Moving from Cybersecurity to Digital Risk Management is like the curve-jump from hand-drawn pirate maps to data-driven GPS apps.
Enterprise risk managers use a phrase, the Risk Universe, to describe the full range of risks that could affect a company — including some that are unknown. Like our own universe (depending on whom you ask), companies, governments, and even individuals find their risk universes expanding. The world of business must now navigate through new risks introduced by digital exposures. These digital exposures go far beyond what we think of today as “cyber attacks.”
Volkswagen’s “Dieselgate”, for example, was a software-fraud that could end up costing the company between $35 and $87 billion. This wasn’t a cyber attack, but a digitally-enabled risk. The impact of the WannaCry cyber attack, by contrast has been estimated at $4 billion.
Despite their novel nature, these digital risks are still business risks and must be owned by business leaders — not left to the constrained and conflicting resources of Chief Information Officers (CISOs) or their “cybersecurity” staff. But how do you equip executives to own and make decisions about their digital businesses that mitigate an unknown risk universe while also considering the opportunities it might create?
It starts with what kind of maps you’re using.
Moving from Maps to Apps
Let’s take a step back from the risk universe and bring things a little closer to Earth. Early nautical explorers ventured across oceans in pursuit of expanding opportunities. They also faced new risks — pirates, uncharted reefs, and the occasional mermaid. As they encountered new territory, they drew maps to guide them. Each voyage into unknown territory came with new risks and lessons-learned. They would update the map, if necessary, and say:
- “We’ll never go that way again.”
- “We’ll make different choices next time.”
- “We’ve discovered a new world!”
Modern, companies are venturing into new waters, like early explorers. We have a good idea of some of the risk exposures. But, while they are well known, we still often find the victims of industry-shaking events saying “We should have seen this coming.”
Today, maps are apps that draw themselves as we go speeding down the highway. Apps alert us when we’re headed toward a problem. They tell us:
- “Take this exit to avoid the traffic up ahead.”
- “Be careful! There’s an accident (or police) just ahead.”
- “You have reached your destination.”
How do they do that?
They still use maps (including landmarks and known hazard areas), but they collect distributed data samples, and use machine learning algorithms to project the most probable picture of the real-time traffic map. As models get better, they will begin telling you what the traffic map will look like tomorrow.
This type of “predictive analysis” is the next evolution for cybersecurity. But today’s cybersecurity still does not address business risk.
Digital Risk Management is the Next Generation App for Business
Ransomware, for example, is not a brand-new problem. In fact, the Microsoft vulnerability leveraged by the May 2017 WannaCry ransomware outbreak was known and patched by Microsoft in short order. So why did the world wake up to industry-wide lockouts and upwards of 300,000 infected computers? And how did the U.S. Financial industry weather this storm and emerge without a single reported infection? Could they see the future? No, not really. But they were better able to anticipate the impact of their digital business decisions.
The answer lies in Digital Risk Management. In finance, the CEOs and Executive Boards have a better understanding of digital risks, because they are taking more ownership of them. There is a level of maturity due to the speed and nature of modern financial transactions, and an extensive regulatory environment that drives accountability for their digital decisions.
But any business should begin to look at their digital risks differently than typical “cybersecurity risks.” Ownership of the risks should lie with those motivated and empowered to make wide digital decisions.
With WannaCry, many businesses failed to take seriously the threat of ransomware. It wasn’t that they were unaware, but they didn’t have the context to understand how their digital decisions — to patch or delay, to stand up this or that digital service, to invest in a particular control — could result in tangible damage to the business. The CISO may have been able to show the value of these decisions … the morning after a WannaCry infection.
Having a map that draws itself for you enables you to see ahead and go faster.
You Can’t Fly a Rocket Ship With a Simple Map
In the case of digital business, we’re not talking about nautical ships. Digital businesses are rocket ships venturing into a risk universe at break-neck speeds. The stakes are higher, and the impacts of a digital risk can rise to the billions of dollars — leaving a company insolvent or leading to unrecoverable brand damage.
So, why are many businesses still using the equivalent of paper nautical maps (manually-updated static dashboards and inflexible frameworks) to navigate their rocket ships? To make wise risk-based decisions, businesses need maps that draw themselves in real time to reflect the real risk universe, where there are few boundaries between digital and business. The stakes are far too high.
They needed an app to alert them, “Ransomware, Dead Ahead!” and clearly show the future impact of making the wrong decision.
Businesses need the ability to see around the corner just far enough to decide to:
- Hit the brakes.
- Change Strategy.
- Carry on, full speed ahead!
“We never saw it coming,” or “we had no idea that was out there,” is no longer a sufficient answer to regulators, executive boards, and consumers.
Providing the Risk Picture to the Board
We know from history that the scenario you were planning for is not the one that cripples you. A human risk consultant can consider a discrete scenario, collect performance data, and estimate its likelihood and impact, this remains an expensive paper exercise, and only accounts for the risks the human knows about or can conceive.
Mapping a digital risk universe requires inhuman scale to consider every possible scenario and evaluate them at the speed of digital business.
If this seems like a daunting task, it doesn’t have to be. Unlike traditional cybersecurity — where practitioners strive for “zero hacks” or “360 degree coverage” — risk management needs only a “reduction in uncertainty” consistent with a company’s tolerance for loss.
Where most cybersecurity practitioners want good data or operational clarity, risk reporting can be directionally accurate rather than exact.
Going Boldly into the Digital Risk Universe
Seeing the full digital risk universe requires “seeing everywhere at once,” but it doesn’t require a massive technology deployment like yesterday’s endpoint intrusion detection approach. By leveraging next-generation machine learning and swarming algorithms, we’re able to collect a small sample of data from an organization, explore their digital risk universe, and provide a projection of the biggest risk exposures to business leaders, who are ultimately the ones accountable.
There are a lot of unknowns out there. But a change in course around how cyber and business leaders draw their maps can means they can go boldly into an ever-expanding digital risk universe.
To get in touch and learn how Emergynt can help you see into your digital risk universe, visit us at endsecurity.com.