Digital Risk Management Dialogue Series: Embracing – and ...monetization opportunities. When we go one layer deeper to extract what exactly a “digital capability” is, we’re

Digital Risk Management Dialogue Series:

Embracing – and Leading – Digital Transformation

Agenda6:00 – 6:30 p.m.

Registration, Networking

6:30 – 6:45 p.m.

Introductions and Opening Remarks

• Tom Field, SVP Editorial, Information Security Media Group• Ben Smith, Field CTO - US, RSA

6:45 – 8:30 p.m.

Roundtable Discussion

8:30 p.m.

Program Concludes

EXECUTIVE ROUNDTABLESponsored by RSA

Introduction

Digital transformation is a driving force within every enterprise.

Security leaders must adapt to the speed and convenience of

new demands, all the while balancing regulatory requirements,

competitive pressures and cybersecurity risks.

But as organizations move internal applications to the cloud, and as employees, partners and customers

operate outside the traditional perimeter … what is security’s role? How can security leaders ensure they

have the visibility they need into threats and anomalies on their networks? And how can they become

catalysts for change in digital transformation?

The latest edition of our exclusive Digital Risk Management Dialogue Series on Embracing – and

Leading – Digital Transformation will provide for new strategies and solutions to help answer

these questions.

Guided by insights from Ben Smith, field CTO for event sponsor RSA, this roundtable will help define

the topic within the greater context of digital risk management, as well as draw from the experiences

of the attendees who will offer tips on how they have been able to help organizations thrive in digital

transformation. Among the discussion topics:

• Where is your organization in its own digital transformation, and what role does security play?

• What obstacles do you face in enabling digital transformation?

• How does digital transformation fit within the greater framework of digital risk management?

This event will offer an opportunity to talk with your peers about the impact of digital transformation and

how the solution must be part of a bigger strategy to deal with the changing risk and security landscape.

Embracing – and Leading – Digital Transformation 2

Discussion Points

Among the questions to be presented for open discourse:

• What does “digital transformation” mean for your organization?

• Where are you on the road to digital transformation?

• What role does security play in enabling this transformation?

• What are the obstacles that security faces in driving transformation?

• What investments will you make in the coming year to ensure a secure digital transformation?


About the ExpertJoining our discussion today to share the latest insights

and case studies is:

Ben Smith

Field CTO - US RSA

With 25 years’ experience in the information security, networking and telecommunications industries,

Smith regularly consults on RSA’s security and risk management solutions. His prior employers include

UUNET, CSC, and the U.S. government, along with several technology-oriented startups. He holds

industry certifications in information security (CISSP), risk management (CRISC), and privacy (CIPT), and

has presented on RSA's behalf internationally at cybersecurity events sponsored by Gartner, FS-ISAC,

SANS, IANS, CERT/SEI, ISSA, (ISC)2, ISACA, MWCA, RMA, BSides, ASIS, InfraGard, HTCIA, SecureWorld,

ICI and other organizations.

About RSA

RSA offers business-driven security solutions that provide organizations with a unified approach to

managing digital risk that hinges on integrated visibility, automated insights and coordinated actions.

RSA solutions are designed to effectively detect and respond to advanced attacks; manage user access

control; and reduce business risk, fraud and cybercrime. RSA protects millions of users around the

world and helps more than 90 percent of the Fortune 500 companies thrive and continuously adapt to

transformational change. For more information, go to rsa.com.


About the ModeratorLeading our discussion today is:

Tom Field

Senior Vice President, Editorial Information Security Media Group

Field is an award-winning journalist with over 30 years of experience in newspapers, magazines, books,

events and electronic media. A veteran community journalist with extensive business/technology and

international reporting experience, Field joined ISMG in 2007 and currently oversees the editorial

operations for all of its global media properties. An accomplished public speaker, Field has developed

and moderated scores of podcasts, webcasts, roundtables and conferences and has appeared at the

RSA Conference and on various C-SPAN, The History Channel and Travel Channel television programs.

