The columns I have written since last September have been focused on the new capabilities spawned from the cloud compute revolution – such as AI (Artificial Intelligence) – and my experience of the change processes that the contemporary enterprise can draw on to exploit them effectively.
My key word for 2018 is Assurance – Independently Auditable Assurance. The exploitation of these new capabilities has become sufficiently all-encompassing in the modus operandi of the contemporary enterprise that an additional capability is now required to give the CIO operational confidence in this challenging new world of the virtual.
As I write, the headlines in the Financial Times (5th Jan 2018) dramatise my choice of key word. ‘Companies warned to replace all hardware or risk ‘Spectre’ attack’: ‘Race begins to find patches before hackers strike’. A fundamental flaw in chip design has been exposed: ‘a ‘meltdown’ has happened between different processes inside a computer that are meant to remain distinct and separate – specifically, the operating system’s memory and the programmes that are running on the hardware. The potential for data leakage across that boundary amounts to a gaping hole: anyone able to plant a piece of malware on a computer could theoretically tap into the core system memory’ [Richard Waters, FT 5th Jan 2018].
As ICI plc’s new CIO in 1993 I inherited a corporate datacentre and global telecoms network – all ICI’s own ‘stuff’. The annual assurance required by the ICI Board was conducted by the auditors KPMG. The (physical, operational) boundaries were defined as the ICI ‘stuff’ so KPMG’s task was simply scoped. And as the technology operations of the time (of the datacentre, of the networks) were well established, the tools employed by KPMG to do their auditing work were equally well proven and tested.
Consider today’s contemporary enterprise with its operations substantially ‘in the cloud’: a hybrid compute infrastructure exploiting the public cloud, extensive use of cloud-sourced SaaS capabilities interfaced with the systems of key clients and suppliers to automate service delivery, a family of web-based capabilities to manage sales development along channels to market…. This contemporary enterprise significantly operates in the virtual! And its boundaries?
The request to the contemporary auditor is: “Assurance, please, of our cybersecurity, of our regulatory compliance(s) (do not forget the looming GDPR), of our business continuity capabilities, of protection of our key IP. And please define the systems boundaries that you are auditing within. Given our hybrid compute operations, what confidence can you give in your audit for that part in the public cloud where we are dependent on shared infrastructure – especially given the current news of the Spectre vulnerability – ‘a ghostly vulnerability that makes it possible for an application running on a chip to look at data being used by another. Any chip running many processes at once – just about any general purpose computing system, from smart phones to the complex server farms of the Public Cloud – is potentially vulnerable’ [Richard Waters, FT 5th Jan 2018]?”
“And, incidentally, we are using an AI capability to conduct first round interviewing of potential new recruits – the system interviews them via their laptops / tablets / smart phones. As our auditors, can you give us assurance that the AI capability we are using is free of any discriminatory biases – that it promotes gender equality and full cultural diversity in our pool of potential recruits?”
All this points to a challenging new agenda of the CIO in 2018. Not just the CIO – the CISO, the CDO, the CTO… In fact it is a vital Board agenda. The challenge to putative auditors: do you have the proven tools to deliver assurance in this new world of the virtual?
AI is one example. If the interview capability outlined above has been developed by a massive exercise in machine learning based on data collected from thousands of historic interviews, what confidence can one have that historic discriminatory biases have been excluded? Does the putative auditor have the tools to penetrate the AI ‘black box’ and vet for discriminatory bias?
Discussion with a young British venture focused in the AI space (Rainbird) suggests that such an AI capability is better developed in conjunction with a panel of interview-specialised experts – a demanding commitment of real human resource. Machine learning alone will not spot discriminatory bias.
To reiterate: one major consequence of the development of cloud computing has been the rapid evolution of the great diversity of new business capabilities. The public cloud, the Internet, Social Media, Machine Learning, the Internet of Things (IoT), Robots, Big Data, Big Analytics, Artificial Intelligence (AI)…
How does the CIO, the Board ensure it can access effective independently auditable assurance of its full business operations in this new world?
Thus my key word for 2018 – Assurance.