Digital transformation creates new security threats and increases the potential impact of cyber attacks. However, so far risk management hasn’t kept up with the pace of change, according to leading security executives and analysts.
The changes brought on by digital transformation mean it is now impossible to completely guard against security threats and digital businesses must essentially pick their poison in some cases. Rather than focusing only on prevention, the best defence now is an integrated approach to digital risk management and a “risk aware” culture, according to the experts Which-50 spoke with.
“Digital threats spread faster [and] go deeper from a business impact perspective than perhaps some of the old school or traditional elements of risk,” said Ben Desjardins, Vice President, Product Marketing, RSA Security, a cybersecurity firm with customers including Dell, Me Bank and Seek.
“As organisations move down a path of digital transformation they’re really creating the pathways for that deep business impact [of cyber attacks].”
The same requirements that drive digital transformation – open data, speed and agility – are also creating openings for bad actors to exploit, according to Desjardins, who told Which-50 organisations must now employ a more integrated approach to security and risk management to identify, prevent and contain cyber security threats.
The increasingly sophisticated and active threat environment also means it’s impossible to prevent all attacks, according to Desjardins.
“We live in a world today where security teams are overwhelmed. There is, by and large, a recognition that it’s impossible to keep every attack out. So we have to shift towards a focus that’s more balanced across protection but also detection and response.”
That capability is particularly important as tightening regulations leave companies few places to hide. Australia’s new Notifiable Data Breach scheme means organisations must now report significant data breaches to the privacy watchdog.
However, Desjardins expects the number of breaches actually occurring, not just the number being reported, is also rising.
“There are more attacks. They’re increasing in not just frequency, but severity and virility,” he said.
When breaches do occur the important thing now is for organisations to understand their impact and be prepared to respond to them, according to Desjardins.
“Nobody wants to be in a position of having to report out to regulators or the press or customers that they’ve been breached when they don’t have a good understanding of what actually happened. That’s a really bad position to be in.”
The integrated approach
Understanding risks, how to respond and how to prevent cyber attacks requires “integrated risk management”, Desjardins says, where risks are identified and considered across several functions of the business, rather than being seen through the lens of IT.
Research firm Gartner offers a similar assessment. During the Gartner Security and Risk Management Summit in Sydney yesterday, Earl Perkins, a Gartner Research VP, also argued that an integrated approach was necessary.
“It’s a team sport,” Perkins said of risk management in a digital age.
“Meaning that everybody, every particular department or division or section of the organisation [should be involved]… This is something that touches all of us because the risk will be shared.”
According to the Gartner analyst, so far risk management hasn’t kept up with digital transformation. That is a concerning trend, according to Perkins.
“If there’s any place where risk management is more urgently needed than even in the past it has to do with this accelerated rate of change and our ability to be able to manage it properly and take the right kind of risks.”
IT departments have tended to view risks through their own lens and often fail to recognise risks not directly involving information technology. But as digital technology reaches further across departments and solutions are increasingly procured by departments outside IT, that approach will not work, he said.
“Ironically the very tools we want to use in digital transformation age are making it more risky. And that’s why you need integrated risk management.”