This article explores the rise of Privacy by Design (PbD) from the basic framework, to its inclusion in the GDPR, to its application in business practices and infrastructure especially in the wake of Artificial Intelligence.
We had the pleasure of sitting down with Dr. Ann Cavoukian, former 3-Term Privacy Commissioner of Ontario, and currently Distinguished Expert-in-Residence, leading the Privacy by Design Centre of Excellence at Ryerson University in Toronto, Canada to discuss this massive shift that will upend current business practices. We’ve also sought responses from top execs from AI start-ups, and enterprise to address the current hurdles and future business implications of Privacy by Design. This article includes contributions from Scott Bennet, a colleague researching privacy and GDPR implications on emerging technology and current business practices.
I call myself an anti-marketer, especially these days. My background has predominantly come from database marketing and the contextualization of data to make more informed decisions to effectively sell people more stuff. The data that I saw, whether it be in banking, loyalty programs, advertising and social platforms — user transactions, digital behaviour, interactions, conversations, profiles — were sewn together to create narratives about individuals and groups, their propensities, their intents and their potential risk to the business.
While it was an established practice to analyze this information in the way that we did, the benefit was largely to businesses and to the detriment of our customers. How we depicted people was based on the data they created, based on our own assumptions that, in turn, informed the analysis and ultimately, created the rules which governed the data and the decisions. Some of these rules unknowingly were baked in unintended bias from experience and factors that perpetuated claims of a specific cluster or population.
While for many years I did not question the methods we used to understand and define audiences, it’s clear that business remained largely unchecked, having used this information freely with little accountability and legal consequence.
As data becomes more paramount and as AI analyzes and surfaces meaning at greater speeds, the danger of perpetuating these biases becomes even more serious and will inflict greater societal divisions if measures are not put in place and relentlessly enforced.
Recently, I met my maker. Call it atonement for the many years I manipulated data as a marketer. We had the honour of talking Privacy with an individual I had admired for years. Dr. Ann Cavoukian, in my view, will drive a discussion across industry that will make business stand up and listen.
Remember when Canada’s Privacy Commissioner took on Facebook?
Ann Cavoukian has been an instrumental force in spreading awareness of Privacy, which brought her front in centre on the world stage, pitted directly against Facebook in 2008. Back then the federal Privacy Commissioner alleged that 22 practices violated the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA). This eventually led to an FTC settlement with Facebook that mandated an increased transparency with its users, requiring their explicit consent before “enacting changes that override their privacy settings.”
Ann Cavoukian is a household name in technology and business. As a three-term Privacy Commissioner of Ontario, Canada, she has jettisoned the privacy discussion for a few decades. Today that discussion has reached a fever pitch as the EU General Data Protection and Regulation (GDPR), which came into effect May 25, 2018, includes Cavoukian’s long-advocated creation, Privacy by Design (PbD). This will raise the bar dramatically and any company or platform who does business with the EU, will need to comply with these standards. At the heart of GDPR are these guiding principles when collecting, storing and processing personal consumer information:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Storage limitation
- Integrity and confidentiality (security)
Privacy by Design’s premise is to proactively embed privacy at every stage in the creation of new products or services in a way that’s fair and ethical. Cavoukian argues that by implementing PbD, companies would, in effect, be well on their way to complying with the GDPR.
What Makes this Moment Ripe for Privacy by Design?
In the 90’s the web was growing exponentially. Commerce, online applications, and platforms were introducing a new era that would dramatically change business and society. Ann Cavoukian, at this time, was in her first term as Privacy Commissioner of Ontario. She witnessed this phenomenon and was concerned it was going to grow dramatically, and in an era of ubiquitous computing, increasing online connectivity and massive social media, she surmised that privacy needed to be developed as a model of prevention, not one which simply “asked for forgiveness later.”
Imagine going to your doctor, and he tells you that you have some signs of cancer developing and says, “We’ll see if it gets worse and if it does, we’ll send you for some chemo”. What an unthinkable proposition! I want it to be equally unthinkable that you would let privacy harms develop and just wait for the breach, as opposed to preventing them from occurring. That’s what started PbD.
In 2010, at the International Conference of Data Protection Authorities and Privacy Commissioners in Europe, Cavoukian advanced the resolution that PbD should complement regulatory compliance, to mitigate the potential harms. It was unanimously passed. The reason?
