Software risk has historically been overlooked as a security concern by business leaders, and companies have paid a high price as a result. Remember the JPMorgan hack of 2014? That cost the bank more than $6 billion. RBS has paid £231 million for their IT failures as of two years ago. The Target breach? The retailer posted a write down of $152 million. Or, more recently, Jeep controls being taken over by hackers, and a similar incident with Toyota-Lexus having to fix a software bug that disabled cars’ GPS and climate control systems? That costs the manufacturers valuable consumer confidence points and can seriously damage sales.
So I was thrilled to know that the topic for the first annual Software Risk Summit in New York was indeed just that, software risk. I had the pleasure of moderating the panel discussion with esteemed guests from BNY Mellon, the Software Engineering Institute at Carnegie Mellon, the Boston Consulting Group and CAST. But beforehand, I was able to sit in on the keynote by Rana Foroohar.
As a regular on CNN and an economics analyst, Rana made a very important connection between America’s post-recession recovery and the role software risk will play in companies’ ability to create real, sustainable growth. According to Rana and her book Makers & Takers, we are entering a period of volatility with lower long-term growth, an unstable U.S. election cycle and a growing wealth divide. Because of this, the private sector is going to take on a bigger role in turning technology and infrastructure into tangible value that will carry the country through a period of “public sector slump.”
She shared an interesting statistic, noting that pre-2008, companies and consumers held the majority of the country’s debt. Now that paradigm has shifted, with consumers and corporations becoming more debt-averse, leaving the U.S. government to carry the vast majority of our debt burden. In this coming era of increased dependence on the private sector to create and sustain a thriving economy, it is more important than ever for business executives to take software risk seriously, take stock of their technology investments and prepare for future waves of innovation.
Following Rana’s inspiring keynote, our panel discussion dove in head-first to the tactical application of software risk mitigation. Here is a brief summary of our Q&A:
Why is Software Risk a Problem?
Benjamin Rehberg, Managing Director, BCG: The biggest responsibility lies at the CEO and board level. Many leaders may realize they’re becoming a technology company, but they’re not quite sure what to do about it. Most CEOs want to focus on boosting revenue, but they fail to recognize technology as a strategic enabler of the business.
Early technology was originally used to run internal systems, so the incentive for developers to write resilient code was very low. Only 20 years ago with initial exposure to the Internet did we start to see the need to worry about risk in systems that are directly end-customer facing. So there’s still a lot of digital risk buried in millions of lines of code.
Kevin Fedigan, Head of Asset Servicing and Broker Dealer Services, BNY Mellon: Leadership must take a progressive attitude toward risk and treat it as a core organizational value. For example, BNY measures three levels of risk: 1) general employees, 2) traditional compliance roles, 3) internal and external auditing. The financial services industry, in particular, has a reputation to uphold. We need to ensure customer trust in our systems.
Dr. Paul Nielsen, CEO of SEI: Some CEOs are uncomfortable with risk, so they delegate it to their CIO. But even then, they can’t rid themselves of the responsibility. This creates more of a stigma around risk and fosters an environment where it can grow and lead to bigger problems down the line.
It’s interesting to see us all rushing to the Internet of Things, but most of the technology supporting this shift was designed with code written before the Internet. We clearly still have some catching up to do.
Vincent Delaroche, CEO of CAST: Security must be under the umbrella of software risk. This may seem like a paradox, because there is high demand for security and not so much for resiliency and efficiency…things that are software risk measures that also help with security. I think within the next six months to one year, we are going to reach a tipping point where there is going to be a spike in demand for risk prevention tools that also help leaders set clear objectives.
What does culture have to do with software risk? Do we have a communication issue? What is IT not doing to get the business and the board’s attention?
BNY Mellon: We make the business own the risk, so risk is not removed from business outcomes. For example, with high priority items, that risk must be removed within a 30 day window. Our CEOs report to the Chief Risk Officer to ensure we aren’t putting risk and security to the wayside. We’re doing the best we can to remove those communication barriers and increase transparency between operations and the business.
SEI: There are too many risks to address them all, so you have to figure out what really matters. By setting benchmarks, it’s easier to measure your investment and prove ROI. There is a set of specific risk issues that have been identified as important by the Consortium for IT Software Quality, an organization we’re involved in, along with a standard measurement framework.
BCG: Financial risk is a big topic for many of our clients. Financial institutions are constantly being hammered by regulators to comply, but they have such a broad range of technologies to manage. Because of this, we’re seeing that most outages are actually due to the “plumbing in between” various components of core systems and business processes. Very few technologists are actually looking at the transaction level between the technologies, and that’s a big place we see clients get messed up.
What is the correlation between costs and risk?
SEI: Effective leaders will balance cost with productivity. It’s important to determine what is vitally important to your business and make sure those systems don’t degrade, but you must also prioritize where the investment goes. Many leaders still don’t understand where the risk comes from. The industry would benefit from a “genetic testing of software.”
BCG: The earlier you catch risks, the less it will cost to repair. What we’ve seen work well is creating a culture of incentives for high quality code. There’s a big push for IT organizations to become more agile and set up code peer reviews to help create more robust software.
CAST: Let’s say a development team for a large enterprise has about 1,000 engineers. Each year, an IT department this size will have to deal with about 20,000 software defects in production. When we look at these defects, we typically see that 90% cost very little, maybe a few hundred dollars. 9% of defects cost the business an average of $5,000, and only 1% of defects are severe enough to cost the business upwards of $50,000. So, individually, these errors are small. But when we look at them together, we see enterprise CIOs writing off upwards of $20 million per year and not thinking twice.
Conversely, if you look at the top 1% of the 1% of severe defects, this is where you see the massive breaches and glitches that sometimes end up in the press (like RBS, HSBC and others). These outages can cost companies an average of $600 thousand, according to the most recent KPMG Risk Radar, and very quickly catch the attention of senior leaders and CEOs.
At CAST, we help illuminate and prevent the 1% catastrophic risks and some of the “hidden” costs of the 99%, showing CIOs how to get more from their IT departments. Left unchecked, these common issues can consume more than 20% of ADM budget and keep developers from focusing on delivering new, innovative value to the business.
The good news is that we have concrete data points and studies that show the correlation between product defects and software flaws. There are currently about 60 critical flaws documented by the Consortium for IT Software Quality that need to be addressed, so this is manageable for CIOs and IT departments. And, the same set of flaws that reduce the risk of newsworthy incidents also lower the unseen cost of glitches.
As the Software Risk event would indicate, it’s clear that some companies are leading the way forward by integrating IT innovation with strategic business outcomes. But many are still stuck trying to justify IT expenditures that don’t necessarily correlate to growth. Organizations that link software risk performance with executive objectives will fare better than others.
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M&A. Besides the financial and commercial aspects, PE firms now equally value technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target’s systems, customized quality metrics, and liability implications of open source components, all three of which are critical for M&A due diligence.