
Digital Risk Management

Digital Risk Redefines Enterprise Risk Management


For information leaders today, there is increasing interest from non-technical parties - from the legal team to the Board - in the ongoing question "are we secure?". Any technical leader knows that the answer is not binary, especially in today's business climate. The fundamental issue information leaders must overcome is that, for the enterprise to endure, their role must evolve. We have examined before the rise of risk quantification in other domains, from insurance to ship trading. The challenge facing the modern CISO and CIO, however, is quantifying risks that have yet to be measured: digital risks.

As we have examined, the role of the information leader has evolved rapidly over the last decade. Technological innovation, and its impact on the people and processes within an organization, has driven organizations to rely more and more on the data collected by their information teams. Gartner states that by 2022, 90% of corporate strategies will explicitly mention data as a critical enterprise asset and analytics as an essential competency. The main insight is that information leaders must begin to see themselves as asset managers in the same way the CFO and COO do: data has become the new currency. As a result, information leaders are being held to the same standards as their peers when reporting on their progress and operations. To communicate effectively with the Board and CEO, information leaders must speak the same language as their counterparts: the language of risk.

Three buckets of risk

Business leaders are conditioned to measure risk and make decisions from that data. The main forms of risk that leaders face fall into three categories:

  • Financial risk: the risk of financial loss (or gain) resulting from a given investment.
  • Operational risk: the risk of loss from failures in people, processes, and systems.
  • Strategic risk: the risk most relevant to the executive team; the impact that decision-making has on the organization's direction and position.

To date, these forms of risk have covered all facets of a business - the people and processes that deliver value, the strategy guiding where the organization is going, and the cash to fund it all. We are now in a new era of business, though, with a new category to account for: the adoption of cloud technology, the spread of artificial intelligence, and the ever-increasing reliance on data have created a need to measure these digital risks in the same context as the original three.

Is digital risk a fourth bucket?

The challenge, even for seasoned actuaries, is recognizing that digital risks are no longer confined to one part of the organization - marketing teams use customer and market data to design custom campaigns, operations teams deploy internet of things technology, and AI guides strategy decisions at breakneck speed. This raises the question: is digital risk its own bucket? Or does it need to be measured as a lateral aspect of the entire enterprise?

In our conversation with Raphael Yahalom, MIT researcher and CyberSaint advisor, he took the second view. Quantifying digital risk is harder because we do not yet have the historical data to project it the way we project other forms of risk. Further, digital risk folds in forms of risk that have so far been left nebulous - reputational risk, for example: a glance at the headlines of 2018 (and the TurboTax breach in recent weeks) shows the catastrophic damage that a cyber event such as a data breach can do to an organization's reputation and even its bottom line.

New risk, new approach

The frameworks that exist today, NIST SP 800-30 (guidance for conducting risk assessments) and FAIR (Factor Analysis of Information Risk, which decomposes risk into loss event frequency and loss magnitude) among them, are the foundation on which the future of cyber risk quantification will be built. They are the first step toward letting information leaders communicate in the same fashion as their business-side counterparts, bridging the gap between technical and non-technical.
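To make the FAIR decomposition concrete, here is an added example (written for this page; it is not CyberSaint's or the FAIR Institute's code) that turns calibrated three-point estimates into a loss distribution a Board can act on. It follows the FAIR structure - risk = loss event frequency x loss magnitude, with loss event frequency = threat event frequency x vulnerability - and runs a Monte Carlo simulation over many years rather than reporting one point value. The scenario figures, the $5M loss-tolerance threshold, and the use of a triangular distribution in place of the PERT distribution FAIR practitioners usually fit are all assumptions made for illustration, not measured data.

```python
"""FAIR-style Monte Carlo estimate of annualized loss exposure.

Added example, not CyberSaint or FAIR Institute code. It uses the FAIR
decomposition risk = loss event frequency x loss magnitude, where
loss event frequency = threat event frequency x vulnerability, and
simulates many independent years to obtain a loss distribution.
Standard library only.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate (minimum, most likely, maximum).
    FAIR practitioners usually fit a PERT distribution; a triangular
    distribution is used here as a simplifying assumption."""
    lo: float
    mode: float
    hi: float

    def sample(self, rng: random.Random) -> float:
        if self.hi == self.lo:   # degenerate estimate, e.g. "nothing exploitable"
            return self.lo
        return rng.triangular(self.lo, self.hi, self.mode)

    def mean(self) -> float:
        return (self.lo + self.mode + self.hi) / 3.0   # mean of a triangular distribution


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate             # threat events per year (attempts against the asset)
    vuln: Estimate            # probability a threat event becomes a loss event, 0..1
    primary_loss: Estimate    # direct cost per loss event (response, notification, downtime)
    secondary_loss: Estimate  # extra cost when the event draws a reaction (regulators, customers)
    secondary_prob: float     # probability a loss event triggers secondary losses


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm; adequate for the small event rates used here."""
    if lam <= 0.0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def expected_ale(s: Scenario) -> float:
    """Closed-form expected annual loss, used to sanity-check the simulation."""
    per_event = s.primary_loss.mean() + s.secondary_prob * s.secondary_loss.mean()
    return s.tef.mean() * s.vuln.mean() * per_event


def simulate(s: Scenario, years: int = 20_000, seed: int = 1,
             tolerance: float = 5_000_000.0) -> dict:
    """Simulate `years` independent years and return loss-distribution statistics."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        lef = s.tef.sample(rng) * s.vuln.sample(rng)   # expected loss events this year
        total = 0.0
        for _ in range(poisson(rng, lef)):
            total += s.primary_loss.sample(rng)
            if rng.random() < s.secondary_prob:
                total += s.secondary_loss.sample(rng)
        annual.append(total)
    annual.sort()

    def pct(q: float) -> float:
        return annual[int(q * (years - 1))]

    return {
        "mean": sum(annual) / years,
        "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
        "max": annual[-1],
        "p_exceeds_tolerance": sum(x > tolerance for x in annual) / years,
    }


# Constructed scenario: the figures are illustrative assumptions, not measured data.
BREACH_SCENARIO = Scenario(
    name="customer-record exfiltration via phished SaaS admin account",
    tef=Estimate(2, 6, 20),
    vuln=Estimate(0.05, 0.15, 0.40),
    primary_loss=Estimate(50_000, 250_000, 1_500_000),
    secondary_loss=Estimate(0, 500_000, 5_000_000),
    secondary_prob=0.30,
)

if __name__ == "__main__":
    r = simulate(BREACH_SCENARIO)
    print(BREACH_SCENARIO.name)
    print(f"  expected annual loss (analytic): ${expected_ale(BREACH_SCENARIO):,.0f}")
    print(f"  simulated mean ${r['mean']:,.0f}; p10 ${r['p10']:,.0f}; "
          f"p50 ${r['p50']:,.0f}; p90 ${r['p90']:,.0f}")
    print(f"  P(annual loss > $5M) = {r['p_exceeds_tolerance']:.1%}")
```

The output that matters to a Board is not the mean but the tail: the 90th percentile and the probability of exceeding a stated loss tolerance are figures a CFO already reads for financial and operational risk, which is the "same language" point the text is making. The closed-form `expected_ale` exists only to check that the simulation is wired correctly; the skewed distribution is why a single expected value understates the exposure.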

Digital risk represents a new configuration of impacts to the business and, as a result, demands new methodologies to assess those risks. However, digital risk must be conveyed in the same terms as the other three categories to be understood by the rest of the executive suite.


Alison Furneaux
February 26, 2019