Each day, news headlines remind us that enterprises are rife with risk. In fact, per a recent survey, most CISOs in North America believe that data breaches are an inevitable hazard. More troublesome still, the risk landscape is changing so fast that risk leaders barely have time to ponder what their response strategy should be before their needs change once again.
The fact is, as digital transformation delivers useful and productivity-fostering innovations in many organizations, cyber criminals, too, are becoming faster, smarter, and more dangerous with technological advances. As organizations continue on their digital transformation journeys, one key security-related trend they need to consider is the growing convergence of information security and operational risk.
It used to be that enterprises treated these as separate elements. But that's changing, in large part due to the increased instrumentation and actuation brought about by the IoT, the automated decision making of machine learning, and the digital value exchanges made possible by blockchain. As a result, organizations can no longer think of information security and operational risk as two separate things.
Embed cyber resilience in business processes
After all, with digital transformation, IT no longer just supports the business; IT is the business. Consider an agricultural company that uses IoT sensors in its fields, fertilizer and sprinkler systems to keep crops fed and watered, and airborne drones to monitor it all. These systems need to cooperate with both each other and external systems.
Cyber resilience should be embedded into the business process to ensure that seas of sensors and actuators coordinate their responses as situations change. Patching a system or even a single sensor should not be allowed to create a cascading failure; otherwise, the company risks losing the entire crop—and the revenue associated with it. The line between information risk and operational risk has faded to the point where it barely exists.
In the past, most information risks could be adequately monitored and moderated by humans. But with the expanding scale of IoT implementations, that's becoming increasingly difficult.
While automation is the obvious solution, rules-based systems are too limited for today's world. These systems are good at spotting anomalies, but not so good at adjusting to in-the moment developments. Context will become increasingly important.
[ Special Coverage: RSA Conference 2019 ]
Unify digital transformation and security
The risk environment is changing rapidly. A strong approach to managing evolving risks requires that organizations stop treating information risk as a separate activity and instead unify their plans for overall digital transformation and security under a single, strategic initiative.
One way to envision what this means is to consider how weather forecasting is used to inform decision making. In the past, a company's operational risk teams might consult weather forecasts to coordinate supply chain logistics.
Now, however, the company's information teams must also get involved to consider how those same adverse weather conditions might affect, for example, cloud computing data centers. Sometimes, there's only a small opportunity to make an important decision—e.g., to move just-in-time workloads to lower-risk, higher-cost locations that aren't in a storm's path.
Foster resilience
As the weather example demonstrates, the best way to defend against threats is with a structured, enterprise-wide risk management strategy that has well-defined governance and policies.
The ultimate goal is to foster resilience in systems, to allow them to not only withstand natural disasters and malicious attacks, but to carry out mission-critical business operations if and when disaster—in any form—strikes.
There is certainly good news and bad news wrapped up in digital transformation efforts and corporate use of new technologies. But a strategic review of how the IT landscape is expanding—as well as careful preparation for what that means for security practitioners—should give leading-edge organizations more than a fighting chance to keep both the bad guys and the bad elements at bay.
Keep learning
Learn from your SecOps peers with TechBeacon's State of SecOps 2021 Guide. Plus: Download the CyberRes 2021 State of Security Operations.
Get a handle on SecOps tooling with TechBeacon's Guide, which includes the GigaOm Radar for SIEM.
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed on cyber resilience with TechBeacon's Guide. Plus: Take the Cyber Resilience Assessment.
Put it all into action with TechBeacon's Guide to a Modern Security Operations Center.
