Risk management is a key aspect of enterprise operational lifecycle. Every corporate initiative, board mandate and basically every movement in life implies a risk. It is imperative, then, to comprehend what an organization can do with risk. The possibilities are: Accept Risk, Deny Risk, Transfer Risk, and Treat Risk. I would like to focus on the last two (Transfer Risk and Treat Risk) since they are usually confusing and misunderstood in the marketplace.
Given the rise of cyber-insurance, organizations tend to think that they can transfer the risk because they have gone through an assessment. In an ideal world, they know their risk exposure and they have a document indicating that they will be compensated if risk actually manifests. However, companies and executives must know that they are not (really) transferring the risk but acquiring the assurance that they will be compensated. But the risk still exists and can reveal at any given time. I feel it is unfair to think that the risk is transferred; it is more the angle of risk being 'considered' and considered for the consequences and impact it may have. But the risk is never transferred nor mitigated nor reduced by having cyber-insurance. And that takes me to the last option and, usually, the one that is better understood: treating the risk with countermeasure, with controls, with processes and procedures, with technology.
Organizations around the world must adapt and adopt organizational and technological measures to fortify the way they identify risk, govern risk (beyond just manage it) and provide a risk response. The technology aspect on this is undeniable since technology will bring a fresh perspective on what is happening in the in/out vectors of company, who is accessing critical information, which anomalies are deviating from a normal pattern of behavior, etc. Technology is instrumental for success, but there are two other dimensions equally fundamental: people and processes. With that triad (People - Processes - Technology) companies can cover most of the cases in the troubled, exceptional, remote times that we are living: customer accessing products, employees managing data in the cloud, consumers requesting information from the datacenter on their mobiles. But to seize risk the right way there's another triad that should be a pillar of the governance of the digital enterprise: Culture - Structure - Strategy. It feels imperative to fully comprehend which is the culture of the company (centralized, decentralized...), how the structure of the entity is designed from a reporting and authority perspective, and how the strategy (and its tactics) are defined and executed.
A sound security program must consider these two (beautiful) triangles and build a consistent, coherent, and robust approach to govern risk and fulfill the promise of ensuring the responsible use of resources while minimizing the window of exposure of the organization on every channel to the world out there: cloud, application security, identity management, access governance, control and monitoring, endpoint protection, network assurance, etc.
Protection and defense are, more than ever, a competitive advantage for every business. If organizations can demonstrate that they have built a security program that can be trusted and puts the customers at the core of everything they do, that is a compelling message for people. We should not forget that trust is earned, is deserved -- and customers need to be assured that their data will be protected, no matter what, and that their provider have the mechanism to respond to threats accordingly.
This is not an era of changes but the change of an era. One that requires a vigorous approach to Enterprise Risk Management and the acceptance that technology plays a critical role to identify, protect, detect and response. Companies need to be on their way to becoming resilient, to being capable to respond to the overarching questions on how to anticipate, withstand, recover, and evolve. ERM presents a unique opportunity to do so and the time has come for the world to embrace it the right way.
With a background education in business administration (MBA) and law, Ramsés is a 22+ years security professional with deep expertise in the risk management and governance areas. Ramsés is the International Chief Technology Officer, Cybersecurity, at Micro Focus, where he defines the vision and mission, purpose and promise of the company in that arena.