What is Digital Risk Management and Why It Matters Now
Highlights from Simeio’s June 24th “Ask Me Anything Coffee Talk Series”
Last Wednesday’s “Ask Me Anything Coffee Talk Series” was another fascinating and timely session. The topic was “Digital Risk Management.” The session hosts were Safwan Nathersa, VP of Solutions and Advisory at Simeio Solutions, and Shawn Cruise, VP of Canada at RSA Security. Here are some of the highlights from the session.
What is digital risk management, and why does it matter right now?
After over ten years of working on the digital transformation of entities, like cloud, mobility, IoT, and workforce, we now understand that digital transformation is a journey, rather than a project. Part of that journey is like being on a boat. As we course through the water, we create a wake of risk. The more transformation we drive, the larger the wake of opportunity for bad actors to assault our ever-growing attack surfaces.
Digital transformation requires understanding the data, reporting, digital assets, and risks involved throughout the journey. It also requires understanding how to quantify results in the investments you make along the way.
Digital transformation began with large enterprises. But now, small and medium-size companies are looking for digital solutions to manage risk. Over the coming months, there will be a huge increase in the need for digital risk management. This is because managing risk goes beyond digital platforms. It’s very expensive and requires highly skilled people to build, manage, and oversee it. It is the confluence of technologies, skilled personnel, and processes that control digital risk.
What does IAM have to do with risk management?
Any effective cyber strategy begins with best practices in developing and monitoring trust, and that trust is based on identities. Identity is more than the remote workforce; it’s also about customers, IoT devices, and third-party vendors.
The ability to manage and control employees, along with a supply chain, and be in compliance, must be accomplished in a user-friendly and privacy-controlled manner. IAM, when set up correctly, allows digital enablement, in a way that is seamless and user-friendly, while equipping the company to maintain strict controls, support privacy, and analyze user behavior to improve business outcomes.
The ability to have identity proofing, when a customer can’t interact with a company physically, doesn’t start when you have an individual’s information. It begins before they become a customer when you have no information about them. IAM leverages identity proofing to enable companies to validate information that uniquely identifies an individual, like their credit history, demographics, and other pertinent information, without causing hardship on the customer.
The cloud is playing a critical role in enabling cost-effective, agile, and quick adoption of risk management. Most organizations I deal with today have 25 percent or more of their applications in the cloud. So how do you enable seamless access to SaaS applications, while ensuring users have been granted permission, and the right level of access, to them? With identity becoming the new enterprise perimeter, the ability to control the entire life-cycle of all user constituencies, with the right levels of access, and facilitate risk management, is all accomplished through IAM.
Who within an organization owns digital risk management, and cares about the outcomes?
To answer that question, we must look back at history, and the lessons learned. Fifteen years ago, when we talked about mobile applications, we pushed those conversations over to the mobile and application developers. The leadership didn’t get engaged at that level. Over time, CEOs began to realize that digital transformation is a journey they needed to understand. Today, most CEOs are asking for quantifiable data on risk management. While they may not use that term, with the boundaries that have been broken, and accelerated on a global scale with COVID-19, risk management is now a top priority for all C-level leaders and board members.
When you consider all good trust strategies coming off your identity perimeters in the form of supply chain, employees, and third-party vendors, it means every person within the organization needs to understand risk management, and have a basic knowledge of the strategy. Because as you cascade that information up and consolidate it into a C-level report, the answer to the question “who cares?” is “everyone.”
As the digital transformation journey becomes a permanent state, digital risk management is about to become a permanent state best practice, tied to everything associated with digital transformation.
I recently conversed with a bank that, due to COVID-19, is making a significant shift to a remote workforce, improving their ability to service customers online, and setting up accounts with customer profiles. They wanted to know how other businesses handled their digital transformations and how they might leverage that experience.
I recently worked with a province in Canada that wanted a quick solution that would provide COVID-19 results through an identity system that is available online to their citizens. We were able to stand up a SaaS-based solution in 24 hours, with the entire solution live within less than two weeks.
What is AI and ML in relation to risk management?
Risk management is all about rapidly collecting, analyzing, consolidating, and prioritizing data. It’s about taking tons of data and putting it into simple, quantifiable reports that can be acted upon. Artificial intelligence (AI) and machine learning (ML) are evolving, and automating repetitive tasks. But the reality is, we have a long way to go to fully take advantage of their capabilities.
Their current impact is really in the ability to pull data together and prioritize it quickly. There are many examples of where we are progressing with endpoints, SIM technology, and reporting capabilities. Keep in mind, this is a journey, and AI and ML will play more important roles as we go forward. AI and ML give us access to data, and they will help us build better dashboards, but we’re not there yet. It will be a few years before we start seeing complete SaaS-based offerings, with the inter-connectivity of data from IoT, mobile, and third-parties.
As we mentioned earlier, risk management is expensive when done manually. As it moves to digital, the ability to leverage AI and ML to learn behaviors, and automate and mitigate risks against those behaviors more seamlessly, is when we will be at a new threshold.
How does data risk management extend to include IoT?
IoT is bringing us many new services. The challenge with IoT is managing billions of devices, all sending massive amounts of data. It goes back to trust. If you can’t manage and trust the content and devices, then it becomes harder to achieve the benefits. With that said, we are making strides with IoT, as part of the authentication strategy. There’s no avoiding IoT, and all the risks associated with it. It’s a top priority and must be part of our best practices because IoT is a top landing point for threats. Therefore, IoT needs to be included as part of a risk management strategy.
We’ve just touched upon some of the conversation. If you want to learn more, you can watch this, and other on-demand Coffee Talk sessions at https://www.brighttalk.com/channel/17142.
We hope you can join our next Coffee Talk where you can chat with IAM experts, ask questions and gain insights into how you can lower operational costs, and achieve greater security and privacy using IAM.