It’s the time of year when leaves are changing colors and temperatures are dropping. It won’t be long before snow falls, and our family is out on the ski slopes. Skiing is one of the most enjoyable winter activities imaginable, but also one of the riskiest. That’s why we start gearing up early, well before the first snowfall—checking equipment, planning where to go and choosing lessons for the kids to improve their skills. Being prepared is all about making the skiing season both fun and safe. Given the choice between staying home and getting out there and enjoying ourselves, we’ll go with the latter every time. But we’ll also make sure we’re well informed and well prepared for the challenges that come with our skiing adventures.
The choice between playing it safe and seizing the moment is one that businesses face regularly in today’s digital world, where seizing the moment means embracing digital transformation. Through digital transformation, organizations gain the ability to provide more services online, enjoy a free flow of information with supply chain partners and collaborate nimbly with third parties—all of which will allow them to sharpen their competitive edge and take advantage of new opportunities. But to fully embrace digital transformation, they also have to be prepared to manage the risk it presents.
A critical source of digital risk is the explosion of online identities that comes with having so many connected devices. By embracing cloud environments and SaaS applications, the digitally connected environment creates a larger attack surface; gives rise to shadow IT and “islands of identity” that can be difficult to secure; and creates regulatory compliance challenges, because mandates like GDPR and PCI are complicated by third parties and extended business infrastructures. In the presence of all these risk factors, identity and access assurance becomes one of the most consequential controls—a key means by which organizations can better manage risk so they can freely pursue business goals.
Visibility, Insight, Action: The 3 Essentials of Digital Risk Management
1. Visibility into risk: What is the risk? What impact does it (or could it) have? Is it potentially devastating, or is it manageable? Is it a risk the organization is willing to take?
2. Insight about risk: What is our understanding of the risk? How can we think through it to make plans to manage it?
3. Action in response to risk: If the risk becomes reality, what do we do? It’s important to have a plan even when (or especially when) things are going sideways.
To gain visibility and insight requires collaboration among multiple teams, since different teams typically have different views on risk. One challenge is that in most organizations, security and risk management functions have historically operated in silos, with different priorities and perspectives. For example:
- Security teams understandably put the security of the business first.
- Line-of-business teams want to be able to get the job done without jumping through hoops.
- Compliance managers prioritize fulfilling regulatory requirements.
- CISOs need to drive security and compliance as well as alignment business goals.
- IT managers are often focused on not getting caught in the tug of war between line-of-business and security teams.
- Identity and access managers are concerned with ensuring users are who they claim to be, and have the proper level of access.
- Risk managers want to understand all the risk factors that threaten the organization.
These are all important operational priorities. The question is how can an organization break down the silos, so that people can work together to manage risk, yet still maintain their priorities? And how can teams work together to gain holistic visibility beyond their own specific concerns?
Breaking Down Silos: The Elements that Enable Visibility, Insight and Action
It takes a combination of the following elements to provide holistic visibility across silos, drive insights into risk and facilitate prioritized action to manage digital risk. These are the elements that make it possible to evaluate the level of risk, as well as the impact on the business, of granting a request to access a corporate resource.
- Business Context: If someone gains access to an application or asset they shouldn’t have access to, it’s important to understand the impact it will have on the business. How critical is the application or asset? When it comes to managing risk, there’s a big difference between someone getting access to the Customer Relationship Management application and someone getting access to the server that hosts the cafeteria menu.
- Identity Insights: Managing risk means being able to make informed access decisions that are based on the confident knowledge that a user who gains access to the organization’s secure information is who they claim to be. That requires insights into the user, what they should be able to access and how they typically behave.
- Threat Intelligence: This is information about potential threats to any aspect of how a user accesses secure systems and information, from the device they use, to the network they’re on, to the supporting infrastructure.
Pursuing digital transformation can be an exciting and rewarding path for organizations today. But just as my family and I have to devote the time and effort it takes to learn what we need to know and do what we need to do to manage the risk that comes with skiing every winter, so too do those organizations need to work to manage the digital risk they face. In both cases, the payoff is worth every bit of the effort.
# # #
Learn about RSA SecurID Suite, one of several RSA product suites that provide tools and methodologies to help organizations bridge the gap between business and security teams and more effectively manage digital risk.