In a world where continuous innovation and business disruption are driving businesses to explore new business models and to leverage new technologies, sensors and connected devices, it is imperative for companies to choose the right model for risk management.
In the past, risk management has been an extension of a command-and-control mindset, but going forward both business and technology leaders realize that security and risk management can be an enabler to future-proof their businesses and processes.
Key trends impacting businesses today and going forward:
1. Innovation leads – regulation lags behind
Enabled by mobile, IoT and cloud technologies, businesses are finding new ways to provide better and new products and services to their customers.
At this pace of innovation regulators often lag years behind, leaving it up to organizations to proactively manage that risk, while innovations like ChatGPT and DALL-E are accelerating exponentially.
Companies have long exploited the customization of content, selling services based on the data they gathered on their customers; that same data has been exposed in data breaches impacting the private, sensitive data of millions of consumers. Regulators are catching up, introducing data privacy regulations like GDPR, and it is left to organizations to put the appropriate guard rails in place to protect their clients and business without stifling growth and innovation. Often consumer protection is an afterthought or a second priority, depending on the organization.
2. Connected business models require automated controls
In a world where companies are coping with a plethora of trends, such as an always-on connected workforce, connected devices exchanging information with each other, and artificial intelligence and big data enabling them to sift through petabytes of data, it is becoming increasingly obvious that humans need support and augmented capabilities enabled by AI and machine learning.
On the downside, hackers, nation-states and criminal organizations are already leveraging AI-enabled automation to get into our systems, exfiltrate data and go after their objectives, be it to sell data on the dark web, steal intellectual property, crush a company's reputation or meddle in countries' elections.
The good news is that technologies and tools are emerging to counter that trend and to leverage automation and artificial intelligence for decision support and, in clear-cut cases, to apply the automation.
As a matter of fact, smart devices themselves can become enforcement points for controls, monitoring in real time and authenticating devices and products, improving security posture and providing additional data insights. This can for instance be leveraged to verify the authenticity of physical products as they move through a supply chain, or to have connected devices verify the digital identities of users and devices.
3. Align your actual risk exposure with your company's risk tolerance
Let's face it – there will never be 100% coverage for every possible threat to your organization. As a matter of fact, stating that an organization is 100% protected from cyber risks would mean that innovation is seriously stifled, that management is out of touch with the latest technology disruptions and that, from that position of ignorance, it probably does not have a critical incident recovery plan in place.
If Capital One, Microsoft and Marriott cannot keep intruders out of their systems, then the likelihood of a company experiencing a cybersecurity breach is high even with the right controls, tools and processes in place. As a matter of fact, the assumption needs to be that at some point you will be hacked.
With all of that happening, how do you actually measure risk and prioritize your security investments? – and by that I mean not only proactively investing in technology, but also investing in people and processes.
4. Measuring and Managing Future Digital Risk:
Many security firms and consultancies offer risk assessments based on important frameworks like the SANS/CIS security controls, ISO 27001, National Institute of Standards and Technology (NIST) controls and others.
However, it is up to your organization to prioritize investments that improve your security posture. These decisions cannot be outsourced.
The SAFE risk management framework adds further aspects to telling a story about risk, probability and impact, breaking risk down and enabling leadership teams to prioritize security investments:
- Probability: What is the likelihood and frequency of experiencing a security incident?
- Monetary Impact: In the case of a small to catastrophic incident, what is the monetary impact, not only from systems being down?
- Reputational Impact: What would it mean for current and prospective customers if information in the public domain showcased recklessness and bad business practice, as was the case when Yahoo lost 350 million dollars during the Verizon acquisition once information about the breach and management missteps surfaced?
- Operations Impact: What would it mean for your operations to be down for 1 day? How long would it take to recover?
However, there is no point in documenting risk in risk registers that are deeply buried in IT team sites.
There needs to be transparency, buy-in, prioritization and accountability for risk management among all leaders across an organization.
After all, risk is relevant for all departments, top down, bottom up and across an organization's culture, and it needs to be embraced by every employee and partner.
With that comes the need for a way to educate and inform leaders so they make the right decisions, through actionable risk measures that make business sense.
Since investments are measured in return on investment (ROI), security investments require a similar mindset.
This is where ROM – return on risk mitigation – comes into play.
With this measure in your hands you can effectively prioritize risk reduction investments based on your risk tolerance and on the innovation opportunities and markets you are striving to capture, whether digital or physical.
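To make the four factors above and the ROM measure concrete, here is a small worked example in Python. It is added to this article and is not code from the SAFE framework or from the original post; the way it combines probability, monetary, reputational and operations impact into an expected annual loss, the definition of ROM as expected loss avoided per dollar spent, and every dollar figure and percentage in the sample register are assumptions for illustration only.

```python
"""Added example: a minimal risk register scored on probability, monetary,
reputational and operations impact, ranking candidate controls by an assumed
return-on-risk-mitigation (ROM) figure. Formulas and numbers are illustrative
assumptions, not the SAFE framework's own definitions."""

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One line of the risk register, scored on the four factors above."""
    name: str
    annual_probability: float     # expected incidents per year (may exceed 1.0)
    monetary_impact: float        # direct cost per incident, dollars
    reputational_impact: float    # estimated lost business per incident, dollars
    downtime_days: float          # operations impact per incident
    daily_downtime_cost: float    # what one day of outage costs, dollars

    def loss_per_incident(self) -> float:
        return (self.monetary_impact + self.reputational_impact
                + self.downtime_days * self.daily_downtime_cost)

    def annual_expected_loss(self) -> float:
        # Probability (frequency) times impact: the classic expected-loss view.
        return self.annual_probability * self.loss_per_incident()


@dataclass(frozen=True)
class Mitigation:
    """A candidate security investment (people, process or tooling)."""
    name: str
    scenario: str                 # Scenario.name it applies to
    annual_cost: float            # dollars per year to run the control
    probability_reduction: float  # fraction of annual probability removed (0..1)
    downtime_reduction: float     # fraction of downtime days removed (0..1)


def residual_scenario(s: Scenario, m: Mitigation) -> Scenario:
    """The scenario as it looks once the mitigation is in place."""
    return replace(
        s,
        annual_probability=s.annual_probability * (1.0 - m.probability_reduction),
        downtime_days=s.downtime_days * (1.0 - m.downtime_reduction),
    )


def return_on_risk_mitigation(s: Scenario, m: Mitigation) -> float:
    """Assumed ROM definition: expected annual loss avoided per dollar spent.
    Below 1.0 the control costs more per year than the risk it removes."""
    avoided = s.annual_expected_loss() - residual_scenario(s, m).annual_expected_loss()
    return avoided / m.annual_cost


def prioritize(scenarios, mitigations):
    """Rank mitigations by ROM, highest first, as (name, rom) pairs."""
    by_name = {s.name: s for s in scenarios}
    ranked = [(m.name, return_on_risk_mitigation(by_name[m.scenario], m))
              for m in mitigations]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def over_tolerance(scenarios, annual_loss_tolerance):
    """Scenarios whose expected annual loss exceeds the stated risk tolerance,
    largest exposure first: these are the ones leadership must decide on."""
    ordered = sorted(scenarios, key=Scenario.annual_expected_loss, reverse=True)
    return [s.name for s in ordered if s.annual_expected_loss() > annual_loss_tolerance]


# Constructed sample register (hypothetical figures, not from any real assessment).
SCENARIOS = [
    Scenario("Ransomware on file servers", 0.3, 500_000, 200_000, 5.0, 100_000),
    Scenario("Credential stuffing on customer portal", 2.0, 50_000, 100_000, 0.5, 100_000),
]
MITIGATIONS = [
    Mitigation("Offline backups with tested restores", "Ransomware on file servers", 60_000, 0.0, 0.8),
    Mitigation("Enforce MFA on the customer portal", "Credential stuffing on customer portal", 40_000, 0.9, 0.0),
    Mitigation("Managed 24x7 SOC retainer", "Ransomware on file servers", 500_000, 0.5, 0.5),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name}: expected annual loss ${s.annual_expected_loss():,.0f}")
    print("Above a $300k/year tolerance:", over_tolerance(SCENARIOS, 300_000))
    for name, rom in prioritize(SCENARIOS, MITIGATIONS):
        print(f"ROM {rom:5.2f}  {name}")
```

With these assumed figures the MFA rollout ranks first (it removes most of a frequent, moderately costly exposure for little money), tested offline backups second, and the expensive SOC retainer last, with a ROM below 1.0. The point of the exercise is not the numbers but the conversation they force: leadership has to state a tolerance, and every proposed investment is compared against the loss it actually avoids rather than against a generic checklist.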