The brave new world of enterprise risk management
Some people are trained to plan for the worst, such as lawyers, Navy SEALs and Cleveland Browns fans. The people tasked with enterprise risk management are finding that the old ways of planning for the worst cyber risks are changing.
The rise of cloud computing in the past few years has instigated a fundamental shift in technology architecture, with far-reaching cybersecurity implications. The pressure building on CIOs and CISOs is coming from both sides of the equation. As the points of vulnerability on distributed enterprise networks have grown, so have the expectations and demand by consumers that organizations protect their data.
An IBM and Ponemon Institute study quantified the average cost of a stolen data record at $158, and the average overall cost of a data breach at $4 million. However, breaches of particularly sensitive data records, such as those in the healthcare and financial industries, have a much higher cost. For example, the healthcare industry experienced the highest average per-capita cost for a data breach at $355. Part of this high cost comes from legal fines, but it’s also due to lost business.
Indeed, the study found that the greatest financial consequence to a data breach is lost business. A cyber attack doesn’t just result in a data breach; it’s a breach of trust between the organization and its customer base. With customer trust a key driver in brand loyalty, people have little patience for enterprises that aren’t careful with their data.
The troubling news from the IBM/Ponemon report is that it estimated a 26 percent probability that an organization will experience a material data breach. Thus, the new world of enterprise risk management needs to focus as much on rapid response and mitigation as it does on prevention. This approach is supported by another conclusion from the report: The speed with which an organization detects and resolves a data breach has a direct impact on keeping the cost of that data breach down.
So, the new nature of cyber risks requires a new approach to cybersecurity policies and best practices.
Start — and continue — with the risk assessment
Conducting a risk assessment isn’t new. Enterprise risk management teams still need to identify mission-critical applications and high-value data and map and weigh points of vulnerability, all to set priorities for security resources. Yet there are three major shifts in the assessment approach:
- Data is king
Data has black-market value, and that’s what cybercriminals are after. Keeping mission-critical applications running is certainly important, but protecting the confidentiality and integrity of data is paramount.
- Volatility of access points
Mapping and tracking the ever-changing multitude of devices, systems and people who have varying levels of access to different data stores is vital. Detailed workflows need to be understood, monitored and logged, so that unexpected usage patterns or access attempts raise red flags. Assessments need to identify the most important and most vulnerable entry points.
- Assess risks daily
Enterprise risk assessment traditionally has been an annual or biannual process, or was sparked by a major change, such as adding new hardware or applications. Today, new users, devices, hardware and applications are always shifting and moving online. The value of cloud services is that provisioning hardware and integrating systems can happen quickly and often, which means risk assessment must be a daily process. By setting a cybersecurity framework, the priorities and processes of a risk management program may still run on a formal schedule. Yet the need to constantly monitor emerging threats, estimate the probability they’ll materialize at your organization and quantify the scope of damage they might cause is an ongoing responsibility.
Merging individual awareness and automation to create a safety net
The most effective security frameworks integrate technology and organizational culture to harden digital targets. Some priority tools include the following:
- Using patch automation systems to minimize risks for zero-day attacks and respond to known threats.
- Implementing user and entity behavior analytics to determine regular and expected patterns of data access and perform real-time analysis of touches on sensitive data to immediately flag anomalous actions by applications or humans.
- Employing cloud management services and other cloud-based security-tracking tools for 360-degree network monitoring.
- Protecting data through encryption, detection and other systems.
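The behavior-analytics item in the list above (learn each user's normal pattern of data access, then flag touches on sensitive data that deviate from it) can be shown with a small baseline-and-deviation check over access log lines. This is an added example, not code from the article or from any UEBA product: the log format (timestamp, user, resource, action), the user names, the resources and the thresholds are all constructed assumptions, and real products use far richer features than the three used here.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed "normal" access history used to build per-user baselines.
# Format: ISO timestamp,user,resource,action
BASELINE_LOG = """\
2016-09-01T09:12:00,alice,crm/customers,read
2016-09-01T10:40:00,alice,crm/customers,read
2016-09-01T14:05:00,alice,crm/customers,update
2016-09-02T09:30:00,alice,crm/customers,read
2016-09-02T11:15:00,alice,crm/customers,read
2016-09-01T08:50:00,bob,hr/payroll,read
2016-09-01T16:20:00,bob,hr/payroll,read
2016-09-02T09:05:00,bob,hr/payroll,update
"""

# Constructed new events to score against those baselines.
NEW_LOG = """\
2016-09-05T10:02:00,alice,crm/customers,read
2016-09-05T02:47:00,alice,hr/payroll,read
2016-09-05T10:10:00,bob,hr/payroll,read
2016-09-05T10:11:00,bob,hr/payroll,read
2016-09-05T10:12:00,bob,hr/payroll,read
2016-09-05T10:13:00,bob,hr/payroll,read
2016-09-05T10:14:00,bob,hr/payroll,read
2016-09-05T10:15:00,bob,hr/payroll,read
2016-09-05T10:16:00,bob,hr/payroll,read
2016-09-05T09:00:00,carol,crm/customers,read
"""


def parse(log):
    """Turn the comma-separated log text into (timestamp, user, resource, action) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, user, resource, action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, resource, action))
    return events


def build_baseline(events):
    """Per-user profile: resources touched, working-hour window, and busiest day seen."""
    profile = defaultdict(lambda: {"resources": set(), "hours": [], "daily": Counter()})
    for ts, user, resource, _ in events:
        p = profile[user]
        p["resources"].add(resource)
        p["hours"].append(ts.hour)
        p["daily"][ts.date()] += 1
    return {
        user: {
            "resources": p["resources"],
            "hour_min": min(p["hours"]),
            "hour_max": max(p["hours"]),
            "max_per_day": max(p["daily"].values()),
        }
        for user, p in profile.items()
    }


def score_events(baseline, events, volume_factor=2):
    """Return (timestamp, user, reason) for each event that deviates from the user's baseline.

    Three deviations are checked: a resource the user never touched before, an access
    outside the user's observed hour window, and a daily volume above
    volume_factor times the user's busiest baseline day (alerted once per day).
    """
    alerts = []
    seen_per_day = Counter()
    for ts, user, resource, _ in events:
        if user not in baseline:
            alerts.append((ts, user, "unknown user: no baseline"))
            continue
        b = baseline[user]
        if resource not in b["resources"]:
            alerts.append((ts, user, f"new resource {resource}"))
        if not (b["hour_min"] <= ts.hour <= b["hour_max"]):
            alerts.append((ts, user, f"unusual hour {ts.hour:02d}"))
        seen_per_day[(user, ts.date())] += 1
        # Equality (not >=) so the volume alert fires once per user per day.
        if seen_per_day[(user, ts.date())] == volume_factor * b["max_per_day"] + 1:
            alerts.append((ts, user, "volume exceeds baseline"))
    return alerts


def detect(baseline_log=BASELINE_LOG, new_log=NEW_LOG):
    """Build baselines from the history and score the new events against them."""
    return score_events(build_baseline(parse(baseline_log)), parse(new_log))


if __name__ == "__main__":
    for ts, user, reason in detect():
        print(f"{ts.isoformat()} {user:6} {reason}")
```

Run as a script, it reports alice's off-hours read of a payroll resource she has never touched (two separate reasons), bob's seventh-in-a-row payroll read on a day whose baseline maximum was two, and carol as a user with no history at all. Feeding the same baseline log as the new log produces no alerts, which is the sanity check to run before trusting any such detector on live data.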
Of course, the weakest points in any network are the humans. Reminder emails warning users to beware of cyberthreats and annual security training sessions are insufficient to make the people accessing an enterprise network and data a shield instead of a vulnerability. Several organizational changes can instill a culture of shared responsibility for enterprise cybersecurity.
To start this process, security can’t be only an IT responsibility. Business line managers (as well as people in back-office departments) need ownership over the security of their data and workflows. This means creating interdepartmental task forces to perform the ongoing risk assessments and assign priority to data and workflows. Other cultural and operational changes to make include the following:
- Set up rapid-response interdepartmental task forces that prepare mitigation and remediation plans for potential data breaches, then execute them quickly when a breach occurs.
- Increase user training to guard against security threats and run simulations that test the average user as well as the rapid-response teams.
- Make sure the CISO position is vested with authority and sits high in the reporting structure to reflect the seriousness of the responsibility.
Merging the technology and human elements can have a significant positive impact in preventing or neutralizing a security breach. According to the IBM/Ponemon study, use of rapid-response teams and data encryption both reduce the average cost of a data breach. Mix them together, and an enterprise minimizes the costs and potential damages even further.
Solid enterprise risk management in today’s cloud-based, multi-device, big-data environment requires multiple layers of intelligence, defensive barriers and proactive measures by both humans and technology.