
Alea Fairchild – Strategic Views

Tag Archives: trust

Organizational Resilience: Compliance risk strategy for 2023

05 Thursday Jan 2023

Posted by afairchild in Uncategorized

Tags

2023, compliance, PCI DSS, security, strategy, TPTM, trust

One of the two key areas of research focus for me this year is organizational resilience.  In 2023, a number of regulations have been updated, creating new requirements for businesses to follow, new areas of risk, and more money and time spent adjusting to these changes.

Compliance strategies help cement trust in professional partnerships and vendor relationships.  If your firm is trying to qualify for cyber insurance, or simply looking to obey the law and avoid fines, your business is up against increasingly tough compliance measures. It is no longer sufficient to be compliant only once per year, scramble in the two weeks before the audit, and then forget about it for the rest of the year.

What compliance tech trends should IT management adopt as they build and refine their technology roadmaps?

Let’s start with some of the regulatory drivers for these trends.

Regulatory Issues to watch

European Union Digital Operational Resilience Act (DORA)

The EU is applying regulatory pressure in the financial sector with its Digital Operational Resilience Act (DORA). DORA is a “game changer” that will push Financial Services (FS) firms to fully understand how their ICT, operational resilience, cyber and third-party risk management (TPRM) practices affect the resilience of their most critical functions, and to develop entirely new operational resilience capabilities.

One key element here is that DORA introduces a Critical Third Party (CTP) oversight framework, expanding the scope of the FS regulatory perimeter and granting the European Supervisory Authorities (ESAs) substantial new powers to supervise CTPs and address resilience risks they might pose to the FS sector.
German Supply Chain Due Diligence Act (SCDDA)

On January 1, 2023, the German Supply Chain Due Diligence Act took effect. It requires all companies with their head office, principal place of business, or administrative headquarters in Germany, and with more than 3,000 employees in Germany, to comply with core human rights and certain environmental provisions in their supply chains. SCDDA is far-reaching and impacts multiple facets of the supply chain, from human rights to sustainability, and legal accountability throughout the third-party ecosystem. It will also address foundational supply chain issues such as anti-bribery and corruption diligence.

From 2024, the employee threshold will be lowered from 3,000 to 1,000. Switzerland, The Netherlands, and the European Union also have drafts of this type of regulation on the books.

PCI DSS 4.0

The Payment Card Industry Data Security Standard (PCI DSS) is the core component of any credit card company’s security protocol. In an increasingly cashless world, card fraud is a growing concern. Any company that accepts, transmits or stores a cardholder’s private information must be compliant. PCI compliance standards help avoid fraudulent activity and mitigate data breaches by keeping the cardholder’s sensitive financial information secure.

PCI compliance standards require merchants to consistently adhere to the PCI Standards Council’s guidelines which include 78 base requirements, more than 400 test procedures and 12 key requirements.

Looking at how PCI has evolved over the years up to PCI DSS 4.0, there is a departure from specific technical requirements toward the general concept of overall security. The PCI DSS 4.0 requirements were released in March 2022 and will become mandatory in March 2024 for all organizations that process or store cardholder data.

The costs of maintaining compliance controls and security measures are only part of what businesses should budget for PCI certification. Businesses should also account for audit costs, yearly fees, remediation expenses, and employee training costs in their budgets alongside technical upgrades to meet compliance standards.

Tech Trend changes

Zero Trust presents a shift from a location-centric model to a more data-centric approach, with fine-grained security controls between users, systems, data and assets. As a model, Zero Trust assumes every request originates from an open network and verifies each request accordingly. PCI DSS 4.0 does not mention zero trust architecture specifically, but it is evident that the Security Standards Council is heading that way as a future consideration.

Passwordless authentication gained a lot of attention and traction this year. Major companies, such as Google, Apple, and Microsoft, are introducing passwordless authentication based on passkeys. This is a clear sign that the game is about to change. Just as the PCI DSS focuses on avoiding fraudulent activity, so do these newer authentication approaches that verify and confirm identity.

