This article was co-authored by Katherine Kennedy, an Associate at Metis Strategy.

For years, ESG has been little more than a sub-bullet or appendix slide in most CIOs’ strategy decks. But changing consumer sensibilities and heightened investor scrutiny have swept ESG, and technology’s role in it, to the top of the agenda. Corporate strategies hinge on it.

ESG is new territory for many technology leaders and getting up to speed quickly is essential. In a recent survey conducted by Lenovo, 45% of respondents said the CIO should play a critical role in executing the enterprise’s ESG mission. While the scope of ESG is of course much broader than environmental sustainability, the need for speed here is particularly heightened as the SEC moves to enact rules that will require publicly traded companies to disclose their emissions data as early as 2024. For many CIOs today, the first question often is: Where do I start?

Nick Colisto, SVP & CIO, Avery Dennison

Nick Colisto, SVP & CIO of Avery Dennison Corporation, has some ideas. ESG has been a priority for him since he joined the company, which designs and manufactures a variety of labeling and functional materials, like tapes and bonding solutions. Over the past several years alone, his team launched a web application that powers AD Circular, a program for recycling used paper and filmic label liners. The team also developed an enterprise-wide system for tracking ESG metrics, like Scope 1 and 2 GHG emissions. Insights from that system are highlighted regularly in the company’s sustainability reports.

Below, Nick suggests a few areas CIOs can start on the journey to creating a proactive ESG agenda that anticipates compliance requirements:

Dedicate a sustainability leader to the CIO organization

A dedicated sustainability expert focused on how data can drive the enterprise agenda while satisfying relevant ESG policies and guidelines is essential, Nick says. “Data is essential to a modern ESG strategy, and you won’t make strides of any respectable length if you’re constantly fighting for the time of the company’s shared ESG resource.”

If your search comes down to hiring someone with ESG policy knowledge versus technical expertise, prioritize the former, Nick says. That way, the person can narrow the scope of ESG use cases to those that will drive the most meaningful results before involving the technical talent responsible for delivery.

Of course, finding the right person is only half the battle. CIOs must set sustainability leads up for success. That means giving them visibility and access. Nick’s leader sits on Avery Dennison’s sustainability council, where he has visibility into the enterprise ESG agenda. He also has a mandate to engage business leaders to collect requirements for any initiative the council pursues, which he then translates into technical specifications and tracks from start to finish.

Focus on data governance

Data governance is vital to ESG initiatives. At minimum, it will form the backbone of your ESG reports, which will command much of your focus at the start of your ESG journey. In addition to ensuring compliance, data will also inform which goals your organization pursues and how it tracks them. Thus, the quality of your data must be exemplary.

Obtaining that high-quality data, Nick says, starts with establishing a single source of truth. This has been on many a CIO’s docket for a while, but the work often is not prioritized because the value of the data was relatively low, used mostly for historical reporting to support brand positioning and annual sustainability reports. “As investors demand increasingly detailed data to assess climate-related risk, data quality is critical,” Nick says. “Disparate data will not work for ESG as it’s too difficult to analyze and report on. Also, consolidated ESG data has increased operational and strategic value.”

Once a single source of truth has been established, it must be maintained with robust data governance and management policies. These policies will become especially critical once the scope of regulatory reporting expands to include Scope 3 emissions, those a company generates indirectly, through its supply chain, products, and partners, which are particularly hard to track, says Nick.

Drive accessibility and transparency

Once a lead has been established and a clear governance process put in place, the next step is to make your data accessible and transparent. That means making sure anyone who needs the data can get their hands on it and, once they do, easily understand it. That task is harder than it sounds, but it’s worth your while. ESG programs are unlikely to gain momentum if every routine compliance report requires employees to endure a scavenger hunt for the necessary data. More importantly, people are less likely to invest themselves in a cause that is opaque or poorly understood. Knowing your ESG goals, who they involve, what data they rely on, and what activities will move the needle will make your employees feel they are part of the process. Our team sees four key ways to do this:

Publish a dashboard of the ESG metrics your organization values most: It might include metrics such as carbon offset, DEI ratings, or aggregate scores published by a third-party ESG rating provider. To drive adoption, involve leaders from various departments early in the dashboard design process.

Contextualize ESG data and share it with the enterprise: ESG metrics are frequently affected by operational decisions. Yet, the people making those decisions often lack the skills to analyze and interpret ESG data effectively. Provide employees access to low/no-code analytics tools such as Power BI and Tableau to help them understand their impact on each metric.

Incentivize teams to make ESG-smart decisions: Moving the needle on ESG goals requires leaders and their teams to change the way they work. To do that, they need a reason. Give leaders incentives to get smart on the company’s ESG vision, the core metrics, and the role each team plays in realizing the future. For instance, Bank of America’s My Environment® employee program offers, among many incentives, to reimburse a portion of the cost of an employee’s electric vehicle or charger.

The principles above, when applied in earnest, can do much more for companies than simply earn them a sticker for compliance. Nick’s focus on ESG at Avery Dennison demonstrates the central role CIOs can play in asserting IT’s role not only as a service provider, but also an active contributor to an organization’s ESG mission and, ultimately, its growth.

With the threat landscape evolving to be more dangerous and sophisticated, board members may wonder where their own organizations stand when it comes to cybersecurity readiness against threats such as ransomware and data breaches. After all, board members have a duty to ensure their organization protects itself against cyberattacks and accidental data leaks. 

Here’s a list of questions CIOs should be prepared to answer to ensure the organization is making the right strategic investments in cybersecurity.

Questions for CIOs about cybersecurity readiness

1. Have we prioritized our objectives and our risks?

Risks are uncertainties about outcomes. Risks matter most when they pertain to the outcomes an organization prioritizes. Is there a risk management practice in place that identifies its highest-level objectives? For most organizations, those objectives will include:

Business continuity

Data confidentiality, integrity, and availability (data “CIA”)

Regulatory compliance

2. Have we identified the IT resources and processes that support our objectives?

Besides identifying key objectives, an organization needs to identify the IT resources and processes that support those objectives. For example, if business continuity depends on an eCommerce website, which IT assets, processes and teams does that website depend on? What are its most valuable assets? Do they include intellectual property, financial data, physical infrastructure, or something else? Where are those assets stored, and who has access to them?

3. Have we identified the risks associated with each of those IT resources and processes? 

Board members and the executive team need to understand what makes the IT resources, processes and teams supporting each key objective vulnerable to attack. Unpatched software? Unreliable hardware? Lack of training? Have governments or industry groups adopted new regulations that will require redesigning and redeploying software and hardware?

4. Have we assessed the likelihood of these risks? 

If the organization estimates the odds of a data breach at just 1%, that’s too low to be realistic. If the odds are 80%, it isn’t making the right investments in cybersecurity. What is our confidence level in our cybersecurity posture, and how does it compare to that of our peers? Has the organization assessed the combined likelihood and severity of each risk, so that risks can be compared and prioritized?

5. Have we developed a software Bill of Materials (SBOM) for all our key applications and software services?

An SBOM is a catalog of the software components, and their versions, that go into an application or software service. With SBOMs in hand, an organization can quickly identify which applications and services are exposed when a new vulnerability is announced, as with the Log4j vulnerability (CVE-2021-44228, “Log4Shell”) disclosed in December 2021. Has the organization begun compiling SBOMs for its key applications and services? What’s the plan for doing so? How far along is the process now? How is the work automated so the SBOMs stay current as the software changes?
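As an added example (not from the article or from Tanium), the following Python script performs the cross-reference the paragraph describes: it parses CycloneDX-format SBOMs for several hypothetical applications and reports which ones ship a log4j-core version inside the range affected by CVE-2021-44228. The application names, SBOM documents and the advisory record are constructed for the example. The affected range follows the public advisory (2.0-beta9 up to, but not including, 2.15.0) but is deliberately simplified: the back-ported fix releases 2.3.1 and 2.12.2 fall inside that range and would be flagged too, which is exactly the kind of caveat a practitioner must check before trusting a version-range match.

```python
import json
import re

# Constructed advisory record for this example. The range follows the public
# CVE-2021-44228 advisory but is simplified: back-ported fix releases 2.3.1 and
# 2.12.2 are not special-cased and would also be reported as affected.
ADVISORY = {
    "id": "CVE-2021-44228",
    "group": "org.apache.logging.log4j",
    "name": "log4j-core",
    "introduced": "2.0-beta9",   # first affected version (inclusive)
    "fixed": "2.15.0",           # first fixed version (exclusive)
}


def _lib(group, name, version, **extra):
    """Build one CycloneDX library component (constructed test data)."""
    return {"type": "library", "group": group, "name": name, "version": version,
            "purl": f"pkg:maven/{group}/{name}@{version}", **extra}


def _bom(*components):
    """Serialize a minimal CycloneDX 1.4 document, as an SBOM tool would emit it."""
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4",
                       "components": list(components)})


# Constructed SBOMs for four hypothetical applications.
SBOMS = {
    "order-api": _bom(_lib("org.apache.logging.log4j", "log4j-core", "2.14.1"),
                      _lib("com.fasterxml.jackson.core", "jackson-databind", "2.12.3")),
    "billing-batch": _bom(_lib("org.apache.logging.log4j", "log4j-core", "2.17.1")),
    # log4j 1.x is a different artifact and is not covered by this advisory
    "legacy-portal": _bom(_lib("log4j", "log4j", "1.2.17")),
    # CycloneDX allows components nested inside components (e.g. a bundled library)
    "reporting": _bom(_lib("com.example", "reporting-lib", "3.2.0",
                           components=[_lib("org.apache.logging.log4j",
                                            "log4j-core", "2.0-beta9")])),
}

_PRERELEASE = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL = len(_PRERELEASE)   # a final release outranks any pre-release of the same number


def version_key(version):
    """Sortable key: numeric parts padded to three, then (pre-release rank, number)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([A-Za-z]+)(\d*))?", version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    if m.group(2):
        tag = m.group(2).lower()
        if tag not in _PRERELEASE:
            raise ValueError(f"unknown pre-release tag in {version!r}")
        pre = (_PRERELEASE[tag], int(m.group(3) or 0))
    else:
        pre = (_FINAL, 0)
    return (tuple(nums), pre)


def is_affected(version, advisory):
    """True when introduced <= version < fixed."""
    k = version_key(version)
    return version_key(advisory["introduced"]) <= k < version_key(advisory["fixed"])


def components(sbom_json):
    """Yield every component in a CycloneDX document, including nested ones."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    stack = list(bom.get("components", []))
    while stack:
        component = stack.pop()
        yield component
        stack.extend(component.get("components", []))


def find_exposed(sboms, advisory):
    """Return {application: [affected versions]} for every SBOM that matches the advisory."""
    hits = {}
    for app, doc in sboms.items():
        for c in components(doc):
            if (c.get("group") == advisory["group"] and c.get("name") == advisory["name"]
                    and is_affected(c["version"], advisory)):
                hits.setdefault(app, []).append(c["version"])
    return hits


if __name__ == "__main__":
    for app, versions in find_exposed(SBOMS, ADVISORY).items():
        print(f"{app}: exposed to {ADVISORY['id']} via log4j-core {', '.join(versions)}")
```

Running it reports order-api (2.14.1) and reporting (2.0-beta9, found only because nested components are walked) and correctly skips billing-batch (already on 2.17.1) and legacy-portal (log4j 1.x is a different artifact). In practice the advisory would come from a vulnerability feed rather than a hard-coded dictionary, and the version comparison should use the ecosystem's own rules (Maven, npm, PEP 440) rather than the small parser here.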

6. Do we have a real-time inventory of all our IT assets, including laptops, desktops, servers, and IoT devices?

You can’t secure something if you don’t know you have it. An organization needs a comprehensive inventory of all its IT assets as part of its cybersecurity program, and it must recognize that this inventory changes continually. How are we compiling this inventory? How regularly is it updated? How are we verifying that it really is complete and accurate?

7. Have we identified likely adversaries and their goals?

Doing this helps an organization focus its cybersecurity investments. Are there specific parties, such as cybercriminal gangs, nation-states or activists, who are likely to attack us? If so, what are their goals? Are they hoping to steal information, deploy ransomware and demand payment, cause mayhem, or somehow damage the organization’s brand? How is this knowledge shaping our cybersecurity strategy?

8. How are we prioritizing our spending on risk?

Trying to eliminate all risks would be cost-prohibitive. How are we prioritizing our investments? Who is involved in making decisions about spending? How often are those decisions reviewed and, if necessary, adjusted?

9. What plans do we have in place to mitigate risks if attacks or other undesirable outcomes occur?

Do we have teams ready to respond to our most serious risks? Are communication channels in place? Do team members have the tools they need to act quickly and effectively? Have teams practiced responses to attacks to ensure that people, processes and tools are ready for action?

Learn how Tanium can help you make the right strategic cybersecurity investments here.
