Securing the Digital World

Digital Risk Management: Where do I start?

Mar 13, 2019 | by Steve Schlarman |

The security team exited the meeting with heads down. They had just spent a tough two hours packed in a conference room. Charles, the CISO, was particularly stressed. His mind was swirling with the implications of the discussion he and his team had just endured. He could feel the anxiety of his crew in the nervous looks exchanged across the room as the business team walked through their new initiative. They collectively walked into the 'bull pit', the area around their respective cubicles, and immediately broke into a cacophony of chatter.

"15,000 users on the first deployment? Plus one to two thousand added per month? We won't be able to keep up!"

"Did anyone catch the mention of expanding to Europe? That means EU citizen data, I don't think they understand the implications."

"Don't get me started on the architecture. We haven't even started looking into the specs and they have their contractors already coding."

Charles raised his arms to quiet his team. "Folks – I know this is a big lift. But you heard the opportunity in front of the business. This is high stakes. Let's work the issues and get the ball rolling."

Digital initiatives today are the lifeline to many businesses. The doors opened by leveraging new technologies – like IoT, social, big data analytics, AI, augmented reality and a host of others – are immense. So, what makes managing this new digital risk so hard? Haven't we survived technology shifts before? Well, sort of. Every shift in technology has had its horror stories. We went from mainframes to distributed computing – terms like "ILOVEYOU", Conficker, Code Red, and SQL Slammer should jog your memory about the difficulty of these shifts.

In the pursuit of modernization, digital technology offers organizations opportunities to transform their operations, resulting in increased speed, agility and efficiency. However, the explosion of information, users, connected devices, digital channels and third-party applications introduces new threats and risks. The technical complexity, combined with a cybersecurity talent shortage and organizational silos, can create an abundance of new opportunities for adversaries, who have more tools, resources and patience than ever before. Finally, governing bodies are trying to drive more accountability for data security and privacy by enforcing risk-based requirements versus prescriptive checklists. Security and risk requirements are converging to shift the conversation from technology-focused security issues to a business risk and litigation challenge.

Like Charles, you may be presented with an opportunity to be part of a transformation of your business. But the task can seem so daunting that it is hard to know where to start. When faced with the uncertain, it is always good to remember the basics. In this case, it is all about risk. Whether you pull out ISO 31000, the NIST Cybersecurity Framework or another source, the concepts of IDENTIFY, ASSESS and TREAT risk are an excellent way to begin.

IDENTIFY – What have you deployed that helps identify risks? Usually this will be a combination of technologies and processes. Cataloging those sources of risk identification is an important step in understanding how well you are positioned to handle emerging risks coming from digital initiatives. A secondary question to consistently ask is 'where do the identified risks go?'

ASSESS – Risks are generally not hard to find. If you are in the security world, a simple vulnerability scanner will identify enough potential issues to keep you busy seemingly round the clock. Here is where you need context to understand the RISK of an issue. Again – this may be a combination of technologies and processes, but the important factor is to evaluate the issue through a likelihood and impact lens. What tools can be used to automate analysis of issues, and what is needed to ensure the risk is tied to business impact?

TREAT – Finally, SOMETHING must be done with the risk. Whether you decide to mitigate, accept, transfer or avoid the risk, a treatment plan must be implemented. Even doing nothing requires you to at least acknowledge the accepted risk and support your decision process.
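As an added illustration of the three steps above (not code from the original post or from RSA), the following Python sketch runs a handful of constructed scanner findings through IDENTIFY, ASSESS and TREAT. Findings that cannot be tied to a known business asset are flagged rather than silently dropped, which is one concrete answer to the question 'where do the identified risks go?'; the remaining findings get a likelihood from the scanner severity and exploit availability, an impact from the asset's business context, and a treatment decision against a stated risk appetite. Accepted risks are written into the register with an owner and rationale instead of disappearing. The asset names, severities, impact scale and appetite threshold are all assumptions made up for the example.

```python
from datetime import date, timedelta

# IDENTIFY: constructed scanner output. Asset ids, titles and severities are
# made up for this example; severity is on a 0-10 CVSS-like scale.
FINDINGS = [
    {"asset": "web-01", "title": "Outdated TLS library", "severity": 7.5, "exploit_available": True},
    {"asset": "db-02", "title": "Default admin account enabled", "severity": 9.0, "exploit_available": False},
    {"asset": "lab-07", "title": "Missing OS patches", "severity": 5.0, "exploit_available": True},
    {"asset": "unknown-99", "title": "Open management port", "severity": 6.0, "exploit_available": False},
]

# Business context the scanner does not have: impact of compromise on a 1-5
# scale, the data class handled, and the accountable owner (all constructed).
ASSETS = {
    "web-01": {"impact": 4, "data": "customer PII", "owner": "digital-platform"},
    "db-02": {"impact": 5, "data": "EU citizen data", "owner": "digital-platform"},
    "lab-07": {"impact": 1, "data": "none", "owner": "r&d"},
}


def likelihood(finding):
    """Map scanner severity (0-10) to a 1-5 likelihood, bumped by one when a
    public exploit exists. The thresholds are an assumption for the example."""
    s = finding["severity"]
    base = 1 if s < 2 else 2 if s < 4 else 3 if s < 6 else 4 if s < 8 else 5
    if finding["exploit_available"]:
        base = min(5, base + 1)
    return base


def assess(findings, assets):
    """ASSESS: attach business context and score each finding as likelihood * impact.
    Returns (scored findings sorted by score, findings with no asset context)."""
    scored, unmapped = [], []
    for f in findings:
        ctx = assets.get(f["asset"])
        if ctx is None:
            # No owner, no impact rating: the risk has nowhere to go, so surface it.
            unmapped.append(f)
            continue
        lk, im = likelihood(f), ctx["impact"]
        scored.append({**f, "likelihood": lk, "impact": im, "score": lk * im,
                       "owner": ctx["owner"], "data": ctx["data"]})
    return sorted(scored, key=lambda r: r["score"], reverse=True), unmapped


def treat(risk, appetite=8, today=None):
    """TREAT: decide mitigate or accept against a risk appetite (assumed threshold).
    Acceptance is recorded with an owner, rationale and review date, never left implicit."""
    today = today or date.today()
    if risk["score"] > appetite:
        return {"treatment": "mitigate", "owner": risk["owner"],
                "due": (today + timedelta(days=30)).isoformat()}
    return {"treatment": "accept", "acknowledged_by": risk["owner"],
            "rationale": f"score {risk['score']} within appetite {appetite}",
            "review": (today + timedelta(days=90)).isoformat()}


def build_register(findings=FINDINGS, assets=ASSETS, appetite=8):
    """Run all three steps and return (register rows, unmapped findings)."""
    scored, unmapped = assess(findings, assets)
    register = [{**r, **treat(r, appetite, date(2019, 3, 13))} for r in scored]
    return register, unmapped


if __name__ == "__main__":
    register, unmapped = build_register()
    for row in register:
        print(f"{row['asset']:<8} {row['title']:<30} L={row['likelihood']} I={row['impact']} "
              f"score={row['score']:>2} -> {row['treatment']}")
    for f in unmapped:
        print(f"UNMAPPED {f['asset']}: {f['title']} (no owner or impact rating on file)")
```

The point of the example is the shape of the flow rather than the arithmetic: the scanner alone gives severity, the asset context gives impact, the register row records who owns the decision, and the unmapped list makes the 'cracks' between scanner and business visible instead of hiding them.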

Implementing these steps is not as easy as it sounds. Many times, traditional, siloed approaches to risk management and security will throw up roadblocks. These silos create 'blind spots' in understanding the true nature of risk, as visibility is disrupted by the 'cracks' between functions. Organizations are missing key insights to drive actions that can make the difference in making the right business decisions. The 'blind spots' highlight the struggle companies face today to operationalize the integration between risk management functions and cyber/IT security operations. Digital operations increase the speed and scope of business impact resulting from cyber incidents, making cyber risk the heart of digital risk. Digital Risk Management depends on the strength of the intersection between understanding business risk and the effectiveness of security operations.

Charles was right. Settling the team down and focusing them on the basics to 'work the problem' is the right place to start. Identifying clear risks, assessing their impacts and deciding the correct plan of action sets in motion a risk-based approach. Depending on your digital initiative, that could start with compliance, security, resiliency or several other points of entry to addressing digital risk. You can begin by leveraging your existing tools and processes, but evolving them to deal with the fast-moving, high stakes of digital operations may take a new perspective. Clearing out the blind spots between functions will help you understand what exposure there is and create an integrated strategy that enables innovation while managing risk around the most important parts of your new and evolving business operations.

My last blog talked about not worrying about risk – but ACTING on risk. Shining a bright spotlight in the cracks between your core functions responsible for risk management is a high impact first act. The next act will emerge from those shadows.
Register for our executive webinar series on digital risk management to find out why risk management is so critical and how companies are addressing digital risk.

Join the #TalkingDigitalRisk conversation on Twitter and social media by following @RSAsecurity.