Rising complexity, higher stakes for enterprise risk management
Cyber risk has understandably become a focal point for enterprise risk managers, but the risk landscape is multi-layered and extends beyond the realm of cybersecurity. In addition to contending with a daunting array of cyberthreats, enterprises are determining how much risk they are willing to accept in deploying emerging technologies, working through a heightened focus on customer privacy and adjusting to changes in the regulatory environment.
New industry research from ISACA, CMMI Institute and Infosecurity shows that enterprises are struggling to manage and optimize their risk, not only when it comes to confronting cyber risk, but in gathering a firmer handle on the holistic enterprise risk environment. Below is my perspective on three data points from the research that I found to be particularly significant:
The shifting threat landscape is wreaking havoc
Changes/advances in technology and changes in types of threats were pinpointed by survey respondents as the top two cybersecurity challenges organizations face today, even moreso than other response options, such as too few security personnel and inadequate security budgets.
This data point reinforces that the unprecedented pace of technological change – and the corresponding domino effect on the threat landscape – is placing a heavy strain on the capabilities of enterprises to effectively and securely leverage these new technologies. Security and enterprise risk programs that were sufficient five years ago – or, in some cases, maybe even five months ago – can be inadequate in holding up to new risks that emerge.
Risk management is about optimizing risk, not removing it from the equation altogether, so these challenges should not preclude enterprises from thoroughly testing and exploring how emerging technologies can be deployed to create efficiencies and spark innovation.
The ISACA study found that while nearly two-thirds of respondents’ have defined processes for risk identification, only 38 percent feel that those processes are at either the managed or optimized level of the maturity spectrum for risk identification. This points to a high adoption, but low optimization trend, demonstrating room for improvement in terms of enterprises actually taking action to address risk, and not just setting up the framework.
Security and risk professionals must revisit their processes, pursue the ongoing training and knowledge resources needed to understand how these technologies are reshaping the risk environment, and communicate those risks clearly to enterprise decision-makers who might be tempted to green-light deployments based on market pressures without first conducting the needed level of due diligence.
Cloud was identified as the emerging technology that most increases risk
By an overwhelming margin, cloud is deemed to be the technology that most expands risk (70 percent of respondents say it increases risk, compared to the next highest response option, Internet of Things, which came in at 34 percent).
As the survey report notes, “There is a good reason why the cloud percentage is so high – practitioners are intimately familiar with the challenges of cloud, including compliance and regulatory challenges, data sovereignty, lack of direct operational control over service provider environments, shadow adoption, and numerous other pain points.”
Essentially, cloud-related risk is much more of a known commodity than risk related to more recent, emerging technologies. However, if organizations align their cloud projects to business strategies and provide relevance governance oversight, cloud risk can be appropriately mitigated.
This data point also raises questions about how technologies that are less mature than cloud – such as artificial intelligence and blockchain – will impact enterprise risk as adoption increases and more use cases arise. Each technology brings its own set of risks and potential misuses that will need to be accounted for in enterprises’ risk programs.
Reputational risk should not be overlooked
Respondents identify reputational risk as the second-most critical area of risk facing their organizations today, behind only information/cybersecurity risk. While respondents naturally identify cyber risk as a leading concern, given the volume and increasing sophistication of the current threat landscape, ultimately, reputational risk can have an even longer-term impact on an organization. There are countless examples of enterprises that have become embroiled in a public relations crisis and never fully recovered – or if they do, only after several years of concerted time and expense dedicated to rehabilitating their brand image.
Of course, cyber risk and reputational risk often go hand-in-hand, given that the fallout from major breaches and other cyber incidents can have a direct and serious impact on an enterprise’s reputation with customers and the general public. But reputational damage also can arise from a variety of other sources, such as fiscal mismanagement, penalties from regulatory compliance oversights and a lack of transparency with customers when it comes to how their personal data is being leveraged.
Even greater challenges ahead
The considerations mentioned above are just some of the many topics that enterprise risk leaders will need to work through in the 2020s and beyond. The risk environment will only become more complex in the new decade, as the aforementioned pace of technology-driven change will further accelerate, with the evolving cybersecurity landscape and the rise of AI factoring prominently into that equation. Managing and optimizing risk have long been essential objectives for high-performing enterprises, but the stakes are rising – as is the degree of complexity.
(This post originally appeared on the ISACA blog, which can be viewed here).