Digital Transformation Success Requires Looking Inward First and Never Wearing Blinders

By Gordon Tucker, Managing Director
Technology, Media and Communications Industry Leader




To stay relevant in the digital economy, technology, media and communications companies must evolve on two fronts: externally and internally. The trick is that they must do both in tandem — and many find this difficult.

External evolution relates to the role the company is playing to help propel the digital wave forward. Namely, what new and game-changing digital products, services and business models is the company innovating and bringing to market successfully? This type of evolution is also about how the business positions itself among its competitors in the digital market and responds to new market demands and rapidly changing consumer expectations. Are those approaches effective? How does the company know?

Internal evolution, meanwhile, is about the ability of the organization to strategically transform its business processes, technology infrastructure, workforce culture and more to compete effectively in an increasingly digital age. Evolving internally is vital to supporting the company’s external evolution. Yet business leaders don’t always make that association.

At some companies, external dynamics — shareholders’ views, consumers’ sentiments, market perceptions about the company’s brand or reputation — are the impetus for external evolution. To respond, these businesses are constantly channeling resources into developing new products, services or campaigns, often at the expense of addressing internal issues that could cause the business to falter, or even fail, over time. Siloed business processes and weak cybersecurity practices are examples of such issues.

In other organizations, too much change is undertaken too quickly, both internally and externally. These businesses launch sweeping digital initiatives that aren’t backed by well-thought-out strategies. They also fail to evaluate the competitive landscape thoroughly. They focus on trying to outpace known and well-established rivals, and overlook or underestimate emerging players that have the potential to disrupt the marketplace and erode their market share.

In both examples, these businesses are making digital journeys with blinders on. One group is focused on short-term wins that don’t spark meaningful or lasting change. The other group is barreling toward a finish line in a race without an end, paying little or no attention to emerging threats and changing conditions in the field around them. In either case, the decisions these companies make are unlikely to position them for long-term digital success. I suggest a better approach below.

Look inward first

Using technology to improve operations internally is one way for companies to further their digital transformation and bring it to a broader scale. Evolving internally builds a safe foundation that can support their external evolution. For example, a business that has the right digital processes in place and is not burdened by legacy IT systems undermining its agility can score a number of operational successes — from simplifying or automating repetitive or labor-intensive business processes to implementing new tools to enhance workforce communication and collaboration. These successes can then be translated externally into the ability to innovate quickly, deliver better service to customers and meet the expectations of stakeholders.

I recommend reading Protiviti’s white paper, Catching the Digital Wave of Change, which explains how the way a business embraces technology can, in turn, help to change the way employees and customers perceive the organization. Change from the inside shines to the outside.

Tear off the blinders

When setting the strategy for a digital initiative, businesses must analyze the markets in which they are operating, as well as the competitor landscape. In their quest to achieve digital transformation, they must be careful not to miss what’s happening in the “ecosystem” around them.

Ron Adner, a professor of strategy and entrepreneurship at Dartmouth College’s Tuck School of Business, explained in a 2016 Harvard Business Review article that the “nature of disruption is changing … [and now] occurring at the level of ecosystems,” rather than at the product or service level. He posited that businesses need to “approach their competitive strategy with a wide lens that captures ecosystem dynamics” if they want to succeed in an Internet of Things world.

Adner pointed specifically to the example of a well-known company that produces imaging products with its historic basis in photography, citing that company’s long and painful journey to becoming a digital company as an example of what can happen when leadership “does not appreciate the dynamics of the broader ecosystem around it.” The company did not respond fast enough or appropriately to changes in the digital imaging ecosystem, and it cost the company dearly. Adner wrote that the “lesson for today’s leading firms is that risk lies not only in a lack of attentiveness to disruptive change but also in embracing the wrong part of the change.”

I don’t have much more to add to Adner’s insight other than to say that wearing blinders — not looking at the whole picture — in the digital era is likely to cause a company to lose or never find its way. Businesses may miss the right moment to pursue transformation or make the wrong decision about how and what to change. And no matter how innovative the business may be today, if it’s focused only on achieving one type of change or pursuing only one goal blindly, it’s bound to be overtaken or pushed off the track by competitors in the future.