About ISMG

Information Security Media Group (ISMG) is the world’s largest media organization devoted solely

to information security and risk management. Each of our 28 media properties provides education,

research and news that is specifically tailored to key vertical sectors including banking, healthcare

and the public sector; geographies from the North America to Southeast Asia; and topics such as

data breach prevention, cyber risk assessment and fraud. Our annual global summit series connects

senior security professionals with industry thought leaders to find actionable solutions for pressing

cybersecurity challenges.

For more information, visit www.ismg.io.


NOTE: In advance of this event, ISMG’s Tom Field spoke about

digital transformation with Ben Smith of RSA. Here is an excerpt of

that conversation.

Defining Digital Transformation

TOM FIELD: What does “digital transformation” mean for different

types of organizations, depending on their technological maturity?

BEN SMITH: While there are plenty of definitions throughout the

industry relating to this concept, I like to always start with a practical

approach, something that makes sense in the real world that you

and I inhabit.

Digital transformation is the application of digital capabilities to

products, services and processes in order to increase customer

value, optimize operational efficiencies and develop new

monetization opportunities. When we go one layer deeper to extract

what exactly a “digital capability” is, we’re looking at adjectives

such as electronic, scientific, data-driven, quantified, instrumented,

measured, mathematic, calculated and/or automated.

That’s not to say that this is the only way to think about this concept.

Maybe you want to bring your customer more squarely center to

how you think about this challenge. Digital transformation puts

technology at the heart of an organization’s products, services and

operations – to help accelerate the business and to competitively

differentiate itself – in order to improve the experience for its

customers.

Every organization has top-level strategic business initiatives.

Digital transformation enables those initiatives to be driven with

data analytics to deliver new insights. Employing digital capabilities

such as agile software development with continuous delivery helps

you accelerate and adapt to change while developing reusable

processes. And deploying new applications and smart devices

makes your transformation tangible. This, in turn, drives the creation

of new data which will be leveraged for continued enhancements

to your products, operations and value to your end users and

customers.

Understand that digital transformation is not a product. It is not a

service. It is not a skill. And you cannot buy it.

If it’s not all of these things, then what is it? Digital transformation is

an essential bulwark against obsolescence. Accenture researched

companies’ survival over the past two decades and concluded

that just over half of the companies which were in the Fortune

500 in 2000 no longer exist today. RSA’s parent organization,

Dell Technologies, estimates based on customer and prospect

interactions that 45 percent of businesses today are actively

concerned about becoming obsolete within the next three to five

years. An even higher percentage, almost 80 percent, view digital

startups as active threats to the business, both in the short term and

DIGITAL RISK MANAGEMENT DIALOGUE SERIES:

Embracing – and Leading – Digital TransformationQ&A with Ben Smith of RSA

“Understand that digital transformation is not a product. It is not a service. It is not a skill. And you cannot buy it.”

Ben Smith


long term. These numbers are powerful defensive drivers for many

organizations.

Looking at everything we’ve talked about so far, it’s a big wave. And

because of the size and speed of these changes which are crashing

through our industries today, there is an accompanying outsized

risk that mature organizations recognize and factor into their overall

strategic planning – and that’s where the concept of digital risk

management enters the picture. We’ll get into that a bit later.

The Role of Security

FIELD: What role should security play in enabling this

transformation?

SMITH: It’s not an exaggeration to say that security is a leading,

if not the primary, technical challenge for most organizations in

their digital transformation journey. And making things even more

interesting is that security and risk management must be factored

into these projects – this is not optional.

Security teams are frequently an afterthought when new initiatives

are being developed. Why is this? Security is hard. Security has a

reputation. It’s often regarded as the department of “no” – slowing

initiatives, changing scope, blocking initiatives or even canceling

them outright.

This is a common view from many teams outside security, especially

teams that are chartered with driving that enterprisewide, high-

visibility, short-timeline digital transformation project. If I know that

any function, security or otherwise, is only going to slow down

my progress, maybe I can push them to the end of the project ...

you know, demonstrate that we did involve them as required, but

only at the end, after we’ve got enough momentum and support

so that nothing can stop us. This move is in the playbook in many

organizations.

