It is no longer a matter of specific industries: More and more businesses are facing the challenges of digitization. Businesses across all industries are increasingly dependent on technology. Agile innovation is a must to gain a competitive advantage and stay ahead of fellow contenders. Time to market, innovation, user experience and growth are the main performance indicators for businesses active in the areas of the digital economy.
And for all of these companies and organizations the same holds true: Digital economy inevitably leads to digital risks at an equal if not larger scale. They are a reality and they need to be approached adequately. A constantly growing number of attackers target exactly these types of businesses. They range from well-funded, state-sponsored attackers to private attackers and act upon varying motives.
Agile Business and Digital Risk Management: What sounds at first like a complete contradiction turns out to be two sides of the same coin. Defining and implementing the right approach towards achieving these objectives, by choosing the suitable and adequate building blocks from a broad range of available methods and tools, is a sine qua non for every company’s digital strategy.
In parallel the area of IT-GRC is rapidly evolving. While the requirements (legal, regulatory, sector-specific and business-oriented) are constantly increasing, the product landscape is changing. Vendors are really creative in creating new terminology for technology, old and new. Analysts and journalists contribute to this by slicing the market into new segments and coining new terms. This makes it difficult for organizations to get a clear perspective on the market, the vendors and the functionalities provided.
But: No matter whether you call it IT-GRC or choose another term for describing this discipline, the core requirements in that area won’t change for a large group of organisations by changing a name. These requirements demand processes and an adequate organisation to make sure that IT reflects and implements enterprise strategies and pursues enterprise goals. The foundation for all deployed and implemented principles and guidelines are corporate policies, which need to be refined into actionable methodologies and controls.
Digital Risk Management is an essential part of IT-GRC (and it is in fact the R in GRC). It is focused on the threats and risks for enterprise information and the underlying IT systems processing them as they are implementing the full set of business processes. This in turn leads to the definition of a set of measures and controls which are adequate to reduce digital risks to an acceptable level by taking the value and the criticality of information at stake into consideration.
The development and definition of a comprehensive strategy for Digital Risk Management is a key challenge for the entire organisation. While the actual IT-GRC solution in the end will be implemented at a technological level through an IT-GRC platform, the overall risk management strategy has to be defined end-to-end and along the set of business processes.
The first important step is to understand the overall risks for an organisation. Embedding IT-GRC into an overall enterprise GRC effort is the key to getting to comprehensive and resilient Digital Risk Management processes.
This step typically goes beyond the scope of traditional IT-GRC and demands the involvement of an overall business GRC team (and thus the business itself). The integration of business processes and their individual requirements will inevitably lead to including requirements like “agility” and “time to market” in the overall set of an organisation’s objectives. And once this set of objectives is defined, it is clear that not achieving an organisation’s goals has to be considered a life-threatening risk for that organisation. By understanding those individual risks, their probabilities and their individual impact on the organisation, risks can be compared and prioritised. These in turn can be mapped to IT systems as the technological implementation of business processes, which will lead to a set of IT risks that need to be effectively managed as part of Digital Risk Management efforts.
Once IT-GRC is reliably embedded into an overall GRC strategy, the implementation of a modern approach towards IT-GRC is highly recommended.
Traditional risk management approaches focused on preventing risks. Forward-thinking organisations are looking into the implementation of a multi-phased approach:
- Prevent - Implementing and measuring appropriate controls for the reduction or mitigation of identified risks is of course still an important part of Digital Risk Management, but with changing IT landscapes and constantly moving security perimeters this is no longer sufficient.
- Detect - Substantial efforts have to be spent on the detection of actual incidents, as they cannot be completely prevented. Ideally this has to happen in real time to reduce the impact of an actual breach or incident.
- Respond - Preparing and implementing predefined responses are key tasks for identified risks and threats. The reaction time for a response is of course of highest importance, so relying on predefined measures for responding to actual threats is the basis for timely and complete responses.
- Recover - The process of “getting back to normal” is a crucial step in the aftermath of an incident and needs to be aptly prepared.
- Learn & Improve - Of course nobody wants to be hit by the same type of risk materialising again and again, so the integration of lessons learned from past incidents into the preventative measures has to be formalised as a constant improvement process.
Evolving the role of IT-GRC within the organisation as described above again goes beyond the scope of traditional IT-GRC. This requires on the one hand clearly defined tasks and responsibilities for the IT-GRC team itself. On the other hand, it requires well-defined interfaces to various teams and departments within the overall organisation:
Well-established integration with the overall enterprise GRC is required for potentially all phases. Detecting actual issues, threats and incidents requires interoperation with other teams within the organisation, for example the SOC (Security Operations Centre), existing SIEM (Security Information and Event Management) implementations and of course the incident management teams. The Respond and Recover phases require tight integration with operational teams, again with the incident management teams, and for worst-case scenarios communication with crisis management teams might be required as well. Converting experiences into policies, guidelines and controls can turn out to be the most complex part of the process, as it might involve many individual teams.
As an interim summary: IT-GRC is here to stay, but it has to evolve. Adapting to changing IT architectures, enterprise collaboration and business models will lead to far more active and proactive Prevent-Detect-Respond-Recover processes. Achieving this while keeping focus on core IT-GRC processes will require well-designed integration and interfaces with enterprise GRC, the business and the various other teams involved in the delivery processes.
Matthias Reinwarth is Senior Analyst at KuppingerCole focusing on Identity and Access Management, governance and compliance. He has consulted in the Identity Management sector since 1993. Based on a combined education in economics and IT, Matthias developed a strong background in Identity and Access Management including Identity and Access governance and compliance.
Matthias co-authored the first German book on directory services in 1999 and has acquired practical experience as an IAM consultant for more than 20 years. He has been successfully working in assignments across various sectors including media, government, financial, telecommunications, logistics and industry (e.g. chemistry and pharmaceutics). Matthias’ areas of expertise cover all major aspects of IAM including technology and infrastructure, data and entitlement modeling as well as IAM processes and governance.