Mission Critical Low Priorities

Ask any CEO or leader of an organisation what their top worries are and they'll probably tell you that they're related to technological disruption or cyber security. In a recent PWC report, cyber security ranked in the top five concerns of surveyed CEOs. Yet despite the perceived importance of the issue, time and again it is the simplest vulnerabilities that catch companies out. Whether it's falling for an email impersonation or not patching systems, it's clear that talking about these issues is a lot easier than doing anything about them.

Costas Markides from the London Business School has talked about the problem of senior leaders saying "we need to do something about innovation". If you were at home and your partner said "we need to do the washing up" who exactly do they mean? The phrase is non-descript and non-directional, meaning that the dishes would inevitably languish in the sink. In these cases the rhetoric itself becomes dangerous. Rather than prescribing a course of action like hiring a Chief Information Security Officer or growing an innovation department, most companies default to continuing with business as usual.

Cyber security and innovation are hugely important but rarely acted upon

There are a number of reasons that I've seen which result in this behaviour. By recognising the common traps it becomes easier to align your areas of high perceived importance with your high priorities.

1. It won't happen to me

There is often an underlying feeling that instances of tech disruption or cyber security won't happen to you or your company. "My people are too smart to fall for a phishing attack" or "It's a hard market to break into really, what damage can a start up do?" Like global warming, it's only after the damage has been done that it becomes clear that these sorts of things can happen to anyone.

By creating scenarios about the future - as the packaging manufacturer DS Smith has done with their 2025 scenarios - you can bring some level of reality to these hypotheticals. Assessing what actual damage might be done, and documenting who would face the repercussions you can reframe the debate.

2. Where's the ROI?

The other problem about hypotheticals is that it's hard to build a business case around them. The recent WannaCry ransomware outbreak could have been prevented by a simple patch to NHS computers; yet justifying a significant spend on a security update is difficult when there are pressing funding needs in other areas of the organisation. Making a business case for an unknown is only possible when you accept that occurrences like a hack or disruption are not just likely but inevitable. To help stakeholders understand just how likely this is, things like company wide phishing tests can be used to demonstrate vulnerabilities.

3. Innovation Stigma

"I'm just going to spend the next two hours doing some innovation." Imagine if one of your colleagues said this to you? You'd probably picture them sitting on a beanbag doodling on a pad of paper. Though innovation is critical to business today, finding the time and space to do it is difficult - especially when it's often not criteria in someone's performance review. It's only by promoting innovation as a tangible activity within a company - through a lab or investments for example - that "innovation activity" can happen without it looking like people are wasting their time.

4. Fear of failure

Underlying all of these issues is the problem that admitting to failure is incredibly difficult it today's business environment. Both innovation and cyber security have a high probability of failure - even if you invest significantly in both areas it's still possible that you will be disrupted and hacked. It's a game of probability, though, and therefore it's important to be transparent and communicative about the risks involved.