Ask the Expert: Managing Risk through Digital Transformation, Part 1
Ken McPherson, CEO of Iceberg Networks, sat down with us to answer some of the top questions we hear from organizations about managing risk through digital transformation. The following is an edited transcript of the conversation.
Q: What kind of risks are posed by digital transformation?
A: Digital transformation is top of mind for many organizations. The latest prediction is that trillions of dollars will be spent on digital transformation. I think people need to step back and realize why that is. It’s because we’re moving to a digital economy, and companies and organizations are thinking “how do we drive new revenue streams?” and “how do we drive costs out of our operations?”
To do that, they are switching to digital. The issue that is really being overlooked is that you can’t do it safely if you don’t have a digital risk management program. The flip side is that if you have an active digital risk management program, you can make it an enabler for digital transformation, with the executives now being extremely confident and feeling safe about where you’re going.
Currently, GRC/IRM solutions have three particular use cases that can be very impactful, and they can be up and running very quickly to move a company down that path of digital risk management.
The first one, and probably the most prevalent, is around cyber risk. One of the biggest concerns is, could I get breached? Are we safe from cyber attacks?
There are two really impactful business cases in that area. One is around preventing it totally, having a strong vulnerability response program: the ability to make sure that you are patching the right things that are instrumental to the business and responding quickly to any type of vulnerability so the bad guys can’t even get in.
The other area of cyber is to prevent and quickly respond to a potential breach, which is Security Incident Response (SIR). This is a big use case that’s linking in the risk side of it.
I met with a CISO a few months ago, and the goal of their SIR program is “When an incident comes in, how do I immediately recognize what business unit or process it’s impacting?” and “Where is the incident occurring in the world? Subsequently, what regulation could I be exposed to? What kind of fines? What kind of exposure?”
When it comes to that incident, I can quickly prioritize it and make sure I’m responding to the most important ones as fast as possible to prevent damage. Cyber is a huge area of digital risk. If you get that going now, it can make a real impact and get you into that safer spot.
The second use case would be third-party risk. If you think back again about driving new revenue streams or driving costs out of supply chains: if I outsource, if I leverage the cloud, if I use third parties, I might be able to be more efficient, get things out the door quicker and drive out costs. Being able to understand what risks those organizations could bring to our organization, so that we are safe again, is critical. A lot of it is now realizing that if we tie it back to cyber, will they be accessing our network? Is there any exposure to our data by starting to leverage this third party and, therefore, are we protected? Putting in systems to quickly be able to gauge any third parties, to know if they pose potential risk and make sure those risks are mitigated, can help us enable and get to market quicker and improve time-to-value for some of those new services and revenue streams.
The third piece has come about from an important white paper that was written by the Bank of England around operational resiliency. It’s the recognition by organizations, or by the industry, that breaches are going to occur; therefore, how quickly can you get up and running again and protect against this? Around a whole business resiliency program, we’re seeing this more and more in digital transformation; it’s changing every piece of governance, risk and compliance. If you think of some of the new processes that are leveraging AI or machine learning, what is our new governance to manage that? How do we actually know where our risks are, and are we managing them properly? What kind of controls do we need to have in place? GRC itself is going through a bit of a digital transformation to be able to properly protect and take care of operational processes for organizations. All of these are use cases that, out of the box today, can help organizations deal with digital risk management now and go into digital transformation more confidently.