Most companies of scale have cyber security measures in place – software solutions, policies and protocols, and regular assessments conducted by IT staff members around compliance and efficacy. With these measures in place, the executive management team might feel confident that their digital data is secure – until they’re blind-sided by crisis-inducing error or a data leakage event.
Free eBook: Modern Retail Security Risk – Get your copy now.
Equating cyber security to digital risk management is a catastrophic mistake. Cyber security is only one element of the comprehensive strategy required to effectively manage digital risk across an enterprise.
Digital risk management is a complex endeavor requiring real-time monitoring, strategic information architecture and advanced expertise in many areas related to technology, development, operations, data integrations and information systems. And, while cyber security is an important component, it is but one of the five critical pillars of digital risk management which include:
Cyber Security protocols around systems breaches, incident management, and known exploit prevention
Data Loss Prevention measures that protect against system failure, corruption and accidental overwriting and deletion
Data Leakage Prevention protocols that ensure that users do not send confidential information outside of the organizational network
Availability protections that ensure that critical business processes aren’t disrupted due to application downtime
Governance policies with respect to obligation, regulation, compliance, client contractual requirements and data custodianship
Traditional IT departments lack the cross-functional expertise required to adequately manage digital risk across these five areas. In fact, Gartner recently published the results of an executive survey which revealed that an estimated 60% of large-scale enterprises will experience a significant digital breach attributable to the IT security team’s inability to manage digital risk with respect to new technologies, the proliferation of connected devices, and interdependencies.[1]
Gartner’s survey also showed that one-third of large scale enterprises reliant on digital models and activities will have hired a digital risk officer by 2017. In a related report titled “Top 10 Strategic Predictions for Businesses to Watch Out For,” Gartner estimates that digital businesses will require 50% less IT business process workers and 500% more digital jobs by 2018.[2]
This vast and radical shift in IT staffing across industries means that organizations will be scrambling to find candidates to fill digital risk positions. In the interim, IT department staff will lack the requisite skill set to effectively assess and manage digital risk at both a strategic and tactical level.
What can large scale organizations do to avoid falling into the 60% that will experience breach?
Recognize that Digital Risk Management Extends Beyond Cyber Security
The key point here is that the failure to integrate all aspects of digital risk management directly lead to digital crises.
For instance, with respect to Anthem’s recent breach that will likely expose the company to liability in the billions, it’s widely believed that hackers infiltrated the health care provider’s networks by using a sophisticated malicious software program that allowed them access to the login credentials of an Anthem employee.[3] Preventing this event would have involved better data management with sound encryption policies, which fall under the pillar of data leakage prevention.
And the infamous Target breach? It’s believed that the architecture of this attack was sequential, starting with infiltration through a third-party vendor. From there, hackers leveraged Target’s vendor portal access to gain control of the retailer’s servers and from there hijacked the point-of-sale systems. Experts widely believe that if Target had detected and countered any of these stepping stones in progress, the attack would likely have fallen apart. [4] Better governance policies would have enabled Target to understand their vendor’s digital risk, and any potential consequences that risk would bear on Target’s brand and balance sheet.
Conduct Independent Cross-Functional Reviews to Create Checks and Balances
According to a report issued by Online Trust Alliance in January 2015, over 90% of the data breaches that occurred during the first half of 2014 occurred as a result of the combination of human error and poorly designed workflows. The report states these breaches could have been prevented if organizations had appropriate digital risk management strategies and policies in place.[5]
In traditional enterprise structure, digital risk evaluation is conducted by non-engineers who require the participation of the people they are assessing, basically turning evaluations into self-assessments. There are no checks and balances to confirm that best practices are being followed and digital risk is being properly managed for the organization. The need for independent assessment becomes crystal clear. Independent review provides digital risk transparency by providing accurate and timely reporting around potential risk factors.
Integrate Subject Matter Experts that Have the Skills Required to Properly Manage Digital Risk
The staggering instances of human error and poorly designed workflows also brings to light that a significant skills gaps exist within IT departments. This is understandable given that comprehensive digital risk management requires highly specialized knowledge of data management and protection practices, advanced systems engineering and architecture, and defensive architecture for public-facing applications to ensure that the organization has clear and continuous oversight to achieve optimal digital risk protection and avoid breach. Internally hiring engineers of this caliber would be cost-prohibitive for any organization, yet it is critical to give IT teams the help they need to succeed in protecting digital assets in an increasingly complex technological landscape.
By Michael McQuinn, co-founder and CTO of Criterion Advisory
Bio
Michael brings a wealth of technical knowledge to Criterion Advisory, including fifteen years of experience in application architecture and development, with a focus on high- performance and low-latency platforms. He specializes in domain modeling of complex business applications, for which he is a co-inventor of two pending patents. At Criterion, his responsibilities include platform innovation, strategy, and development. Previously, McQuinn ran a boutique technology consulting company, serving as Architect and Technical Lead. His clients came from varied industries, including security technology, email security, financial services, IT services, education, and consumer technology. Select projects include a real-time anti-phishing platform that has been adopted by Google & Yahoo, and an automated vulnerability analysis platform. In the past, McQuinn has developed cutting-edge electronic trading algorithms, including a novel architecture that reduced latency by 30%. He has managed solutions on the web, mobile, server, and desktop platforms. As an active member of the NYC technology community, McQuinn collaborates with leaders in the Ruby, Rails, and Javascript fields. He is a contributor and maintainer of several open-source projects, particularly in the Rails and Javascript ecosystems. McQuinn has Bachelor of Science and Masters of Science degrees from the University of Illinois, with a major in Computer Engineering. His Doctorate work modeled the performance, reliability, and availability of distributed computer systems under varied failure conditions. He has awards from the National Science Foundation and the IEEE.
To learn about Criterion Advisory, please visit http://www.criterionadvisory.com
[4] http://www.zdnet.com/article/anatomy-of-the-target-data-breach-missed-opportunities-and-lessons-learned/
[5] https://otalliance.org/news-events/press-releases/ota-determines-over-90-data-breaches-2014-could-have-been-prevented
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.