Company leaders must make decisions continuously, and intuition is an important part of this management process, especially under the pressure of the cyber environment, which demands speed in those decisions. However, how far can we increase the amount of information we are able to analyze in order to reach a more precise decision, and how do we extract valuable data? We will share with you a way of thinking based on what technology contributes to support leaders in facing digital risk in the era of cybercrime.
From Intuition to Information: The Path to Digital Risk Management in the Era of Cybercrime
1. From Intuition to Information
The Path to Digital Risk Management in the Era of Cybercrime
Looking Around the Corner
@RSAsecurity
Miguel Angel Aranguren Romero
CISA, CISM, CGEIT, CRISC, CISSP, ITIL, COBIT, OSCP, DATA SCIENCE SP
APMG Certified Trainer CISA, CISM, CGEIT, CRISC
Latam RSA Archer Specialist
#ProtectionPeru2019
2. INTUITION
The ability to know, understand or perceive something clearly and immediately, without the intervention of reason.
It is an essential skill for making quick decisions.
3. A baseball bat and a ball cost $110.
The bat costs $100 more than the ball.
How much does the ball cost?
4. Information
Intuition must be fed with information to be effective.
Too much information causes analysis paralysis.
7. DIGITAL TRANSFORMATION
INCREASE IN DIGITAL RISK
INCREASE IN THE ATTACK SURFACE
MORE SOPHISTICATED ATTACKS
INCREASING PRESSURE FROM CUSTOMERS AND REGULATION
INCREASED BUSINESS IMPACT DUE TO THE GROWTH OF DIGITAL OPERATIONS
10. CEO / BOARD
MALICE, MANDATES, MODERNIZATION
? ? ?
RISK MANAGEMENT
IT
SECURITY
ENABLE INNOVATION & AGILITY
ENSURE RESILIENCY
BUILD TRUST
DEFEND the ECOSYSTEM
11. CEO / BOARD
? ? ?
RISK MANAGEMENT
IT
SECURITY
DIGITAL RISK
INSIGHTS
ACTIONS
VISIBILITY
12. RISK MANAGEMENT
SECURITY
IT
IDENTIFY RISK
ASSESS RISK
TREAT RISK
MANAGE RISK & OPTIMIZE YOUR BUSINESS
DIGITAL RISK
INSIGHTS
ACTIONS
VISIBILITY
MANAGE DYNAMIC WORKFORCE RISK
MANAGE PROCESS AUTOMATION RISK
SECURE YOUR CLOUD TRANSFORMATION
MITIGATE CYBER ATTACK RISK
MODERNIZE YOUR COMPLIANCE PROGRAM
COORDINATE BUSINESS RESILIENCY
MANAGE THIRD PARTY RISK
EVOLVE DATA GOVERNANCE & PRIVACY
INTEGRATED RISK MANAGEMENT
EVOLVED SIEM / ADVANCED THREAT DETECTION & RESPONSE
SECURE, RISK-BASED ACCESS & AUTHENTICATION
OMNI-CHANNEL FRAUD PREVENTION
ADVANCED RISK AND CYBERSECURITY SERVICES
13. ARE WE PREPARED TO MITIGATE THE IMPACT ON THE BUSINESS?
Cross lines of business and organizational boundaries to foster collaboration
Define and reinforce risk ownership through accountability
Consolidate data and enable risk analysis and visibility
Automate processes to be efficient
Digital Transformation:
Companies are increasingly digitizing their businesses so that users and things can connect to information and resources anytime and from anywhere, and with as little friction as possible.
More applications (on-prem, cloud, mobile) and more devices (BYOD) and IoT, as well as personalized “workspaces” to support the needs of an increasingly diverse workforce.
And while it feels like everyone’s favorite buzzword, the fact is “digital transformation” is critical to the success of modern businesses. And it’s no longer optional, but instead a prerequisite for remaining relevant in today’s application economy.
And while digital transformation means different things to different organizations (email may be transformative to some, while others define transformation as the use of artificial intelligence), the reality is every organization is facing some level of modernization that affects their risk profile – as sensitive information (company and personal) is increasingly spread across a countless number of applications, connected devices and cloud environments.
This results in less visibility and control for organizations and has made digital risk the largest facet of risk facing modern businesses.
Digital transformation in organizations is increasing digital risk.
