Cyber risk management maturity during digital transformation is associated with stronger brand trust and reliability. Recovery from the disruptions of the COVID-19 pandemic has been slow and sporadic. Targeted and accelerated digital transformation initiatives can restore company stature and relevance by adjusting to reduced budgets, shifting resources to diversify revenues, and speeding up IT modernization to enhance digital resiliency.
Threatening to halt this recovery are the ever-increasing successful security attacks across industry verticals, notably sensitive information disclosures, phishing, ransomware, and routine system availability failures. Companies of all sizes are exposed to these threats, but few are equipped to respond rapidly. How prepared is your company?
Here is a list of fundamental cyber risk management imperatives for accelerating digital transformation recovery.
Delays in risk management decisions during a digital transformation rollout are often due to management misalignment on who is accountable for cyber risk. Companies should stop treating cyber risk as a technology function and realign it with the objective of improving timely and adequate response to security events. The constant discovery of security weaknesses and exploits by opportunistic threat actors during COVID-19 recovery makes this realignment even more critical and urgent.
Dismantling monolithic cyber security and compliance activities and replacing them with modular capabilities allows those activities to be distributed for optimal responsiveness and reduces friction between stakeholders. Program maturity can be improved constantly through continuous monitoring of security and compliance posture while keeping control volatility to a minimum.
Companies taking the fastest route to meeting business process changes during the COVID-19 pandemic are accumulating technical debt and thereby increasing their exposure to opportunistic threat actors. Rapid response to cyber security events while managing that technical debt requires complementing on-demand security assessments and risk management activities with security controls engineering, configuration assessments, and adaptive security monitoring.
Incorporating the security-by-design paradigm into digital resiliency initiatives speeds up recovery from COVID-19 by ensuring cyber risk analysts are not chasing irrelevant or non-contextual weaknesses. DevSecOps and Zero Trust Architecture concepts have proven to accelerate security and compliance considerations and should be applied during digital transformation recovery.
Cyber security controls for privileged users, defined as entities with greater entitlements than others, should be re-engineered from traditional multi-channel to omnichannel capabilities. Adopting enhanced user access controls, securing user relationships, and maintaining traceability of activities are the key facets in minimizing friction and transforming the customer experience.
A one-size-fits-all approach to cyber security controls, directed by an enforcement mandate, fails to account for dynamically changing user characteristics. Accelerated migration to the new normal will require that identity management and access control systems make rapid control decisions based on dynamic human and non-human (i.e., bot) attributes, including location, business operating timeframes, toxic access combinations, device type, and user type.
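As an added illustration that is not part of the original article, the following Python sketch shows how an access control decision can be computed from the dynamic attributes listed above (location, business hours, toxic access combinations, device type, and human versus bot). The allowed locations, business-hours window, entitlement names, toxic pairs, and the three decision tiers (allow, step-up authentication, deny) are all constructed assumptions for the example, not values from the article or any vendor product.

```python
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, List, Tuple

# Constructed policy values for illustration only (assumptions, not from the article).
ALLOWED_LOCATIONS = {"US", "CA"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))
MANAGED_DEVICE_TYPES = {"corporate_laptop", "managed_server"}
# Toxic access combinations: entitlements that must never be held together
# (segregation-of-duties pairs; names are hypothetical).
TOXIC_COMBINATIONS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"deploy_prod", "approve_change"}),
}


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    subject_type: str            # "human" or "bot"
    entitlements: FrozenSet[str]  # entitlements the subject already holds
    requested: str                # entitlement being requested now
    location: str                 # country code of the request origin
    device_type: str
    request_time: time


def within_business_hours(t: time) -> bool:
    start, end = BUSINESS_HOURS
    return start <= t <= end


def evaluate(req: AccessRequest) -> Tuple[str, List[str]]:
    """Return (decision, reasons). Decision is 'allow', 'step_up', or 'deny'.

    Hard denials (toxic combinations, bots on unmanaged devices) always win;
    contextual anomalies (location, off-hours, unmanaged human device) escalate
    to step-up authentication rather than denying outright.
    """
    deny_reasons: List[str] = []
    step_up_reasons: List[str] = []

    # Toxic access combination: the requested entitlement plus what the subject
    # already holds must not complete a segregation-of-duties violation.
    combined = req.entitlements | {req.requested}
    for combo in TOXIC_COMBINATIONS:
        if combo <= combined:
            deny_reasons.append("toxic combination: " + ", ".join(sorted(combo)))

    # Device type: bots are only trusted from managed hosts; humans on an
    # unmanaged device are asked to prove who they are.
    if req.device_type not in MANAGED_DEVICE_TYPES:
        if req.subject_type == "bot":
            deny_reasons.append("bot request from unmanaged device " + req.device_type)
        else:
            step_up_reasons.append("unmanaged device " + req.device_type)

    # Location outside the approved set is an anomaly worth verifying.
    if req.location not in ALLOWED_LOCATIONS:
        step_up_reasons.append("location " + req.location + " not approved")

    # Business operating timeframe applies to people; scheduled bots run at night.
    if req.subject_type == "human" and not within_business_hours(req.request_time):
        step_up_reasons.append("request outside business hours")

    if deny_reasons:
        return "deny", deny_reasons
    if step_up_reasons:
        return "step_up", step_up_reasons
    return "allow", []


if __name__ == "__main__":
    sample = AccessRequest(
        subject="alice", subject_type="human",
        entitlements=frozenset({"create_vendor"}), requested="approve_payment",
        location="US", device_type="corporate_laptop", request_time=time(10, 0),
    )
    print(evaluate(sample))
```

The point of the structure is that the decision is made per request from current attributes rather than from a static role assignment: the same person on the same account gets a different answer at 22:00 from an unknown country than at 10:00 from a managed laptop, and a toxic combination is refused regardless of context.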
Improving response time for cyber security events during digital transformation recovery can only be achieved by maintaining a practitioner-level understanding of cyber security controls and demanding their continuous monitoring. Security based on trust without verification impedes companies from achieving strategic objectives.
Whether systems are home-grown, hosted on-premise, or in the cloud, cyber security standards should be constantly updated to measure and maintain control effectiveness. Adopting standards should be non-negotiable for foundational cybersecurity controls, including timely patching, vulnerability assessments on updates and upgrades, privileged access management, adaptive authentication, encryption, and periodic backup.
The cyber risk management maturity journey during digital transformation recovery begins with justifying incremental cybersecurity investments by adopting modular capabilities that are distributed for optimal responsiveness. As the new normal is formalized, an effective cyber risk program implements contextual activities to constantly monitor controls, measures their effectiveness, and adapts to detect risk scenarios with full stakeholder transparency. There will be more implementation guidance on these imperatives as the recovery continues.
Vijay Vedanabhatla, MBA, CISSP, CSSLP is a proven leader with over 20 years of experience in cyber risk management advisory, cyber security program maturity, and security controls engineering. He is currently the Strategy Advisor for Entersoft Security. Vijay previously led the transformation of the Identity and Access Management, Data Protection Solutions, and Security Architecture and Engineering functions at United Parcel Service (UPS), a Fortune 500 logistics and transportation company.