Digital Risk Management Dialogue Series:
Embracing – and Leading – Digital Transformation
Agenda
6:00 – 6:30 p.m.
Registration, Networking
6:30 – 6:45 p.m.
Introductions and Opening Remarks
• Tom Field, SVP Editorial, Information Security Media Group
• Ben Smith, Field CTO - US, RSA
6:45 – 8:30 p.m.
Roundtable Discussion
8:30 p.m.
Program Concludes
EXECUTIVE ROUNDTABLE
Sponsored by RSA
Introduction
Digital transformation is a driving force within every enterprise.
Security leaders must adapt to the speed and convenience of
new demands, all the while balancing regulatory requirements,
competitive pressures and cybersecurity risks.
But as organizations move internal applications to the cloud, and as employees, partners and customers
operate outside the traditional perimeter … what is security’s role? How can security leaders ensure they
have the visibility they need into threats and anomalies on their networks? And how can they become
catalysts for change in digital transformation?
The latest edition of our exclusive Digital Risk Management Dialogue Series, on Embracing – and
Leading – Digital Transformation, will offer new strategies and solutions to help answer
these questions.
Guided by insights from Ben Smith, field CTO for event sponsor RSA, this roundtable will help define
the topic within the greater context of digital risk management, as well as draw from the experiences
of the attendees who will offer tips on how they have been able to help organizations thrive in digital
transformation. Among the discussion topics:
• Where is your organization in its own digital transformation, and what role does security play?
• What obstacles do you face in enabling digital transformation?
• How does digital transformation fit within the greater framework of digital risk management?
This event will offer an opportunity to talk with your peers about the impact of digital transformation and
how the solution must be part of a bigger strategy to deal with the changing risk and security landscape.
Discussion Points
Among the questions to be presented for open discourse:
• What does “digital transformation” mean for your organization?
• Where are you on the road to digital transformation?
• What role does security play in enabling this transformation?
• What are the obstacles that security faces in driving transformation?
• What investments will you make in the coming year to ensure a secure digital transformation?
About the Expert
Joining our discussion today to share the latest insights
and case studies is:
Ben Smith
Field CTO - US, RSA
With 25 years’ experience in the information security, networking and telecommunications industries,
Smith regularly consults on RSA’s security and risk management solutions. His prior employers include
UUNET, CSC, and the U.S. government, along with several technology-oriented startups. He holds
industry certifications in information security (CISSP), risk management (CRISC), and privacy (CIPT), and
has presented on RSA's behalf internationally at cybersecurity events sponsored by Gartner, FS-ISAC,
SANS, IANS, CERT/SEI, ISSA, (ISC)2, ISACA, MWCA, RMA, BSides, ASIS, InfraGard, HTCIA, SecureWorld,
ICI and other organizations.
About RSA
RSA offers business-driven security solutions that provide organizations with a unified approach to
managing digital risk that hinges on integrated visibility, automated insights and coordinated actions.
RSA solutions are designed to effectively detect and respond to advanced attacks; manage user access
control; and reduce business risk, fraud and cybercrime. RSA protects millions of users around the
world and helps more than 90 percent of the Fortune 500 companies thrive and continuously adapt to
transformational change. For more information, go to rsa.com.
About the Moderator
Leading our discussion today is:
Tom Field
Senior Vice President, Editorial, Information Security Media Group
Field is an award-winning journalist with over 30 years of experience in newspapers, magazines, books,
events and electronic media. A veteran community journalist with extensive business/technology and
international reporting experience, Field joined ISMG in 2007 and currently oversees the editorial
operations for all of its global media properties. An accomplished public speaker, Field has developed
and moderated scores of podcasts, webcasts, roundtables and conferences and has appeared at the
RSA Conference and on various C-SPAN, The History Channel and Travel Channel television programs.
About ISMG
Information Security Media Group (ISMG) is the world’s largest media organization devoted solely
to information security and risk management. Each of our 28 media properties provides education,
research and news that is specifically tailored to key vertical sectors including banking, healthcare
and the public sector; geographies from North America to Southeast Asia; and topics such as
data breach prevention, cyber risk assessment and fraud. Our annual global summit series connects
senior security professionals with industry thought leaders to find actionable solutions for pressing
cybersecurity challenges.
For more information, visit www.ismg.io.
NOTE: In advance of this event, ISMG’s Tom Field spoke about
digital transformation with Ben Smith of RSA. Here is an excerpt of
that conversation.