Third-party risk management is quickly evolving into third-party trust management (TPTM), with the SCDDA drawing a clear line in the sand for global organizations. TPTM is a critical consideration when standing up an enterprise trust strategy. Enterprise trust is a driver of business development that depends on cross-domain collaboration. It goes beyond cybersecurity and focuses on building trusted and lasting third-party relationships across the core critical risk domains: security, privacy, ethics & compliance, and ESG.

Final thought – Cyber Insurance in 2023

If some of these compliance drivers lead to a desire for financial protection, cyber insurance is one mitigation element in a strategy to address C-level concerns. But wait: this is not as easy as it used to be.

Five years ago, a firm could fill out a one-page cyber insurance application and answer a handful of questions. Fast forward to ransomware and other cyber threats, and now getting insurance with favourable terms, conditions, pricing, coverage and low retention is tough.

Insurance companies prefer enterprises that are instituting robust security controls and incident response plans — especially those prepared to deep dive into their cybersecurity architectures and planned roadmaps. In terms of compliance strategy development, there needs to be a risk-based approach to cybersecurity before an insurer will offer a favourable insurance option.

Networking with networks – our virtual organisations and ambiguity

25 Tuesday May 2021

Posted by afairchild in Uncategorized

Tags

investment, networking, organizational capital, organizational design, trust, virtual network, white space

Navigating virtual organisations – building a virtual network roadmap

I have worked for three organisations that were mainly remote with a small HQ. And one of the first things you have to do remotely is get the lay of the land. Who is the glue that keeps the place moving? Who knows the internal mapping of who gets what done? What person becomes a dead-end in your quest to get something published? I really feel for someone who started a new job in the last year who does not have that organisational capital investment behind them in making their way through an organisational network.

I have seen the same in graduate school groupwork, both successes and failures in communication and reaching common goals.

Networks are relationships, based on equity and mutual trust, that enable dialogues to prosper and bear fruit. These are the links within teams or departments that are built on patterns of interaction. One of the challenges of the last year has been using previously built organisational capital to get things done. So how do we do that?

Creating white space for creativity

Organisations actually create ambiguity about how things are done so that members of the team can create their own pathway by experimenting and improvising. The characteristics found in a networked organisation that allows this kind of creative white space are:

Common goals and objectives: There is a common pull in the team towards an acknowledged activity. When this becomes less clear (as in a pandemic), some of that white space for creativity disappears as well.

Shared knowledge: Synergies are created where team thinking can be applied by several members of the group together. Ideas are seen as complementary, and as challenges for the organisation to achieve. That shared knowledge can rejuvenate the organisation when things become stagnant.

Shared work and building of trust: As I saw personally yesterday, a networked organisation encourages shared work. And giving that white space for growth between participants in the network allows a building of trust and cooperation. And that grows the opportunities for even more creative expression.

Shared decision making: If the organisation’s culture allows its members to have a say in decisions, then the networked organisation knows whom to call on when a shared decision needs to be made. That networked trust between virtual participants means there is an understanding of the intellectual wealth in the network and of how to leverage that wealth in the decision-making process.

Dealing with ambiguity

When ambiguity is excessively high, people are confused and anxious, because they lack a frame of reference to interpret their work and actions within the organisational network. However, when ambiguity is suppressed, people become complacent and unwilling to experiment or change, as they are shielded from the need to adapt.

One way to deal with ambiguity is not through explicit instructions but through shared rewards. If a virtual team is pulling towards the same finish line with the same shared priorities and shared timing, then a structure is formed that gives the virtual team the necessary reference frames to reduce anxiety and conflict.

Summary

Dynamic relationships are key to networked organisations, and our new normal in organisational development is working out how to enable those networks to be built and supported within a framework that is neither physical nor experiential.

Content is not King

28 Saturday Dec 2019

Posted by afairchild in Uncategorized

Tags

content, curation, Netflix, streaming wars, trust

Content is not King. Content is more like microplastic: everywhere and in volume. Content is not curated anymore; on the contrary, content is everywhere, sprayed like a firehose.

