
Security Think Tank: Risk is unavoidable in digital transformation

How can security professionals help their organisations move from traditional governance, risk and compliance to integrated risk management that integrates risk activities from across an organisation to enable better strategic decision-making?

The information security function has come a long way over the past couple of decades. Many organisations now have a team – or even teams – of people responsible for managing the security controls necessary to prevent, detect and respond to security incidents and breaches.

As the information security function evolved, it took inputs top-down – security governance driven by organisational governance, security risk driven by organisational risk, and compliance driven by the compliance function. More recently, however, the evolution of the enterprise via digital transformation means that a more integrated approach to risk is required today.

Handling new risks is a consequence of expanding digitisation. The need and ability to manage risk does not cease at an organisation’s boundaries in this increasingly connected world.

Ignoring or blocking the opportunities presented by digital transformation is not a practical option for information security functions. Digital risk is an “essential”, inasmuch as an organisation must take risks if it is to move forward: the most risk-averse organisation could avoid digital transformation altogether, but it would then be likely to lose its edge over competitors or to provide a poorer service to citizens.

To be sufficiently effective and efficient, the ability of organisations to discover, manage and mitigate digital risk requires greater integration between internal functions – particularly governance, risk, compliance and security – as well as across the partners that supply or underpin many of the newer technologies being exploited.

Recent research from Ovum revealed that organisational approaches to handling and addressing digital risk vary widely. It is clear, however, that a range of functions are involved in determining digital risk.

“To be sufficiently effective and efficient, the ability of organisations to discover, manage and mitigate digital risk requires greater integration between internal functions”
Maxine Holt, Ovum

As such, integrating risk management to enable joined-up and better strategic decision-making requires the appointment of someone responsible for organisational digital risk – a digital risk officer (or similar). This will be a big step forward, as surprisingly few organisations have someone in this role.

Furthermore, a team under the remit of the digital risk officer should be created to address the risks of digital transformation projects – knowledge is needed from across senior risk, compliance, IT, technology, legal, audit and cyber security staff. They will all be able to contribute towards one of the key goals – establishing a central risk taxonomy to enable the understanding of individual risk types to be common throughout the organisation.

Information security professionals cannot – alone – drive integrated risk management. This must be the result of key sponsorship and ongoing involvement from the C-suite.

However, business-focused information security functions can represent and communicate the need for integrated risk management to those who can change the organisation’s approach. A joined-up approach to risk management enables organisation-wide risks to be prioritised and addressed according to enterprise need – which is unique to each establishment.

The benefit? Improving the business alignment of the organisation’s security posture – an imperative.

Read more from Computer Weekly’s Security Think Tank about integrated risk management
