
The Rising Significance of Risk Management


David Montague, Senior Vice President, Enterprise Risk & Security, Expedia Group
The increase in online personal data digitization, sharing and availability, combined with a surge in unintended data exposures, is leading to increased regulation, larger fines, higher costs and complexity in risk management for everyone.
While new regional and governmental compliance requirements aim to minimize risks and make it easier for consumers to manage their personal information, these directives (e.g., GDPR, PSD2, digital taxation, etc.) require increased scale and complexity, driving up costs. In some cases, the growing concern about how businesses use personal data is leading to entirely new ways of looking at the use of this data across the enterprise, as well as with other business entities.
At the same time, the rise in personal data breaches has led to more serious implications for breaches or non-compliance. Over the past 10 years, we have seen fines for security incidents increase significantly, including the recent case where a large tech company was fined five billion dollars for privacy violations.
Identity Theft Resource Center – Data Breach reports 2005–2018:
• https://www.idtheftcenter.org/images/breach/Overview2005to2016Finalv2.pdf
• https://www.idtheftcenter.org/2018-data-breaches/
• https://www.idtheftcenter.org/2017-data-breaches/
From a compliance standpoint, companies are more acutely aware that risk events can have a material impact from a profit and loss perspective, driving changes in both program funding levels and organizational structures.
In today’s highly data-driven business environment, it can be difficult to define exactly where your data ends and where business partners’ data begins. Many companies are delving deeper to better understand and manage the risks from a partner data breach, as it may put their brand at risk, in the news, or even on the hook for reporting to regulators.
The CISO role must evolve.
Simply put, we can’t be caught “running to stand still.” It’s not enough to manage to today’s known risks and regulations. The digital and platform economy is moving at an ever-increasing pace, and today’s CISOs need to be business-minded and able to anticipate the technology and security needs for risk management down the road. This strategic view keeps companies nimble, helping ensure they aren’t trapped in a reactive cycle of trying to manage to the new regulation or threat of the week, which can end up distracting and slowing down growth and innovation.
U.S. context – all references to privacy and data protection rules inside the U.S.:
• U.S. state legislation: IAPP – State Comprehensive Privacy Law Comparison, July 2019 - https://iapp.org/media/pdf/State_Comp_Privacy_Law.pdf
• US GLBA 2005: Federal Deposit Insurance Corporation – Final Guidance on Response Programs, April 2005 - https://www.fdic.gov/news/news/financial/2005/fil2705.html
• HIPAA HITECH: HITECH Act Enforcement Interim Final Rule, June 2017 - https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html
Global context – all references to privacy and data protection rules outside the U.S.:
• IAPP – Changing Global Data Breach Notification Laws: Regulatory Trends, November 2018 - https://iapp.org/media/wcr_pdf/WCR-CGDBNL-I.pdf
• Piwik Pro – 6 New Privacy Laws Around The Globe You Should Pay Attention To, July 2019 - https://piwik.pro/blog/privacy-laws-around-globe/
At the same time, it’s no longer sufficient to manage within the company confines. Businesses are part of a complex ecosystem composed of extensive vendor and partner relationships, alongside increasing compliance and regulatory requirements. It wasn’t long ago that vendor and partner security compliance was managed with a simple clause in a contract. Today, it’s much more cumbersome and challenging, requiring CISOs to understand and manage risks both inside the enterprise and across their partners and suppliers.
With the growing complexity surrounding privacy and utilization of personal data, it is a given that CISOs will face additional oversight and management requirements as companies reevaluate the role of user data in business operations. CISOs should expect to “manage” data differently than they do today. For instance, the California Consumer Privacy Act (CCPA) gives California residents the right to know what personal data is collected about them and whether it’s being sold or disclosed to other parties, among other things. GDPR requires companies to support and allow consumers to request to be “forgotten.” I expect we’ll see more and more of these directives across the U.S. and the world at large. Therefore, CISOs must stay abreast of the overall risk landscape, while remaining aware of the immediate threats, to ensure they are planning for compliance beyond what is just here today.
Prepare for the future, today.
Think big! With cybercriminals constantly developing new avenues to exploit enterprise vulnerabilities and the digital risk management landscape becoming more complex, CIOs need to move beyond current risk prevention strategies to adopt more proactive approaches, such as the use of Artificial Intelligence and data science for real-time detection and elimination of risks. At the same time, CIOs and CISOs must change their mindset and will likely be forced to understand compliance trends in their geography and across the globe to be effective.
Think small. From a personally identifiable information (PII) standpoint, today is the best time for CIOs to revamp their technology stacks and employ concepts around the segmentation, tokenization, and mapping of data to align it with their deployed technologies. In the vendor landscape, I expect to see solutions emerge that focus on applying techniques to ensure personal information is collected, stored, maintained and transported in a highly secure manner.
Looking ahead, an area that should be on your radar (if it’s not already) is the significant and rising risk of account takeover and credential management. Never forget, cybercriminals are constantly working your technology stack for weaknesses, from inside and outside your enterprise, and poor practices in these areas can fast-track their path to monetization.
As CIOs and CISOs, ensure you are solving the real business risks, not just meeting a risk management framework or regulation. Saying you were compliant when you have a breach won’t change the outcome, it will only change the credibility of your statement of compliance. The inherent ambiguity of policies, regulations and directives provides ample grey area to maneuver. Don’t get too comfortable in the grey zone. Today’s quick fix may lead to tomorrow’s fire drill. I make a habit of asking my leaders “are we secure?” If the answer is no, I ask “then what do we need to do to be secure? And, what are we going to do about it?” It’s simple, to the point, and grounds the group in the desired outcome versus checking the box.
Finally, make sure you are helping your team think big and small. Invest in capabilities that will allow your risk organization and company to leapfrog through regulatory and security demands for what they can become in the future, not just what they are today. What you do today to manage risk will not be what you’re doing two years from now – so, what is your plan?
