(Authored by Steve Schlarman, Portfolio Strategist, RSA)
It was Mark’s big shot. He finally had a meeting with Sharon, the CIO. Her schedule was so busy it was legendary, and for her to spend time with a risk analyst was a clear indicator she recognized the new challenges facing their company. Although he only had 15 minutes, Mark was prepared – notepad at the ready, brimming with nervous energy. After some brief chit-chat he got down to business – ready to drill into a conversation about their company’s biggest obstacles; the most impactful concerns; the top-of-mind issues; the coup de grace that could spell disaster for the organization. He took a deep breath and went to his big money question… ‘So, what keeps you up at night? What are you worried about?’
Sharon beamed. She spun around to her whiteboard and spewed a litany of projects fueling their company’s digital transformation – an IoT project, the Salesforce.com implementation, a massive VMware migration and their hybrid cloud, the new employee work-at-home program, the impending customer mobile portal…
While that question got Sharon started, let’s think about this a bit differently.
With all the benefits the new digital world offers, there are a host of risks that must be managed. The major areas of risk remain the ‘usual suspects’ such as security, compliance, resiliency, inherited risks from third parties and operational risk. However, digital business amplifies uncertainty for organizations today. For example:
Digital business, by its very nature, increases the threat of cyber incidents and risks around your intellectual property and customer data.
The expanded connectivity and expectations of the ‘always on’ business stress the importance of resiliency.
Business has evolved into an ecosystem of internal and external services and processes leading to a complex web of ‘inherited’ risks.
The disappearing perimeter and digital workforce are challenging how organizations engage their customers and employees.
Factors such as these are why digital initiatives are forcing organizations to rethink and increasingly integrate their risk and security strategies.
The objective for today’s risk professional is not just about defending against the bad. Just like Mark, discussing with Sharon the parade of initiatives that clearly impact their company’s future, you must be ready to help usher in a new age of digital operations. Merely riding the buzzword wave – IoT, social media, big data analytics, augmented reality… – is not enough.
You must look at opportunities to enable innovation in your business while building trust with your customers and throughout your enterprise. Your business must be comfortable with embracing risk and aggressively pursuing market opportunities offered by new technology. To do that, risk associated with the use of emerging or disruptive technology in transforming traditional business processes needs to be identified and assessed in the context of fueling innovation. You also must keep focus on the negative side of risk. Your business today demands an open, yet controlled, blend of traditional and emerging business tactics. You must help manage the ongoing risk as these transformed business operations are absorbed into the organization fully, i.e. the new model becomes the normal model of doing business.
Risk is, by definition, uncertainty. Everyone is concerned about uncertainty in today’s world. However, if we go back to the simple equation (risk = likelihood * impact), risk should be something we can dissect, understand, and maybe even calculate. While you are helping your organization embrace the advantages (positive risk) of technologies like IoT, data analytics, machine learning and other emerging digital enablers, the volatile, hyperconnected nature of digital business amplifies the negative side of risk. It is anxiety about the unknown that leads us into that executive conversation, but it shouldn’t lead to worry.
Worry is about fear. Your executives shouldn’t be afraid in today’s world. They should have informed concerns. And you – as the security or risk person in the room – should be feeding insights to raise their visibility of the likelihood of events and diminish their distress about the negative impacts. Risk is part of riding the waves of business opportunities.
Risk is not something you should WORRY about… it is something you should ACT on.