Board-Level Cybersecurity Discussions Must Be Proactive, Have Substance, and Inspire Real Change

By Gordon Tucker, Managing Director
Technology, Media and Communications Industry Leader




Cybersecurity is a hot topic in most boardrooms today. Not a shocking revelation, certainly. But keep in mind that, in many organizations, it has taken a long time for this issue to even become an agenda item for the board. Among them are technology, media and communication companies, which should be helping to set the standard for cybersecurity best practices. Many of these companies are doing that, of course, but others still have a lot of work to do.

While it is good news that more boards of directors are talking about cybersecurity, there is a problem: These discussions are too often prompted by a headline-grabbing data breach or hack that has rattled the business or its peers in the industry. This reactionary approach needs to change if boards and executive management truly want their organizations to be prepared to weather a cyberattack or other disruptive cyber event, and its potential consequences.

Success in a digitized world hinges on effective cybersecurity

Taking a more proactive view toward cybersecurity will also help businesses to succeed in a digitized and hyperconnected Internet of Things (IoT) world. At the World Economic Forum’s annual summit in Davos, Switzerland, this year, cybersecurity experts discussed how this rapidly emerging world will help businesses to reach new heights of productivity — provided they build effective cybersecurity.

This future is not far off, which is why there is an urgent need for boards and executive management to change how they talk about cybersecurity. They need to focus less on worrying about the potential reputational or financial risks of a single embarrassing cyber incident, like a phishing campaign that targets the CEO, and focus more on helping the business define and develop an overarching set of activities that will help it create a stronger, more resilient security environment.

Board engagement as a cybersecurity success factor

For those boards that still view cybersecurity as primarily an “IT problem” — and they are still out there — Protiviti’s 2017 Security and Privacy Survey presents some findings that should help to change at least a few minds. The research found that organizations that are top performers in terms of adhering to security and privacy best practices have two critical success factors present:

  • Their boards of directors have a high level of engagement in, and an understanding of, information security risks that the organization faces.
  • They have a comprehensive set of information security policies in place, including acceptable use policies, data encryption policies, and social media policies.

One-third of businesses surveyed describe their boards as highly engaged with information security risks. This is a five-point increase from the 2016 survey. Protiviti’s survey report notes that this positive trend “reflects the fact that the [information security] issue is not merely about technology, but rather represents a top strategic risk” for today’s businesses.

Fostering more meaningful discussions

In addition to seeing security as just an IT problem, another reason many boards fail to have meaningful cybersecurity discussions is the sheer complexity and tremendous scope of the issue. Technology touches almost every aspect of the business, and cyberthreats that target systems and data are growing in sophistication. IT teams themselves struggle to understand the rapidly evolving cyber risk landscape.

Another problem: Boards are often provided information about cybersecurity risks that is far too technical. Cyber risks and recommended solutions for addressing them are not being described by technology leadership in business terms that the board can swiftly analyze and make decisions on.

In our 2017 Security and Privacy survey report, we recommend that technology leaders take care to clearly communicate relevant security matters to all stakeholder audiences. For boards, in particular, they should provide information in nontechnical terms to the extent possible, and prioritize discussion of issues based on the business risks that each issue poses to the organization.

By the same token, Protiviti’s security experts who authored the survey report advise boards to start “asking more, and more detailed, questions about organizational security efforts.” These questions, which should be posed to business, technology and internal audit leaders alike, should include:

  • Do we know how the company’s critical data is collected, stored and analyzed?
  • What framework or activities does the business have in place, or is it developing, to help protect our data and our intellectual property?
  • How is the success of those activities measured?
  • If the organization experiences a significant breach, what is the response plan?
  • How are employees trained on cybersecurity issues, how often and by whom?

These are just some examples of baseline questions that can help boards at technology, media and communication companies begin to have more productive and forward-looking conversations about cybersecurity with the business. More important, these questions will help to lay the groundwork for proactive discussions about emerging risks around digitization and the IoT — the next major technological challenges that technology, media and communication businesses must be fully prepared to face if they are to survive.

Staying Agile a Top Concern for Technology, Media and Communications Companies in 2017

By Gordon Tucker, Managing Director
Technology, Media and Communications Industry Leader




The phrase “innovate or die” has long been a mantra for businesses in the technology, media and communications (TMC) industry. As Satya Nadella wrote to employees on his first day as CEO of Microsoft, “Our industry does not respect tradition — it only respects innovation.”

