The digital risk management function of an integrated risk management (IRM) approach is the most nebulous facet of IRM. Many mid-market and enterprise CISOs lead organizations that are only beginning to design and execute a digital transformation initiative. It can be difficult for a CISO to know what their role is during this inflection point, let alone what their position will be after the shift.
The crux of the misunderstanding many CISOs have about digital risk management is the expansive landscape that digital risk encompasses. Other facets of IRM are well defined: corporate compliance and oversight, or audit management, have defined capabilities that a solution must provide. Digital risk management, at present, is fluid. Where corporate compliance and supply chain risk management are prescribed by the regulations and standards put forth by regulatory bodies, digital risk management is defined by the specific technologies the organization adopts. In that regard, digital risk management represents the point where CISOs must become proactive in their cyber program.
Defining digital risk for your organization
Digital risk is created by the technologies that a specific organization adopts. As a result, a digital risk management program must be unique to the organization. Gartner's outline for designing a digital risk management program hinges on the technology groups that organizations adopt and the risks associated with each:
Third party
Social media
Mobile
Big data, machine learning, and artificial intelligence
Internet of things (IoT)
Cloud
The compounding factor that makes digital risk management harder to define in general terms is the way each industry and organization applies these new technologies. We will explore the typical applications of these technologies and their associated risks as a foundation to build on for specific use cases.
Third party
The aspect of digital risk management most closely related to supply chain risk management, third-party digital risk represents the enterprise's shift from an individual entity to an ecosystem. With the increased outsourcing of peripheral tasks and technology, the modern enterprise looks more like an ecosystem, relying more and more on its vendors while focusing on its key differentiators and revenue generators.
Because third-party digital risks bear the closest resemblance to supply chain risk, they can be approached and mitigated with the same frameworks used for the rest of the supply chain. The complexity emerges when your vendor risk team starts asking vendors what technology they are using: a vendor's social media, mobile, big data, IoT, and cloud adoption becomes part of your digital supply chain. In those cases, apply the guidance for the other five technology groups below to assess it.
Social media
Social media risk may well be the most straightforward facet of digital risk management: the risks associated with a social media presence (hashtag and handle impersonation, account takeover, phishing, and so on) are primarily threats to an organization's reputation. In short, if your security team cannot secure your social media accounts, your public-facing digital communication channels, why should prospects and customers trust you to keep the data that matters secure?
Mobile
Mobile risk varies greatly depending on the controls and processes the organization has in place, so CISOs and security leaders must first assess how their organization actually uses mobile devices to determine the associated risks. The device attributes Gartner lists for assessment are OS version, security update level, system parameters, device configuration, firmware, and system libraries; these are examined to identify security misconfigurations, device vulnerabilities, and suspicious or malicious activity.
Mobile devices today are functionally the equivalent of the computers on our desks and need to be treated as such: we often store as much information on them (sometimes more) as on our desktop computers. CISOs must be rigorous when assessing the risks associated with mobile devices in their digital risk management strategy.
Big data, machine learning, and artificial intelligence
Big data, machine learning, and artificial intelligence have captured the imagination of consumers and business leaders alike. For a CISO working to secure an organization, big data solutions can be the linchpin of their digital risk strategy. We have discussed before how high-risk big data solutions are. Unlike other facets of digital risk management, the risks are not inherently obvious. To see the actual impact of a big data risk, consider COMPAS, the risk-assessment software used by courts to score a defendant's likelihood of reoffending. In 2016, an investigative analysis found that COMPAS scores were racially biased: Black defendants who did not go on to reoffend were nearly twice as likely as white defendants to be labeled high risk, while white defendants who did reoffend were more likely to be labeled low risk.
The risks associated with big data solutions stem from their role in the decision-making processes they support. In most cases, organizations employ an AI solution to aggregate data and deliver insights that a human analyst could not feasibly produce. As a result, a flaw in the model or in the training dataset skews the results and can dramatically distort decision making across the organization, and the flaw stays invisible unless someone measures for it. Whether building a big data solution internally or sourcing it from a third party, treat the model and its training data as a critical digital asset: verify that they are secure and that their outputs are checked for this kind of bias.
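As an added example (not part of the original article, and not COMPAS's own code), the following Python computes per-group error rates for a binary risk classifier over constructed records. It shows the pattern the 2016 COMPAS analysis reported: two groups with identical overall accuracy, where one group's non-reoffenders are nonetheless flagged high risk far more often. The group labels, record counts, and the 1.25 review threshold are assumptions chosen for illustration.

```python
"""Per-group error-rate check for a binary risk model.

Added example, not code from the original article and not COMPAS itself.
The records are constructed for illustration, not real court data.
Each record is (group, predicted_high_risk, actually_reoffended).
"""
from collections import defaultdict


def make_group(group, tp, fn, fp, tn):
    """Build constructed records for one group from confusion-matrix counts."""
    return ([(group, True, True)] * tp       # flagged high risk, did reoffend
            + [(group, False, True)] * fn    # flagged low risk, did reoffend
            + [(group, True, False)] * fp    # flagged high risk, did not reoffend
            + [(group, False, False)] * tn)  # flagged low risk, did not reoffend


# Constructed: both groups have 20 records, 10 reoffenders each, and the
# same number of correct predictions (13).  Only the kind of error differs.
RECORDS = (make_group("A", tp=8, fn=2, fp=5, tn=5)
           + make_group("B", tp=5, fn=5, fp=2, tn=8))


def error_rates(records):
    """Return {group: {"n", "accuracy", "fpr", "fnr"}} from (group, pred, actual)."""
    counts = defaultdict(lambda: {"tp": 0, "fn": 0, "fp": 0, "tn": 0})
    for group, predicted, actual in records:
        key = ("t" if predicted == actual else "f") + ("p" if predicted else "n")
        counts[group][key] += 1
    rates = {}
    for group, c in counts.items():
        n = sum(c.values())
        negatives = c["fp"] + c["tn"]   # people who did not reoffend
        positives = c["tp"] + c["fn"]   # people who did reoffend
        rates[group] = {
            "n": n,
            "accuracy": (c["tp"] + c["tn"]) / n,
            # false positive rate: non-reoffenders wrongly flagged high risk
            "fpr": c["fp"] / negatives if negatives else float("nan"),
            # false negative rate: reoffenders wrongly flagged low risk
            "fnr": c["fn"] / positives if positives else float("nan"),
        }
    return rates


def disparity_findings(rates, max_ratio=1.25):
    """Flag any error rate whose worst-group/best-group ratio exceeds max_ratio.

    max_ratio is an assumed review threshold, not a legal or Gartner standard.
    """
    findings = []
    for metric in ("fpr", "fnr"):
        values = {g: r[metric] for g, r in rates.items()}
        lo, hi = min(values.values()), max(values.values())
        if lo > 0:
            ratio = hi / lo
        else:
            ratio = float("inf") if hi > 0 else 1.0
        if ratio > max_ratio:
            findings.append(f"{metric}: {values} (ratio {ratio:.2f} > {max_ratio})")
    return findings


if __name__ == "__main__":
    rates = error_rates(RECORDS)
    for group, r in sorted(rates.items()):
        print(f"group {group}: n={r['n']} accuracy={r['accuracy']:.2f} "
              f"fpr={r['fpr']:.2f} fnr={r['fnr']:.2f}")
    for finding in disparity_findings(rates):
        print("DISPARITY", finding)
```

Both groups score 0.65 accuracy, so an overall accuracy figure would pass them both; only the per-group rates expose that group A's non-reoffenders are flagged 2.5 times as often as group B's. The same check applies to any classifier whose outputs feed decisions, with the group column swapped for whatever attribute the deployment must not discriminate on, and it belongs in the assessment of a vendor-supplied model as much as an internal one.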
Internet of things
Although internet of things deployments span some of the broadest and most varied use cases, IoT is easier to grasp because security leaders have already done the work of securing information technology (IT) and operational technology (OT). The barrier many security leaders face is recognizing that while IoT solutions are smarter than their predecessors, they are often less secure. As we have discussed before on the blog, IoT products are designed and shipped so fast that device security is often sacrificed. CISOs looking to develop protocols for their IoT solutions should examine their existing OT/IT procedures and modify and supplement them to meet the needs of these smart products.
Cloud
The other broad use case technology, cloud technology, is also a subset of third-party risk. Because use cases and applications vary so widely from organization to organization, defining the risks of every use case is nigh impossible. Taking storage as the common denominator for most organizations, the most significant risk CISOs need to assess is the integrity of the cloud vendor. For many leaders in the past, cloud adoption has been a binary "either we're all in, or we're out" decision. When accepting any digital risk through adoption, and especially cloud technologies, leaders must move, but move carefully. Organizations that fail to adopt cloud technologies will slow to a pace that inhibits their ability to compete, while organizations that adopt cloud technologies without a robust assessment procedure in place will find themselves the subject of breaches and unnecessary security risk.
No "one size fits all" for digital risk management
When developing a digital risk management strategy and adopting a solution to support it, flexibility is the highest-priority capability. The days of checklist compliance are over. As organizations transform and take on new digital risks, they differentiate faster than regulatory bodies can write compliance standards for; the use cases vary too widely. To survive digital transformation, CISOs must develop a digital risk management strategy capable of shouldering the unique combination of risks created by their organization's particular mix of new technologies. Baseline compliance is no longer sufficient.