Defining Digital Transformation
TOM FIELD: What does “digital transformation” mean for different
types of organizations, depending on their technological maturity?
BEN SMITH: While there are plenty of definitions throughout the
industry relating to this concept, I like to always start with a practical
approach, something that makes sense in the real world that you
and I inhabit.
Digital transformation is the application of digital capabilities to
products, services and processes in order to increase customer
value, optimize operational efficiencies and develop new
monetization opportunities. When we go one layer deeper to extract
what exactly a “digital capability” is, we’re looking at adjectives
such as electronic, scientific, data-driven, quantified, instrumented,
measured, mathematic, calculated and/or automated.
That’s not to say that this is the only way to think about this concept.
Maybe you want to bring your customer more squarely center to
how you think about this challenge. Digital transformation puts
technology at the heart of an organization’s products, services and
operations – to help accelerate the business and to competitively
differentiate itself – in order to improve the experience for its
customers.
Every organization has top-level strategic business initiatives.
Digital transformation enables those initiatives to be driven with
data analytics to deliver new insights. Employing digital capabilities
such as agile software development with continuous delivery helps
you accelerate and adapt to change while developing reusable
processes. And deploying new applications and smart devices
makes your transformation tangible. This, in turn, drives the creation
of new data which will be leveraged for continued enhancements
to your products, operations and value to your end users and
customers.
Understand that digital transformation is not a product. It is not a
service. It is not a skill. And you cannot buy it.
If it’s not all of these things, then what is it? Digital transformation is
an essential bulwark against obsolescence. Accenture researched
companies’ survival over the past two decades and concluded
that just over half of the companies which were in the Fortune
500 in 2000 no longer exist today. RSA’s parent organization,
Dell Technologies, estimates based on customer and prospect
interactions that 45 percent of businesses today are actively
concerned about becoming obsolete within the next three to five
years. An even higher percentage, almost 80 percent, view digital
startups as active threats to the business, both in the short term and
long term. These numbers are powerful defensive drivers for many
organizations.
Looking at everything we’ve talked about so far, it’s a big wave. And
because of the size and speed of these changes which are crashing
through our industries today, there is an accompanying outsized
risk that mature organizations recognize and factor into their overall
strategic planning – and that’s where the concept of digital risk
management enters the picture. We’ll get into that a bit later.
The Role of Security
FIELD: What role should security play in enabling this
transformation?
SMITH: It’s not an exaggeration to say that security is a leading,
if not the primary, technical challenge for most organizations in
their digital transformation journey. And making things even more
interesting is that security and risk management must be factored
into these projects – this is not optional.
Security teams are frequently an afterthought when new initiatives
are being developed. Why is this? Security is hard. Security has a
reputation. It’s often regarded as the department of “no” – slowing
initiatives, changing scope, blocking initiatives or even canceling
them outright.
This is a common view from many teams outside security, especially
teams that are chartered with driving that enterprisewide, high-
visibility, short-timeline digital transformation project. If I know that
any function, security or otherwise, is only going to slow down
my progress, maybe I can push them to the end of the project ...
you know, demonstrate that we did involve them as required, but
only at the end, after we’ve got enough momentum and support
so that nothing can stop us. This move is in the playbook in many
organizations.
But of course, these are the same organizations that do not realize
that the relative pains from a highly publicized breach, a series of
bad headlines negatively impacting your brand, and a customer
base that is much less willing to do business with you, all far
outweigh any effort you might expend by involving security in
your project, not at the end, but absolutely at the beginning. If you
happen to be one of the companies that has experienced any or all
of these challenges, you get it. Our goal is to help everyone else
realize this before it’s too late and the damage is done.
Treat security as a partner, not a nuisance, and both sides will
appreciate the better outcome. It’s the difference between a built-in
solution and a bolted-on solution. Organizations that are forced to
retrofit security too late in the process are those whose projects are
ultimately at increased risk.
I’m not telling you that the security team doesn’t have its own
burden here. Getting to the table early as a partner in these
projects doesn’t always naturally occur. If this sounds like I am
describing your organization, large or small, let me encourage you
to remember this one key fact: Effective relationships usually start
between people, not departments. There remains a large gap in
communications between security and the business, even within
what are otherwise mature organizations. Get to know your peers
within the lines of business you are charged with securing. What
might sound like insignificant opportunities, such as sharing coffee
or a meal, can be a great way to get to know the other side. At its
core, this is less a technology problem and more a communication
problem.