Everyone saw this was just the tip of the iceberg in identifying the privacy harms, and we were unable to address all the data breaches and privacy harms that were evading our detection because the sophistication of perpetrators meant that the majority of breaches were remaining largely unknown, unchallenged and unregulated. As a result, PbD became a complement to the current privacy regulation, which was no longer sustainable as the sole method of ensuring future privacy.
These days the issue of data security has gotten equal, if not more, airplay. Cavoukian argues:
When you have an increase in terrorist incidents like San Bernadino, Charlie Hebdo attacks in Paris, and in Manchester, the pendulum spins right back to: Forget about privacy — we need security. Of course we need security — but not to the exclusion of privacy!
I always say that Privacy is all about control — personal control relating to the uses of your own data. It’s not about secrecy. It drives me crazy when people say ‘Well, if you have nothing to hide, what’s the problem?’ The problem is that’s NOT what freedom is about. Freedom means YOU get to decide, as a law-abiding citizen, what data you want to disclose and to whom — to the government, to companies, to your employer.
Pew Research conducted an Internet Study post-Snowden to get a consumer pulse on individual privacy. Key findings cited:
There is widespread concern about surveillance by both government and business:
• 91% of adults agreed that consumers had lost control over their personal information;
• 80% of social network users are concerned about third parties accessing their data;
• 80% of adults agreed that Americans should be concerned about government surveillance.
Context is Key:
And while there are those who understand they are trading their information for an expectation of value, they should be fully informed of how that value is extracted from their data. Cavoukian cautions:
Privacy is not a religion. If you want to give away your information, be my guest, as long as YOU make the decision to do that. Context is key. What’s sensitive to me may be meaningless to you and vice versa… At social gatherings, even my doctors won’t admit they’re my doctors! That’s how much they protect my privacy. That is truly wonderful! They go to great lengths to protect your personal health information.
The importance of selling the need for privacy includes persistent education. Unless people have been personally affected, many don’t make the connection. Does the average person know the implications of IoT devices picking up the “sweet nothings” they’re saying to their spouse or their children? When they realize it, they usually vehemently object.
Context surfaces the importance of choice. It is no longer an all-or-nothing game subsumed under a company’s terms and conditions where one click, “Accept” automatically gives full permission. Those days are over.
And while some can object to analyzing and contextualization for insurance purposes, they may allow their personal health history to be included in an anonymized manner for research to understand cancers endemic to their particular region.
Context is a matter of choice; freedom of choice is essential to preserving our freedom.
Privacy Does Not Equal Secrecy
Cavoukian emphasizes that privacy is not about having something to hide. Everyone has spheres of personal information that are very sensitive to them, which they may or may not wish to disclose them.
You must have the choice. You have to be the one to make the decision. That’s why the issue of personal control is so important.
I extracted this slide from Ann Cavoukian’s recent presentation:
The <ahref=”https://www.wired.co.uk/article/china-social-credit” target=”_blank” rel=”nofollow noopener noreferrer noopener”>Chinese Social Credit System was created to develop more transparency and improve trustworthiness among its citizens. It’s a dystopia we do not want. China is a clear surveillance society that contradicts free society’s values. Cavoukian crystalizes the notion that privacy forms the foundation of our freedom. If you value freedom, you value privacy.
Look at Germany. It’s no accident that Germany is the leading privacy and data protection country in the world. It’s no accident they had to endure the abuses of the Third Reich and the complete cessation of their privacy and their freedom. And when that ended, they said, ‘Never again will we allow the state to strip us of our privacy — of our freedom!’ And they have literally stood by that.
Post-Snowden, I wrote this: The NSA, Privacy and the Blatant Realization: Nothing You Do Online is Private and referenced a paragraph written by Writynga in his response to Zuckerberg’s view at the time 2012 that privacy was no longer a social norm:
We like to say that we grew up with the Internet, thus we think that the Internet is all grown up. But it’s not. What is intimacy without privacy? What is a democracy without privacy?…Technology makes people stupid. It can blind you to what your underlying values are and need to be. Are we really willing to give away our constitutional and civil liberties that we fought so hard for? People shed blood for this, to not live in a surveillance society. We looked at the Stasi and said, ‘That’s not us.