But the results of a recent survey, Executive Perspectives on Top Risks for 2017, from Protiviti and North Carolina State University’s ERM Initiative, suggest that many executives in the TMC industry group now consider “innovate or die” to be more of an urgent warning than a motivational slogan. They are concerned that their firms will struggle to sustain the agility needed to compete in an increasingly complex and dynamic technology landscape.

According to the survey, executives’ top concern for 2017 continues to be the same as the two previous years: Rapid speed of disruptive innovations and/or new technologies may outpace our organization’s ability to compete and/or manage the risk appropriately, without making significant changes to our business model.

There are two key reasons this risk continues to preoccupy the minds of executives and directors at many TMC companies:

  • Rapid changes are becoming routine for organizations. More important, these so-called “changes” are anything but ordinary; rather, they are industry-shifting innovations, especially in the areas of digital transformation (mobility, data analytics, artificial intelligence and robotics, 3D printing and sensors), that require more than a mere adjustment to one or two parts of the business. These are shifts that have executives thinking more about how — and if — they can effectively harness these forces of disruption to shift their own internal operations and those of their partners in the supply chain to maintain a competitive position.
  • Disruptive companies that are created today are launched with systems and processes incorporating current digital capabilities; often, these companies enjoy an “out of the gate” advantage over more established companies that must make substantial changes to legacy systems and processes to compete.

The way for TMC companies to keep pace with agile competitors is, of course, to become more agile themselves. Following are strategies these organizations should consider adopting so they can compete effectively in the rapidly evolving digital economy while managing risk appropriately:

  • Make innovation a top — and ongoing — priority for the entire organization; an innovation mindset should be deeply engrained in the corporate culture.
  • Strive to become an “early mover” — e.g., become adept at detecting early signs of market shifts that affect the validity of the enterprise’s critical strategic assumptions and make decisions on whether to act on those signs.
  • Encourage cross-departmental collaboration on technology and innovation initiatives, especially at the C-level, so that the business, IT and internal audit leaders understand and are actively discussing potential risks and opportunities.
  • Ensure discussions about technology risks are happening at the board level.

A final suggestion for TMC organizations to consider as they work to become more agile: Make sure employees are engaged and committed to new corporate strategies, which increases the likelihood of gaining a sustainable competitive advantage.

To this end, TMC companies should take the advice of Pat Wadors, senior vice president of LinkedIn’s global talent organization, who wrote recently: “Leaders in today’s organizations [must] figure out the best ways to identify, reward, and motivate top agile talent while supporting the constant need to learn. To atrophy is to lose in the market.”

2016 Was an Eventful Year – This Is How We Covered It

As 2016 comes to a close, I want to look back on the events that made this year unique in ways both rewarding and challenging – and summarize the topics Protiviti professionals discussed, and our readers engaged with, here on The Protiviti View.

Perhaps the most seminal events of 2016 with the biggest implications were Brexit and the election of Donald Trump as president. The Brexit was brought about by sovereignty and immigration issues as those who voted to leave the European Union believed the UK – and no one else – should address UK-related decisions and control over its own borders. The U.S. presidential election arose from many issues such as immigration, trade, healthcare reform and jobs, among others.

We covered the implications of these events, both general and industry-specific, in special reports (here and here) and on the blog (here and here). But other events made waves too – record-setting security breaches across industries, including massive unauthorized release of financial data from offshore accounts, and DDoS attacks enabled by the Internet of Things.

In technology, Google’s AI robot AlphaGo defeated Go champion Lee Sedol, and Uber launched its fleet of driverless cars despite some opposition. Both of these events speak to the future of artificial intelligence, an emerging risk we continue to track in our PreView newsletter. Also in technology, the financial services industry seems poised for change and excited by the possibilities of new financial technology in payments, compliance and more.

Finally, natural disasters and viral diseases like the Zika virus created real economic damage, raising questions about resource availability and business continuity planning. We summarized the potential implications of these unpredictable business disruptors here.

Given the flavor of events this year, it is not surprising our top two most read blog posts had to do with cybersecurity and cyber awareness. Our third most popular blog had to do with money laundering and increased regulatory scrutiny in that area.