And yes, from a technology perspective, there are certainly
challenges. Perhaps the biggest that I haven’t yet addressed is that
too many companies are suffering – I use that word deliberately –
suffering from a siloed, fragmented security toolset. There are plenty
of vendors promising to consolidate your security tools into a single
pane of glass.
But mature organizations are starting to realize and appreciate that
security is one tool within a broader risk management function.
You want to find vendors and partners who have come to the
same conclusion, who are building and delivering solutions that
acknowledge this reality.
The Obstacles
FIELD: What are the obstacles that organizations often face in this
transformation?
SMITH: Let’s recognize, and dispense with, the low-hanging
obstacles that you and I will probably agree are common to
many major technology initiatives: not enough budget, lack of
executive support, not having the right skills on staff, lack of
urgency, an unclear path to profitability and the weight of legacy
systems dragging down the speed of delivering on your digital
transformation goals. I mentioned some of these obstacles when we
were talking about the security team.
But let me broaden the scope here. The prevalence of technology
across modern organizations, especially those in the midst of a
digital transformation effort, is dramatically increasing the speed,
scale and scope of cyberthreats, which represents the biggest facet
of digital risk. This is typically the domain of the security team, but
security is only part of the solution here.
While the traditional, siloed areas of risk, such as security,
compliance and resiliency, remain important, businesses need to
rethink and operationalize the necessary integration between the
risk and IT security teams to keep pace with their growing digital
footprints and exposure to digital risk.
Gartner buried a nugget of wisdom within one of its recent analyst
reports: “The failure to manage your digital risks is likely to sabotage
your digital business and expose your organization to potential
impacts well beyond a simple opportunity loss.”
Those last six words – “well beyond a simple opportunity loss” –
point clearly to a huge obstacle where even mature organizations
are struggling: the concept of risk tolerance and how we all need
to think about how short-term impacts affect our long-term digital
transformation goals. And you won’t understand your risk tolerance
until you get your arms around your risk appetite.
Your organization’s risk appetite defines the maximum amount of
risk your organization is willing to take to achieve strategic business
objectives. Deciding the types and amounts of risk to take and
managing risk within those constraints is essential to increasing the
likelihood that your organization will meet its objectives. In effect,
your organization’s risk appetite sets the parameters for prioritizing
which risks need to be addressed and treated.
Within the organization’s overall risk appetite, digital risk appetite
specifically defines the maximum amount of loss or harm an
organization is willing to take related to its technical infrastructure
or use of technology. This appetite will influence how priorities
are determined for a host of efforts, including business resiliency,
data privacy and information security. Because digital initiatives are
based largely on data, your digital risk appetite will also regulate
your approach to determining the maximum amount of loss,
destruction, alteration or unauthorized disclosure of information your
organization is willing to tolerate (whether its own information or the
information it maintains for customers, partners and counterparties).
It is important to understand that digital risk appetite is not a strictly
technical issue. Rather, it ties together operational risk, information
risk and enterprise risk, and it requires conversation across
technical and nontechnical functions. The strategic conversation
must encompass the risk the organization is willing to take on
and the priority that should be placed on digital risk management.
Defining and communicating risk appetite is critical in helping your
organization know where to invest time and resources for the
greatest impact.
As organizations extend technology deeper into their day-to-day
business operations, they inevitably introduce digital risk. Digital
risk refers to unwanted and often unexpected outcomes that stem
from digital transformation, digital business processes and the
adoption of related technologies. Establishing a digital risk appetite
determines what level of risk the organization is willing to accept
and what level of investment the organization is willing to make to
manage the risk. Achieving this balance is critical in allowing the
organization the freedom to innovate and drive growth through
digital initiatives, while identifying and treating risks arising from
emerging digital business operations.
I pivoted a bit away from your central digital transformation
question, but only to emphasize that digital risk is a fundamental
building block which is sometimes overlooked or otherwise not fully
appreciated in even the smallest of digital transformation projects. I’ll
come back around to give you some more color on this point a little
later.
Proactive Partners
FIELD: How can these entities overcome these obstacles and be
proactive partners in digital transformation?
SMITH: While I’ve talked a bit already about many challenges and
some solutions, there are some key higher-level characteristics
we’ve seen repeatedly through working with our customers and
prospects – threads of strength which usually illuminate a path to
a successful digital transformation initiative. Let me give you two or
three here.