The will of the people has demanded more transparency.
But we don’t want a state of surveillance that eerily feels like we’re living in a police state. There has to be a balance between ensuring the security of the nation and the containment of our civil liberties.
People will have Full Transparency… Full Control… Anytime
Since the passing of Privacy by Design (PbD) as an international standard in 2010 to complement privacy regulation, PbD has been translated into 40 languages. The approach has been modified to include the premise that efforts to ensure individual privacy can be achieved while developing consumer trust and improved revenue opportunities for business within a Positive Sum paradigm. Cavoukian is convinced this is the practical way forward for business:
We can have privacy and meet business interests, security and public safety … it can’t be an either/or proposition. I think it’s the best way to proceed, in a positive-sum, win/win manner, thereby enabling all parties to gain.
Privacy by Design’s Foundational Principles include:
- Proactive not Reactive: preventive not remedial
- Privacy as the default setting
- Privacy embedded into design
- Full functionality: positive sum, not zero-sum
- End-to-end security: full lifecycle protection
- Visibility and transparency: keep it open
- Respect for user privacy: keep it user-centric
Cavoukian contends that Principle #2, Privacy by Default is critical and, of all the foundational principles, is the hardest one since it demands the most investment and effort: with explicit requirements that change how the data is collected, used and disclosed, and will result in data policy and process alterations including new user-centric privacy controls.
Article 21 also states individuals have the “right to object” to the processing of their personal information at any time. This includes for use in direct marketing and profiling:
“The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject.”
The business must be more explicit and go much further, beyond the traditional disclosure and terms of service. Purpose specification and use limitation require organizations to be explicit about the information it requires, for what purpose, and must elicit consent specifically for that purpose and that purpose alone. Later on, if a secondary use transpires, the organization will require the user consent once again. If disclosure is key to transparency, businesses will need to find a way to do this while mitigating consent fatigue.
Article 17 suggests a much stronger user right that belies current business practices: The Right to Erasure (“the right to be forgotten”)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay.
While this statute will have exceptions like data that establishes the data subject as an entity: through health records and banking information, behaviour, transactions, future analysis in profiling, and contextual models are fair game for “the right to be forgotten.” The advent of the GDPR has provided business a glimpse of the potential impacts where companies experienced customer record volumes drop an average of 20% for customers who did not explicitly opt-in.
This is a truly user-centric system. Make no mistake, Privacy by Design will challenge current practices and upend current infrastructures.
This privacy UI simulation (IBM: Journey to Compliance) displays how potential user controls will work in real time and the extent to which the user can grant consent based on different contexts. This level of user access will require a data repository to purge user information, but must be configured with the flexibility to redeploy the data into systems down the road, should the user decide to revert.
Can Privacy by Design Create a Positive-Sum Existence for Business?
If you had asked me a year ago, I would have argued that Privacy by Design
is not realistic for business adoption, let alone, acceptance. It will will upend process, structure and policy. However, within the mandate of GDPR this is an inevitability.
We asked Ann Cavoukian to consider business practices today. Both Google and Facebook have received enormous fines in wake of the GDPR to the tune of $9.3 billion. Because of the recent Cambridge Analytica data breach, Facebook is investing millions in tools and resources to minimize future occurrences. It’s recent Q2 stock plummet took the market by surprise but for Zuckerberg, he made it clear they would be taking a performance hit for a few quarters in order to improve the platform for its users… not for its shareholders. While they are a beacon of how companies should behave, this clear “ask forgiveness later” model negated any appearance that this strategy was nothing less than altruistic.
We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information. In the run up to GDPR we asked people to review key privacy information which was written in plain language, as well as make choices on three important topics. Our approach complies with the law, follows recommendations from privacy and design experts, and is designed to help people understand how the technology works and their choices.
Cavoukian pointed to a study by IBM with the Ponemon Institutethat brought awareness to the cost of data breaches: It reports that the global average cost of a data breach is up 6.4 percent over the previous year to $3.86 million per incident. On a per record basis, the average cost for each record lost rose by 4.8% to $148. As Cavoukian points out, these costs will continue to rise if you maintain Personally Identifiable Information (PII) at rest.