Digital risk can’t be viewed as a simple “increase of risk” but an exponential factor applied to traditional risk profiles.
As organizations extend technology deeper into their day-to-day business operations, they introduce digital risk. Digital risk refers to unwanted and often unexpected outcomes that stem from digital transformation, digital business processes and the adoption of related technologies. These outcomes may include cybersecurity risk, third-party risk, business continuity risk, data privacy risk and others. These fast-moving and elusive outcomes may be more disruptive than the operational risks that businesses have historically managed.
In fact, many organizations are finding that as digital adoption accelerates, Digital risk has become the greatest facet of risk that they face, and therefore must manage.
While this gap seems intuitive, it is much deeper than a single dimensional view of the changing face of risk.
4 key problems organizations face with digital transformation that are creating more digital risk are:
Expanding Threat Surface
More sophisticated attacks
Increasing regulatory pressure and consumer demands for more transparency from organizations regarding their data
And…with more interconnected digital operations, the business impact due to a cyber attack is much greater.
SLIDE THEME: Digital risk is a multi-dimensional challenge that requires coordination between functions that are often siloed in organizations; Risks are found in the cracks between these functions.
Digital risk requires a new perspective.
[CLICK – GAPS]
The traditional, siloed approaches create ‘blind spots’ in understanding the true nature of risk as visibility is disrupted by the ‘cracks’ between functions. Organizations are missing key insights to drive actions that can make the difference in making the right business decisions.
Your IT team cares about the infrastructure, providing services to enable users and customers, and limiting downtime. They’re also tasked with modernizing over time, and keeping pace with technology innovations and changes such as BYOD, journey to the cloud, seemingly endless application patching.
Yet, as you implement these new technologies in your business, your attack surface is increasing – making your security team’s job even harder. Hackers and threat actors can access your network and cause severe disruption to your business. Many Security Operations Centers are finding it’s hard to keep up.
Meanwhile, your Integrated Risk Management Team focuses on meeting regulatory and audit needs and meeting the company’s changing risk requirements. More focus on data security and privacy, a shift from prescriptive requirements to assessment and outcome-based programs, and an emphasis on continuous compliance (for example, GDPR, the EU’s General Data Privacy Regulation) require an integrated approach to risk management.
These ‘blind spots’ highlight the struggle companies face today to operationalize the integration between IT, risk management functions and cyber/IT security operations.
[CLICK – CONVERGED ARROW]
As your digital adoption expands, these three groups MUST converge into a combined force to manage risk. This is where the challenge lies in many organizations.
SLIDE THEME: The new objectives of risk management require Visibility, Insight and Action across these functions.
As the forces of Modernization, Malice and Mandates place increasing pressure on your IT, security and risk management teams, each function is focused on its own priorities. Digital initiatives affecting business are diverse, and agility, precision and priority are the keys to managing risk today as organizations absorb the new digital operations. The success of a digital risk management strategy depends on breaking down the walls between traditional risk and security functions to ‘future proof’ the organization’s tactics. However, many organizations lack the cohesive approach and technology strategy to enable this transformative shift.
Your CEO and board are now asking some questions they might not have asked before, such as: “How are we going to drive innovation?” or “How do we move faster in the market AND avoid a data breach, a business disruption or a compliance failure?” Silos will make answering these questions more difficult. It isn’t just about protecting the company’s assets.
[CLICK - OBJECTIVES]
Today’s risk management strategy must simultaneously:
ENABLE INNOVATION & AGILITY: Your business must be comfortable to embrace risk & aggressively pursue market opportunities. To do that, organizations must identify and address risk associated with the use of emerging or disruptive technology in transforming traditional business processes, products and business models;
BUILD TRUST: Your business must also build trust in several ways. Your customers must trust you with their data. Your business must trust the data your digital initiatives are producing.
DEFEND the ECOSYSTEM: Business today demands an open, yet controlled, blend of traditional and emerging business tactics. Organizations must manage the ongoing risk as the transformed business operations are absorbed into the organization fully, i.e. the new model becomes the normal model of doing business.
ENSURE RESILIENCY: Today’s always on, always there expectations – from your employees to your consumers to your business partners – demand a highly resilient and secure digital AND business infrastructure.
