Innovation Management: Learning How to Fail is the CISO’s Advantage

By Dr. Viktor Polic, CISO, Head of Information Security and Assurance Services, International Labour Organization and Computer Science professor at Webster University Geneva

Innovating at work. This is probably something we are encouraged to do as individuals from the moment we accept our first post of employment. It’s  not however something we are inherently supported to do; ironically the traditional hierarchical structure of the mainstream workplace effectively discourages most individual contributions to meaningful innovation. Fortunately, digital development is turning this on its head as it gives more and more people the visibility, connections and tools to be innovators for their organisations. For those of us working in information and cybersecurity particularly, we have a huge opportunity to lead the way.

Gone are the days where we need to be assessed as the naysayers. Our position in the midst of the assessment of risk, the review of product roadmaps and the like, and the resolution of crises actually positions us to become leaders within our organisations in the effort to embed innovation processes throughout. Many of us in the CISO community can see the value of the CISO’s dataset for the organisation as a whole. With the application of a little ‘design thinking’, I believe we can recognise and take advantage of it more fully.

It starts with a change of mindset, particularly in the assessment of what we do, to create a culture of management that truly appreciates innovation.   People need to be confident that it is ok for them to try and fail with their projects, and to admit that they lack knowledge. Their effort should in fact be fully recognised as the pursuit of knowledge, particularly in the midst of disruptive change that most companies are now beginning to accept.  The setting of goals and metrics must have failure written in to them and above all we need to get away from the concepts of absolute success or failure.  Outcomes are never so black and white.   Every outcome contributes to the digital transformation process that we are all undergoing at the moment.

Measuring the Real Value

Consider the development of Artificial Intelligence (AI) today. It is perhaps the most obvious example of the challenge we face in acting as innovators. Ninety-nine percent of us can claim that we are using some form of AI in information security solutions but very few understand the process of innovation well enough to be happy to apply it to risk management.  We remain in the early stages of acceptance, particularly in the reliance on AI to make judgement calls, even though we know that as humans, we can’t possibly work with as much information as AI can, as much information as we have thrown at us every day. It’s the early adopters that are trying it out and pushing this level of development forward. Failures are inevitable while the value in what is learned along the way is immense.

The bad guys are exploring and being innovative as well. CISOs have a very structured way of looking into threats, which creates the game of cat and mouse that is so common for us all. While our community remains focused here, early adoption of new technologies such as deep fake, are fundamentally changing the game. Not every attack succeeds, but every success undermines trust. Failure is the cost to achieving the outcome.

Creative Confidence

In my career, initially in developing and integrating business systems and for the last 15 years within information security, I have built dynamic teams that can break out of their organisational siloes to drive and maintain this culture of innovation. Part of this effort has been a defined focus on innovation management—in terms of talent, goals, resources, communications—as an embedded aspect of the development of our Information Security Management Systems (ISMS). A key aspect comes from understanding how to communicate so-called ‘failures” to the investors and business champions. Not every innovation is a success, but there is always creative value to be realised. Understanding and assuring confidence in this value underpins the capacity to truly become an enabler.

There is a growing body of references for design thinking that can guide the development of your overall process from how to secure funding and business adopters, to the drafting of concrete steps, the development of innovation workshops, and tactics to help people who may not be focussed on your project understand and contribute in a meaningful way. Across organisations, particularly larger ones, the process inevitably leads to discovery and motivation of input from subject matter experts and others that can bring significant value. As a member of Swiss Silicon Valley Association, I had a chance to visit Stanford University’s Dschool back in 1993 where I discovered the Design Thinking Bootleg which remains my favourite source of inspiration.

My current effort builds on the concept of open data, to create an “open innovation” approach within my organisation. It is being developed using internal crowd -sourcing techniques and a ticketing system that allows anyone the opportunity to contribute, not just the people on my team or formally associated with the listed projects.  It works to attract very practical questions and levels of insight, from the administrative to the strategic.

I count myself as lucky to be working within an organisation that allows such initiative and hope to see more organisations do the same.  I am sharing my own experience in the belief that my professional colleagues in cyber and information security are well positioned, even competitively positioned to make this happen.

The conversation is set to continue at the upcoming CISO 360 Asia in Singapore on 25-26 September at The Westin Singapore, part of the international CISO 360 series of conferences that are developed and hosted by Pulse Conferences. Join us if you can. The more experience, the closer we get to resolution and move the agenda forward as communities.