The PbD solution requires a full end-to-end solution which includes both privacy and security:
- IT systems;
- accountable business practices; and
- networked infrastructure.
How Do You Address the Advertisers Who Successfully Monetize Data Today?
What do you say to advertisers and publishing platforms who play in this $560-billion industry? We can’t stop progress. The more data out there, the more demand from willing buyers to extract meaning from it. On the other hand, given the fallout from Facebook, some advertisers have been grey or black listed from advertising on the platform because of questionable practices or content. The platform changes have also significantly curbed ad reach opportunities for current advertisers. This domino effect is now compounded with mandates from GDPR to garner explicit consent and create greater transparency of data use. Ann Cavoukian said this:
The value of data is enormous. I’m sorry but advertising companies can’t assume they can do anything they want with people’s data anymore. I sympathize with them. I really do; their business model will change dramatically. And that is hard to take so I genuinely feel bad for them. But my advice is: that business model is dying so you have to find a way to transform this so you involve your customers, engage them in a consensual model where benefits will accrue to customers as well. Context is key. Give individuals the choice to control their information and gain their consent to exchange it for something they value from you.
Mary Meeker’s “Paradox of Privacy” points to the consumer’s increasing demand for products and services that are faster, easy, convenient and affordable. This requires systems that can leverage personal information to make this a reality for the consumer. Increased customization is the expectation but brings with it increased business risk. As long as current business practices persist, according to Cavoukian, it leaves their business vulnerable to, as we’ve witnessed, incessant data breaches and cyber attacks. Equifax and Target are two cases in point.
Communication with the data subject needs to be a win/win (positive sum). Can the business provide the necessary value, while respecting the choices dictated by the individual? When AI becomes more pervasive this will become even more challenging as streaming data will require more real-time interfaces and applications that allow access and individual configuration of data types across various contexts and vertical uses.
I asked a few executives from various data start-ups and from established enterprise businesses, who have had considerable business to consumer experience from advertising to social technology to network platforms, to weigh in on the privacy debate:
Josh Sutton, CEO of Agorai, was also former Global Head for Data and AI at Publicis.Sapient. In an advertising industry which drives hundreds of millions in revenue, the quest to build consumer relevance comes at a cost. This proliferates as more companies look to artificial intelligence to drive precision:
Data is clearly one of the most valuable assets in the world today — especially with the growing importance of artificial intelligence (AI) which relies on massive amounts of data. Data privacy needs to be incorporated into the fabric of how these technologies work in order for society to get the most benefit from AI. To me, data privacy means having the ability to control when and why data that you own is used — not the ability to keep it secret which is a far easier task. For that to happen, there needs to be open and transparent marketplaces where people and companies can sell data that they create, as well as a consistent set of regulations for how companies can use data.
Dr. Nitin Mayande, PhD, Chief Scientist of Tellagence, and former Data Scientist at Nike concurs with Josh Sutton. Nitin had been studying social network behavior for years and understands the need to transform current approaches:
Sooner or later I envision a data marketplace — a supply side and a demand side. Today, companies leverage data at the user’s expense and monetize it. The end user does not experience any real economic benefit. Imagine a time when data becomes so valuable the individual can have full control and become the purveyor of his/her own information.
For Dana Toering, Chief Revenue Officer at Yroo and former Managing Director at Adobe Advertising Cloud, his career saw the emergence of ad platforms, which heavily relied on treasure troves of data to gain increasing granularity for ad targeting:
As an entire ecosystem I feel we are just now coming to terms with the evolution of value exchange that was established between end users and digital publishers and software developers starting in October 1994 when Hotwired.com ran the internet’s first banner ad. The monetization of audiences through advertising and wide-spread data harvesting of the same audiences in exchange for ‘free’ content or software has enabled the meteoric growth of the internet and the businesses that are built around it but has also enabled massive amounts of fraud and nefarious activity. Thankfully we are at a tipping point where corporations/brands and users alike are taking back data ownership and demanding transparency, as well as consent and accountability. Defining and managing the core tenets of this value exchange will become even more important (and complex) in the future with the rise of new technologies and associated tools. So the time is now to get it right so both businesses and users can benefit long term.
