We all live in a rapidly digitizing world: the computing power of the phone in your pocket exceeds that of the world's supercomputers of just a few decades ago. We have all seen the exponential growth in the adoption of digital products and technologies. It is the breakneck speed with which these technologies have been produced and adopted, by consumers and organizations alike, that has made the concept of "digital risk management" so hard to define.
We are in the midst of an industrial revolution, the fourth specifically. Each of these landmark periods in history irrevocably changed industry as a whole: mechanization and steam power in the late 1700s, electrification, mass production and the assembly line in the late 1800s and early 1900s, and more recently the transformation of computing and communication by the internet. The transformation we are going through now, though, is something completely different.
Building on the development of the modern computer and the adoption of the internet, the lines between the digital and physical world are becoming increasingly blurry. In fact, it has been predicted that 2019 will be the year the impact of cyberattacks reaches the physical world at scale, although attacks on industrial control systems have already caused physical disruption in individual cases.
Defining the terms
As with any tectonic shift that impacts millions, the terminology we use is still quite disparate. Indeed, it is this lack of a common language that stands in the way of many technical leaders working to get buy-in from their executives.
Information security: For our purposes, information security is the umbrella term for all activities performed by the CIO and CISO to ensure that their organization stays secure. Information security spans both the physical and the digital world.
Integrated risk management: As seen in the Gartner Magic Quadrant of 2018, integrated risk management is the natural progression of GRC. Where GRC was capable of managing and mitigating risks in the physical world, a fragmented approach cannot succeed in the digital world. Integrated risk management provides the single pane of glass that information security leaders need to see a holistic view of their environment and to perform the continuous compliance necessary to secure a digital organization.
Digitization: Many organizations have realized that, in order to ensure success, they must embrace new technologies. Gartner has grouped these technologies into cloud, mobile, social, big data, third-party technology providers, OT and the IoT.
Digital risk management: A consequence of digitization, digital risk management is the role that CISOs play in adopting these digital technologies. Digital risk management and cybersecurity are in most cases treated as interchangeable, although they are not identical: cybersecurity is one of the risks digital risk management must cover, alongside compliance, third-party and resilience risk.
Why digital risk management is a fundamental change to risk and compliance management
In order to understand why digital risk management is so ambiguous and misunderstood, we must look at the way security teams approached risk and compliance before the fourth industrial revolution.
Under a checkbox compliance approach, and using a GRC tool, security teams would perform scheduled assessments and have to assemble the necessary information from scratch each time. For many, this was, and still is, done in static spreadsheets. The information stored in those spreadsheets was, and is, outdated as soon as the team hits save. It is a static snapshot of a dynamic environment.
This process is predicated on the notion that the adoption of new tools, the addition of new vendors, and the implementation of new technologies are slow, and in the past they were. Organizations could not procure and implement a new tool in hours; it took months. Price was also a limiting factor: new tools and technologies once carried astronomical price tags that needed board approval before they could move forward. Today the adoption and implementation of new technologies is blistering. Every business unit within an organization is adding new tools to its productivity stack and implementing them faster than ever. The price of powerful solutions has dropped, and as a result purchasing decisions sit at the discretion of the managers and directors of those units. The technology adoption process is no longer slow enough for GRC to keep up.
Risk and compliance managers need two things to keep their organization secure in a digital world: a risk-aware culture that scales beyond just their own business unit, and tools flexible and smart enough to manage risk and scale as the organization adopts new technologies.
Don’t let manual effort slow down your digital transformation
As we’ve written about before, the CISO and the CEO must be a collaborative team to ensure business growth while staying secure. It is in cases of digitization and digital risk management that the CISO is at the greatest risk of appearing to be a hindrance rather than an enabler of growth.
Without the proper solution to enable the CISO to manage the compliance and risks of a digital organization, they will be hard-pressed to do their job. Given that digital technologies are dynamic, static tools used to assess the risk will leave an organization open to more and more threats.
Today, it is either keep your spreadsheets and slow (or even stop) your organization's digital transformation, or adopt a powerful new solution of your own (every other business unit gets to, why not security?) and become an ally to the CEO and empower your digitization.