The Rising Significance of Risk Management

David Montague, Senior Vice President, Enterprise Risk & Security, Expedia Group

The increase in online personal data digitization, sharing and availability, combined with a surge in unintended data exposures, is leading to increased regulation, larger fines, higher costs and complexity in risk management for everyone.

While new regional and governmental compliance requirements aim to minimize risks and make it easier for consumers to manage their personal information, these directives (e.g., GDPR, PSD2, digital taxation, etc.) require increased scale and complexity, driving up costs. In some cases, the growing concern about how businesses use personal data is leading to entirely new ways of looking at the use of this data across the enterprise, as well as with other business entities.

At the same time, the rise in personal data breaches has led to more serious implications for breaches or non-compliance. Over the past 10 years, we have seen fines for security incidents increase significantly, including the recent case where a large tech company was fined five billion dollars for privacy violations.

Identity Theft Resource Center – Data Breach reports 2005-2018

• https://www.idtheftcenter.org/images/breach/Overview2005to2016Finalv2.pdf

• https://www.idtheftcenter.org/2018-data-breaches/

• https://www.idtheftcenter.org/2017-data-breaches/

From a compliance standpoint, companies are more acutely aware that risk events can have a material impact from a profit and loss perspective, driving changes in both program funding levels and organizational structures.

In today’s highly data-driven business environment, it can be difficult to define exactly where your data ends and where business partners’ data begins. Many companies are delving deeper to better understand and manage the risks from a partner data breach, as it may put their brand at risk, in the news, or even on the hook for reporting to regulators.

The CISO role must evolve.

Simply put, we can’t be caught “running to stand still.” It’s not enough to manage to today’s known risks and regulations. The digital and platform economy is moving at an ever-increasing pace, and today’s CISOs need to be business-minded and able to anticipate the technology and security needs for risk management down the road. This strategic view keeps companies nimble, helping ensure they aren’t trapped in a reactive cycle of trying to manage to the new regulation or threat of the week, which can end up distracting and slowing down growth and innovation.

U.S. context – all references to privacy and data protection rules inside the U.S.:

U.S. state legislation: IAPP – State Comprehensive Privacy Law Comparison, July 2019 - https://iapp.org/media/pdf/State_Comp_Privacy_Law.pdf

US GLBA 2005: Federal Deposit Insurance Corporation – Final Guidance on Response Programs, April 2005 - https://www.fdic.gov/news/news/financial/2005/fil2705.html

HIPAA HITECH: HITECH Act Enforcement Interim Final Rule, June 2017 - https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html

Global context – all references to privacy and data protection rules outside the U.S.:

IAPP – Changing Global Data Breach Notification Laws: Regulatory Trends, November 2018 - https://iapp.org/media/wcr_pdf/WCR-CGDBNL-I.pdf

IWIK Pro – 6 New Privacy Laws Around The Globe You Should Pay Attention To, July 2019 - https://piwik.pro/blog/privacy-laws-around-globe/

At the same time, it’s no longer sufficient to manage within the company confines. Businesses are part of a complex ecosystem comprised of extensive vendor and partner relationships, alongside increasing compliance and regulatory requirements. It wasn’t long ago that vendor and partner security compliance was managed with a simple clause in a contract. Today, it’s much more cumbersome and challenging, requiring CISOs to understand and manage risks both inside the enterprise and across their partners and suppliers.

With the growing complexity surrounding privacy and utilization of personal data, it is a given that CISOs will face additional oversight and management requirements as companies reevaluate the role of user data in business operations. CISOs should expect to “manage” data differently than they do today. For instance, the California Consumer Privacy Act (CCPA) gives California residents the right to know what personal data is collected about them and whether it’s being sold or disclosed to other parties, among other things. GDPR requires companies to support and allow consumers to request to be “forgotten.” I expect we’ll see more and more of these directives across the U.S. and the world at large. Therefore, CISOs must stay abreast of the overall risk landscape, while remaining aware of the immediate threats, to ensure they are planning for compliance beyond what is just here today.

The inherent ambiguity of policies, regulation and directives provides ample grey area to maneuver. Don’t get too comfortable in the grey zone. Today’s quick fix may lead to tomorrow’s fire drill

Prepare for the future, today.

Think big! With cybercriminals constantly developing new avenues to exploit enterprise vulnerabilities and the digital risk management landscape becoming more complex, CIOs need to move beyond current risk prevention strategies to adopt more proactive approaches, such as the use of Artificial Intelligence and data science for real-time detection and elimination of risks. At the same time, CIOs and CISOs must change their mindset and will likely be forced to understand compliance trends in their geography and across the globe to be effective.

Think small. From a personal information (PII) standpoint, today is the best time for CIOs to revamp their technology stacks and employ concepts around the segmentation, tokenization, and mapping of data to align it with their deployed technologies. In the vendor landscape, I expect to see solutions emerge that focus on applying techniques to ensure personal information is collected, stored, maintained and transported in a highly secure manner.

Looking ahead, an area that should be on your radar (if it’s not already) is the significant and rising risk of account takeover and credential management. Never forget, cybercriminals are constantly working your technology stack for weaknesses, from inside and outside your enterprise, and poor practices in these areas can fast-track their path to monetization.

As CIOs and CISOs, ensure you are solving the real business risks, not just meeting a risk management framework or regulation. Saying you were compliant when you have a breach won’t change the outcome, it will only change the credibility of your statement of compliance. The inherent ambiguity of policies, regulations and directives provides ample grey area to maneuver. Don’t get too comfortable in the grey zone. Today’s quick fix may lead to tomorrow’s fire drill. I make a habit of asking my leaders “are we secure?” If the answer is no, I ask “then what do we need to do to be secure? And, what are we going to do about it?” It’s simple, to the point, and grounds the group in the desired outcome versus checking the box.

Finally, make sure you are helping your team think big and small. Invest in capabilities that will allow your risk organization and company to leap frog through regulatory and security demands for what they can become in the future, not just what they are today. What you do today to manage risk will not be what you’re doing two years from now – so, what is your plan?

Top Enterprise Risk Management Consulting Companies