Digital transformation is at its core all about challenging old ways
of working. Successful organizations are the ones encouraging
experimentation, and not just by the designated transformation
team. Just about every organization you and I know has a
tremendous amount of tacit expertise and innovation embedded
throughout – why not leverage this as an opportunity to solicit and
extract that value?
Is there a collaboration component to your initiative? Are you
actively soliciting ideas and feedback, preferably in a public,
transparent forum designed to foster communication between your
known experts and your unknown, waiting-to-emerge experts? And
what about your partners – are you including them as a customer as
part of your digital transformation initiative?
Several of these initiatives have self-service as a core component
– how can we make it easier (and faster) for employees to fix
something that is broken, or to request a new service from the
employer? Reducing friction is always a worthy goal. I am particularly
interested in seeing how some organizations are buying into the
“citizen developer” model, whether that applies to applications or
simply workflows. If your creation and development tools are easier
to consume and leverage, then you may find you have a much
larger group of developers already on staff – folks who might then
contribute to further accelerate your organization’s success.
Don’t be afraid to toot your team’s horn throughout this process.
There really is a marketing component to digital transformation
efforts, which many companies just don’t think about. McKinsey
ran a survey a few years ago showing that respondents were eight
times more likely to report a successful transformation project where
there was regular communication about progress toward the goal.
Bite-sized updates aren’t just easier to prep, they are easier for your
employees and partners to consume. The same survey showed
that post-transformation, fully half of all respondents wished there
had been more time spent developing and communicating a clear
change story for the benefit of employees. We humans are story-
telling (and story-listening) machines; smart organizations leverage
this to reach their digital transformation goals.
A Broader Strategy
FIELD: Are organizations approaching digital transformation as
a single challenge to be addressed, or is it viewed as just one
component of a larger digital risk management strategy?
SMITH: This is an especially interesting question. These two
concepts, digital transformation and digital risk management, are
closely connected with one another – or at least, they should be. Is
one a subset of the other? I can argue both sides of that card, but
the real answer is that they are each essential.
Digital risk management is a byproduct of today’s digital
transformation efforts which we are seeing across the industry. In
the pursuit of modernization, digital technology offers organizations
opportunities to transform their operations, resulting in increased
speed, agility and efficiency – these tend to be common goals in
most digital transformation efforts.
However, much as I discussed earlier, the explosion of information,
users, connected devices, digital channels and third-party
applications introduces new threats and risks. This technical
complexity, combined with a cybersecurity talent shortage and
organizational silos, can create an abundance of new opportunities
for adversaries, who have more tools, resources and patience than
ever before. Finally, governing bodies are trying to drive more
accountability for data security and privacy by enforcing risk-
based requirements versus prescriptive checklists. Security and
risk requirements are converging to shift the conversation from
technology-focused security issues to a business risk and litigation
challenge.
In our digital world, both good things and bad things can happen
more quickly, and with greater impact, than ever before. A solid
digital transformation strategy has, as a cornerstone, a healthy
respect for the accompanying digital risks which may be introduced.
What’s scary is that many companies today are still operating in
yesterday’s model of (pre-digital) business risk.
Business risk has been around for as long as we’ve had businesses,
and digital risk is a fundamental component of business risk
today. It’s all about understanding the implications of bringing new
technology into your organization. It’s all about walking before
you run into rolling out that new platform, or working with that new
partner, or storing your data with that new cloud provider. It’s all
about stopping to realize that time pressures, frequently coming
from the market and competition, often drive us to rush that new
product, platform or relationship into production, before taking a
hard look at the risks of this “new” approach. We sometimes paper
over those gaps to get the job done on time.
These gaps are where digital risk lives, often silently. Whether
through an accident, or a deliberate action by an external adversary
or an inside threat within your own company, if you haven’t
surveyed, inventoried and quantified these new digital risks, you are
setting yourself up for some pain at some point in the future, sooner
than you’d like to realize.
Let me net it out for you: Don’t start your digital transformation
project without first understanding the accompanying digital risk.
How can you make the correct decision to proceed without this
step?
RSA’s Digital Management Strategy
FIELD: How does this topic fit within RSA’s digital risk management
strategy?
SMITH: Let’s start by acknowledging that many folks have no idea
that RSA is in the digital risk management business. But we are, and
we have been for almost a decade, and we offer substantial subject
matter expertise in this area.