But of course, these are the same organizations that do not realize

that the relative pains from a highly publicized breach, a series of

bad headlines negatively impacting your brand, and a customer

base that is much less willing to do business with you, all far

outweigh any effort you might expend by involving security in

your project, not at the end, but absolutely at the beginning. If you

happen to be one of the companies that has experienced any or all

of these challenges, you get it. Our goal is to help everyone else

realize this before it’s too late and the damage is done.

Treat security as a partner, not a nuisance, and both sides will

appreciate the better outcome. It’s the difference between a built-in

solution and a bolted-on solution. Organizations that are forced to

retrofit security too late in the process are those whose projects are

ultimately at increased risk.

I’m not telling you that the security team doesn’t have its own

burden here. Getting to the table early as a partner in these

projects doesn’t always naturally occur. If this sounds like I am

describing your organization, large or small, let me encourage you

to remember this one key fact: Effective relationships usually start

between people, not departments. There remains a large gap in

communications between security and the business, even within

what are otherwise mature organizations. Get to know your peers

within the lines of business you are charged with securing. What

might sound like insignificant opportunities, such as sharing coffee

or a meal, can be a great way to get to know the other side. At its

core, this is less a technology problem and more a communication

problem.

And yes, from a technology perspective, there are certainly

challenges. Perhaps the biggest that I haven’t yet addressed is that

too many companies are suffering – I use that word deliberately –

suffering from a siloed, fragmented security toolset. There are plenty

of vendors promising to consolidate your security tools into a single

pane of glass.

But mature organizations are starting to realize and appreciate that

security is one tool within a broader risk management function.

You want to find vendors and partners who have come to the

same conclusion, who are building and delivering solutions that

acknowledge this reality.

The Obstacles

FIELD: What are the obstacles that organizations often face in this

transformation?

SMITH: Let’s recognize, and dispense with, the low-hanging

obstacles that you and I will probably agree are common to

many major technology initiatives: not enough budget, lack of

executive support, not having the right skills on staff, lack of

urgency, an unclear path to profitability and the weight of legacy

systems dragging down the speed of delivering on your digital

transformation goals. I mentioned some of these obstacles when we

were talking about the security team.

But let me broaden the scope here. The prevalence of technology

across modern organizations, especially those in the midst of a

digital transformation effort, is dramatically increasing the speed,

scale and scope of cyberthreats, which represents the biggest facet

of digital risk. This is typically the domain of the security team, but

security is only part of the solution here.

While the traditional, siloed areas of risk, such as security,

compliance and resiliency, remain important, businesses need to

rethink and operationalize the necessary integration between the

“It's not an exaggeration to say that security is a leading, if not the primary, technical challenge for most organizations in their digital transformation journey.”


risk and IT security teams to keep pace with their growing digital

footprints and exposure to digital risk.

Gartner buried a nugget of wisdom within one of its recent analyst

reports: “The failure to manage your digital risks is likely to sabotage

your digital business and expose your organization to potential

impacts well beyond a simple opportunity loss.”

Those last six words – “well beyond a simple opportunity loss” –

point clearly to a huge obstacle where even mature organizations

are struggling: the concept of risk tolerance and how we all need

to think about how short-term impacts affect our long-term digital

transformation goals. And you won’t understand your risk tolerance

until you get your arms around your risk appetite.

Your organization’s risk appetite defines the maximum amount of

risk your organization is willing to take to achieve strategic business

objectives. Deciding the types and amounts of risk to take and

managing risk within those constraints is essential to increasing the

likelihood that your organization will meet its objectives. In effect,

your organization’s risk appetite sets the parameters for prioritizing

which risks need to be addressed and treated.

