Digital Society is Real, and Security and Risk Management Solutions Must Embrace Digital to be Successful
Digital Society: “The collection of people and things that are engaged in continuous interaction. The online world that affects the physical world, physical context that drives online experience, and all things that become part of that interaction.”
Every security leader has heard, or said, at some point that digitization, its pervasive connectivity, and privacy implications are making the task of managing technical cybersecurity risk more complex than ever before. At the same time, cybersecurity threats pose reputational, environmental and operational business risks, with impacts that the business-side C-Suite is starting to take note of and including in more Boardroom discussions.
Digital provides a massive amount of upside for security and risk management teams, as well as business teams across finance, marketing, and IT: greater efficiency, faster time-to-value, less friction points and more automation. The high-level outcome is more innovation and greater creativity that rejuvenates legacy processes, strategies, and plans, often times using new technology such as artificial intelligence and machine learning. These new ideas lead to smarter growth and faster market penetration. Over the last 10 years especially, the problem with all of these digital innovations is that even though digital leads to innovation and creativity, it also inherently leads to more frequent disruption.
Security leaders know the process of baselining their current information security program posture well: defining their current state, their vision, and their strategy that must be executed flawlessly to get there. However, digital disruption is becoming more pervasive in organizations, expanding the gap between security leaders’ current state and their anticipated vision.
As we’ve seen with more organizations forgoing just meeting a single standard such as NIST or ISO27001, and developing custom or hybrid standards that meet and evolve with their business needs, even the best-laid plans for remediation aren’t preparing security leaders and teams for constant digital disruption that shifts the needs of their business monthly, weekly, daily. Unfortunately, until this point, no security and risk management solution could keep up with the pace of digital business and support security leaders in a way that also supports their ability to execute their strategies successfully. As more security leaders enter the Boardroom, it’s also imperative that governance is established to facilitate enhanced communication, decision making, and accountability across the C-Suite and Board when it comes to digital disruption and cybersecurity risk management.
What should the security and risk management solutions market focus on for the rest of 2019 and beyond? Supporting security leaders who are tasked to keep up with the fast pace of digital business. Speed and agility in solutions are not “nice to have”, but necessary for solutions providers to successfully support their customers in our digital society. Security and risk solutions providers must go to market with nimble, flexible, and configurable solutions that simplify the growing complexity of our digital society - knowing well that security leaders must rely on their offerings to achieve their vision efficiently. Security and risk management solution must provide security leaders with the tools they need, when they need them, and must support them in their new role in the Boardroom.
Integrated Risk Management Requires a Completely Different Approach - It’s Time to Listen to What the Market Needs
Integrated risk management (IRM) focuses on the ecosystem beyond the four walls of the enterprise. It’s meant to be is the connective tissue between partners, suppliers, third parties, business units, and more. Unfortunately for today’s security leaders, the IRM market is filled with solutions that have modules, and thus are not truly integrated. Their modules do not talk to each other and still propagate a siloed approach to risk management rather than a collaborative approach across business units and roles. Those who achieve the vision of truly integrated risk management while providing solutions that simplify, not complicate, this process will win as security and risk management continues to become a greater focus.
Integrated risk management (IRM): “a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.”
At the Gartner Summit, it was intriguing to hear global research leaders point out members of the 2018 IRM Magic Quadrant for staying fragmented, manual, and unnecessarily complex regardless of market needs. Those solutions were built as traditional governance, risk and compliance solutions (GRCs) but have attempted to relabel themselves as IRMs by assigning themselves to a new category without genuinely changing their actual offerings.
For security leaders, this outcome comes as a disappointment, but calls for a fundamentally new kind of solution to emerge, fulfilling the integrated risk management strategies that security leaders, C-suites, and Boards are trying to implement.
Gartner describes these emerging providers as agile, fully integrated, flexible, non-modular, and metrics-based solutions. which are built to scale for even the largest enterprises. Gartner analysts described this trend as a combination of IT risk, cybersecurity risk and compliance management, a fully integrated solution set in one platform.
In studying the market trends and the needs of today’s digital business, Gartner also called out another problem with today’s security and risk solutions:in an effort to add risk quantification to their legacy platforms, which is a Gartner IRM critical capability, IRM market leaders have lean on black-box scoring methodologies that are neither transparent or simple to explain. Some tools have gone to an extreme of relying on quantitative data as the sole means of managing risk. Metrics are valuable tools in a compliance and risk management program, but only when used effectively and in the way that’s valuable to the security leader. According to the Gartner research leaders at the Summit as well as the critical capabilities and other research documents, the Magic Quadrant players are not able to support truly effective risk quantification.
If done well, metrics facilitate a better understanding between security and business-side leadership, provide a simple measurement methodology, and help benchmark departments, business units, asset groups and support many other use cases across an enterprise. If done poorly, it leaves the security leader with little understanding of how she reached those metrics, little ability to communicate how those metrics affect business outcomes, and reliance on a risk quantification tool that is a hindrance to understanding. In truth, risk quantification should be coupled with qualitative data to give security, risk, and business leaders the information they need to make better, more informed decisions that rely on clear metrics - not on black-box obscurity.
In the same way that newer integrated risk management solutions are building to the needs of the market when it comes to platform flexibility and time-to-value. These same solutions have implemented simple and transparent scoring, as well as industry-standard risk quantification that allows us to sell credibly to the market as opposed to relying on proprietary scoring models and integrations.
Listen to the Market or Fail
The Gartner Security and Risk Summit was a great experience as someone obsessed with mapping the needs of the market into our own growth as an integrated risk management company. It’s clear that digital risk management is the next great wave of innovation and that IRM solutions should be focused on managing the risk of digital business, its products, and services - something our customers use our platform for today. We should also rise to the opportunity to build products and services that are able to empower security leaders to achieve true integrated risk management in the face of the digital disruption, especially disruption resulting from positive innovation and creativity of a successful business.
The last recommendation to the security and risk management solutions market is to embrace honesty and accuracy when positioning your solution to the market. Marketing in the security space is complex. There are a lot of competing voices, big budgets, and new point solutions vying for attention, but be aware that the market does care if you overpromise and underdeliver. Since some IRM products across the board are over-promising and under-delivering, transparency in all things - pricing, product marketing, time-to-value, and positioning - is your key to rapid, substantive growth.