
The Challenges of Managing Digital Risk

By AJ Jarrett, DTCC Director of Cyber Monitoring and Incident Response | 4 minute read | April 22, 2024

The ReliaQuest Exponent Customer Conference is an exciting and engaging event that brings together hundreds of security professionals and ReliaQuest customers each year to talk security.

One of the greatest aspects of this conference is the diversity of thought from a multitude of industries and sizes. At any given moment I was surrounded by various professionals from different backgrounds. For example, in one 30-minute period, I chatted with a Navy Seal, an NFL Linebacker, the chief information security officer of a major retailer, and my counterpart, the head of Incident Response for a global manufacturing company. It was fascinating to hear the unique perspectives each of us had on security while discovering how much commonality we shared.

This year, I led a roundtable discussion on digital risk. Being somewhat rusty in the policy department, I employed a tried-and-true trick I learned from my teaching days: ask good, open-ended questions. So armed with an “official” definition of digital risk from the internet, I asked the participants how they defined “digital risk” and we were off to the races! After some discussion, the group ultimately agreed on this definition:

Digital risk: any risk associated with systems, data and networks.

Based on this definition, everyone agreed that digital risk encompasses a huge area that is only continuing to grow. In these modern times, it’s nearly impossible to find a business process that is not somehow impacted by digital risk. As a result, an effective digital risk management program is imperative for every organization regardless of size or industry vertical.

Risk Registers are Broken

We next dove head-first into how organizations discover, track, and quantify digital risk. All agreed that to manage digital risk, we must have a method for quantifying and tracking it over time. One common theme was that, although widely loathed, the traditional risk register is still alive and well across industries. Most also agreed, however, that implementing and maintaining a traditional risk register presents several challenges.

A few key challenges included:

  • Keeping the risk register up to date, especially in smaller organizations;
  • Disconnects between the risk register and strategic business objectives; and
  • Quantifying different types of risks, which makes it difficult to compare.

In addition to challenges with the risk register itself, the panel discussed how a poorly implemented risk register can cause more harm than good. For example, if digital risks in the organization are not effectively quantified, management cannot define a risk appetite or make risk-based decisions, which can lead to serious strategic pitfalls.

The Emerging Tech Effect

Armed with a clear scope, common terminology and major pain points, we discussed how emerging technologies – and emerging threats – affect the risk landscape. After touching on more tangible issues, such as quantum computing threatening the cryptography that protects our data at rest and in transit, we quickly moved on to the technology on everyone’s mind: artificial intelligence (AI).

Now, having worked in cybersecurity for quite a while, I’ve been exposed to a lot of information on AI. However, the unique perspectives that surfaced during this roundtable left me surprised. We did discuss all the traditional ways AI threatens our organizations, a topic I’ve spent a lot of time thinking about in the Incident Response business. But I was surprised and delighted when the conversation quickly shifted away from the doom and gloom of AI to how AI could be leveraged to enhance digital risk management.

Finding Better Ways to Manage

As the group had previously established, it’s necessary to track, record and quantify risks, but risk registers present some difficulties, especially in smaller organizations. Here, I asked the group to brainstorm ideas that could enhance legacy risk registers or replace them altogether.

An interesting idea that emerged from this discussion was using AI to help simulate digital risks that could be difficult to objectively quantify. Everyone agreed that this was a very promising idea, but caution was warranted as AI “hallucinations” might lead to poorly understood outcomes. In short, understand your AI model well before making decisions based on it.

Another salient point was that the risk management process must remain linked to a firm’s senior leadership strategy. This means including senior leadership in all phases of digital risk management, from mapping to prioritization to mitigation, as well as in the regular care and feeding of the program, so that it continues to identify, prioritize and mitigate risk.

All in all, to manage digital risk, organizations must first take steps to map out specific risks. From there, criteria should be assigned to prioritize which risks require immediate action, and then the mitigation process can begin. While no silver bullet was discovered to replace risk registers, a few notable ideas emerged for enhancing our current processes.
