Risk Mitigation through Collaborative Innovation

Jan 28, 2010 | 4 mins
Business Continuity | Data and Information Security | IT Leadership

Did you innovate today?

Let’s say that you did! Good job! Did you get the idea from a podcast or webinar? Maybe. Odds are that you got wind of an interesting idea when you sat with a different team during lunch. Perhaps you attended a presentation by the business analysis group after the cancellation of an audit meeting. In either case, a synergy occurred between new and acquired knowledge – eureka! Imagine if you could institutionalize this process! Not possible? SAP did it. Their employees were able to create a network of teams focused on the creation of knowledge to drive value for their customers. This innovative approach expanded SAP’s knowledge base and improved the efficiency of the business units affected by this information.

How does this connect with the security of the organization? According to Wharton University’s Andrea Matwyshyn, security is no longer the sole responsibility of IT. “Security needs to have a process approach, coming from the top layers of a company and a culture of security,” said Matwyshyn. All levels of a company have information assets that are used in the conduct of business. Collaborating with these groups allows for improved knowledge of operational factors in the environment, which in turn enhances the quality of the data used in selecting risk control solutions.

John Hagel and John Seely Brown proposed the idea of “creation spaces” – a system of teams that leverages the power of organizational networks towards the creation of new knowledge. Their article in the Harvard Business Review suggests that this approach values innovation over the cataloging of existing knowledge. Creation spaces have the following three components.


SAP created “communities of innovation” that were focused on company and individual work-related challenges. This network included not only representatives from these areas, but also those from support functions such as developers and business analysts. It was managed by a single manager, thus reducing the silo effect of political agendas from each participant. According to Zia Yusuf, Executive VP of SAP’s Global Ecosystem & Partner Group, “when individual functions or business groups have responsibility for segments of the ecosystem, these segments tend to become silos and reflect the interests of the groups sponsoring them, rather than serving the needs of customers. By bringing all of the elements together in one place, we can more effectively focus on the customer and mobilize all of the resources relevant to the customer.”

This approach could be leveraged by involving security team members in these networks. They would benefit from the business knowledge shared in these discussions, and the network would likewise benefit from the business risk perspective they bring.


Having teams is a great start, but interaction between the teams is needed. Additionally, this network model must interact with stakeholders within the company and with its customers in order to stay current on the issues at hand.

A common pattern in my NPO engagements is requests to focus my assessments on network security. While this is an important component to examine, the usual risk factors fall into areas of policy compliance and security awareness. These companies would benefit from the formation of technical, staff, and volunteer teams that would address the business risks from varying perspectives. The end product – a 360 degree view of the organizational risk issues and control strategies that make sense to all the stakeholders.


Teams need focus of purpose, the tools with which to realize their goals, and an environment that enables their value proposition. SAP’s environment was formed around identifying customer needs and coming up with solutions that met those needs while positioning SAP competitively. This required management to design incentives and forums that supported this objective. Similarly, security leaders must create environments where security and business practitioners can benefit from collaborative information sharing.


Steven F. Fox provides security guidance to ensure compliance with Federal standards and requirements as a Senior Security Architecture and Engineering Advisor for the IRS. Fox contributes to multiple working groups including the IPv6 transition team, the Developer Security Testing workgroup and the Security and Privacy workgroup. He brings a cross-disciplinary perspective to the practice of information security, combining his experience as a security consultant, an IT Auditor and a systems engineer with principles from behavioral/organizational psychology to address security challenges. He is a syndicated blogger covering IT Governance, Risk Management and IT-Business fusion topics. He also volunteers his time to the Ponemon Institute and Security BSides Detroit.