Industry executives and experts share their predictions for 2018. Read them in this 10th annual VMblog.com series exclusive.
Contributed by Sam Abadir, director of product management at LockPath
Building Resiliency Requires Integration, Streamlined Processes, and Flexible Technology Support
Here we are, wrapping up another year and
looking ahead to what the next four quarters may have in store. Many of us are
in dire need of a holiday break - 2017 has been unpredictable and often
punishing. The threats were extraordinary and incessant - from massive breaches
and global ransomware worms to political upheaval and hurricanes. Even for
those who managed to avoid any direct hits, the relentless task of risk
management can be draining. It's time to step back, assess the challenges at
hand, and get ready to face 2018 with confidence.
Staying in the Game
Enterprises have to do all they can to
strengthen and stabilize their critical infrastructure and operations in order
to develop business resiliency. According to EY, 40 percent of businesses that
experience a disaster go out of business within five years. Consider all the
businesses in Florida, Texas, and the Caribbean islands impacted by Irma and
Harvey. Now imagine four out of ten of them closing their doors permanently.
It's not hard to imagine a massive global cyber attack with similar
repercussions.
Because business continuity and disaster
recovery capabilities are so vital to sustaining embattled enterprises, more
boards and senior executives are taking a broader approach. This includes
expanding BC and DR
operations from solely IT to include executives and business operations owners.
When disaster strikes, it's all hands on deck. So why would we fail to work
across departmental divides when it comes to preventing, defending against, and
responding to crises and attacks?
Centering Cybersecurity
If you ask most people about the biggest IT
security surprise in 2017, they would say it's the Equifax breach. But the
bigger surprise is that, after all the alarming breaches over the past decade
where 50 million or more accounts were compromised (Anthem, eBay, JPM Chase,
Home Depot, Adult Friend Finder, Target, Sony PS Network, Yahoo, Heartland
Payment Systems, TJ Maxx, and Equifax), a lot of companies still do not have a
considered, monitored, integrated, board-reported approach to cybersecurity.
While Equifax might finally drive home the lesson for some, we probably won't
feel the true impact of that breach for a year or so; long-term consequences
will land in five or more years. What is it going to take for organizations to
make integrated IT security, including cloud security, and risk management a
priority?
In 2018, we will see more breaches at
organizations that do not have an integrated, top-down approach to
cybersecurity. After seeing the heads of Yahoo and Equifax in front of
Congress, I suspect that CxOs and boards of directors will put extra focus on
cybersecurity impacts, leading indicators, and best practices. Cybersecurity
education and internal threats will be a central focus. The dangers of relying
on common but insufficient approaches to cybersecurity (perimeter defense,
signature-based and point solutions, and manual controls) will become apparent.
Boards, executives, and security leaders will also need to focus on
systematizing and enforcing best practices, processes, and policies.
Managing Your Ecosystem
As organizations battle for revenue,
advantage, and customer loyalty in a dynamic, digitally transformed, global
market, they bring in lots of partners, vendors, and point solutions to make it
all happen. In the era of everything-as-a-service, the efficiencies enabled by
MSPs, pay-as-you-go tools, and outsourced infrastructure make it easier for
organizations to innovate, grow, and pivot. Yet organizations that outsource
critical functions and operations relinquish some control and depend on vendors
and suppliers to conduct business ethically, securely, and effectively.
This presents an opportunity for partners and
vendors who can show that they have mature cybersecurity, compliance and risk
management processes and that they do not expose the organizations to
unnecessary risk. Risk and vendor management technology can help vendors and
outsourcers in their quest to mature these processes, which can, in turn, help
them to gain a competitive advantage.
Developing Resilience
In 2018, organizations that are maturing
business resiliency, cybersecurity and risk management processes will continue
to adopt cloud-based technologies for integrated risk management. These flexible,
integrated risk management platforms can help you move away from inefficient,
error-prone manual processes. They help you manage, track, communicate, and
coordinate all your governance, risk management, and compliance (GRC)
activities from a central system.
By centralizing and systematizing your GRC
activities, you can reduce costs, increase visibility and accountability, and
make it easier for cross-functional teams to collaborate. These platforms
streamline processes such as: conducting enterprise-wide risk assessments;
obtaining assurances from third parties that they are meeting obligations;
building and testing contingencies for service interruptions; mapping policies
and controls to regulatory standards; establishing and monitoring key performance and
risk indicators; and responding to threats and incidents.
By decisively adopting digital competencies
around centralized data collection and analysis, automated compliance
monitoring, and enterprise-wide collaboration, you can address these complex
challenges, fortify your defenses, respond more effectively to incidents, and
recover operations with speed and agility.
Next Steps
Business resiliency starts with the tone set
at the top. To lead policy and practice toward stronger security and risk management,
you have to embrace change. IT leaders need the buy-in of the board and managers
alike; be prepared to educate them about risks, speak their language, and steer
away from shiny quick fixes.
In the year ahead, it will be important to
focus on internal processes and employee training. You can buy all the GRC
technology you want, but getting the most out of it depends on many factors:
momentum, leadership and culture, expertise, and a nuanced understanding of how
it can support and tie in to your broader risk, security, and compliance
efforts. It often works best to start by going after low-hanging fruit and
early successes to prove value and keep momentum going. In 2018, focusing on
internal threats, third party vulnerabilities, and security fundamentals is a
good bet.
If you integrate GRC and risk management
practices throughout the enterprise and support them with flexible, efficient
technology, your self-regulation efforts will pay off in many ways - and you'll
be prepared to prevail over whatever challenges 2018 brings your way.
##
About the Author
Sam Abadir is
the director of product management at LockPath, a leading provider of governance, risk
management and compliance (GRC) solutions.