The rise of the modern, digital enterprise has transformed business decision-making. Almost all (98 percent) organisations are now engaged in digital transformation initiatives, with global spending on digital transformation set to reach $2.3tn by 2023. Businesses are harnessing digitisation to create new avenues for growth, improving customer experiences, accelerating delivery of new products and services and optimising business operations. However, this has also resulted in a growing, and far more complex, set of digital risks – as third-party digital ecosystems grow, the number of connected devices soars, and a more mobile and dynamic workforce emerges.
Companies are concerned about these risks – and rightfully so. 88 percent of organisations expect their risk profile to change over the next few years due to digital transformation. It’s understandable, therefore, that discussions at the top of organisations are also evolving, as board members now ask increasingly nuanced, probing and complex questions about risk. The difficulty for Chief Risk Officers (CROs) and Chief Information Security Officers (CISOs) is that the constantly shifting nature of the new digital risk landscape makes it hard to present a clear yet concise picture of what the business faces. The conversation can swing between highly technical details and broad, sweeping generalisations, leading to miscommunication and a lack of understanding or prioritisation of digital risk at the C-suite level.
As a result, it’s more important than ever that CROs and CISOs are able to determine, prioritise and then communicate risk to business decision-makers. To help with this, here are three steps they can take to ensure they are risk-ready, whatever comes their way:
- Turn risk into a business partner
We now live, work and play in a hyperconnected digital world. Systems are upheld and connected by complex infrastructures, and risk is an inherent part of the equation. To become risk-ready, businesses need to break down traditional silos between departments and teams and take a more unified approach to risk management. A unified approach enables different areas of the business to collaborate, share insights on the digital risks they face and prioritise those risks based on the context of the wider company and its long-term vision.
Understanding the future aims and direction of the business helps shape risk strategy, ensuring risk management practices evolve as quickly as the business and adapt as new risks arise. Continued dialogue across the organisation about the new issues or threats different departments may be facing is required. Ongoing communication gives business leaders the context they need to judge how operational changes may affect the organisation’s risk profile.
- Tackle technology, people and processes – not just one!
Though ‘people, process and technology’ is a well-used phrase, putting it into practice can be difficult and requires striking the right balance. Technology is, of course, crucial to enhance and support teams, providing visibility into risks faced – such as advanced threat detection on company networks and systems. However, it’s important to remember it isn’t a silver bullet; optimising processes and ensuring the workforce’s skills and resources are well matched are also crucial to becoming a risk-ready enterprise.
Taking this three-pronged approach helps ensure that security teams don’t rely on technology alone to defend against each and every threat the business faces. Instead, with the right mix of people, process and technology, teams can identify what matters to the organisation, prioritise risks and threats accordingly, and align technology purchases and the security approach with the overall business strategy.
- Understand the third-party ecosystem and how it impacts risk
In the era of digital transformation, the risk-ready enterprise understands its success must now be a team effort. Digital business ecosystems are constantly expanding, and are unavoidable, as organisations increasingly rely on third parties to offer specific skills, tools, or enhanced customer relationship management, to name just a few benefits. However, external parties can also introduce complex risks to businesses that need to be managed.
Assessing third parties’ risk management capabilities is a crucial component of becoming a risk-ready enterprise, and this must take place across the entire organisation. Third-party risk shouldn’t be considered the responsibility of IT teams alone; building visibility and understanding of how these risks can affect other areas of the business results in more informed decisions on new partners, a consolidated approach to managing third-party risk and better protection for the business as a whole.
Look beyond box-checking exercises
The constant digital evolution of modern enterprises is magnifying the scope of risk. Growing numbers of third-party relationships, new technology that increases exposure points for sensitive data and an expanding digital attack surface mean that becoming a risk-ready organisation is more important than ever. To successfully manage the breadth, growth and complexity of digital risk, organisations must abandon ‘box-checking’ exercises in favour of a more measured, business-driven risk management strategy that identifies, assesses and treats risk within a wider business context. Understanding the digital risk profile will enable boards and leadership teams to make better-informed decisions on how to put the right safeguards in place to move quickly, but safely, through their digital journey.
By Steve Schlarman, Director & Portfolio Strategist, RSA Security