• Managing Information, Security, and Data in the Modern Business

    Information strategy is a critical element of businesses today. For this reason, managers need to have a thorough understanding of their information systems in order to make knowledgeable business decisions. Principal Almudena Arcelus spoke with affiliate Keri Pearlson of the MIT Sloan School of Management about how managers can better align their information and business strategies, and strengthen their cybersecurity and data management in the process.

    The new edition of your coauthored book Managing and Using Information Systems: A Strategic Approach uses an information systems (IS) strategy framework to describe the interactions of a business’s various components. What is the framework, and how can it be used by managers in their objective-setting process?

    Keri Pearlson - Headshot

    Keri Pearlson: Executive Director and Research Scientist, Cybersecurity at MIT Sloan, MIT Sloan School of Management

    Businesses today are systems in which people, processes, and technology come together to create value for customers, stakeholders, and employees. Our book was written to provide businesspeople with a vocabulary and a set of frameworks, management issues, and real-life examples that can help them build appropriate strategies for their organization. Managers must be knowledgeable participants in technology discussions to ensure that technology decisions do not create unintended consequences for the business.

    In the book, we model these interactions using the IS strategy triangle framework. This framework describes the alignment and mutual dependencies among three strategic components: the business strategy (how the business will add value), the organizational strategy (how people, processes, culture, control, and leadership are structured), and the information strategy (how the business’s platforms, data, devices, network, and information architecture are assembled and maintained).

    Several critical leadership principles follow from this simple framework. The most important principle is that in a successful company, IS strategy affects and is affected by changes in business strategy and organizational strategy. This means that if a change is made in an information system but not in the organizational or business strategies, there will be unforeseen consequences.

    To give a simple example: If an information technology (IT) system is suddenly upgraded from single login to dual authentication, but the team members (as well, potentially, as other stakeholders such as customers and suppliers) are not aware of this upgrade, they may no longer be able to access the system. The unintended consequences could include business disruption or, worse, a domino effect on relationships, cash flow, or other aspects of the business. This does not mean that the IT change was bad or ill-advised. Rather, it suggests that IT changes affect organizational and business strategies, and that means that general managers must be part of the IT conversations to understand the direct and unintended consequences of these changes.

    Conversely, any change in the business or organization will have an impact on IS. For example, moving all workers out of the office to remote locations without also changing the IT to accommodate this new business design could have unintended consequences, which many companies experienced in the first half of 2020 when they sent their workforces home during the coronavirus pandemic.

    IT leaders must be part of the business conversations to make sure IT systems are aligned with business goals and policies. Successful organizations design all three components of the IS strategy triangle to complement each other, and leaders must consider this entire strategic framework when they make decisions that alter any one of these components.

    For the most part, though, general managers and business leaders are not IS specialists, and, in turn, IS leaders are mostly technology leaders and not general managers. How, then, should these leaders work together so as to implement this mutually dependent framework?

    You’re correct that many general managers aren’t IS specialists, but they must still be knowledgeable participants in IS discussions. The interdependence of technology and business in modern organizations makes it impossible to make a technology decision that does not impact business, and vice versa. Twenty years ago, perhaps, one might have argued that there were technology businesses and non-technology businesses. After all, running a financial services firm where information was the key asset was very different from running a consumer product business where physical products made at production plants were the key asset. Today, however, even the production plant is dependent on IS for scheduling, inventory, raw materials, supply chain, and automated production. So IS decisions affect businesses in real terms.

    A key consequence of this shift is that general managers must know enough about IS to work as partners with technology and IS professionals in order to build a successful business. Conversely, technology professionals must know enough about the business side, as it were, and its context in order to manage IT. This kind of mutual expertise is essential for a team to be successful in today’s environment.

    Data governance and the strategic use of analytics have recently become a major focus for many companies. What are your thoughts on these issues?