Within the organization’s overall risk appetite, digital risk appetite

specifically defines the maximum amount of loss or harm an

organization is willing to take related to its technical infrastructure

or use of technology. This appetite will influence how priorities

are determined for a host of efforts, including business resiliency,

data privacy and information security. Because digital initiatives are

based largely on data, your digital risk appetite will also regulate

your approach to determining the maximum amount of loss,

destruction, alteration or unauthorized disclosure of information your

organization is willing to tolerate (whether its own information or the

information it maintains for customers, partners and counterparties).

It is important to understand that digital risk appetite is not a strictly

technical issue. Rather, it ties together operational risk, information

risk and enterprise risk, and it requires conversation across

technical and nontechnical functions. The strategic conversation

must encompass the risk the organization is willing to take on

and the priority that should be placed on digital risk management.

Defining and communicating risk appetite is critical in helping your

organization know where to invest time and resources for the

greatest impact.

As organizations extend technology deeper into their day-to-day

business operations, they inevitably introduce digital risk. Digital

risk refers to unwanted and often unexpected outcomes that stem

from digital transformation, digital business processes and the

adoption of related technologies. Establishing a digital risk appetite

determines what level of risk the organization is willing to accept

and what level of investment the organization is willing to make to

manage the risk. Achieving this balance is critical in allowing the

organization the freedom to innovate and drive growth through

digital initiatives, while identifying and treating risks arising from

emerging digital business operations.

I pivoted a bit away from your central digital transformation

question, but only to emphasize that digital risk is a fundamental

building block which is sometimes overlooked or otherwise not fully

appreciated in even the smallest of digital transformation projects. I’ll

come back around to give you some more color on this point a little

later.

Proactive Partners

FIELD: How can these entities overcome these obstacles and be

proactive partners in digital transformation?

SMITH: While I’ve talked a bit already about many challenges and

some solutions, there are some key higher-level characteristics

we’ve seen repeatedly through working with our customers and

prospects – threads of strength which usually illuminate a path to

a successful digital transformation initiative. Let me give you two or

three here.

“Establishing a digital risk appetite determines what level of risk the organization is willing to accept and what level of investment the organization is willing to make to manage the risk.”


Digital transformation is at its core all about challenging old ways

of working. Successful organizations are the ones encouraging

experimentation, and not just by the designated transformation

team. Just about every organization you and I know has a

tremendous amount of tacit expertise and innovation embedded

throughout – why not leverage this as an opportunity to solicit and

extract that value?

Is there a collaboration component to your initiative? Are you

actively soliciting ideas and feedback, preferably in a public,

transparent forum designed to foster communication between your

known experts and your unknown, waiting-to-emerge experts? And

what about your partners – are you including them as a customer as

part of your digital transformation initiative?

Several of these initiatives have self-service as a core component

– how can we make it easier (and faster) for employees to fix

something that is broken, or to request a new service from the

employer? Reducing friction is always a worthy goal. I am particularly

interested in seeing how some organizations are buying into the

“citizen developer” model, whether that applies to applications or

simply workflows. If your creation and development tools are easier

to consume and leverage, then you may find you have a much

larger group of developers already on staff – folks who might then

contribute to further accelerate your organization’s success.

Don’t be afraid to toot your team’s horn throughout this process.

There really is a marketing component to digital transformation

efforts, which many companies just don’t think about. McKinsey

ran a survey a few years ago showing that respondents were eight

times more likely to report a successful transformation project where

there was regular communication about progress toward the goal.

Bite-sized updates aren’t just easier to prep, they are easier for your

employees and partners to consume. The same survey showed

that post-transformation, fully half of all respondents wished there

had been more time spent developing and communicating a clear

change story for the benefit of employees. We humans are story-

telling (and story-listening) machines; smart organizations leverage

this to reach their digital transformation goals.

A Broader Strategy

FIELD: Are organizations approaching digital transformation as

a single challenge to be addressed, or is it viewed as just one

component of a larger digital risk management strategy?

SMITH: This is an especially interesting question. These two

concepts, digital transformation and digital risk management, are

closely connected with one another – or at least, they should be. Is

one a subset of the other? I can argue both sides of that card, but

the real answer is that they are each essential.

