Posted by Vito Nozza on May 19, 2020 10:00:00 AM
Security and risk management are always in fashion, but they’re now hotter than ever—and they can help you achieve your organization’s strategic goals.
If you had asked me six months ago what two items were top-of-mind for a CEO, I would have quickly responded: digital transformation and security, in that order. Fast forward to today and I would say it’s the COVID-19 pandemic and business continuity. That being said, we should not discount the fact that a rebounding economy will bring about not only an increase in new opportunities, but also a new risk landscape.
Now, I’m not going to make this another “what to do during a pandemic”-focused blog post. Instead, let’s discuss how companies can prioritize business survivability in current and future environments.
Let’s start by discussing digital transformation for a bit and explore why businesses engage in such an intensive ordeal. Digital transformation is really a driver that alters the thought process of business executives as they look for a competitive advantage over others within their industry. With any driver, whether internal (e.g., resources, innovation) or external (e.g., regulations, competitors, technology), new risks are introduced to the ecosystem. Risks aren’t just things that are scary and detrimental to your business. They are also opportunities to increase your business’s value. How can you make a good decision without knowing the risks that are present? Making a change to the environment alters not only the direct threat landscape, but also other entities within it.
Knowing the specific drivers that affect your industry will allow you to make your digital transformation strategy more resilient. Whether you are in healthcare (where HIoT devices are being implemented), financial services (where smart branches are the new norm), hospitality (where bots are adding business value), or elsewhere, the key is knowing your threats.
This all starts with the board, your C-suite, and senior management understanding Governance, Risk, and Compliance, or GRC. I typically recommend forming a steering committee to guide and formulate many of the company activities around GRC. But to back up for a second—what is GRC, exactly?
- The G stands for Governance, which consists of rules, policies, and processes required to ensure proper methodologies are being followed.
- The R stands for Risk Management, where understanding the risks that are faced within the environment will allow for more informed business decisions.
- The C stands for Compliance, which in today’s world of regulatory factors and privacy measures means that the company is performing due diligence. Compliance is typically considered non-negotiable in most corporations, especially public ones.
GRC is essentially a company’s ability to ensure that its values, objectives, and business efficiencies are being implemented and monitored properly. This is a vast topic that I could go on about for days. However, let’s focus on a subset of GRC that should be a mainstay for most companies: Enterprise Risk Management (ERM).
ERM builds upon traditional IT risk to create a more integrated approach to achieving organizational objectives. In order to understand the broad spectrum of risks across the company, a proper ERM program should be embedded in every aspect of the ecosystem. For example, a change in the HR department could affect the privacy of personal data, which could then affect reputational risk. This domino effect is frightening when it could mean the destabilization of a business entity.
Various risks are spread across a company and must be considered as part of a holistic approach to ERM. They include:
- Strategic Risk: The board and C-suite will need to understand what risks are evident and, depending on their risk tolerance, decide if a new path/venture is acceptable.
- Compliance Risk: As I mentioned in the GRC section, are you complying with all the applicable laws and regulations that your industry requires?
- Operational Risk: Are people, processes, and policies available to ensure operational efficiencies and business continuity?
- Insurance Risk: Should a disaster strike, do you have the proper coverage? Is your cybersecurity coverage sufficient? Do you know what exceptions exist in your coverage that could leave you exposed?
- Reputational Risk: If your company becomes compromised, will it affect your customer confidence? Will trade secrets be lost? Is your intellectual property secure?
- Residual Risk: After all your protections, controls, and measures have been taken into account, what might you be forced to live with and accept?
Understanding risk company-wide allows you to place controls on your people, policies, processes, and technology to mitigate threats, risks, and vulnerabilities. New threat vectors are constantly created as the paradigm shifts, altering the current security posture throughout the environment.
Have your new digital transformation initiatives been gauged against your board’s—and subsequently the company’s—acceptable risk tolerance? At what point does introducing or altering business objectives to gain increased value cause risk to become a problem that should be avoided?
There are various Risk and ERM frameworks (e.g., NIST CSF, NIST 800-53, and COSO), each of which describes an approach for identifying, assessing, and planning a response to the risks, as well as monitoring risks and opportunities within both internal and external environments (drivers) facing the enterprise. Management selects a risk response strategy for specific risks that have been identified and analyzed, including:
- Avoiding the Risk: Exiting the activities giving rise to risk
- Mitigating the Risk: Taking action to reduce the likelihood or impact related to the risk, placing it at an acceptable level
- Transferring the Risk: Transferring or sharing a portion of the risk, to finance it
- Accepting the Risk: Deciding no action must be taken, due to a cost/benefit breakdown
As all actions are decided upon, a proper Risk Register will allow management to make educated risk decisions based on the severity or criticality of the risk to the company. Also note that as the environment changes (as many have with the current COVID-19 crisis and influx of remote users), risks that were deemed minor might become a critical threat to the organization. This is a main reason why undergoing a risk assessment on at least an annual basis has been a security best practice and is looked upon as a measure of due diligence.
In closing, security is never a “set it and forget it” area, whether it involves a technical update, a revision on a remote user policy, or perhaps a refresh to a disaster recovery plan. Your company’s risk assessment that was conducted last year must be revisited, as new threat vectors have come to light with this pandemic.
The security advisors at ConvergeOne can help you create an Enterprise Risk Program that includes facilitating changes to the technologies required for digital transformation, mitigating risk vulnerabilities, and monitoring and optimizing the risks that do exist. As the environment changes due to business and technology challenges, opportunities, and advancements, you want to ensure proper risk measures are part of your success criteria. GRC and ERM are the lifeblood of your company’s success.
With that, I will quote one of my favorite 70s Saturday morning cartoons, “Now you know…and knowing is half the battle.”