CyberSaint Blog | Expert Thought

Risk Management In The Digital Age

Written by Ethan Bresnahan | January 15, 2019

The digital risk management function is the most nebulous facet of a cyber risk management approach. Many enterprise CISOs are beginning to design and execute a digital transformation initiative. It can be difficult for a CISO to know their role during this inflection point, let alone their position following the shift.

The crux of many CISOs' misunderstanding of digital risk management is the expansive landscape that digital risk encompasses. While other facets of IRM are well defined (corporate compliance and oversight, or audit management, have defined capabilities that a solution must have), digital risk management remains fluid. Where corporate compliance and supply chain risk management are prescribed by the regulations and standards put forth by regulatory bodies, digital risk management is defined by the specific technologies adopted by the organization. In that regard, digital risk management represents where CISOs must become proactive in their cyber program. Digital risk management capabilities are key to any cyber risk management solution, and these solutions should help you address the risk profiles detailed below.

Risk Management in the Digital Age

Digital risk is created by the technologies that a specific organization adopts. As a result, a digital risk management program must be unique to the organization. Gartner’s outline for designing a digital risk management program hinges on the technology groups that organizations adopt and the risks associated:

  • Third-party
  • Social media
  • Mobile
  • Big data
  • Internet of Things (IoT)
  • Cloud

The compounding factor that makes digital risk management harder to define in general terms is how each industry and organization applies these new technologies and the specific risks they create. For organizations undergoing digital transformation, managing its risk is a continuous process. We will explore the typical applications of these technologies and the digital risks associated with them as a foundation to build on based on specific use cases.

Third-party Risk Management

Third-party digital risk management is the aspect of digital risk management most closely related to supply chain risk management. It represents the enterprise’s shift from an individual to an ecosystem. With the increased outsourcing of periphery tasks and technology, the modern enterprise appears more like an ecosystem, relying more and more on its vendors and focusing on its key differentiators and revenue generators.

As third-party digital risks bear the closest resemblance to supply-chain risk management, these risks can be approached and mitigated with frameworks similar to those used for the rest of the supply chain. The complexity of third-party digital risk emerges when your vendor risk team asks vendors what technology they are using. Use the suggestions for the other five technologies and paradigms in those cases to assess your digital supply chain.

Social Media

Social media risk may very well be the most straightforward aspect of digital risk management: the risks associated with a social media presence (hashtag and handle impersonation, account hacking, phishing, etc.) represent multiple threats to an organization’s reputation.

In short: if your security team cannot secure your social media accounts and digital communication channels, how can prospects and customers expect you to keep the data that matters secure, much less focus on a proactive digital risk management approach?

Mobile

Mobile risk varies greatly depending on the organization's protocols and processes, but addressing it is key to managing risk in digital transformation. On a broad spectrum, CISOs and security leaders must assess how their organization uses mobile devices to determine the digital risks associated.

Gartner's guidance on common mobile threats centers on assessing OS versions, security update versions, system parameters, device configuration, firmware, and system libraries to identify security misconfigurations, device vulnerabilities, and suspicious or malicious activity. For many business models, managing risk in digital transformation is a major challenge, as digitizing company operations can cause digital security risk management goals to shift and change constantly.

As mobile devices today are much closer to the computers on our desks, they need to be treated as such. We often store as much (sometimes more) information on our mobile devices as on our desktop computers. Information security leaders, from CIOs to CISOs to Chief Risk Officers, must apply rigorous scrutiny when assessing the digital risks associated with mobile devices in their digital risk management strategy to mitigate the likelihood and impact of a cyber-attack.

Big Data

Big data, machine learning, and artificial intelligence have captured the imagination of consumers and business leaders alike. For a CISO working to secure an organization, big data solutions can be the lynchpin of their digital risk strategy. We’ve discussed before how high-risk big data solutions are. Unlike other facets of digital risk management, big data risks are not as inherently obvious.

To see the impact of a big data risk, we’ll look at COMPAS - the artificial intelligence solution used by courts to predict recidivism rates in paroled inmates. In 2016, it was found that COMPAS exhibited an extreme racial bias, keeping many incarcerated individuals in prisons based more on race than on their past crimes.

The digital risks associated with big data solutions come from their role in enhancing decision-making processes. In most cases, organizations employ an AI solution to aggregate data and deliver advanced analytics and insights that are impossible for a human being to provide feasibly. As a result, a model or training dataset flaw could skew the results and dramatically impact the organization's decision-making. Whether building a big data solution internally or sourcing from a third party, ensure this most critical digital asset is secure. 

Internet of Things (IoT)

Although the Internet of Things is one of the broadest technology groups in terms of unique use cases, it is easier to grasp given security leaders’ past work securing information and operational technologies. The barrier many security leaders face is recognizing that while IoT solutions may be smarter than their predecessors, cutting-edge, and often deliver the best customer experience (many are consumer-centric technologies), they are potentially less secure and may pose greater digital risk.

As discussed on the blog, IoT products are designed and produced quickly, often at the expense of the device's security. CISOs looking to develop protocols for their IoT solutions should examine their OT/IT procedures and modify and supplement them to ensure that they meet the needs of these smart products.

Cloud Technology

The other broad use case technology, cloud tech, is another subset of third-party risk that is a strong facet of cybersecurity risk management and digital risk management. As the use cases and applications vary so widely from organization to organization, defining the risks associated with each use case is nigh impossible. However, assuming that the common denominator for many organizations is storage, the most significant risk CISOs need to assess is the integrity of the cloud vendor.

For many leaders in the past, cloud adoption has been a binary “either we’re all in, or we’re out” decision. When accepting any digital risk in the form of adoption, but especially in the case of cloud technologies, leaders must move but move carefully. Organizations that fail to adopt cloud technologies to avoid digital security risks will slow to a pace that will inhibit their ability to compete or even stay secure, and organizations that utilize cloud technologies without a robust assessment procedure will find themselves the subject of breaches and unnecessary security risks.

Customize Your Risk Management Strategy for Digital Transformation

Flexibility is the highest-priority capability when developing a digital risk management strategy and adopting a solution to aid in the process. From Robotic Process Automation to AI, the days of checklist compliance are gone. As organizations transform and embrace new digital risks, they will start to differentiate exponentially, in ways for which regulatory bodies are incapable of mandating compliance standards. We live in a digital economy, and the use cases vary too widely.

To survive post-digital transformation and manage risk in digital transformation successfully, CISOs must develop a digital risk management strategy capable of shouldering the unique combination of risks associated with an organization’s combination of new technologies. Baseline compliance is no longer sufficient to protect information systems, customers, partners, and employees.

Thankfully, automated cyber risk assessment tools, like CyberStrong, help accelerate governance, risk, and compliance activities associated with digital risk management and digital transformation, adding measurement, automation, and validation from assessment to the Boardroom. Schedule a conversation with the CyberSaint team to see how you can enhance your cyber risk management strategy in the digital age.