for new technology is asked for.
27. Ranum for President
At a minimum, what the business wants to know is whether, given the investment made, they are more or less at risk than they were before the investment was made (see here for what they really want to know.)
That's a heady question, and without transparency and process it is one most folks would have a difficult time answering without relying purely on instinct. "I guess" doesn't count.
To make matters worse, people often confuse being "secure" with being less at risk, and the two are not the same. You can be very secure but make it very difficult for the business to conduct business. This elevates risk, which is bad.
What we really seek to do is balance information sharing with the need to manage risk to an acceptable level. So when folks ask if the future will be more "secure," I love to refer them to Marcus Ranum’s quote in the slide above: "…it will be just as insecure as it possibly can, while still continuing to function. Just like it is today."
What this really means is that if we are doing our job in the world of security, we will use the lens that a strategic innovation framework provides and pair it with the needs of the business to deliver a "security supply chain" that is just-in-time and at the level (no less and no more) needed to manage risk to an acceptable level.
I do hope that this presentation gives you some ideas as to how you might take a longer term approach to delivering a strategic service even in the face of disruptive innovation/technology.