"Why haven't we seen a demonstrable reduction of risk?" This is a question increasingly being asked by business leaders around the globe who are troubled by recent headlines despite growing investment in information security products and services.
Unfortunately for business leaders, the fear of "What if?" is likely to remain as the threat landscape evolves and becomes more complex. In fact, Paul O'Rourke, Asia-Pacific and Global Financial Services Cyber Leader at PwC Australia, told RSA that rapid and widespread adoption of new technologies will likely trigger more security incidents and breaches with an even greater impact – all within the "the next 6 to 12 months." In O'Rourke's view, because more applications are being "introduced without security appropriate controls, it's inevitable that we'll see exploitations of these vulnerabilities."
In the Asia-Pacific and Japan (APJ) region specifically, digital transformation is occurring at a greater velocity than ever before. In fact, $356 billion will be spent this year on digital initiatives. Security controls are needed to keep pace with the rate of change. In his opinion, the introduction of new technology that disrupts traditional business operations "can increase [an organization's] security risk posture."
Due to this reality, InfoSec professionals are under "great stress" as the development lifecycle erodes from the ever-changing nature of technology. O'Rourke believes that this will force security teams to "reinvent themselves." In part, he believes this is because "compressed timeframes don't give security [teams] much room to assess and develop a plan," which creates vulnerabilities for the business. In O'Rourke's view, organizations need to be thinking with a "security by design" mindset where security assessments are built into the development lifecycle.
Addressing "Cyber Fatigue"
Among O'Rourke's clients there is a common frustration in the C-suite as to why there has been minimal "reduction of risk" despite more investment in security.
While there are many contributing factors – like a rapidly evolving threat landscape or just bad investments – O'Rourke believes that this perception should serve as a reminder that security professionals "need to get much sharper at addressing metrics and reporting in the language used by the stakeholders."
Historically, a CISO or CSO reports on the state of the organization's security posture by analyzing the past. Instead, O'Rourke believes that business leaders want to know "what is happening today" so they can prepare accordingly. This is particularly true because "there is a lot of transformation happening" – not just in IT. From cloud to IoT and smart initiatives, organizations (both public and private) are becoming more digital. The "speed to market," as a way to keep pace with market demands and competition, creates vulnerability and business leaders are looking to understand what risks could threaten the business in real-time.
Digital Risk on the Mind
"Rarely is there a C-Suite or Board I talk to that doesn't see cyber as a top three enterprise risk," O'Rourke told RSA. While concerns over stock price, market competition and other traditional business challenges remain, organization leaders are having to worry more about emerging digital risks.
In O'Rourke's opinion, regardless of where the business is based, the reason business leaders view cybersecurity as a consequential digital risk is because "it's the risk they're least comfortable with because it moves so quickly." Research also shows that 41 percent of chief executives say cybersecurity will present the greatest reputational risk to their business in the next 12 months.
However, it's not just cyber that is keeping executives up at night. According to O'Rourke, "privacy is the word executives are increasingly using" today. He says that cyber is "a more topical" concern, but "new regulations and GDPR" are making data privacy a "fundamentally big issue." From China to Hong Kong and Australia, there's "increasing expectation from regulators [in Asia-Pacific] that organizations need to do a better job at privacy."
To help mitigate a potential breach, organizations need to scrutinize their strategy for managing digital challenges like third-party risk and dynamic workforce, which includes the proliferation of devices, BYOD policies and contingent employees. According to O'Rourke, one fundamental challenge to managing these risks is identity and access governance. In his view, "if the right governance isn't in place, it'll [result in] an exposure for the business."
While access governance has historically been a challenge, "it's been made harder by the proliferation of IoT" in the workplace, says O'Rourke. He adds, "we've gone from having just an employee base that is monitored and can be controlled to a massive [expansion] of access." Compounding the issue are the third-party contractors and vendors that increasingly have access to an organization's critical systems. Historically, contracts and SLAs have governed security protocols, but O'Rourke says this expectation will need to evolve as "regulators want demonstration of real-time compliance and governance."
Governance Will Be Key to Managing Digital Risk
Alongside a robust access governance strategy, O'Rourke calls for GRC tools to be "embedded across the organization." In the past, he says, these tools "were deployed in a very narrow capacity," but with the expansion of digital risks, organizations should have a "reinvigorated interest" in integrating a governance and compliance tool into more areas of the business. He believes that when integrated across the business, "organizations will extract significantly more value."
# # #
What impact do you think digital risk is having on businesses? Join the #TalkingDigitalRisk conversation on Twitter and social media by following @RSAsecurity. Follow PWC's Paul O'Rourke on Twitter at @PaulO_Rourke to read more of his insights on the cybersecurity market.