I have had curious discussions with Dr. Sukant Khurana, Scientist heading the Artificial Intelligence, Data Science, and Neurophysiology laboratory at CSIR-CDRI, India. As an entrepreneur also working on various disruptive projects, he had this to say, echoing the above sentiments:
The debate between privacy and security is a misleading one, as the kind and amount of data shared with private companies and the government need not and should not be the same. AI has been vilified in data privacy issues but the same technology (especially the upcoming metalearning approaches) can be used to ensure safety while preventing unwanted marketing and surveillance. If the monitoring tools (by design) were made incapable of reporting the data to authorities, unless there was a clear security threat, such situation would be like having nearly perfect privacy. It is technologically possible. Also, we need to merge privacy with profits, such that by and large, companies are not at odds with the regulatory authorities. This means there needs to be smarter media and social platforms, which present more choices for data sharing, choices that are acceptable between the end customer and the platforms.
Alfredo C. Tan, Industry Professor, DeGroote School of Business at McMaster University has extensive experience on B2C advertising platforms, and understands the need for fair exchange, baked in trust:
If there was better control and understanding of how personal data is being used, I believe people would be willing to be more open. The balance is ensuring there is a fair value exchange taking place. In exchange for my data, my experiences become better, if not in the present but in the future. And as long as this is a trusted relationship, and people understand the value exchange then people are open to sharing more and more information. I am happy that Facebook, Amazon, and other platforms are aware that I am a male between 35–45 with specific interests in travel and pets, but no interest in hockey or skateboarding. Or that based on certain movies I watch, Netflix makes recommendation on what other types of content I would be interested in to keep me more entertained. And maybe that data is used elsewhere, with my permission to make experiences better on other platforms. The battle for data in an increasingly competitive consumer landscape is to increase engagement using personalized insight they have gleaned about their customers to ultimately create better experiences. I am certain many people do not want to go back to the anonymous web where all of us are treated largely the same and there was no differentiation in the experience.
Everyone agrees the regression to anonymity is not plausible nor tenable.
Privacy, Security, Trust and Sustainability
This is the future and it’s critical that business and government develop a stance and embrace a different way of thinking. As AI becomes more pervasive, the black box of algorithms will mandate business to develop systems and policies to be vigilant against the potential harms. Cavoukian understands it’s an uphill battle:
When I have these conversations with CEOs, at first they think I’m anti-business and all I want to do is shut them down. It’s the farthest thing from my mind. You have to have businesses operating in a way that will attract customers AND keep their business models operating. That’s the view I think you should take. It has to be a win/win for all parties.
Do you have a data map? I always start there. You need to map how the data flows throughout your organization and determine where you need additional consent. Follow the flow within your organization. This will identify any gaps that may need fixing.
TRUST: it takes years to build… and days to lose…
Perhaps this is the view that companies should take. Ann Cavoukian maintains that those who have implemented PbD say it builds enormous trust. When you have a trusted business relationship with your customers, they’re happy to give you additional consent down the road. They just don’t want the information flowing out to third parties unknown.
I tell companies if you do PbD, shout it from the rooftops. Lead with it. Tell your customers the lengths you’re going to to protect their privacy, and the respect you have for them. They will thank you in so many ways. You’ll gain their continued loyalty, and you’ll attract new opportunity.
I say to companies who see privacy as a negative, saying that it stifles creativity and innovation: ‘It’s the exact opposite: Privacy breeds innovation and prosperity, and it will give you a competitive advantage. It allows you to start with a base of trust, which steadily enhances the growth of your customers and their loyalty. Make it a win/win proposition!
Ann Cavoukian has recently launched Global Privacy and Security by Design: GPSbyDesign.org, an International Council on Global Privacy and Security. For more information on Ann Cavoukian, please go to Privacy by Design Centre of Excellence, at Ryerson University.
Hessie Jones is the Founder of ArCompany advocating AI readiness, education and the ethical distribution of AI. She is also Director for the International Council, Global Privacy and Security by Design. As a seasoned digital strategist, author, tech geek and data junkie, she has spent the last 18 years on the internet at Yahoo!, Aegis Media, CIBC, and Citi, as well as tech startups including Cerebri, OverlayTV and Jugnoo. Hessie saw things change rapidly when search and social started to change the game for advertising and decided to figure out the way new market dynamics would change corporate environments forever: in process, in culture and in mindset. She launched her own business, ArCompany in social intelligence, and now, AI readiness. Through the weekly think tank discussions her team curated, she surfaced the generational divide in this changing technology landscape across a multitude of topics. Hessie is also a regular contributor to Towards Data Science on Medium and Cognitive World publications.
