Digital Transformation and Risk Management Must Go Together
The recent PwC 2022 Global Risk Survey gives a glimpse into what senior leaders think about their business efforts. The report opens with some expected highlights worth repeating: change is increasingly fast and disruptive; the COVID-19 pandemic caused disturbances in the labor and supply markets; geopolitical risk is on the rise; and new regulations, including an increased emphasis on risk, audit…
In view of these issues, digital transformation and risk management are more important than ever. What’s the difference between them, if any? In fact, they are much more closely linked than their names suggest.
Can digital transformation happen without risk management? In a word: yes. Whether that is a sound business decision is a different matter. As we noted before, strengthening an organization involves many different puzzle pieces, but those pieces share connective tissue: the risk assessment.
You see, a strong risk management program gives an organization a sober and clear-sighted approach to its decisions:
These simple examples illustrate that at the heart of any strategic issue, there is some underlying risk issue, too. And, as we previously saw, program maturity and posture will be driven in large part by the organization’s risk appetite. Running a digital transformation strategy is no different.
You have probably seen a ‘heat score’ matrix in your professional travels. They are color-coded grids that translate a qualitative judgment of likelihood and impact into an ordinal score, used to make quick decisions. In the heat of the moment – for example, during an incident response or crisis management scenario – these matrices are excellent tools. They don’t work as well for strategic planning, though: because the scores are ordinal bands rather than measurements, two risks can land in the same cell while their expected losses differ by an order of magnitude, and the cell color says nothing about what it would cost to treat either one.
Complex problems do not always require complex solutions. In fact, simple solutions are likely best, with the caveat that difficulty and complexity could come with implementation. For example, I know I need to go from point A to point B (the simple solution that gets me out of my complex problem), but going on that journey may be very difficult.
Remember, decision-makers do not have the time, and perhaps not the patience or tolerance either, to navigate a complex or over-engineered solution. A board or C-Suite may need core questions answered, such as:
They want to know the shape of the journey (point A to B), not every pit stop along the way, even if prudent planning requires mapping those stops. In the end, the question is: “If we undergo this digital transformation route, what are the risks and returns from the investment?” Digital transformation and risk management are connected, so we need a basic framework to tackle the complex problem.
So, what can we use for strategic planning? We already have a good primer. Here is a recap:
As basic as these steps may appear on the surface, they are deep and loaded with intricacies. For example, you will have technical challenges, such as defining your disaster recovery capabilities pre- and post-change. Or, you may need to assess whether deploying 5G/edge solutions, or adopting artificial intelligence, is right for you.
Then, there are non-technical challenges that will require your chief information security officer to bring their best game. Technical and non-technical staff will be forced to speak a common language, almost always dollars and cents.
And there is one of the keys to success: commonality. In order to make sound decisions, you need to trust people are talking apples to apples.
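The two points above, that heat-map scores lose information and that strategy decisions get made in dollars, are easy to see side by side. The following is an added illustration, not code from the article or from any risk program: it scores two constructed transformation scenarios on a 5x5 heat map and then in annualized loss expectancy (ALE = SLE x ARO) and return on security investment (ROSI), the standard quantitative-risk formulas. The band thresholds, the two scenarios, their loss figures and the hypothetical control are all assumptions made up for the example.

```python
"""Heat-map score versus dollar-denominated risk for two transformation
scenarios.  Added example: every figure, band threshold, scenario and
control cost below is constructed for illustration and is not taken from
the PwC survey or any real program.  ALE = SLE x ARO and
ROSI = (loss avoided - control cost) / control cost are the standard
quantitative-risk formulas."""
from dataclasses import dataclass

# Ordinal bands such as a 5x5 heat map uses: (inclusive upper bound, score).
# Thresholds are assumptions for this example.
LIKELIHOOD_BANDS = [(0.05, 1), (0.2, 2), (0.5, 3), (0.8, 4), (float("inf"), 5)]  # events per year
IMPACT_BANDS = [(10_000, 1), (100_000, 2), (1_000_000, 3), (10_000_000, 4), (float("inf"), 5)]  # $ per event


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float  # single loss expectancy: dollars lost per event
    aro: float  # annualized rate of occurrence: events per year


@dataclass(frozen=True)
class Control:
    annual_cost: float  # dollars per year to run the control
    aro_reduction: float  # fraction of the ARO the control removes, 0..1


def band(value: float, bands) -> int:
    """Map a continuous value onto the first band whose upper bound it does not exceed."""
    for upper, score in bands:
        if value <= upper:
            return score
    raise ValueError(f"no band for {value}")


def heat_score(s: Scenario) -> int:
    """Likelihood band x impact band: the number a heat map would colour."""
    return band(s.aro, LIKELIHOOD_BANDS) * band(s.sle, IMPACT_BANDS)


def ale(s: Scenario) -> float:
    """Annualized loss expectancy in dollars."""
    return s.sle * s.aro


def rosi(s: Scenario, c: Control) -> float:
    """Return on security investment for applying control c to scenario s.
    Negative means the control costs more per year than the loss it avoids."""
    residual = ale(s) * (1 - c.aro_reduction)
    return (ale(s) - residual - c.annual_cost) / c.annual_cost


def compare(scenarios, control):
    """One row per scenario with the heat-map view and the dollar view side by side."""
    return [
        {"name": s.name, "heat": heat_score(s), "ale": ale(s), "rosi": rosi(s, control)}
        for s in scenarios
    ]


# Constructed sample input: two options a board might be asked to fund.
SCENARIOS = [
    Scenario("Legacy ERP outage during migration", sle=60_000, aro=0.4),
    Scenario("Customer data exposure via new edge API", sle=900_000, aro=0.15),
]
# A hypothetical control priced the same for both and cutting likelihood by 75%.
CONTROL = Control(annual_cost=40_000, aro_reduction=0.75)

if __name__ == "__main__":
    for row in compare(SCENARIOS, CONTROL):
        print(f"{row['name']:<42} heat={row['heat']:>2}  ALE=${row['ale']:>9,.0f}  ROSI={row['rosi']:+.2f}")
```

Both scenarios land in the same heat-map cell (score 6), so the matrix ranks them as equal priority. In dollars they are not: the ERP scenario carries about $24,000 a year in expected loss and the same $40,000 control has a negative return there, while the data-exposure scenario carries about $135,000 a year and the control returns roughly 1.5 times its cost. That is the apples-to-apples comparison a board can act on, and the information the colored cell discards.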
There are some great industry frameworks out there – such as NIST SP 800-30 (risk assessment), NIST SP 800-34 (contingency planning) and ISO 22301 (business continuity management) – which cover risk management and business continuity. Whichever framework you have deployed, there are a few things that need to happen in order to be successful:
Common understandings are the key. The benefits are considerable when they exist, and the consequences downright painful when they do not. Your staff and decision makers can get stuck on trying to make sense of what ‘risk’ means. Definition and precision will prevent that.
In closing, digital transformation can happen without risk management, but it is risky. Conversely, if your risk management program isn’t informed by transformation strategies, it could leave an opening waiting to be exploited. In the end, you can’t do one without the other.
George Platsis works with the private, public and nonprofit sectors to address their strategic, operational and training needs, focusing on projects related …