*********** ADDITIONAL COMMENTARY **********
Every organization is approaching the risk, security and compliance needs of the new business landscape in some manner today. Most often, these challenges are met through various silos within the organization. Functions like IT, Security, fraud management, Legal/Compliance, Audit, Business Continuity and Risk Management implement their own processes to identify, assess and monitor their respective risks and apply controls as necessary. While these silos may be meeting the needs within their individual domains, the true risks are found in the ‘cracks’ between these programs.
However, today’s digital world is requiring a new strategy:
Risk based approaches to prioritize based on business context are absolutely fundamental to align efforts and balance the upside and downside of digital opportunities. This highlights the need to apply risk based strategies that take into consideration both the likelihood of negative events and the impact of those events. It also stresses that there is an upside to risk taking – as long as the organization is aware of the risks involved and can adjust (be proactive) in managing the risk. (Foreshadowing of convergence of risk and security)
The existing adages of risk and security still hold true. However, the complexity of digital operations is straining traditional approaches. A transformative shift must take place. A transformative approach is required that breaks those silos down and works through the problems (achieving the objectives) in an integrated fashion. One that takes a wider view of the risk your business faces, and cuts through silos and unneeded complexity. (Foreshadowing of the Solutions approach)
None of this takes place overnight. Your strategy must be executed one win at a time combining processes and skills with the emerging technological advances in risk and security management. (Foreshadowing of the services/expertise we bring with the technology to back it up)
SLIDE THEME: The new objectives of risk management require Visibility, Insight and Action across these functions.
The keys to managing digital risk are:
Gaining the broadest VISIBILITY so you can be sure that you have the right information and business context.
Drawing INSIGHTS to understand what is really happening – what seemingly unconnected events may be related and warrant attention.
You can prioritize your response, based on the value of assets and potential losses. And then take ACTION, wherever needed, automating responses where appropriate, and allowing your people to focus on what matters most.
RSA takes a transformative approach to digital risk management that takes a wider view of the risk your business faces, and cuts through the silos (blind spots) and unneeded complexity. (Note elimination of silos and connecting arrows between IT, security and risk management)
SLIDE THEME: RSA solutions provide the VIA through a combination of products and services that target the most crucial areas of DRM to give you the most value from your investment.
When you have the visibility, insights and action aligned across your IT, Security and Risk functions, you can put in motion the right people, processes and technologies to:
IDENTIFY risk
ASSESS risk
TREAT risk.
Since digital risk has many dimensions, we believe that the best place to start is to determine an area of focus, perhaps one that has emerged from executive questions or from new risks arising from digital investment, and to implement these steps (Identify, Assess, Treat) in a well-rounded strategy.
So how do organizations get started with Digital Risk Management? At first glance it may seem a bit daunting, requiring encompassing changes that may be too ambitious, too disruptive, or simply take too long.
[CLICK – Solutions build]
RSA Business Driven Security solutions target key areas of managing risk that help protect your organization (negative side of risk) while enabling innovation (positive side of risk) within your digital strategies. RSA can help you:
Manage process automation risk as your digital strategies unfold by supporting your operational risk program;
Mitigate cyber attack risk threatening your digital business, your customers, your brand and your critical assets
Modernize your compliance program towards continuous compliance (an ongoing, programmatic approach) to meet today’s regulatory challenges;
Manage the risk of the dynamic workforce as your organization adapts to the new paradigms of employee expectations, skills and needs;
Manage third party risks as you build a hyper-connected and expanding business ecosystem;
Secure your cloud transformation as you move operations to new technology architecture;
Coordinate business resiliency to safeguard your digital operations against a wide range of events; and
Adapt your data governance and privacy controls to protect your key information assets.
[CLICK – PRODUCTs]
RSA is unique in our ability to deliver solutions achieving this objective as our products help you:
Converge risk management and security disciplines to collaborate across functions, build efficiencies, leverage processes and data and execute on a cohesive strategy to enable and protect your business.
Address the identity and fraud management processes necessary to enable the massive increase in users while protecting the data and transactions within your evolving digital operations
Leverage our experience across the spectrum of security and risk management to target the most impactful areas related to your digital transformation and get you on the right path to manage digital risk from the start.
[CLICK – PBOs]
For organizations pursuing ambitious digital initiatives, RSA’s unified, phased approach to managing digital risk helps you focus your investment in the right areas to thrive and continuously adapt to transformational change and drive value. We help your organization take a strategic approach to identify, assess and treat risk to not only manage your risk, but optimize your business.