Securing the Digital World

Lay the Foundations of Digital Risk Management

May 19, 2020 | by Steve Schlarman |

In my last blog, I discussed four major areas of disruption related to the current disruption. The challenges are certainly a catalyst for organizations to rethink how they maintain continuity of operations in the face of disruption.

Digital transformation and automation play a tremendous role in maintaining resiliency and continuity of business operations. A variety of examples illustrate the advantage of digitally mature companies during this crisis: Retailers continue to serve customers through increased online order and pick-up services; manufacturers rely on automated production while they deal with staffing shortages and supply chain restrictions; businesses lean hard on technologies - from video conferencing to automated workflows - to maintain continuity of operations.

Additionally, companies with highly automated operations are better positioned to adapt to 'stay at home' orders. Companies that have already enabled a dynamic work environment can shift operations more quickly. Technology is helping address many workforce enablement services – from staff hiring and onboarding to everyday meetings, and companies with more capabilities in these areas can respond faster.

Optimization of the supply chain is another area of digital transformation that increases resiliency of business operations. Advanced analytics and automated supply chains allow organizations to adjust to the needs of an evolving supply chain. The current crisis underscores the importance of knowing the "who, what, where, why, and how" of your business ecosystem. Anticipating disruptions based on geography, prioritizing supply chain issues or fast-tracking assessments of new vendors are areas where automated vendor management processes can make a difference.

Finally, companies with strong security operations (agile, automated, broad visibility into threats) and automated risk management processes (risk assessment, control exception management) can more effectively adjust to emerging risks. Modernization of risk and security practices – from advanced detection and response capabilities to automated workflows and risk assessment processes – allows an organization to address heightened threats and shift controls appropriately.

As disruption ripples across an organization, security and risk functions must adjust. With the current situation as an example, there were immediate, emergency steps taken to ensure the health and welfare of customers and employees. Next, to sustain business operations, processes had to adjust to maintain the delivery of products and services. Risks encountered during these initial phases must be identified, assessed and treated – many times with stop-gap or temporary approaches. Finally, as the organization emerges from the crisis, there will be a need to adapt by aligning and improving security and risk management practices related to business operation changes.

During these phases, response activities varied, but many had direct impacts on the organization's security and risk strategies including:

  • Enabling a remote workforce due to shelter-in-place orders. Some already had capabilities in place, but most had to ramp up with more broad deployments. These efforts had multiple security and risk implications including: secure authentication, authorization, and access privileges.
  • Resiliency efforts were mission critical for building continuity and mitigating supply chain disruption. Companies with extensive vendor ecosystems, especially physical supply chains, had to understand the who, what, where and why as these vendors were disrupted. In these circumstances, success in managing risk is dependent on how well the business continuity and vendor management processes communicate.
  • As employees increasingly relied on cloud solutions, organizations had to address cloud security risks. In tandem, heightened concern for an elevated volume of fraud attacks caused more headaches. Virtual SOCs were established quickly to address these and other security issues.

These are just a few examples. In short, companies made on-the-fly decisions to relax controls, assess risks, track exceptions and address short-term compliance exemptions while understanding that as things went back to 'normal' (whatever that would be), decisions would have to be unraveled.

Fundamentally, efforts to maintain security and reduce exposures across the digital business can be summed up in eight critical risk areas:

  • Coordinate business resiliency to maintain continuity of business operations;
  • Mitigate cyber attack risks threatening customers' digital business, customers, brand and critical assets;
  • Manage dynamic workforce risk as organizations adapt to the new paradigms of employee work environments;
  • Manage third party risk around the hyper-connected and expanding business ecosystem;
  • Manage process automation risk as digital strategies unfold supporting operational risk programs;
  • Secure cloud transformations as companies use hybrid cloud environments;
  • Modernize compliance programs to prepare for impending compliance changes with an ongoing, programmatic approach; and,
  • Evolve data governance and privacy controls to protect key information assets and meet today's privacy regulations.

These critical risk domains are the foundation of how RSA approaches digital risk management. While this may seem overwhelming, risk in the digital era is as hyper-connected as your enterprise. A unified approach to managing these critical areas of digital risk can be summed up in in three strategic efforts:

  1. Evolve security and risk management practices to support digital transformation. Traditional ways of managing risk can't keep up with the pace of modern business. A digital business needs the tools and technology of security merged with the business focus of risk management to identify, assess and treat the risks that matter most.
  2. Understand and appropriately respond to cyber threats across your organization. Malicious threats can lead to disruptions, data breaches, reputational damage and financial impacts. Protect and mitigate risks across core infrastructure, cloud, mobile, IoT and third-party ecosystems.
  3. Manage the increasingly complex regulatory landscape. Privacy and data regulations in a global economy require a continuous compliance strategy. In addition to the current regulatory requirements, anticipate a shift as industries emerge from today's disruption.

Digital transformation has blurred the boundary between cybersecurity and risk management. As companies' security and risk functions break down silos to deal with today's challenges, an integrated approach should emerge to deal with tomorrow's risks. Digital risk management brings IT, Security and Risk teams together in a unified approach and address fundamental areas of digital risk.