What a difference a decade makes: ten years ago, the FBI put the cost of cybercrime in the United States at $264 million, a mere fraction of the $1.4 billion reported in 2017. In many ways, what we see in that shift is a change in the very nature of cyber risk. Consider that ten years ago, data breaches—a category of cybercrime that can cost an organization millions or even billions of dollars today, and put its very existence at risk—didn't even make the FBI's list of top cybercrimes. In 2017, it was number two. Its primacy as a threat is reflected in conversations I have with RSA customers, where I hear again and again how fear of a data breach is keeping business and IT executives alike awake at night.
What's at risk for businesses today is dramatically different from what was at risk not all that long ago. The forces that shape and define risk have changed completely over the last few years. And the strategies and actions to manage that risk have to change, too.
Risk Today: Bigger Problems, Higher Stakes
Digital transformation is one of the most influential forces—perhaps the most influential force—redefining business risk today. The resulting digital risk, shaped by a combination of modernization (digital transformation itself), malice (the growing risk of cyber attack) and mandates (intensifying regulatory requirements), sends organizations scrambling for ways to address new security and risk challenges that are difficult, large in scale and continually evolving.
Cloud, mobility and the internet of things—the fundamental elements of digital transformation—open organizations up to more interactions and opportunities, as well as to greater risk. Working with third parties, a remote workforce, and digital technologies that connect your business to the world can cause concerns about cyber risk to rise to a critical level across the organization.
Today's cyber incident no longer interrupts just IT, where the damage may once have been neatly contained and easily addressed; it disrupts the entire business. And the damage—whether it's from a theft of corporate IP, a breach of customers' personal data or other event—can be devastating.
Risk Frameworks: Responding to Risk Across the Organization
Risk that doesn't respect traditional organizational boundaries merits a response that doesn't recognize those lines, either. Returning to the data breach example, if that risk is associated with engaging with a cloud service provider, it represents not only a cyber incident risk, but also a third-party risk and a data privacy risk (which is itself a compliance risk). It must be addressed on all these levels, as well as across business and IT lines. This is what RSA means when talking about business-driven security: putting IT events in a business context, so that you're able to consider them from the perspective of the business impact they exert and the business cost they exact—and vice versa.
The term we're hearing today to describe a concerted approach to managing risk in general, and digital risk in particular, is integrated risk management. It's an effort to blur the lines between security risk and business risk, bringing together strategic thinking about how to manage risk with tactical technologies for carrying out risk management strategy. The best way to realize it is through a clearly defined risk framework, similar to the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) for improving an organization's response to risk.
Taking Action: 3 Things to Do Right Now
Perhaps the greatest challenge associated with integrated risk management is that there is no single risk profile that applies to every organization. Building on a framework for improving risk management is a highly idiosyncratic exercise that will be different for every organization, depending on the specific factors contributing to its digital risk. One thing is clear, though: the framework must address risk management from the perspective of both business strategy and cybersecurity technology. That means being able to conduct business-level cyber risk quantification and modeling on the strategic side and deep-diving into threat hunting, incident response and red-on-blue training on the technology side.
Success starts with taking steps to identify the various forces shaping your organization's risk posture:
- Uncover where digital risk exists in the organization. For example, to what extent do you rely on third parties in various business operations? And do the third parties themselves rely on other parties—subcontractors, that is—to do work on your behalf? If so, your third-party risk is even greater than it would be if you only worked directly with third parties.
- Assess how well prepared you are to deal with risk in different areas. For example, is data privacy of paramount concern? Think about whether you have customers outside the U.S., subjecting you to stricter data privacy regulations than your own country imposes, or about the role of data privacy in your particular industry (healthcare, for instance) and what steps you have and haven't yet taken to address that risk.
- Quantify the cost to manage cyber risk in an integrated, concerted manner. For example, what's the cost of technology tools to address cyber incident risk by defending against attacks, detecting them when they occur and remedying them? Conversely, what's the cost of not managing that risk—i.e., the cost that would result from a data breach or other potential catastrophic cyber event? A good example is the cost of a business interruption if you aren't adequately managing business continuity risk.
If you need help to undertake these three critical steps, get it before you get underway. You'll realize from the start the benefit of having expert guidance and consultation to make the most of the risk framework within which you're operating.
Learn more about the value of frameworks for managing risk in the paper RSA Risk Frameworks: Making Digital Risk Manageable.