This is why the streaming wars over broadcast media content are reasonably meaningless. When you see how much people can make from YouTube and the advertising model there, you wonder why Netflix, Amazon, Disney, etc. are spending so much money and time creating “original content”.

Because we are all now self-important, as shown by our need to create our own narratives (Instagram, TikTok) and our own self-fiction. Heck, some even want to test their DNA to create their own biological narrative.

In the early era of broadcast media, we had both content creation and network curation. People in media became trusted sources of information. Right now, it takes personal effort to curate what is true and what is not. And much like the concerns raised when portals were created, many personal curation attempts end up filtering out all but what people want to hear, not necessarily what is true.

Because of this, we get other people’s detritus. And the effort to filter, to listen, to think critically is beyond many people’s capacity. (Unfortunately, I see this in working in higher education. I also see a great deal of mental health issues, which I believe is tied to this.) And I also see fewer people willing to read, which may be a function of time.

Trust now is a function of curation.  And the instinct to trust is built on experience and wariness, not openness and willingness to listen.

This stream of thought came to me this morning when I realized that I was not reading new authors, having bought a new book from an author I had not read before.  I have been reading blogs and articles using tools such as Medium but finding less and less relevant content for my personal interests.

So how do you go about finding new, relevant and honest content in (nearly) 2020? Where do you apply a trust factor in terms of sourcing relevant material? I watch less TV, listen to less broadcast media, and generally have less media entertainment in my life at present. I no longer find it that relevant or entertaining. But I see myself in the minority, given how many people are attached to small or large screens, or have headsets or earbuds on.

I am highly critical of content now and limit myself to infrastructure providers that are not going to make me uncomfortable with their efforts to sell my data in exchange for access.  Have we all become more wary?

Where do you find yourself in this next decade finding relevant and interesting content?

GDPR for Marketers – Distraction or Opportunity?

25 Monday Mar 2019

Posted by afairchild in Uncategorized

Tags

brand impact, data privacy, GDPR, marketing, protection, SAP, trust

On March 28th at 11am EDT (4pm CET), Dr. Alea Fairchild will participate in a webinar on “How to Thrive in the World of Data Protection and Privacy for Marketers”. Registration is still available.

Post-GDPR – how does your marketing team deal with data privacy now?

GDPR came into force on May 25th of last year, and for many marketers it was a wake-up call to reexamine internal procedures and processes.

GDPR as a regulation takes a wide view of what constitutes personally identifiable information. Companies now need the same level of protection for things like an individual’s IP address or cookie data as they do for name, address and national ID number. The GDPR carries provisions that require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. It also regulates the export of personal data outside the EU.

Since its implementation last May, marketers are still not clear on how it is enforced, what the penalties are, and how best to tackle compliance at small and medium-sized businesses without an internal legal team. And since May, we have seen other regions refocus their efforts on privacy and consumer data rights.

So is GDPR taking time from other priorities, like cybersecurity or data protection policy, or does it bring a benefit to better engaging the customer? Or are the two related?

According to a recent Ovum report, about two-thirds of U.S. companies believe that the GDPR will require them to rethink their strategy in Europe. Even more (85 percent) see the GDPR putting them at a competitive disadvantage with European companies. That last figure is puzzling, but culturally telling, as I believe from my experience that U.S. companies view customer and prospect data differently than in other regions of the world. So how can data handling be transparent and create a climate of trust in the business ecosystem?

Let’s highlight some of the topics we will be discussing on March 28th in the webinar.

How did consumers react prior to GDPR last May? Businesses were confused about how to reach out to the prospects and customers in their data systems, so many marketers sent mass mailings to notify the people whose data they held and to ask permission to continue communicating with them. This provided a terrific opportunity to cement a closer relationship with prospects and customers. And many marketers blew it, instead giving people on their mailing lists a reason to opt out with pleasure. Why? Because instead of telling people how important they are and how you plan to interact with them going forward, these mails just reminded them that they were signed up to a mailing list that was no longer relevant to them.

