
Risk Management: A Look Back at 2013 and Ahead to 2014


Written By
ITBE Staff
Dec 11, 2013

According to Yo Delmar, vice president of MetricStream, 2013 has been witness to extraordinary change. We are living and doing business in an increasingly global, mobile, social and Big Data world, fraught with new risks and complex regulations. As such, individuals and organizations are struggling to keep pace.

In response to greater uncertainty, complexity and volatility throughout 2013, we’ve seen increased convergence and alignment amongst internal teams, including IT, security and the business. As a result, organizations are better poised to provide the context for communicating risks. We’ve also seen the business ecosystem evolve to include geographically diverse vendors and third parties, and as a result, organizations must continue to view these entities as part of the organization itself, and manage them in a more tightly integrated way.

Organizations have also moved away from doing IT and security operations on an ad-hoc basis, taking on a formal and structured approach that is more aligned with business priorities. Lastly, 2013 saw the continued emergence of new and innovative online, wireless and mobile technologies, requiring organizations and IT departments to get ahead of the bring-your-own-device (BYOD) trend, especially as employees continue to move away from corporate devices with some personal usage, to personal devices with significant corporate usage.

It is important that we reflect on some of these key trends in 2013, especially as we look ahead to 2014. The year ahead will require even stronger risk management, with an increased focus on leveraging social media to drive situational awareness. Organizations will need to focus more of their efforts on continuous monitoring, also leveraging security and risk analytics based on IT and security Big Data.

Organizations that focus their efforts in a thoughtful, methodical and analytical way will be poised to keep pace, and stay ahead of change and complexity in order to drive strong business performance and sustainable value to the organization and its key stakeholders.


Click through for a review of key risk management trends from 2013 and a look ahead at 2014, provided by Yo Delmar, vice president, MetricStream.


Growing convergence among IT, security and the business: The landscape of risk and compliance continues to evolve, as organizations are asked to manage their IT risk and compliance activities far beyond that of basic audit and compliance requirements of the past. As new technologies bring their own set of unique risks, there is a growing disconnect among internal audit, security, compliance and the business on what it means to build, manage and lead a truly safe, secure and successful business.

As a result, we are seeing more focused efforts when it comes to getting these groups on the same page by building a common risk language, as well as a discussion framework to enable cross-functional collaboration. Doing so can set the context for communicating risks in a way that drives more effective governance and decision-making across the board of directors, executive management team and each respective business function.


Focus on managing third-party IT and security risks: Organizations have become even more hyper-extended, and are relying more extensively on third parties, including cloud-based service providers, which form part of their business ecosystem, hold sensitive or regulated information, and run critical business processes. Today, organizations can’t afford to ignore these third parties. Lack of strong oversight can result in a security breach or service disruption that can have significant business and reputational impacts on the organization. In 2013, we saw organizations become more proactive in managing their third-party risks, and ensuring that all of their third-party managed data and operations are available, compliant and secure.


Movement toward risk-based security operations management: 2013 saw an increased shift from doing IT and security operations (secops) on an ad-hoc basis, to a more structured approach that is becoming more truly aligned with business priorities. This level of risk-based security management (RBSM) allows secops teams to effectively communicate the context of security risks to senior management, as well as enable a risk-based prioritization of security initiatives to make the most effective and efficient use of resources. 


Bring your own device (BYOD) and mobile device risk management: More and more critical businesses and operations are supported by online, wireless and mobile technologies. We are seeing employees moving away from corporate devices with some personal usage, to personal devices with significant corporate usage. The threats that come with this trend include possible corporate data leaks, device thefts and misuse.

Corporate IT departments have begun to understand, plan and build strategies around mitigating and managing these risks so that the benefits of BYOD can be realized. This requires more robust corporate policies, tighter controls in the context of controlling applications and data, and defining user behavior. While many organizations have secured the data on the device, they have not secured the physical device itself. Lingering questions surrounding personal privacy infringement have yet to be answered.


Focus on continuous monitoring in risk management: Security and IT teams understand that near real-time monitoring of threats, vulnerabilities and potential exposures is becoming table stakes for effective risk management. Many regulations and standards, such as PCI DSS 3.0, ISO 27001, ISO 22301, NERC CIP 5 and NIST CSF, have been and will continue to be updated with more effective approaches to risk management, based on continuous monitoring. Security and compliance teams need to be prepared for these updates, not only with technologies, but also by driving processes and people skills to another level of maturity in order to effectively implement these new lines of defense.


Security and risk analytics based on IT and security Big Data: Security analytics and metrics are as important to the business as any other key performance indicator such as liquidity, cash flow, or growth in sales or revenue. In 2014, boards of directors and executive leadership teams will demand that key security analytics and metrics be included in the operational risk portfolio. This will put the onus on security teams to provide the analysis and insights that give management the risk intelligence they need to drive better performance.


Leveraging social media to drive situational awareness: Security and business continuity management teams will continue to tap into the power of social media to learn from, and respond more effectively to, unfavorable incidents. Technology solutions can provide the capabilities to mine social media feeds, and to provide crisis updates from a variety of sources such as Google Crisis Maps, Twitter, Facebook and more. This social media intelligence can be further correlated with organizational assets and risks to determine the impact of a crisis on the business. Pre-designed workflows can be triggered based on this analysis in a way that best manages the financial, operational and reputational impact of the incident.