Digital risk management is a byproduct of today’s digital

transformation efforts which we are seeing across the industry. In

the pursuit of modernization, digital technology offers organizations

opportunities to transform their operations, resulting in increased

speed, agility and efficiency – these tend to be common goals in

most digital transformation efforts.

However, much as I discussed earlier, the explosion of information,

users, connected devices, digital channels and third-party

applications introduces new threats and risks. This technical

complexity, combined with a cybersecurity talent shortage and

organizational silos, can create an abundance of new opportunities

for adversaries, who have more tools, resources and patience than

ever before. Finally, governing bodies are trying to drive more

accountability for data security and privacy by enforcing risk-

based requirements versus prescriptive checklists. Security and

risk requirements are converging to shift the conversation from

technology-focused security issues to a business risk and litigation

challenge.

In our digital world, both good things and bad things can happen

more quickly, and with greater impact, than ever before. A solid

digital transformation strategy has, as a cornerstone, a healthy

respect for the accompanying digital risks which may be introduced.

What’s scary is that many companies today are still operating in

yesterday’s model of (pre-digital) business risk.

Business risk has been around for as long as we’ve had businesses,

and digital risk is a fundamental component of business risk

today. It’s all about understanding the implications of bringing new

technology into your organization. It’s all about walking before

you run into rolling out that new platform, or working with that new

partner, or storing your data with that new cloud provider. It’s all

about stopping to realize that time pressures, frequently coming

from the market and competition, often drive us to rush that new

product, platform or relationship into production, before taking a

hard look at the risks of this “new” approach. We sometimes paper

over those gaps to get the job done on time.

These gaps are where digital risk lives, often silently. Whether

through an accident, or a deliberate action by an external adversary

or an inside threat within your own company, if you haven’t

surveyed, inventoried and quantified these new digital risks, you are

setting yourself up for some pain at some point in the future, sooner

than you’d like to realize.

“The explosion of information, users, connected devices, digital channels and third-party applications introduces new threats and risks.”


Let me net it out for you: Don’t start your digital transformation

project without first understanding the accompanying digital risk.

How can you make the correct decision to proceed without this

step?

RSA’s Digital Management Strategy

FIELD: How does this topic fit within RSA’s digital risk management

strategy?

SMITH: Let’s start by acknowledging that many folks have no idea

that RSA is in the digital risk management business. But we are, and

we have been for almost a decade, and we offer substantial subject

matter expertise in this area.

We are proud of our almost four-decade heritage as a pioneer in

the information security space, from our encryption algorithms to

our authentication technologies, to our risk management, network

visibility and anti-fraud portfolios. One of the reasons that the RSA

product portfolio is smaller and more focused than in years past was

the realization that we needed to take another approach to how we

think about risk more holistically, above and beyond the information

security space. Business risk is what most organizations struggle

with today – how to see it, how to measure it, how to minimize it.

Information security is just a subset of business risk.

And if you are living here in the twenty-first century, digital risk is just

another way to look at that central business risk challenge. Living

on the internet today provides significant advantages to how we all

do business: It is faster; we can reach our customers more directly;

we can more quickly see trends and come up with new products

or services to offer. This comprehensive interconnectivity makes it

easier to do business.

But being so interconnected also increases our digital risk, often

substantially. We are interdependent on our third parties – including

our cloud providers – to accomplish our business goals. An outage,

or an attack, on a part of your infrastructure can be amplified and

move much more quickly across your environment due to how

interconnected we all are. Managing digital risk is a fundamental

challenge where even successful organizations struggle.

Central to our philosophy of helping our customers effectively

manage their digital risk is leveraging models, or frameworks, which

can serve as a blueprint for action as well as a means to benchmark

progress over time.

“Don't start your digital transformation project without first understanding the accompanying digital risk. How can you make the correct decision to proceed without this step?”


There are a huge number of frameworks which exist in the

information security and risk management space. We realized

that we could provide more value to our customers not by simply

pointing to this group of models, but by bringing to the table our

own expertise and real-world experience gained through our RSA

Risk & Cybersecurity Advisory Services (RCAS) team.

