Trends in IT Risk Management
You probably already know how critical managing cyber risk is today. Your business’s bottom line, reputation, and future can be at stake. IT risk management matters because a single incident exposing sensitive data can result in stiff fines, legal backlash, and, worst of all, loss of customer trust.
It’s also no secret that managing risk today is more challenging than ever. Risks are everywhere—and they appear to be multiplying at an unprecedented rate. The complexity of business, rise of cloud computing, increase in third-party vendors, and proliferation of regulations amidst a global pandemic have created the perfect storm for risk exposure. Oh, and did we mention the critical cybersecurity skills shortage? All of this means that your team will need to tackle more risk than ever with far fewer resources.
In such challenging times, how can your organization hope to manage risk?
It won’t be easy—but there are options for those willing to take a hands-on, proactive risk management approach. In this article, we will discuss the latest trends in IT risk management and see how smart organizations stay safe and compliant during turbulent times.
Cybersecurity and Data Breaches
Historically, with cybersecurity, prevention has been the word. We build bigger, better gates to keep malicious intruders out, but over-reliance on prevention is failing—miserably. In the first half of 2020, there were 540 publicly reported data breaches impacting over 163 million people. This number is down 33% from the first half of 2019, but one breach is too many when weighing the financial and reputational costs.
The damage inflicted by cybersecurity incidents shows all too clearly how failing to address vulnerabilities and prevent breaches can prove catastrophic for your organization. Below are some tools modern teams use to heighten security and prevent costly cyber incidents.
Data Security Governance Frameworks
What is more important than protecting data? Data security governance frameworks are internal structures that provide guidance to help organizations manage their data and keep it safe. They establish storage, handling, and security measures for enterprise data, and they can help your business navigate data privacy and cybersecurity regulations, stay compliant, and maximize data usage.
Third-Party Security Operations Centers
When it comes to full-time protection of your data, it can make sense to hire a professional. Third-party security operations centers specialize in preventing, detecting, analyzing, and mitigating cybersecurity incidents. These external vendors provide skilled teams dedicated to around-the-clock threat intelligence and rapid remediation at a fraction of the do-it-yourself cost. However, you will need to develop trust in a third party handling, storing, and analyzing your sensitive data.
Multi-Factor Authentication
As modern hackers gain sophistication, many organizations now turn to multi-factor authentication. Users must provide two or more forms of identity verification to gain access to networks. In addition to usernames and passwords, which are comparatively easy to steal, users must also present something they possess, such as a one-time code sent to a mobile device, a security badge, a smart card, or a software token.
Another notable means of verification, growing in popularity as it becomes more accurate and available, is biometric authentication. Accuracy is hard to dispute, as hardware devices read and match unique human physical traits such as fingerprints or eye patterns to verify identity. Keep in mind that the cost of biometric hardware can be prohibitive and that users must be physically present, which is especially challenging in the age of COVID-19 and remote workforces.
Robotic Process Automation (RPA) and Artificial Intelligence (AI) Technology
No discussion of risk management today would be complete without addressing RPA and AI technology’s rapidly increasing roles. Successful risk management requires a proactive stance. Continually assessing risk and the use of predictive analytics can be helpful in high-risk areas. Organizations must stay one step ahead by collecting data, identifying emerging risks, and acting swiftly to prevent cyber incidents before they occur.
RPA and AI support risk assessment by gathering and processing the data to fuel the predictive analytics used to identify emerging risk patterns. RPA collects, standardizes, cleanses, and prepares real-time data for use in predictive modeling processes while also automating risk testing and remediation. AI, specifically machine learning (ML), can create self-learning, predictive algorithms to extract insight, generate reports on emerging risks, and guide management policy. Machine learning can also be used in risk detection, instantly flagging suspicious activity.
RPA and AI technology can provide a considerable boost for overwhelmed security teams. Both technologies drive the speed and volume of work, help scale limited security resources, and allow humans to focus on more value-added risk management tasks.
Continuous Adaptive Risk and Trust Assessment Approach (CARTA)
When you’re looking to effectively manage risk, you need to begin by assessing your organization’s current posture. What threats are you currently facing, and what dangers are emerging? Where are your most exploitable vulnerabilities? Before embarking on the journey to where you want to be, you must begin by knowing where you are—and this starts with assessment.
The Continuous Adaptive Risk and Trust Assessment Approach (CARTA) is a strategic security approach built on adaptive platforms that stress continuous assessment for risk and trust across the enterprise. CARTA promotes the Shift Left philosophy of testing early in the development process with ongoing assessments to keep pace with today’s continually evolving threat landscapes. In line with CARTA, many compliance frameworks, such as ISO 27001 and NIST SP 800-53, now embed continuous, ongoing risk assessments into their recommended process.
Advanced Risk Analytics
Many innovative organizations have adopted advanced analytics to understand, predict, avoid, and, if necessary, remediate risk. These advanced data interrogation techniques deliver fast, actionable insight helping modern enterprises stay ahead of risk.
Data is power in the hands of risk managers. As such, modern analytics depends on the effective collection and management of data. To have any hope of predicting emerging risk, teams must maintain a constant awareness of existing environmental conditions. This approach requires a continuous flow of relevant data–far more than manual processes can handle. Fortunately, today’s risk management teams have the power of automation and smart technology to support this data-driven approach.
Predictive Risk Intelligence
Would your team like to accurately identify emerging risks? Who wouldn’t, right?