    The IS strategy triangle framework can provide insights into data management, governance, and analytics as well. Data are valuable assets for organizations and must be managed accordingly. Companies today use analytics to mine their data to create competitive advantage. As they modify their processes to take advantage of what is often many years’ worth of data from customer relations, managers must consider the organizational and technological impacts this strategic evolution will have. Among the questions business leaders must consider are:

    • What is our data strategy?
    • Who will manage the data and ensure their integrity, security, and accessibility?
    • What are our processes for using, storing, governing, and preparing data for use in analytics models and methods?

    In other words, a company’s organizational structures, roles, and processes must match up with its technologies, platforms, and systems.

    In addition, we have seen a change in sentiment around the use and ownership of data that has resulted in a number of new rules and regulations affecting organizations’ use of this information. It’s critical for both business leaders and IT professionals to ask themselves, for example, who owns the data being analyzed – the company, or the people or organizations who shared the data with the company? In strategizing about the use of these data, managers must consider whether their plans fit regulations such as the General Data Protection Regulation (GDPR) in the EU, as well as similar rules governing the retention or destruction of data. This is a new world for many managers, especially when their companies’ data were collected prior to these regulations, and there are many gray areas to be sorted out and clarified.

    Almudena Arcelus - Headshot

    Almudena Arcelus: Principal, Analysis Group

    Cybersecurity has grown in prominence over the past decade, and the proliferation of cyberattacks over the last few years has brought into focus the role of technology in the organization today. How does the IS strategy triangle framework address these challenges that companies are facing today?

    An important distinction exists between information security and cybersecurity. Information security emphasizes technologies and behaviors that comply with an established policy within an organization to protect information and IS. Cybersecurity is much broader. It encompasses not only information security but also the security of all of an organization’s digital components, including a serious commitment to organizational cybersafety by individuals, supply chain partners, and other stakeholders. One of the most underrated risks to cybersecurity, and one that’s especially difficult to control, is the human factor. Most hackers gain access to an organization’s IS from an employee clicking a phishing email. Technology and information security policy only go so far in protecting an organization from a cybersecurity breach; employee behavior is just as important.

    This is why guiding employee behavior on cybersecurity is becoming a key strategic initiative for companies. This goal can be achieved by a deliberate application of the IS strategy triangle framework. Organizational strategy can address some of the challenges of cybersecurity by altering the attitudes, beliefs, and values of individuals within the organization. Furthermore, organizational structure, control, and culture are important management levers for effecting this change. Leaders can rely on organizational mechanisms such as performance evaluation processes, internal communications, leadership models, and other tools to shape organizational values, attitudes, and beliefs; this, in turn, minimizes the behaviors that create cybersecurity vulnerability and encourages behaviors that protect the organization.

    Often in litigation, contract disputes arise involving a company that outsourced the development of its IS to a third party. For instance, the contracting company does not believe that the contractor’s final product aligns with its specifications; the contractor claims instead that the company did not meet its performance obligations under the contract. How do you think these disputes should be resolved?

    Outsourcing typically presents a host of challenges, given the complexities involved in supporting a firm’s IS requirements. Outsourcing organizations provide IS services, but as the IS strategy triangle framework suggests, the impact of these services can greatly impact a business’s ability to deliver on its promises to customers. Relationships with outsourcers are a delicate balance between contracted services and evolving business needs. Contracts are written to clarify as much of this relationship as possible, but contract authors on both sides of the table may not have anticipated all the changes that may occur as the business’s needs change.

    When a dispute arises based on different views of the IS services provided under the contract, it can quickly devolve into finger-pointing rather than constructive exchange. To resolve the dispute, the first step is to return to the part of the process where there was agreement and work from there. Important steps include:

    • Understanding what the contracting company sought, and how it communicated what was sought
    • Understanding what the contractor agreed to provide and how it intended to provide those products or services
    • Evaluating the process by which the two sides worked, such as who was involved; the frequency of the communication; the form and content of the information; and, perhaps most significantly, what feedback was provided and how

    In situations like these, leaders need to look at the overall business relationship, from the point at which there was agreement between the contractor and contracting company through any and all changes that occurred during the duration of the contract. ■