Previously, as the first in a two-part series, I shared a blog about Insider Risk management and its growing importance especially now when so many organizations are dealing with constant changes related to the pandemic. Remote work. Longer hours. Burnout. Use of unsanctioned tech. Cloud-based collaboration. Worn out security practices. These cultural dynamics along with the drive to innovate and work faster are introducing more Insider Risk to the people, technology and data needed to run a healthy company. Today, 89% of CISOs believe the fast-paced culture model of their organizations puts them at greater risk of data breach (Code42 Data Exposure Report 2019).
In this week’s follow-on blog, I’ll share some thoughts on how to tackle these Insider Risk challenges by applying Gartner’s integrated risk management (IRM) methodology to data governance, risk and compliance (GRC). It’s an approach that Code42 aligns with and one that will help you keep pace with collaboration without jeopardizing the safety of data.
A lesson from the National Football League
To start, let’s look in a not so obvious place. The National Football League (NFL). In a previous post, I used the analogy of the NFL. I talked about how the NFL’s pace of play is getting faster and faster; and how that speed poses more risks to the integrity of the game and the safety of the players. All of this has changed the way the game is refereed. Referring has evolved not only to keep pace with play, but also to manage the risks to the game and prevent harm to the players. We see the same paradigm when we look at the speed in which corporate cultures rooted in cloud, collaboration and remote work operate and the corresponding need to evolve data protection.
The massive move to cloud, collaboration and remote work — the very digital transformation 80% of organizations are driven to foster — fundamentally speeds the pace of business and with it new challenges managing risks to the organization and its data. As a result, progressive CISOs, like NFL referees, are evolving their security strategies from traditional compliance-first GRC approaches to a more integrated risk management approach.
What is integrated risk management?
Gartner defines integrated risk management as “a set of practices and processes supported by a risk-aware culture and enabling technologies, that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.”
In other words, integrated risk management is about mitigating the risks of culture by building and enabling a more security-aware culture. In order to understand culture, CISOs have to first understand the behavioral dynamics of the culture and the Insider Risks those dynamics introduce to the organization. We unpacked this idea and the related Insider Risks in the previous blog and go deeper in our new data security book Inside Jobs: Why Insider Risk Is the Biggest Cyber Threat You Can’t Ignore.
How to put integrated risk management into practice
According to Gartner, there are six core components to an integrated risk management methodology:
- Strategy: Enablement and implementation of a framework for effective governance and risk ownership with continuous improvement
- Assessment: Identification, evaluation and prioritization of risks
- Response: Identification and implementation of mechanisms to mitigate risk
- Communication and reporting: Tracking and informing stakeholders of risk response
- Monitoring: Tracking objectives, accountability and effectiveness of risk mitigation and controls
- Technology: The design and implementation of an IRM solution (IRMS) architecture
To understand the full scope of risk, Gartner recommends that security leaders address all six components. Code42’s approach to Insider Risk Management (IRM) makes this process easy. Here’s how our core capabilities map to Gartner’s framework.
Code42’s Insider Risk Management Approach:
- Identify – What is our data risk exposure?
- Define – What data risk exposure (exfiltration) is unacceptable for your business partners?
- Prioritize – When and where is unacceptable data exfiltration happening?
- Respond – How to automate remediation of an unacceptable exfiltration event?
- Improve – How to measure improvement in data risk exposure and why it matters?
A game plan for the future
Insider Risk is more dynamic and pervasive and largely hidden from the data protection systems we have in place today. It’s time we acknowledge that the era of command and control is over. It died the day cloud-based collaboration was introduced and that was more than five years ago.
As organizations build cultures rooted in speed, the more cloud-native, collaborative and unfortunately compromised the organization’s data becomes. It’s what we call Insider Risk at Code42 and to mitigate it, we must first understand how to manage it.
Taking an IRM approach to data governance, risk and compliance is one way to keep up with the pace of play while protecting the integrity of the game and the safety of the players.
More resources from Code42: