The digital risk management function of an integrated risk management (IRM) approach is the most nebulous facet of IRM. Many mid-level and enterprise CISOs lead organizations that are only beginning to design and execute a digital transformation initiative. It can be difficult for a CISO to know what their role is during this inflection point, let alone what their position will be following the shift.
The crux of the misunderstanding many CISOs have about digital risk management is the expansive landscape that digital risk encompasses. Other facets of IRM are well defined: corporate compliance and oversight, or audit management, have defined capabilities that a solution must have. Digital risk management, at present, is fluid. Where corporate compliance and supply chain risk management are prescribed by the regulations and standards put forth by regulatory bodies, digital risk management is defined by the specific technologies adopted by the organization. In that regard, digital risk management represents the point where CISOs must become proactive in their cyber program.
Digital risk management capabilities are key to any integrated risk management solution, and these solutions should help you address all of the risks detailed below.
Defining a digital risk management strategy for your organization
Digital risk is created by the technologies that a specific organization adopts. As a result, a digital risk management program must be unique to the organization. Gartner’s outline for designing a digital risk management program hinges on the technology groups that organizations adopt and the risks associated with each:
- Third party
- Social media
- Mobile
- Big data
- Internet of things (IoT)
- Cloud
The compounding factor that makes digital risk management harder to define in general terms is the way each industry and organization applies these new technologies, and the digital risk that those applications create. For organizations undergoing digital transformation, managing the associated risk is a continuous process. We will explore the typical applications of these technologies and their associated digital risks as a foundation to build on for specific use cases.
Third party
Third-party digital risk is the aspect of digital risk management most closely related to supply chain risk management, and it reflects the enterprise’s shift from an individual entity to an ecosystem. With the increased outsourcing of peripheral tasks and technology, the modern enterprise looks more like an ecosystem: relying more and more on its vendors while focusing on its key differentiators and revenue generators.
Because third-party digital risks bear the closest resemblance to supply chain risk, they can be approached and mitigated with frameworks similar to those used for the rest of the supply chain. The complexity of third-party digital risk emerges when your vendor risk team starts asking vendors what technology they are using. In those cases, apply the suggestions for the other five technologies and paradigms to assess your digital supply chain.
Social media
Social media risk may well be the most straightforward facet of digital risk management: the risks associated with a social media presence (hashtag and handle impersonation, account hacking and phishing, etc.) represent multiple threats to an organization’s reputation.
In short: if your security team is incapable of securing your social media accounts, your digital communication channels, how can prospects and customers expect you to keep the data that matters secure, much less pursue a proactive digital risk management approach?
Mobile
Mobile risk varies greatly depending on the protocols and processes an organization has in place, but addressing it is key to managing risk in digital transformation. Broadly, CISOs and security leaders must assess how their organization uses mobile devices in order to determine the associated digital risks.
The attributes of a mobile device that Gartner identifies for assessment are its OS version, security update version, system parameters, device configuration, firmware, and system libraries; examining these reveals security misconfigurations, device vulnerabilities, and suspicious or malicious activity. For many business models, managing risk in digital transformation is a major challenge here, because digitizing company operations causes digital security risk management goals to shift and change constantly.
Because mobile devices today are closer to the computers on our desks than ever, they need to be treated as such. We often store as much information on our mobile devices as on our desktop computers, and sometimes more. Information security leaders, from CIOs to CISOs to Chief Risk Officers, must be rigorous when assessing the digital risks associated with mobile devices in their digital risk management strategy, so as to mitigate both the likelihood and the impact of a cyber attack.
Big data
Big data, machine learning, and artificial intelligence have captured the imagination of consumers and business leaders alike. For a CISO working to secure an organization, big data solutions can be the linchpin of their digital risk strategy. We’ve discussed before how high-risk big data solutions are. Unlike other facets of digital risk management, big data risks are not as inherently obvious.
To see the actual impact of a big data risk, we’ll look at COMPAS, the artificial intelligence solution used by courts to predict recidivism rates in paroled inmates. In 2016, it was found that COMPAS exhibited an extreme racial bias, keeping many incarcerated individuals in prison based more on race than on their past crimes.
The digital risks associated with big data solutions come from their role in the decision-making processes they enhance. In most cases, organizations employ an AI solution to aggregate data and deliver advanced analytics and insights that a human being could not feasibly provide. As a result, a flaw in the model or the training dataset can skew the results and dramatically affect decision making for the organization. Whether building a big data solution internally or sourcing it from a third party, ensure that this most critical digital asset is secure.
Internet of Things (IoT)
Among the broadest in terms of unique use cases, internet of things technology is easier to grasp given security leaders’ past work securing information and operational technologies. The barrier many security leaders face is recognizing that while IoT solutions may be smarter than their predecessors, cutting-edge, and often deliver the best customer experience (many being consumer-centric technologies), they are potentially less secure and may pose more digital risk.
As we’ve discussed before on the blog, IoT products are designed and produced so quickly that security is often sacrificed. CISOs looking to develop protocols for their IoT solutions should examine their OT/IT procedures and modify and supplement them to ensure they meet the needs of these smart products.
Cloud
The other broad-use-case technology, cloud, is also a subset of third-party risk and a strong facet of cybersecurity risk management, and therefore of digital risk management. Because use cases and applications vary so widely from organization to organization, defining the risks associated with each is nigh impossible. However, assuming that the common denominator for most organizations is storage, the most significant risk CISOs need to assess is the integrity of the cloud vendor.
For many leaders in the past, cloud adoption has been a binary “either we’re all in, or we’re out” decision. When accepting any digital risk in the form of adoption, and especially in the case of cloud technologies, leaders must move, but move carefully. Organizations that avoid cloud technologies in order to avoid the digital security risks will slow to a pace that inhibits their ability to compete or even to stay secure, while organizations that use cloud technologies without a robust assessment procedure in place will find themselves the subject of breaches and unnecessary security risks.
No “one size fits all” for digital risk management
When developing a digital risk management strategy, and adopting a solution to aid in the process, flexibility is the highest-priority capability. From Robotic Process Automation to Artificial Intelligence, the days of checklist compliance are gone. As organizations transform and take on new digital risks, they will differentiate at an exponential rate, in ways for which regulatory bodies are incapable of mandating compliance standards. We live in a digital economy, and the use cases vary too widely.
To survive post-digital transformation, and ultimately to manage risk in digital transformation successfully, CISOs must develop a digital risk management strategy capable of shouldering the unique combination of risks created by an organization’s combination of new technologies. Baseline compliance is no longer sufficient to protect information systems, customers, partners, and employees alike.
Thankfully, cybersecurity risk management tools like CyberStrong help accelerate the governance, risk, and compliance activities associated with digital risk management and digital transformation, adding measurement, automation, and validation from assessment to boardroom.