The posts that saw the most love on social media were submitted by our fraud investigation experts and focused on fraud prevention and fraud risk management. 2016 was a big year in fraud, as the much-awaited Fraud Risk Management Guide was released by COSO and the FCPA launched its Pilot Program. (Also, the SEC gave six out of its 10 highest whistleblower awards this year.)

Also widely shared was anything related to cybersecurity and the protection of personal identity, an issue that continues to affect billions of people and to which no company or entity seems to be immune.

This is plenty to look back on and think about in planning for the new year. Once again, I want to thank both our readers and contributors for their participation and engagement. We look forward to continuing these conversations in 2017.

Jim DeLoach

Technology Leaders Worry That Their Companies May Be Too Resistant to Change

Protiviti and North Carolina State University’s ERM Initiative teamed at the end of last year to survey directors and executives across a wide spectrum of industries for our fourth annual Executive Perspectives on Top Risks report. We are drilling down, over a series of blog posts, to provide insight into these executive perspectives within key industries and how these risks may have evolved since the survey was conducted. This post focuses on technology, media and communications.


By Gordon Tucker, Managing Director
Technology, Media and Communications Industry Leader




“Only the paranoid survive.” – Andy Grove, former Intel CEO

Companies in all industries face a number of risks these days, ranging from volatility in equity markets, falling oil prices, global terrorism, expanding regulation and oversight, and technological disruption. The technology, media and communications (TMC) industry is no exception to these trends. But while TMC leaders remain concerned, they appear to be less so than they were last year – with one exception.

While it appears surprising, at first, that TMC respondents were somewhat less concerned than they were last year about four of the top five risks identified in the survey, on further thought, it makes sense: The intrinsic technological nature of these companies requires them to stay ahead of the curve, and many have made serious efforts, after recognizing the risks back in 2014, to address them, including cyber threats, disruptive innovations and privacy concerns. They are also less worried about economic conditions restricting their growth.

I found it really interesting that the one risk that keeps technology leaders awake at night this year more than last is their concern that resistance to change in their companies may be standing in the way of necessary adjustments to their business models.

What to make of this? The survey did not delve into precisely why leaders were feeling differently, but it does stand to reason that with the speed of technological disruption, they are becoming more aware of the need to keep up by being agile and open-minded. I’ve heard it said that disruption is great – if you happen to be the one disrupting. It’s obviously less advantageous when you are the one being disrupted – and the finding underscores this awareness.

Case in point is the industry’s grand exodus from the old world of packaged software and hardware to the new world of software/platform/infrastructure as a service (S/P/IaaS). If you are an established player, the migration from the box to the cloud means fundamentally changing your entire business model.

These days, the threat to established technology companies – and there are many – comes from newer companies that were “born” in the cloud, so to speak – companies for which migration was never an issue. And while some, like Amazon and Microsoft, have demonstrated their ability to not just adapt but reaffirm their market dominance, others are still in the process of getting there – and they worry they may not get there fast enough if their organizational mindset lags behind.

Managing the risk that comes with change in business model is a concern too. A cloud provider, for example, assumes the cybersecurity risk on behalf of its customers. If you are a born-in-the-cloud company, you likely have the effective organizational mindset and the resources to address this risk. Others will need considerably more preparation in that regard – and may worry that resistance from the inside may hinder the imperative to innovate.

What’s the takeaway point? Companies in the technology sector must stay on top of their enterprise risk management (ERM) planning. They want to have access to the right information about emerging risk from their risk committees and management teams, so they can adjust quickly. These are things that should not be left to chance.

It’s important to remember that risk is a moving target. Executives are going to react differently at different times, depending on what’s going on in their markets and with their customers. But self-examination and honesty are hallmarks of this industry – and rest assured, industry leaders are continually examining their businesses and striving to ensure they have the best practices with which to face change. Let’s just call it healthy paranoia.

Core Competency: The Case for FSI IT Modernization

By Ed Page
Managing Director, FSI IT Consulting Practice Leader




In the financial services industry (FSI), “too big to fail” has a corollary that applies to core data systems. Call it “too big to fix.”

FSI companies are technology businesses. Every product and service they offer is technology-enabled, and the rapid evolution of mobile banking and digitization of processing makes technology even more critical.