Have we seen a business impact? Let’s face it, data privacy is a business issue with strong implications on customer experience, brand reputation, and personalization. Trust, transparency and reputation are all on the line every time we engage with a prospect or customer. Those that took this as an opportunity worked on addressing this as a benefit to the relationship by pointing out how they handled data, why they collected it and how it was used, as well as how they plan to use it going forward.

Were there any early adopter benefits? Firms that were first to embrace GDPR consistently report improvements in their business outcomes, including their customer experience and data strategies. GDPR has also been pushing firms to innovate and prepare to deliver services of the future, in line with compliance and transparency. GDPR can be an opportunity to more clearly engage the prospect or customer as a trusted provider of service.

Where is data protection and privacy headed next? Tech companies cannot require that you give up your data in order to receive value from their products and services. If you want to ask for data, there should be a reason for it, and there must be an option to revoke the information if requested. To be precise: consent must stand out, be clear, and include the reasons for collection.

Where should we focus our DPP efforts? Decide the purpose for collecting the data, and the manner in which it is collected. Make the necessary process investments, supported by good tools, to know the state of your data protection efforts beyond a dashboard. DPP efforts should include internal data protection awareness workshops, privacy impact assessments (PIAs), managed breach detection and response, and a breach notification policy. Get the necessary tools for a data audit, as data discovery, mapping, and protection technologies are all key aspects of protecting consumer data and privacy. Cybersecurity monitoring, threat detection, and alerting systems are necessary to ensure GDPR compliance, because under current GDPR requirements, organizations have to report a breach within 72 hours of discovery.

What can I do to proactively make this an opportunity for our marketing team? Privacy protection compliance should be enforced not only through business processes and strategies but also through investment in technologies and incident response management. Data breaches are not only expensive but also erode trust in the brand.

Which hurts worse – to lose your wallet or to lose your mobile device?

29 Tuesday Jul 2014

Posted by afairchild in Uncategorized

Tags

chip, EMV, LoopPay, trust, VISA

I was reading the investment news that VISA has a strategic investment in LoopPay.
LoopPay claims to have “invented Magnetic Secure Transmission™ (MST) technology which leverages existing point-of-sale infrastructure to receive contactless payments from mobile devices of all kinds with no hardware changes required by merchants”, information sourced from their website.

I found this an interesting investment from two perspectives:

  1. Here in Belgium, almost everything in terms of card is chip and pin, including our national ID card, bank cards, national insurance cards, etc. Loyalty cards are barcode, not magnetic strip. I rarely ever see a magnetic swipe option on a card reader, although I am sure they are still there, but I never look for them anymore. The pin for online payment is part of a larger process involving a digipass that generates a one-time code for authentication. So I want to hear more about the authentication and encryption processes on this one.
  2. At present, I would never pay using my mobile phone for anything. I do not trust 1) the phone, 2) the apps and 3) the network provider’s security. There is no encryption method obvious to me as a user to increase my trust, and the permission asked by most apps have turned me off from ever using them. What kind of trust mechanism(s) are they going to put in play to address this?

For me, my wallet is in my purse, and that is in a protected space in my office, usually locked up. My phone, however, is in my pocket, on my desk, on a conference room table, etc. If I lose my wallet, I have the details stored elsewhere and a set of phone numbers to call to protect myself and my rights as a consumer. If I lose my phone, I can deactivate the SIM card via my mobile network provider. But I cannot wipe the contents of the phone remotely, just deactivate any privileges by changing passwords. I would have to make those calls again, assuming I have the written details backed up somewhere. A bit of a process change for the consumer here….

I think part of this is cultural on how we use our mobile device here on the Continent, as well as what is accepted in the stores as a payment option. Our payment network is too ingrained in the consumer culture – alternative options face a steep learning curve. But I do wish them well to provide us options!

Would you want your wallet and your phone to be the same device? Which one is the worst one to lose for you right now? #justasking
