Securing the Digital World

Standard Frameworks in a World of Digital Transformation

May 19, 2019 | by Arthur Fontaine |

Technology has always moved fast – it's an industry designed for continuous innovation. But as capabilities grow, so does complexity – and this complexity contributes to risk.

As technology has evolved, global and national standards bodies have developed a wide range of standard frameworks. These are a big help to organizations as they assess and advance their maturity in specific risk areas.

Broadly adopted frameworks include ISO 31000 for Risk Management and the NIST Cybersecurity Framework (CSF) 1.1. Many others exist for specific domains, such as NIST SP 800-161 for Supply Chain Risk Management, or NIST SP 800-61 Rev. 2 for Computer Security Incident Handling. Of course, there is a myriad of industry standards such as FINRA for Financial services and HIPAA for Health Care. Many of these frameworks are interrelated, building upon, or even wholly integrating, other frameworks.

The availability of these high-quality universal frameworks has transformed the way in which organizations around the globe protect themselves and manage risk. Methodologies are much more standardized, skills transfer more easily, and documenting processes and compliance is a more straightforward activity.

As we approach the end of the twenty-tens, let's step back and marvel at the changes the world has experienced lately. Again, technology has always moved fast – but we're in the middle of warp-speed acceleration. Just consider all the technologies that are in standard use today, that weren't a factor in 2010 or even 2015.

An explosion of disruptive technology, led by Cloud, Mobile, and IoT innovations, enables new operational models and work styles. Automation and Data Analytics fundamentally improve key processes while social media empowers direct conversations with your customers and entire value chain.

Taken together, these technology revolutions drive Digital Transformation, a tectonic shift that has rewritten the standard technology operating model in just a few short years.

Digital Transformation drives efficiency and effectiveness everywhere but, like all waves of technology, creates corresponding risk. These new foundational technologies impact an organization as broadly and deeply as anything we've experienced previously. The result is a new class of pain points – worsening current security and risk challenges, while introducing entirely new ones.

In fact, Digital Transformation creates a distinct and unprecedented class of challenges: Digital Risk. They're different in that they touch all the parts of an organization, not just Risk, Security, and IT functions. The consequences of failing to mitigate Digital Risk can be catastrophic – from data loss and crippling cyberattacks, to partnerships and technology dependencies directly affecting an organization's ability to operate and serve its clients.

RSA customers now express their requirements in these terms, not traditional concepts like cybersecurity, IT, and risk. To be sure, Digital Risk encompasses all those things, but truly addressing it requires a higher-order response. These problems are now owned at the top of the organization, not just in the functional areas.

The strength of standard frameworks is that they are well understood and widely deployed. Organizations adopting any (or all) of these frameworks put in place a process to improve and continuously mature their capabilities in a range of specific security and risk domains. And they form a kind of lingua franca for the industry, spurring the adoption of best practices across organizations of every type.

However, through the lens of Digital Transformation, and specifically Digital Risk, standard frameworks typically don't focus narrowly enough. In practice, Digital Risk tends to combine standard frameworks in new ways. These risks cut across the previously disparate core disciplines of integrated risk management, cybersecurity, and identity management, thus requiring a different approach.

Interestingly, there is a significant amount of overlap between digital risks. As you engage and improve maturity in one area, you increase your capabilities in others. Up-leveling your identity, security, or risk capabilities has similar benefits when addressing different digital risks. The net result is that the overall posture of the organization matures.

As the emergence of Integrated Risk Management coalesces the traditionally separate Risk, IT, and Cybersecurity practices, we predict that organizations and vendors will increasingly embrace this approach. Because it's both focused and flexible, it adapts to an organization's specific requirements and circumstances, including specific characteristics around industry and risk strategy.

# # #

Join the #TalkingDigitalRisk conversation on Twitter and social media by following @RSAsecurity