Risk. We are all familiar with the term. While different perceptions of risk abound, the basics are straight forward. Whether it is the risk of crossing the street, or the risk of a multi-year, billion-dollar strategic business initiative, risk comes down to uncertainty. For the past several months, RSA® has hosted a series of webinars to evangelize the concept of 'digital risk' and 'digital risk management'. Along the way, we have seen that these terms could be construed a few different ways. For instance, Digital risk could be associated with ONLY the digital portion of risk within an organization, i.e. cybersecurity and risks related to 1s and 0s. An interpretation of digital risk management may refer to the digitization of risk management processes, e.g. automated risk assessment workflows and data analytics. While our original intent was to highlight 'digital risk' as the uncertainty associated with digital business, these tangential discussions have been beneficial in acknowledging the face of risk has changed and the requirements for risk management are evolving.
Our definition of 'digital risk' is intended to encompass the many risks associated with digital business – or in other words, "digital business (pause) risk". As organizations transform operations by adopting technology, the impact and likelihood of negative (and positive) events becomes intertwined with the digital world. As this conversation has unfolded, a few myths become apparent when contemplating the impact of the digital transformation to operational and strategic risk.
Myth #1: Digital Risk is only a technology problem
This may be the biggest misconception of digital risk. Sure – the fastest growing segment of risk involved in digital business is the technology itself. New architectures, revolutionary algorithms, and advanced automation have many sharp edges where an organization can cut itself. But those risks are only one dimension of the overall picture. Digital business risk comes in many forms ranging from contractual agreements with your partners and suppliers as you digitize your supply chain to the unpredictability of viral trends as you launch your digital marketing campaigns. These are broad issues that require a broad solution. Therefore, relegating digital risk into a technological box will not give it the attention it requires.
Myth #2: We are already ready
Most business leaders understand that the level of risk today is changing. We can cite different industry surveys, including our own RSA® Digital Risk Survey 2019, but the consistent theme is that risk today has changed due to the nature of digital business. A dangerous misconception though is that existing teams, technologies and processes are prepared to handle the change. While individual domains of risk management may be effective, the connected nature of digital business requires additional collaboration between functions. Cross-functional teams must tackle traditionally siloed risks. For example, a data breach will require a smooth, prepared transition between investigating a security incident to engaging a compliance team to initializing a crisis management team. If you expect data to flow seamlessly in your digital business when things are going as planned, you better prepare for risk management processes to flow seamlessly when things go wrong.
Myth #3: The tech will take care of itself
It would be nice if all innovation had controls and impenetrable security built in but we all know that is highly unlikely. (Ok – I know that is a bit optimistic but saying it was impossible just seemed too cynical). While advances in technology can (and have) significantly improve elements in risk management such as behavioral analytics in cybersecurity, data mining for predicting failure rates and safety sensors in SCADA/ICS, we can rest assured that there will always be gaps. As business operations become more tightly coupled via digital initiatives, the cracks between the people, processes and technologies represent potential risks that if exploited by a malicious threat or stumbled upon by accident may lead to a considerable impact.
Myth #4: There is a finish line
Face it – this isn't the first major technological wave we have experienced, nor will it be the last. Just as you lock down one area of risk, another will pop up. It is inevitable so just accept it and adapt. Continuous assessment of risks and adjustment of controls is a fact of life in security and risk management. Unfortunately, the shifts in your business or organization will not subside. Whether it is the loss of a key management champion or the rise of an unexpected threat, your risk management strategy must be as resilient as your business strategy. Points of failure, weak spots and talent needs must be anticipated for inevitable change.
For risk and security professionals, I know there is much to do as your business explores its digital future. One major contribution you can make is to ensure these misconceptions do not invade those plans. The strategy to address emerging risks related to digital operations must start with clear communication supported by stated business goals – not just a laundry list of tools and software needed to address technical risks. We know there is the need for technology support in terms of new or improved infrastructure. In conjunction with those technology controls that can automate and streamline risk treatments, the organization – in skills and processes – must be ready.
Read the RSA® Digital Risk Report 2019 to learn about the perceptions and attitudes towards risk in the digital world. Watch our ongoing webinar series on the risks of digital transformation and how you can adjust your strategies as your organization takes on digital business.
Join the #TalkingDigitalRisk conversation on Twitter and social media by following @RSAsecurity