As companies continue to shift data and resources to electronic formats, a trend growing faster year over year, information and cyber risks move to the top of management’s priority list. This means that management must dedicate more resources (resources that don’t exist) to managing information risk. This shortage of human resources, combined with an exponentially growing digital attack surface, means companies must find new ways to effectively identify risks and allocate resources.
The Institute for Information Security and Privacy at Georgia Tech’s 2016 Cyber Threats Report noted these issues as two of their four key findings:
#2. Exponential growth in the Internet of Things over the past two years creates a larger cyberattack surface.
#3. The digital economy is growing more complex while a lack of highly trained security workers persists worldwide.
If these trends are accurate, the only solution is to assess and manage risk more effectively. In 2016, the companies that make progress on information and cyber risk management will be those that have sound methodologies to assess risks and allocate resources. In my mind, in addition to Georgia Tech’s four points, there are three additional areas of interest:
1. Enhanced Third Party Risk Management
The SaaS and cloud markets continue to experience massive growth as traditional companies shift away from managing information and technology in-house. For risk managers this trend creates a unique challenge: how do you manage processes which may impact all industries and all departments? Who is in charge of inventorying and managing third party risk when the entire organization is engaging in relationships with third parties? Going forward, management will have to implement processes to inventory, vet, and manage third parties on an ongoing basis.
2. Accurately Inventorying and Assessing the Attack Surface (Risk Assessment)
Given the growth in digitization, use of the cloud, and SaaS services, the digital attack surface is exploding. This highlights the need to implement an effective risk assessment process. I’ve written about that in detail, but here are a few key points:
- Identify business drivers and link them to business risk.
- Inventory third parties, applications, and digital assets. Link them to business drivers and risks.
- Implement risk tracking and analysis methods.
- Use data and automation to identify, manage, and remediate risks.
- Allocate resources based on risk (#3 below).
3. Effectively Allocating Resources to Risk Management Activities
Market trends indicate explosive growth in digitization combined with a massive shortage of information security talent. That combination creates a lot of risk for organizations that do not have an efficient plan in place. In the short term, the only solutions to this problem are, one, hiring consultants and, two, allocating in-house resources effectively based on the results of the risk assessment.
If you have questions about managing these challenges please let me know in the comments.