Ask the Expert: Managing Risk through Digital Transformation, Part 3
Ken McPherson, CEO of Iceberg Networks, sat down with us to answer more of the top questions we hear from organizations about managing risk through digital transformation. The following is an edited transcript of the conversation.
Q: What impact do you think COVID-19 has had and will have going forwards when it comes to digital transformation?
A: This is a very important question for all organizations to consider right now, regardless of your industry. We hear about it in the news, digital transformation has become even more imperative than ever because of the pandemic, because things have changed. Endorsing the digital economy has become a major priority. The use cases that we were already implementing for organizations around digital risk management are just as important, but now the urgency has picked up. In some cases, the scope has grown as well.
I’ll explain in all three cases. With respect to cyber risk, cyber attacks are up by 700% since the pandemic started. The bad guys didn’t go away or take a break because of the pandemic, it’s gotten worse. Organizations need to be in a position where they are protecting as well as possible and responding as quickly as possible. The pressure to get good vulnerability response programs that are effective, protecting the right crown jewels, protecting where key assets are so that you are safe has never been more important.
Under the Security Incident Response (SIR) use case under cyber risk, the ability to be able to prioritize extremely quickly on incidents that could have the biggest impact against your organization and responding quickly has never been more important than since the pandemic because of this increase in cyber attacks.
IT as well, with everybody working remotely now, the interest of cyber attacking remote users. If you don’t have the right security in place, that business impact has become really critical. Also, internal attacks within the organization. There has been much more of a focus around the entire cyber risk program for organizations since the pandemic.
The second one is the effect it has had on third-party (vendor) risk. Most organizations were already down the path of analyzing vendor risk but they never really thought about “are our vendors resilient?” and “can they work remotely?” or “can they provide products for us if we need it in our supply chain?” It has opened up a whole problem set for organizations to try to solve.
The other really interesting one that we have seen have an uptick because of the pandemic when it comes to vendor risk is the importance of concentration risk. I was at a CEO conference in February and the pandemic had just hit. The gentleman beside me was in a fencing business. All of his product options to source were from China. So, all of a sudden, his concentration risk where he had 3 different suppliers he could order from became a big issue because all of China was shut down.
You can also think of that from a technology standpoint. If you are using a cloud service and you realize that vendor is supplying three different services to your organization, if for some reason they can’t operate, you are now exposed. It’s really opened people’s eyes to the fact that it’s not just that first vendor, it could be the fourth- or fifth-party. Plus, this whole issue around concentration, in a specific area. We used to think of this in terms of natural disasters. If I buy all my product in California and there is a disaster, could I be exposed in my supply chain?
Now the pandemic has opened us up to different ways to look at concentration risk, so we are finding that particular program, vendor risk, has taken on a whole new meaning.
The final piece, probably the biggest one, and this is something that I think will actually come more into play this summer, is business resilience. Right now, most organizations are constrained to deal with and respond to the pandemic, but as we get through this and the threat of a second wave or other pandemics, organizations will have to review that business resiliency program.
It’s changed significantly from this and I’ll explain why. A year ago, if we sold a business continuity program, it was generally a set of assets. I need to do a business impact assessment against those, understand where my key values are, a business continuity program and business plans around that and then maybe if I’m really advanced, a crisis management system.
What the pandemic has done is opened our eyes that we were way under scope in the sense that we were looking at maybe specific assets or processes, but we never really thought about HR resiliency. What if someone gets sick and they play a key role in the company, or they can’t work remotely? Have we thought through that?
I talked about our third- and fourth-parties, are they resilient to be able to continue to help us deliver services if something like this happens? We also see the IT side and other areas being more focused now because of the pandemic, the scope of everything I have got to look at, that allows me to operate becomes much more critical. It has also put a focus on how it relates to each of my business units or my lines of business. This idea of a business resiliency program has taken on a whole new meaning.
I was talking to a Vice President of Business Resiliency at a big insurance company and she mentioned before the pandemic that she couldn’t get the ear of the executive. Now she can get a board meeting whenever she wants.
So, the other piece is, it’s top of mind for the board and the top executives, now we need to have a strong resiliency program. All of these are parts of digital transformation and your digital risk management program that is evolving due to the pandemic.