1. Narrowing the business/IT gap
In our report, we emphasize the distinction between security risks and business risks. The former can be greatly reduced; the latter really can’t. Business and risk are inseparable, especially in fast-moving markets, and thus firms that become too risk-averse will inevitably see their competitive position erode over time. Business people are used to trading off potential rewards against losses as the basis for taking calculated risks, but in the end they know that a certain amount of risk must be accepted. In contrast, Enterprise IT has too often viewed risk and security as nearly synonymous. This is one reason why Enterprise IT is often seen as the land of “No” – that is, no PCs, no LANs, no internet access, no iPhones, no Facebook, etc.
Recent events appear to be narrowing this gap. On the one hand, the ongoing recession as well as the financial and oil spill disasters have seriously dented business confidence and appetite for risk, making many business leaders much more likely to just say “No”. At the same time, accelerating technological progress and related business pressures for smarter, cheaper and more connected organizations are making it necessary for Enterprise IT to learn to say “Yes” more often. Taken together, these shifts suggest that the traditional separation between the lands of “Yes” and “No” could shrink considerably and perhaps permanently – an important step toward the true co-evolution of business and IT.
One thing both business and IT agree upon is that the word ‘risk’ is being used with increasing frequency inside their organizations, and that because of the financial and oil spill disasters, societal tolerance for business failures and trust in business values have been seriously shaken. A decade ago, the dot.com crash and the scandals at Enron, WorldCom and others led directly to Sarbanes-Oxley. The net effect was burdensome, but not transformative, regulation. Exactly what will come of today’s debacles remains to be seen, but the consequences will likely be much more significant. Companies, especially in America, are already preparing for a more regulated and punitive environment. This will have serious effects on both business and IT.