Being able to spot emerging risks would give your organization the jump on determining the likelihood and impact of these potential threats–a significant advantage in planning your risk mitigation and management strategies.
The growing practice of predictive risk intelligence (PRI) uses data-driven analysis to predict and manage emerging risks, helping to eliminate or reduce the negative impact of loss events on your organization. PRI creates a 360-degree view of emerging risks by applying advanced analytics to internal and external data sources. It recognizes trends and identifies potential risks before they become threats and creates alerts in near real-time. PRI requires dependable, comprehensive data feeds but automates analyses for fast escalation and remediation response.
Deloitte describes predictive risk intelligence as a five-step process:
- Identify and prioritize top risk events to monitor
- Identify the triggers or precursors of risk events (map to data sources)
- Identify the internal and external sources of data to mine and analyze
- Develop both static and self-learning algorithms to predict the likelihood of a risk event (data mining and machine learning drive ongoing improvements)
- Generate PRI alerts and notifications from the predictive algorithms and convert them into formal reports
The capability of predictive risk intelligence is poised to grow with the disruptive technologies of AI and RPA. It should play an essential role in your organization’s risk monitoring effort moving forward.
Cloud Technology and IT Risk Management
Storing data in the cloud provides many business advantages but also brings significant drawbacks for managing risk. Organizations are trending toward using the cloud as their primary platform for data storage and security. Storing data in the cloud can be cheaper, save space, and provide a convenient network option easily accessed from anywhere—certainly an advantage in the age of COVID-19 and remote workforces.
How do you feel about your organization’s data in the hands of a third party? For all the benefits the cloud brings, some unique challenges must be considered when storing your data in the cloud. Missing or ineffective governance and change controls within the cloud can lead to the exposure of sensitive data. Cloud storage also changes identity and access management (IAM) controls. With the complexity and decentralized nature of cloud services, logging and monitoring take on added importance, as does the use of encryption and alarms. It’s also important to monitor potential gaps between security and compliance risk management controls when storing data in the cloud.
Cloud access security brokers can provide an acceptable surrogate security option for users uneasy with default cloud controls. This on-premises or cloud-based security software bridges the gap by enforcing security policies for cloud service consumers. These brokers ease the issue of third-party trust by extending your organization’s infrastructure security controls to the cloud. Security brokers can provide the necessary peace of mind, allowing your organization to maximize cloud storage benefits while minimizing the potential security gaps.
Data governance is part of a broader governance framework your organization can employ to manage risk and stay secure. This framework includes cyber risk governance, which many organizations feel is best addressed through an enterprise risk management (ERM) approach. Cyber risk is viewed as part of enterprise risk, and all risk is considered in light of the overall business strategy and objectives. Governance includes creating a cross-departmental, cybersecurity risk management team, often headed by a top security official. This team is responsible for overseeing risk evaluation, developing a risk management plan, and creating a budget to mitigate risks.
As you know, managing data is critical to managing risk. In fact, good data management is so essential that many organizations form internal governing bodies with specialized agents to create standards and policies for handling company data. Data governance oversees and regulates the availability, functionality, integrity, and security of data across your organization. Think of it as a set of internal guards that shield your data from misuse or compromise, keeping you secure in a world of infinite risk.
Modern risks come in many forms, from malicious invaders to the rapidly growing list of regulatory compliance requirements. These requirements are undoubtedly necessary to safeguard sensitive data, but they provide another challenging hurdle for your risk management team. The General Data Protection Regulation (GDPR) opened the floodgates in May of 2018, with the trend of more data privacy regulations to come. California followed shortly after with the California Consumer Privacy Act (CCPA), and many states appear poised to enact their own version of this regulation. Smart organizations won’t hesitate to generously allocate resources to governing their data—in the final analysis, it could prove far less costly than running afoul of the rapidly growing number of compliance regulations.
Business First Approach
Successful organizations understand the importance of a coordinated IT and business effort when managing technology risks. Mitigating risk today requires more than just IT-driven answers; business units must take ownership of a collaborative solution to ensure security across the enterprise.
Starting with a business-first approach, based on dialogue between IT and business teams, provides a complete picture of information needs, functions, and risks. IT should lead in risk assessment, but business teams need to shoulder responsibility for prioritizing risk based on business strategy and objectives. Defenses should be evaluated on the threat impact to the business, with the strongest controls applied in areas of greatest value.
IT Risk Management: Closing thoughts
There is no sugarcoating the facts regarding managing IT risks today—it’s hard and getting harder. Organizations face heightened risk in every direction and must often forge ahead with insufficient security resources. However, organizations that keep current with risk management trends and take a proactive, analytics-driven stance will only grow in value. The days of building bigger gates are over—future success will depend on protecting your data while utilizing emerging technology to continually assess, predict, and stay one step ahead of risk.
Hyperproof has built innovative compliance operations software that helps organizations gain the visibility, efficiency, and consistency IT compliance teams need to stay on top of all of their security assurance and compliance work. With Hyperproof, organizations have a single platform for managing daily compliance operations; they can plan their work, make key tasks visible, get work done efficiently and track progress in real-time.
Organizations using Hyperproof are able to cut the time spent on evidence management in half, using the platform’s intuitive features, automated workflows and native integrations. Hyperproof also provides a central risk register for organizations to track risks, document risk mitigation plans and map risks to existing controls. Hyperproof is used by fast-growing companies in technology and business and professional services, including Netflix, UIPath, Figma, Nutanix, Qorus, Glance Networks, Prime8 Consulting and others.