Former White House cybersecurity advisor French Caldwell offers tips for integrating business strategy and rising technologies into enterprise risk management programs.
As cloud computing, Internet of Things (IoT), and artificial intelligence (AI) gain prominence in the enterprise, tech and business leaders alike must reconsider risk management plans and how they impact business objectives, according to French Caldwell, a former White House cybersecurity advisor, former Gartner fellow and vice president, and current chief evangelist for MetricStream.
In the past, risk management meetings occurred quarterly or even annually, and ongoing monitoring was rare. That cadence is unwise now that emerging technologies and digital transformation efforts are underway at many companies, Caldwell said. "The risk to your current business initiatives changes over time," Caldwell said. "If you start a new business initiative, there are going to be new risks. You need to identify risks up front, but monitor those risks to your business objective on an ongoing basis."
The top drivers for governance, risk management, and compliance (GRC) investment are improving overall risk oversight, and new businesses introducing new risk, according to recent MetricStream surveys. "Back five years ago, neither of those would have been near the top of the list—it would have been regulatory compliance," Caldwell said. "But today, people want to make sure they have the right risk intelligence, and that they understand the impact of risk and regulations on investments in new business initiatives."
Accordingly, CEOs are increasingly involved with enterprise risk management today, Caldwell said. However, "there is often a disconnect between how tech leaders think and how business leaders think around things related to risk management and compliance," he added.
For example, consider compliance from the CISO's and the CEO's points of view. For the CISO, compliance is about making sure IT security controls are effective, that they are tested properly, and that the testing is documented in case of an audit. Business leaders, by contrast, often think of compliance as regulatory risk: the threat that new rules, or non-adherence to existing rules, pose to their ability to achieve business objectives.
"A lot of organizations are starting to get more mature around that—we see CISOs and CIOs looking at linking IT risk and controls to business objectives and processes, to demonstrate those links and eventual impact of those IT risks on those business objectives," Caldwell said.
Here are the top six technology trends identified in a recent MetricStream report that confront GRC professionals with new challenges:
1. The transition to the modern cloud and hyperconvergence
As cloud computing grows in popularity, the landscape is moving toward XaaS—everything as a service. This will transform business value chains, as data will be able to flow seamlessly and securely across different platforms and infrastructures. The transition will welcome a new era of risks, regulations, and governance requirements. "Companies will need to not only strengthen their focus on data privacy, security, and vendor management, but also improve the transparency of audits, legal, and regulatory compliance, while refining business continuity planning," the report stated.
2. Pervasiveness of artificial intelligence (AI)
The risk intelligence gathered from AI and machine learning platforms will lead to gains in performance management at many levels, according to the report. "GRC technology will need to evolve to keep pace with these expanding data sets and varied risks," the report stated. "Solutions will need to transform to help businesses manage risk and compliance effectively and pervasively across the organization."
3. Evolution of the Internet of Things (IoT)
With a predicted 20.8 billion connected devices in use by 2020, new GRC challenges abound. IoT developers often overlook security, with the Mirai botnet demonstrating how dangerous this can be. "If we are to truly benefit from IoT in the future, we need to think of new ways of securing these devices," the report stated.
4. Blockchain layering in GRC
The use of blockchain technology is growing across many industries. Future tech tools will be able to provide a way to connect to blockchain exchanges, providing governance over and visibility into data, according to the report. "Companies will be able to leverage blockchains to streamline the exchange of risk and compliance related information in real time, while also flagging discrepancies," the report stated.
5. The new economy
Businesses will drive the formation of new industries, as we've seen with the creation of Uber and autonomous vehicles. These new industries will require new regulations and governance requirements, the report noted, and GRC technologies will need to adapt to the changing landscape.
6. The new workforce
As workforces become more mobile, businesses will require new frameworks to deal with the risks and requirements in terms of security, authentication measures, infrastructure security, data encryption, and country-specific regulations, the report said.