The Internet is the backbone of the new digital economy. McKinsey estimates that data growth has generated 10% net new growth in GDP, and with the increase of IoT, it is estimated that in just three years there will be 4.3 devices connected to the Internet for every man, woman, and child on the planet. And that number is expected to grow into the hundreds. This has significant ramifications for how businesses operate.
The problem with our increasing reliance on data is that anything that can be generated, transmitted, stored, or analyzed can also be stolen. The question that many businesses are grappling with is, “how can we capitalize on the opportunity of the digital economy while managing the attendant risk?”
This is the role of risk management.
The challenge is that traditional risk management strategies do not always translate well to our new distributed and elastic networking ecosystems or to the increasing sophistication of cybercrime. The increasing hyperconnectivity of devices and networks, the globalization of the digital economy, advances in cybercrime techniques, and the commercialization of crime-as-a-service have resulted in an explosion in both the frequency and severity of cyberattacks.
Given the radical transformation of network infrastructures, every organization, regardless of size or industry, needs to regularly examine their exposure to cyber risks and prepare for a potential incident. The basic formula is Risk = Threat x Vulnerability x Consequence. While this may seem simple on the surface, getting the information required to make a risk calculation is not trivial.
Historically, organizations have focused primarily on reducing and managing the threat and vulnerability components of the equation. Of course, we need to understand what devices are on our network, where our data lives, who has access to these resources, and how applications and services connect these things together.
However, managing these elements of the equation is becoming increasingly complicated, and given the current rate of effective security breaches, it can be argued that it hasn’t been particularly effective. Part of the problem is that the isolated security tools and platforms currently deployed in our networks to address threat and vulnerability were never designed to protect today’s complex ecosystems. As we move infrastructure and services to the cloud, implement and adopt IoT technologies, embrace a more mobile workforce, and acknowledge the growth of shadow IT (where data and services live outside the network, and often out of the sight or control of the IT organization), the potential attack surface grows.
In order to be effective, risk management needs to focus more resources on the third element of the equation, which is consequence. To do that, defenders must invest time and energy getting to know what data is worth protecting, who and what can access it, and how to build an ecosystem designed to prioritize and protect your digital assets and resources.
Doing this requires creating digital trust.
Effective cybersecurity is more than just defense. It is an essential enabler of digital transformation. If organizations and users can’t trust their data, and trust that it is safe, they will not engage or take the risks that drive growth, and the digital economy will fail.
To establish digital trust, every member of the ecosystem must commit to doing their part to secure mutually valuable assets. Because interconnected networks span a variety of ecosystems, from cloud and IoT to virtualized networks and endpoint devices, protecting what’s left of our borders is no longer enough. To weave digital trust into the environment, organizations require an integrated security architecture that can provide transparency and control from top to bottom, across the entire distributed technology landscape.
But digital trust is about much more than technology. It requires shifting our paradigms from being reactive to proactive. This includes educating people, establishing a culture in which security is paramount, understanding the risks associated with business objectives, and mindfully creating processes that engineer as much risk out of the system as possible.
The goal of any risk management strategy is to maximize the opportunity while minimizing risk. This requires understanding your business goals, the context of your market, customers, value proposition, and your expected results (KPIs), and connecting them to a cybersecurity strategy. Risk can only be quantified by knowing what your vulnerabilities are as well as the impact to your organization if they are exploited.
The person primarily tasked with the protection of data assets in many organizations is the CISO. Today’s CISO must be more than a technologist and risk manager. They must also be business leaders: they must understand short- and long-term business objectives, have a clear line of sight across the organization and its technology, and be able to establish policy and governance for everyone who touches your data. At every step along the way, it should be possible for the CISO to assess vulnerabilities and threats, size the consequences of compromises, and tie investments and focus to business objectives.
It can’t stop there, however. While the CISO is the quarterback, cybersecurity as a core behavior needs to permeate every function and all levels of the organization, from the CEO and CFO on down. Each business or functional leader must be mandated to embed security into the core processes and initiatives that they respectively own. And every employee needs to understand that good security practice benefits everyone. There can be no single throat to choke – all leaders must have a role in assigning risk and assuming the weight of consequences.
To do this effectively, organizations need to be more precise about describing why something is risky. Is this risk due to a system or process vulnerability, an internal or external threat, or the consequence of something else? Organizations also need to assess the size of a risk (low, medium, or high) to appropriately allocate resources, and estimate the consequences should a breach be successful.
Finally, you have to prepare for the unknown. Many organizations that have dealt with a breach can tell you that some risks you aren’t even aware of can have severe consequences. Which means you need to be thoughtful about engineering as much risk out of your infrastructure and processes as possible to protect your most critical assets, rather than simply relying on reactive security technology.
This byline originally appeared on CSO.com