This article solely represents my views and in no way reflects those of DXJournal. Please feel free to contact me firstname.lastname@example.org
4 ways to plan for the post-pandemic normal
When the crisis eases, we will have entered a new digital normal. Your strategies need to reflect this shift: Consider these factors as you plan for the longer term.
When I sat down to write this article, a follow-on to my previous article on common leadership oversights on the path to digital transformation, the coronavirus’s threat to global business had not reached the magnitude that we feel and see today. In a few short weeks, the pandemic has forced a new virtual work reality on businesses and entire operating models have been shifted – and in many cases, upended.
A business environment that is changing so dramatically and rapidly requires speed, innovation on the fly, and the need to scale thinking beyond anything we might have previously imagined. Now is not the time to back-burner digital initiatives but to ramp them up.
Now is not the time to back-burner digital initiatives but to ramp them up.
When the crisis eases, we will have entered a new digital normal. The strategies we use to run, change, and staff the business will need to reflect this shift. Consider the following factors as you plan for the longer term:
1. The right financials
Any business that isn’t digital by now likely won’t be a business for long. Learning to embrace and adjust is imperative. Continuing – or starting – a digital transformation will be more important than ever, and you’ll need to rethink your business’ capital allocation strategies for digital initiatives and the staffing that supports them.
To figure this out, become best friends with your finance team and think for both the short- and long-term. In the current climate, it can be easy to be either too short-sighted or too far-sighted, but you need to plan for the next week, month, quarter, year, three and five years.
Become best friends with your finance team and think for both the short- and long-term.
Consider how your company may bounce back from the pandemic when stay-at-home orders are lifted, kids go back to school, and consumers begin to mobilize again: We will have entered an entirely different digital world, with new digital expectations from consumers. Is there potential for a rapid and significant surge, followed by a normalization? Will you be facing a slow rise? Digital transformation funds need to be allocated to react appropriately to these various scenarios; staffing discussions should follow based on these decisions.
2. The right tools
It is likely that at least some of your employees will remain virtual, even when the majority can get back into the office. How will you support them? You may have sacrificed some tools or technologies in your move to quickly get employees out of your building and into their homes; you may have also overpaid for the sake of quick deployment.
You’ll need to rework your strategy for the long term. This could include better or more consistent access to networks and servers, the capacity to host formal business meetings online, new portable equipment, virtual collaboration and communication software, and more.
For many, this will require working with your corporate legal team to change their thinking. Where they may have once been risk-averse for the sake of the business, they will now need to take smart risks, also for the take of the business. State your case, find common ground, and move forward.
In some particularly dire situations, you may even need to become comfortable with making decisions first and asking for permission later.
3. The right staffing
You’ll need to continue to make smart staffing decisions – quickly. You likely have three types of talent available:
- Employees who are great at running the business
- Employees who are hungry for more
- New talent that may not yet exist in your business but needs to be brought in
Unfortunately, this global crisis may have created gaps in your workforce.
Identify the individuals in the first two groups and work with your talent management team to assess whether you need to advance digital investments previously planned for. Do these individuals have the right type of skills for their teams? Are they collaborative and communicative? IT cannot work in a silo, and team members need to be able to communicate what they are doing and why, and be clear on how their actions are aligned to larger goals.
When you’ve completed this review, identify the additional skills you will need for the future. This might include teams familiar with building out cloud deployments or working with microservices, etc. Push the rest of your leadership team to break through capital allocation constraints to bring in new employees who not only have the right experience but also can quickly teach your existing teams on new tools organically.
4. The right brand permission
As you work through your accelerated digital transformation, you’ll start to think about your business as a truly digital brand. In fact, you might already think so, simply because you’ve been able to get your staff up and running remotely.
But is this the perception all your stakeholders have? According to the Yale School of Management, “Brand permission defines the limits of customers’ willingness to accept a familiar brand name in new marketplace situations.” For example, you can’t simply say, “We are digital now, world!” and expect your market to immediately accept that if you haven’t been digital historically. You need to earn this right.