And so we rolled out a family of “RSA Risk Frameworks” at our

annual RSA Conference 2019. Think of these frameworks as maturity

models – models which we’ve designed and developed through

thousands of engagements across some of the most complex

business and technology environments out there today, and based,

in part, on industry standards, including the NIST Cybersecurity

Framework, COBIT 5, the FAIR methodology and others, all in

support of helping our customers move forward and succeed during

their digital risk management journey.

Four of these RSA Risk Frameworks are available today: cyber

incident risk, third-party risk, dynamic workforce risk, and multi-cloud

risk. An additional four frameworks (focusing on business resiliency

risk, data governance and privacy risk, process automation risk

and compliance risk) will be available toward the end of 2019. All

these frameworks aim to group organizations into one of three

general maturity levels or tiers: basic effectiveness, foundational

effectiveness and operational excellence.

Visualize these as horizontal tiers, where success might be

reflected in your starting in a less mature state in the bottom tier

and subsequently moving up the stack to the next tier over time.

Because each of these four frameworks is focused on a different

use case, this is where we get into the specifics.

The RSA Risk Framework for Multi-Cloud Risk is an especially useful

example in the context of digital transformation, since a common

thread across many digital transformation initiatives is moving

services or data to the cloud. In this framework, there are four main

capabilities we can help you measure – visualize these capability

areas as vertical pillars, with the maturity tiers overlaying these

pillars horizontally.

These four key capability areas are all about identifying the business

processes your cloud providers are supporting, your contracting and

governance practices, how you manage the identities and access

management involved with these cloud platforms, and finally your

compliance-oriented procedures around assessment, measurement

and reporting. An output of the services conversation we have in

conjunction with the RSA Risk Framework for Multi-Cloud Risk is

a discrete numeric score across each of these four areas and an

aggregate score to total everything up.

These scores are something quantifiable that can be measured

today and then measured again in the future to see how much you

are improving over time. So as an example, you may be approaching

operational excellence today in your cloud provider contracting

function, but maybe you are a little less mature and closer to

foundational effectiveness when it comes to how you manage

those supporting cloud-based identities and access, as well how

you govern and assess those platforms. And again, as an example,

this might be where you acknowledge that you are also operating

only at basic effectiveness when it comes to defining and enforcing

KPIs (key performance indicators) relating to the business processes

your cloud providers support. We’ll score you in each of these four

key areas, prepare a gap analysis and make recommendations for

improvement.

I haven’t talked about any RSA products here, and that is by

design. While we have some excellent offerings in the visibility, risk

management, identity and anti-fraud areas, we think that managing

your digital risk starts with a higher-level conversation to better

understand your business challenges – that was a key driver for us

as we developed and released the RSA Risk Frameworks, as they

represent several core challenges we’ve seen repeatedly across our

customer base.

We would welcome the opportunity to demonstrate to you that

we can help you navigate this critical journey by asking the right

questions, helping you recognize where digital risk lies within your

business, and how to address it. n

“We would welcome the opportunity to demonstrate to you that we can help you navigate this critical journey by asking the right questions, helping you recognize where digital risk lies within your business, and how to address it”


Notes


Notes


902 Carnegie Center • Princeton, NJ • 08540 • www.ismg.io

About ISMG

Information Security Media Group (ISMG) is the world’s largest media organization devoted solely to information

security and risk management. Each of our 28 media properties provides education, research and news that is

specifically tailored to key vertical sectors including banking, healthcare and the public sector; geographies from

North America to Southeast Asia; and topics such as data breach prevention, cyber risk assessment and fraud.

Our annual global Summit series connects senior security professionals with industry thought leaders to find

actionable solutions for pressing cybersecurity challenges.

Contact

(800) 944-0401 • [email protected]

CyberEd

Documents

Digital Risk Management Dialogue Series: Embracing – and ...monetization opportunities. When we go one layer deeper to extract what exactly a “digital capability” is, we’re