How to Go Beyond Information Technology Security with Integrated Risk Management
The walls between digital and information technology risk and physical operations are dissolving. It is hard, if not impossible, to think of a single domain in which information technology has no effect on operations. Even with physical operations, new IoT technology takes previously offline infrastructure and firmly connects it to both the benefits and dangers of the internet. Without a responsive IT risk management system in place, the danger posed by exposing so many assets to the web can be catastrophic.
Monitoring IT risk and having insight into how the various parts of an organization’s IT systems are connected is critical to operational resilience. For example, the Colonial Pipeline ransomware attack did not directly affect the function of the pipeline. However, the company that operates the pipeline decided that until the extent of the cyberattack was known, the best course of action was to suspend pipeline operations.
Events like the Colonial Pipeline attack, as well as the global shutdowns due to the pandemic, have shifted thinking about IT and digital risk. Through our experience as industry leaders and our analysis of Archer customers in our 2020 Digital Risk survey, we found that nearly 75% of respondents expected their digital initiatives to accelerate due to the disruptions and shifts of the past year. To get key learnings on the convergence of digital and traditional risk, read our whitepaper “The State of Integrated Risk Management”.
The Current State of IT Compliance
IT security and compliance is often tied to IT risk management. In some cases, IT compliance helps with security like using NIST 800 standards when creating passwords. By complying with the strict NIST 800 standards for employee passwords, the risk of unauthorized access is mitigated.
There are other situations where an IT compliance solution does not offer any sort of risk management. Many IT systems utilize software and systems that can track issues through tickets, allowing for close monitoring of how problems are resolved. An IT ticket management system provides greater accountability for IT departments, but an IT ticket system needs to be tied to an integrated risk management platform to provide the greatest benefits to operational resilience.
There are many major information technology compliance standards published by private companies, non-governmental organizations, and governmental departments. Whether complying with COBIT, ISO 27000, or the European Union’s GDPR (1) , IT compliance on the Archer platform works seamlessly with IT security and risk management. Of the 1100+ deployments Archer has for IT and security risk management, more than 80% utilize compliance processes on the Archer platform.
Properly securing internal, third-party, or customer data not only increases operational resilience, but is becoming central to IT compliance. Many IT compliance standards provide strict guidelines and requirements for the collection and storage of personal data, and there are governmental regulations either already enacted or set to take effect that mandate higher data privacy standards. It’s projected that 65% of the world’s population will have its personal information covered under a privacy regulation by 2023, up from just 10% in December 2020 (2).
Third-Party Regulations and IT Risk
Regulators increasingly require organizations to perform extensive due diligence both when selecting a third party for a service, and the duration of the engagement with the third party. Treating the activities of third parties as an extension of the organization retaining their services is not only required in many jurisdictions, but for information technology services it is sound practice to mitigate risk.
The nature of information technology security issues makes third-party compliance particularly important. With physical goods or services, if a third party fails to properly secure their infrastructure, the damage or disruption to operations can be relatively easy to contain. A damaged or stolen shipment of goods could result in reduced capacity to operate but pales in comparison to the kind of disruption information technology security lapses can cause.
An IT security lapse by a third party can result in a cascade of IT systems being compromised. For example, no matter how conscientious the tens of thousands of organizations that used SolarWinds Orion software to manage their information technology stack were with IT security, they were susceptible to risk related to the SolarWinds’ security breach.
What Organizations Should Expect from their IT and Security Risk Management Vendors
More than 70% of Archer customers’ early-stage deployments target IT and security risk management use cases, reflecting the criticality of digital technology and data in achieving their business objectives, which is no surprise given RSA’s reputation for IT security. Risk between departments has become more tightly linked as digital transformation has allowed more and more operations to be controlled with the same systems. The digital transformation that has merged physical operations with information technology is driving the need for greater integration. Ideally, IT and security risks should be managed with the same tools used to manage other forms of risk. An IT and security risk management tool should be able to handle as many risk domains as your organization has to deal with. Most Archer customers don’t stop with one domain of risk, almost 80% of our customers manage multiple domains of risk on the Archer platform.
An IT and security risk management solution should offer real-time monitoring and reporting. The speed with which an attack or breach can compromise IT systems means that organizations need to be able to flag and monitor issues in real-time. Real-time monitoring tightens the loop, making it easier to address IT security and compliance issues before they become larger problems. But cyber attacks are only one part of the IT risk puzzle. Third party risk, resiliency, continuity and disaster recovery, compliance and a whole host of other risk categories affect an organization's overall technology risk profile.
Organizations should be using a risk management platform that allows for multiple risk domains to be tracked and managed with real-time reporting. An IT security and integrated risk management platform should drive operational resilience and growth. See how the right IT security risk management tools are protecting organizations and helping them expand in our industry report, “The State of Integrated Risk Management.”
(2) Focal Point Insights. Nine Data Privacy Trends to Watch in 2021. December 2020. https://blog.focal-point.com/the-9-data-privacy-trends-to-watch-out-for-in-2021