You can’t simply say, “We are digital now, world!” You need to earn this right.
Brand permission is something you and the rest of the company will need to work on – largely focused on delivering useful and impactful digital products and services – in order to attract the new talent you need. Start thinking about this now.
The global pandemic has thrown us into an entirely new world. Business leaders can no longer rest on their laurels and, certainly, can no longer put off or draw out a digital transformation. Making the right decisions now will help to ensure your business is positioned well when this crisis passes.
As Chief Digital Officer of Agero, Bernie Gracy brings more than 30 years of technology experience helping drive new product/platform introduction, client delivery, and the establishment of new software-enabled business models.
In his role, Gracy is responsible for all aspects of product and technology development, architecture, infrastructure, and innovation for a rapidly evolving ecosystem powered by digital, mobile, the cloud, location-based services, and IoT.
Five key trends shaping the application landscape
According to application services/application delivery company F5 Networks, 98% of organizations depend on applications to run or support their business — hardly surprising considering that most organizations have some version of a digital transformation plan.
In their new 2020 State of Application Services Report, F5 has found that most organizations have entered the second phase of DX, defined as the integration of automated tasks, “and taking advantage of cloud-native infrastructures to scale the process with orchestration.”
As Lori MacVittie, Principal Technical Evangelist, Office of the CTO at F5 Networks explains in a blog post about the rise of cloud-native architectures, the average enterprise app portfolio is now at 15% modern, microservices-based applications.
“That’s now more than the stalwart 11% of monolithic / mainframe-hosted applications,” she adds. “Considering reports of extreme backlogs for new applications in every industry, that modern apps have consumed such a significant percentage of the corporate portfolio is nothing short of impressive.”
Based on a global survey of nearly 2,600 senior leaders from various industries, company sizes, and roles, F5’s report outlines five key findings on the trends shaping the application landscape, “and how organizations around the world are transforming to meet the ever-changing demands of the digital economy.”
1. 80% of organizations are executing on digital transformation—with increasing emphasis on accelerating speed to market.
As organizations work to scale their DX efforts via a digital footprint with cloud, automation, and containers, “it is time to manage the application portfolio like the business asset it is.”
“Organizations able to harness the application (and API) data and insights generated will be rewarded with significant business value.”
2. 87% of organizations are multi-cloud and most still struggle with security.
27% of respondents reported that they will have more than half of their applications in the cloud by the end of 2020.
But despite the crucial importance of applications to business strategy, “organizations are much less confident in their ability to withstand an application-layer attack in the public cloud versus in an on-premises data center.”
When F5 asked how organizations decided which cloud is best for their applications, 41% responded that it was on a “case-by-case, per application” basis — an important strategy, given the uniqueness of each application and the purpose it serves for the business.
“It is imperative to have application services that span multiple architectures and multiple infrastructures,” outlines the report, “to ensure consistent (and cost-effective) performance, security, and operability across the application portfolio.”
3. 73% of organizations are automating network operations to boost efficiency.
Process optimization is a key motivation for DX efforts, which makes it unsurprising that most organizations are automating their network operations. The goal? Consistent automation across key pipeline components: app infrastructure, app services, network, and security.
“Despite the fact that network automation continues to rise, we are still a long way from the continuous deployment model necessary for business to really take advantage of digital transformation and expand beyond optimization of processes to competitive advantage in the marketplace.”
Respondents report that the most frequent obstacles to continuous deployment are “a lack of necessary skill sets, challenges integrating toolsets across vendors and devices, and budget for new tools.”
4. 69% of organizations are using 10 or more application services.
With the maturation and scaling of cloud-and container-native application architectures, “more organizations are deploying related app services, such as Ingress control and service discovery, both on premises and in the public cloud.”
One of the most widely deployed application services are those largely dealing with corporate and per-application security. “For the third year running, respondents told us by a wide margin (over 30 percentage points) that the worst thing they could do is deploy an app without security services,” details the report.
5. 63% of organizations still place primary responsibility for app services with IT operations, with more than half moving to DevOps-inspired teams.
“It’s also no surprise to find that as organizations transform from single-function to modern ops-oriented team structures,” adds the report, “responsibility begins to shift from IT operations and NetOps to SecOps and DevOps.”
