Security puzzle calls for some joined-up thinking

 As the technology revolution rolls on, organisations around the world are starting to see the benefits of greater and greater levels of interconnectivity. Digitisation initiatives are aimed at tackling bottlenecks in business processes, bridging the air gaps that have existed between traditionally disconnected processes, and enabling information to flow freely, both across silos within the same organisation and to and from external partners.

In a series of Computer Weekly Security Think Tank articles, a panel of experts discussed how, in the age of digitisation, there are new risks so security needs to be more integrated.

As Sandeep Godbole, past president of ISACA Pune Chapter, points out, the adoption of technology has exposed modern organisations to the contrast presented by technology – the opportunities on one side and the risks of the connected world on the other.

These opportunities and risks affect the organisations in diverse ways, he says. Some have operational impacts, while others may have strategic impacts. “Good governance requires that opportunities and risks having a profound impact on organisations be monitored and the required actions be taken,” says Godbole. “Embracing the opportunities may require setting up the enablers, including organisational structures, technology capabilities, building human capital and supporting the change.”

Addressing the risks requires the implementation of appropriate security controls, tools and processes that mitigate the risks, says Godbole. “Since the connected world enabled by technology presents organisations with risks and opportunities, appropriate security measures play a key role in modern organisations. Addressing risks and providing adequate protection enables organisations to leverage technology. Security, therefore, plays a role of an enabler in organisational strategy.”

Recent research from Ovum found that organisations’ approaches to handling and addressing digital risk vary wildly. Ovum research director Maxine Holt says: “Handling new risks is a consequence of expanding digitisation. The need and ability to manage risk does not cease at an organisation’s boundaries in this increasingly connected world.”

Holt warns that ignoring or preventing the opportunities presented by digital transformation is not a practical option for information security functions. She believes digital risk is an “essential” inasmuch as the organisation must take risks if it is to move forward. Holt explains: “The most risk-averse organisation could avoid digital transformation but simultaneously is likely to lose the edge on its competition or provide a poorer service to citizens.”

For an organisation to be sufficiently effective and efficient, Holt says it needs to be able to discover, manage and mitigate digital risk. This, she says, requires greater integration between internal functions – particularly governance, risk, compliance and security – as well as across the partners that supply or underpin many of the newer technologies being exploited.

Holt suggests that appointing someone with responsibility for organisational digital risk can enable joined-up and better strategic decision-making for a more integrated approach to risk management. According to Holt, the idea of creating a digital risk officer role is a big step forward, as surprisingly few organisations have someone in this role.

“A team under the remit of the digital risk officer should be created to address the risks of digital transformation projects – knowledge is needed from across senior risk, compliance, IT, technology, legal, audit and cyber security staff,” she says. This team should aim to establish a central risk taxonomy to enable a common understanding of individual risk types throughout the organisation, says Holt.

In the past, separate siloed risk management has often resulted in tick-box compliance. Paddy Francis, CTO at Airbus CyberSecurity, says: “Integrating all these different aspects of risk into a single framework gives a better view of the overall operational risk to the business and allows development of mitigation strategies that work for the business as a whole.”

Francis believes IT security professionals should play a key role in moving to an integrated risk management approach. Francis presents the case for security teams to consider risks and mitigations in the context of the enterprise rather than just IT. “IT professionals and other risk owners must have, or gain, an understanding of the business drivers so they can see the risks in the right context and make appropriate risk mitigation trade-offs and not focus solely on their own area, while creating new risks elsewhere,” he says.

Francis says IT risk and related risks such as the IT security contribution to business continuity management and General Data Protection Regulation (GDPR) compliance should be brought together into a central integrated risk management strategy.

If organisations want to make integrated risk management work, Deshini Newman, managing director EMEA at (ISC)², believes information security practitioners need to be integrated into the heart of the risk management reporting and evaluation process. “They simply cannot be downstream of it and still be expected to operate quickly and proactively when a security concern manifests itself,” says Newman.

Ovum’s Holt recommends information security professionals to involve senior management to help drive integrated risk management. “Business-focused information security functions can represent and communicate the need for integrated risk management to those who can change the firm’s approach,” she says.