We are proud of our almost four-decade heritage as a pioneer in
the information security space, from our encryption algorithms to
our authentication technologies, to our risk management, network
visibility and anti-fraud portfolios. One of the reasons that the RSA
product portfolio is smaller and more focused than in years past was
the realization that we needed to take another approach to how we
think about risk more holistically, above and beyond the information
security space. Business risk is what most organizations struggle
with today – how to see it, how to measure it, how to minimize it.
Information security is just a subset of business risk.
And if you are living here in the twenty-first century, digital risk is just
another way to look at that central business risk challenge. Living
on the internet today provides significant advantages to how we all
do business: It is faster; we can reach our customers more directly;
we can more quickly see trends and come up with new products
or services to offer. This comprehensive interconnectivity makes it
easier to do business.
But being so interconnected also increases our digital risk, often
substantially. We are interdependent on our third parties – including
our cloud providers – to accomplish our business goals. An outage,
or an attack, on a part of your infrastructure can be amplified and
move much more quickly across your environment due to how
interconnected we all are. Managing digital risk is a fundamental
challenge where even successful organizations struggle.
Central to our philosophy of helping our customers effectively
manage their digital risk is leveraging models, or frameworks, which
can serve as a blueprint for action as well as a means to benchmark
progress over time.
There are a huge number of frameworks which exist in the
information security and risk management space. We realized
that we could provide more value to our customers not by simply
pointing to this group of models, but by bringing to the table our
own expertise and real-world experience gained through our RSA
Risk & Cybersecurity Advisory Services (RCAS) team.
And so we rolled out a family of “RSA Risk Frameworks” at our
annual RSA Conference 2019. Think of these frameworks as maturity
models – models which we’ve designed and developed through
thousands of engagements across some of the most complex
business and technology environments out there today, and based,
in part, on industry standards, including the NIST Cybersecurity
Framework, COBIT 5, the FAIR methodology and others, all in
support of helping our customers move forward and succeed during
their digital risk management journey.
Four of these RSA Risk Frameworks are available today: cyber
incident risk, third-party risk, dynamic workforce risk, and multi-cloud
risk. An additional four frameworks (focusing on business resiliency
risk, data governance and privacy risk, process automation risk
and compliance risk) will be available toward the end of 2019. All
these frameworks aim to group organizations into one of three
general maturity levels or tiers: basic effectiveness, foundational
effectiveness and operational excellence.
Visualize these as horizontal tiers, where success might be
reflected in your starting in a less mature state in the bottom tier
and subsequently moving up the stack to the next tier over time.
Because each of these four frameworks is focused on a different
use case, this is where we get into the specifics.
The RSA Risk Framework for Multi-Cloud Risk is an especially useful
example in the context of digital transformation, since a common
thread across many digital transformation initiatives is moving
services or data to the cloud. In this framework, there are four main
capabilities we can help you measure – visualize these capability
areas as vertical pillars, with the maturity tiers overlaying these
pillars horizontally.
These four key capability areas are all about identifying the business
processes your cloud providers are supporting, your contracting and
governance practices, how you manage the identities and access
management involved with these cloud platforms, and finally your
compliance-oriented procedures around assessment, measurement
and reporting. An output of the services conversation we have in
conjunction with the RSA Risk Framework for Multi-Cloud Risk is
a discrete numeric score across each of these four areas and an
aggregate score to total everything up.
These scores are something quantifiable that can be measured
today and then measured again in the future to see how much you
are improving over time. So as an example, you may be approaching
operational excellence today in your cloud provider contracting
function, but maybe you are a little less mature and closer to
foundational effectiveness when it comes to how you manage
those supporting cloud-based identities and access, as well how
you govern and assess those platforms. And again, as an example,
this might be where you acknowledge that you are also operating
only at basic effectiveness when it comes to defining and enforcing
KPIs (key performance indicators) relating to the business processes
your cloud providers support. We’ll score you in each of these four
key areas, prepare a gap analysis and make recommendations for
improvement.
I haven’t talked about any RSA products here, and that is by
design. While we have some excellent offerings in the visibility, risk
management, identity and anti-fraud areas, we think that managing
your digital risk starts with a higher-level conversation to better
understand your business challenges – that was a key driver for us
as we developed and released the RSA Risk Frameworks, as they
represent several core challenges we’ve seen repeatedly across our
customer base.
We would welcome the opportunity to demonstrate to you that
we can help you navigate this critical journey by asking the right
questions, helping you recognize where digital risk lies within your
business, and how to address it.
902 Carnegie Center • Princeton, NJ • 08540 • www.ismg.io
Contact
(800) 944-0401 • [email protected]