One reason why? The shift of application services into modern architectures. “DevOps teams are intimately involved with the CI/CD pipeline, which, for cloud- and container-native apps, includes a growing portfolio of application services such as ingress control, service mesh, service discovery, and good old-fashioned load balancing.”
DX Journal covers the impact of digital transformation (DX) initiatives worldwide across multiple industries.
Digitized and digital: Two sides of the digital transformation coin
According to a research brief out of MIT, thriving in the digital age means undergoing two distinct transformations: Digitization, i.e. the incorporation of digital technology into core operations like accounting and invoicing, and becoming digital — “developing a digital platform for the company’s digital offerings.”
While both of these require companies to embrace emerging technologies, these present two distinct challenges, each with a differing set of rules and strategies. As explained by Sara Brown from the MIT Sloan School of Management, “Becoming digitized relies on traditional business methods. Becoming digital requires breaking old rules and embracing new thinking.”
Digitization relies on the company’s operational backbone, which supports core operations — i.e. how a company delivers goods and services, maintains its books of record, and completes essential back office processes, explains the research brief. Traditionally, base technologies for these were ERPs, CRMs, and core banking engines. Today, though, it’s likely software-as-a-service (SaaS).
At the same time, becoming digital means creating a digital platform — “a foundation for a company’s digital offerings and their rapid innovation.” Creating speed and innovation, “this platform, a combination of different software components that can link with partners and connect with customers, enables a company to quickly develop and add new digital offerings, and targets revenue growth,” explains Brown.
When it comes to managing both sides of this digital coin, decision-makers must manage leadership, operational, and cultural differences, Brown says:
Leadership: For digitization, leadership is firmly in place, making clear decisions, outlining processes and standards, and ensuring adoption success.
For a digital platform, however, top-down decision making stands in the way of success. Trusted teams are in the driver’s seat, innovating and implementing new ideas. It’s up to management to define an overall digital vision.
Operational: “Changes to the operational backbone can be planned and evaluated using traditional methods like metrics and customer satisfaction,” writes Brown. On the digital platform side, these methods only result in frustration.
Cultural: Digitization isn’t changing the fundamental place of the operational backbone, MIT’s research found. A digital platform, however, “means radical changes in how decisions are made and work gets done. This can be uncomfortable for people at every level.”
When it comes to actually managing these two different teams, MIT researchers suggest these three actions:
Keep ‘em separated: Simultaneous management of digitization and digital means clearly distinguishing their separate responsibilities, says the research brief. Examples of companies that have taken this approach include Schneider Electric, Royal Philips, and Toyota. In another example, one organization’s operational backbone was managed by the CIO, with a Chief Digital Officer taking the lead on the digital platform.
Funding should also be separate. As the researchers outline, “People responsible for digitization can better pursue operational excellence when the operational backbone receives consistent investment, year after year, at the enterprise level.” Meanwhile, funding for short-term digital innovation “experiments” can be easily upped or decreased, depending on outcomes.
It’s important, however, to keep the overall shared vision in mind, explains tech specialist and Tech Wire Asia editor Soumik Roy, for TechHQ. Leaders might feel that separate teams are a waste of resources, he writes, “because ultimately, the business needs its digital initiatives to converge — like its data, analytics, and platforms.” But in reality, separate teams can optimize DX efforts, but only if a shared vision of the organization’s future is kept top of mind: “Each team, working on their own side of improvements, can make contributions that help move closer to the end state. In practice, this is often more productive as well.”
Rule breaking: Inherent in digital innovation is breaking old rules and making new ones, the researchers found — from subverting budgets processes to guarantee resources to bypass CRM approaches, among other challenges.
Rule breaking ends up being manageable because it’s relatively contained to a small team that’s experimenting, though it’s crucial digital teams have sign-off and ongoing support from senior leadership.
New leadership: “Not all people who have successfully led traditional businesses are well-suited to digital business leadership,” says the brief. “The idea of breaking rules to identify what works may feel terribly unnerving for some— even when they have been encouraged to experiment.”
If someone in a leadership position isn’t comfortable with creating new rules, they explain, coaching could be implemented to help guide them in the right direction. Alternatively, there is likely plenty of new talent that is ready to implement a shift.
DX Journal covers the impact of digital transformation (DX) initiatives worldwide across multiple industries.