The technology at the core of many of these companies, however, is outdated – layer upon layer of aging information technology (IT) systems, including mainframe computers dating back to the 1960s.

This dinosaur-age infrastructure (in technological ages) means high maintenance costs, ever-decreasing supply of knowledgeable staff to support it, and degraded business agility, among other things.

Add to this mix next-generation financial companies and businesses, which enter the market unburdened by legacy systems and ready to reap the competitive advantages of new technology from day one, and you, the bank with an outdated core system, now face the very real risk of being left behind.

With this state of affairs, one would think banks are scrambling to modernize their cores. Not exactly: Less than one-third of companies are considering core modernization, according to the latest Protiviti research. This is understandable: Core modernization projects can last years and cost hundreds of millions, even billions, of dollars. An IT executive wishing to make a business case for a project of this size, when the old systems continue to chug along, faces an uphill battle, to say the least.

Instead, many financial institutions forced to meet current market challenges do so by wrapping the old core in new functionality. While this practice costs less in the short run, it just adds complexity, and kicks the outdated-infrastructure can down the road for someone else to deal with later.

There is reason for hope, however. FSI respondents to Protiviti’s 2015 IT Priorities Survey identified some important catalysts driving them to replace core systems. The three main ones are risk mitigation (aging technology and/or aging workforce): 64 percent; cost savings: 20 percent; and revenue generation (e.g., greater product/service innovation, time-to-market): 15 percent.

As FSI IT managers, aided by these catalysts, seek to make the case for core modernization, there are several approaches they can take to reduce sticker shock and minimize the risk of service disruption associated with an all-in core upgrade.

The lowest-cost option, and a good starting point for any IT transformation, is to clear the underbrush. The evolving nature of IT infrastructure, over time, can lead to an accumulation of redundant and non-productive technology. Simplification can streamline processes without affecting customer-facing services, improve performance, and lay the groundwork for more aggressive core modernization.

When it comes to actual replacement, a phased approach is another way to ease the pain. The phased approach consists of launching new functionalities incrementally and slowly replacing portions of the core over time. This beats “big bang,” or full, core replacement in terms of disruption and cost, and although maintenance of old systems will continue to be needed for a while, the problem is not pushed indefinitely into the future. A recent Protiviti white paper on the subject covers these and other core modernization options.

Managing change takes skill and courage. By developing a well-reasoned plan for IT core migration you can help your organization cut costs, increase revenue, and mitigate the growing risk of an embarrassing IT-driven strategic crisis. And while doing nothing is certainly an option, I wouldn’t suggest you stake your career on it.

Create IT Internal Controls as Unique as Your Startup

By Steve Hobbs
Protiviti Public Company Transformation Solution Leader and Managing Director



With all the challenges startups face just to get off the ground, is it any wonder if thoughts of compliance requirements are not top-of-mind? Nevertheless, as the board and CFO know all too well, IT controls must become a top priority as the company matures and considers an IPO. Without proper IT controls, you run the risk of hurting both the top line and the filing deadlines.

Traditional internal controls, however, can run counter to the company’s culture and competitive mindset. To satisfy control and compliance requirements without disrupting the company’s culture of independence and innovation, we suggest that startups create their own IT general controls (ITGC). Our point-of-view paper, Agile Technology Controls for Startups – a Contradiction in Terms or a Real Opportunity?, discusses these matters at length.

While setting up your unique ITGC framework, here are key items to address:

  • Analyze the system environment. It’s important to focus on the necessities. Understand which systems and processes are in scope for the purpose of the compliance audit and determine if some systems can be excluded. Identify owners of each process, and eliminate unnecessary redundancies by aggregating processes under common owners when possible.
  • Identify and support key corporate data activities. Utilize existing development operations (DevOps) and agile process activities to eliminate unnecessary, unaligned and ineffective control activities. DevOps and agile process activities should be the basis for identifying and defining key ITGCs, such as test case coverage or automation of regression testing. Add additional control activities as necessary and consider alternative approaches to mitigating risk.
  • Define a future-state vision. Create a road map to envision easily how all the processes fit together. Rather than adding new manual activities, you may find that there are automated controls that can be leveraged for ITGCs to increase efficiency. Don’t forget to keep an eye on a “backlog” of improvement opportunities and initiatives that you should consider as you move toward the future.