Digital transformation and integration with Enterprise Risk Management

Digital transformation and integration with Enterprise Risk Management

Fri 16 Feb 2018

Digital transformation has expanded the need for security, continuity and resilience. Today’s business must embrace an enterprise risk management strategy that includes legal, regulatory and political considerations.

Enterprises today face a significant level of security challenges across their organizations. IT is no longer a secondary priority; it is now at the very heart of the enterprise and is becoming more complex. In the current landscape, security considerations have grown from preserving data confidentiality and maintaining core applications and networks to become a much larger conversation around managing organizational risk and exposure, including cyber resilience and readiness in the face of attacks.

Digital transformation presents new risks which requires companies to have complete visibility across their traditional and cloud environments, extremely well-defined access controls and owners, and even separate security strategies for on-premises systems and cloud applications. Hence digital transformation discussions should include decision makers such as chief risk officer, CIO, CEO and line-of-business executives.

In today’s world, security risk assessments is a necessity and should be embedded into all applications as the first line of defense, at the outset of any project. Industry best practices have developed an appropriate DevSecOps approach – where security is considered as code and written into the application to make this possible.

However, security considerations have grown from preserving data confidentiality and maintaining core applications and networks to become a much larger conversation around managing organizational risk and exposure, including cyber resilience and readiness in the face of attacks.

IT don’t own the applications anymore. Multiple business owners and stakeholders are building/moving business critical applications to the cloud. As agile methodologies are adopted and cloud infrastructure removes the inertia in spinning up and testing new services, how do security strategies evolve to reflect this agile approach?

To become resilient in today’s dynamic business environment, IT, cybersecurity professionals, application developers and CRO must engage in ongoing dialogue about the balance of risk versus opportunity. To balance these risks and rewards, stakeholders will need to consider the organization’s overall strategy, risk appetite, new business opportunities and current challenges.

CRO’s are incorporating discussion about cyber risk and other threats into the overall business strategy is much more effective than simply reacting to the latest “cyber scare.”

While it may be difficult at first for enterprises to gain a transparent view of threats, it is more likely to be achieved when concerned stakeholders engage in timely, ongoing and proactive risk dialogues. For instance, a move to the cloud might expose the organization to new cyber-risks, but it can also deliver huge gains such as increased capacity, greater flexibility and reduced capital expenses.

Digital transformation changes business models by enabling new types of interactions across the enterprise and with customers, partners and suppliers. These are obviously good outcomes, but these new connections also mean new external threats and a new risk profile. This is where preparedness becomes crucial. We advise clients to adopt a structured approach to cyber resilience, where security is built into the fabric of the enterprise right from the start, rather than being bolted on at the end — or worse, after an incident happens.

Any successful digital transformation journey must involve greater cooperation and understanding between IT decision makers and business decision makers. The former need to gain the trust of the latter to efficiently and effectively deliver what is needed, when needed, so that IT and the business establish strong, collaborative relationships.

In today’s era of digital transformation, being proactive about security by constantly identifying, assessing, monitoring, preparing incident response teams and cyber crisis management teams couldn’t be more relevant.

As cyber-attacks increasingly threaten every aspect of business and grow in volume and scale, companies are required to address cybersecurity risk holistically, integrating it more aggressively into their enterprise risk management.

In 2017, cyber attackers created havoc through a range of levers, from phishing attacks that influenced political campaigns to ransomware cryptoworms that infiltrated operating systems on a global scale. With the growth of the Internet of Things (IoT), we have also witnessed a proliferation of distributed denial-of-service (DDoS) attacks on IoT devices, crippling the device’s functionality.

In 2018, a heightened cyber exposure is anticipated due to a convergence of three trends:

  • first, companies’ increasing reliance on technology;
  • second, regulators’ intensified focus on protecting consumer data; and
  • third, the rising value of non-physical assets.

Such heightened exposure will require an integrated cybersecurity approach to both business culture and risk management frameworks. Chief risk officers are taking center stage to manage cyber as an enterprise risk.

Enterprise risk management (ERM) has emerged as a best practice in gaining an overview of strategic, financial and operational threats, and in determining how to mitigate and manage those risks.

A comprehensive approach to risk management is important because it helps management comprehend the true potential of threats and allows organizations to address the cumulative nature of risk.

How insurers can make sense of risk