Insight by Carahsoft

Agency leaders should turn to a digital risk management approach

Digital Risk Management

Digital risk management is really the concept of understanding all of those risks and being able to at a leadership level think through business process decisions, what I need to act on based on the prioritization of those items.

Quantitative Risk Management

After creating this risk register of those things that are most important to the organization, then underneath those you can start to build out compensating controls or plans to make sure you are reduce or at least track those risks on an ongoing basis.

The term risk management has taken on a whole focus over the last few years.

It may have started with cyber risk, but agencies now are forced to address enterprise risk…supply chain risk…and now a new phase is emerging, digital risk management.

In 2016, GSA issued an enterprise risk management framework to help agency executives understand the steps to better managing all types of risk. The playbook details 10 different risk types, including reputational, operational and cyber information risks.

The playbook states enterprise risk management can help to focus and inform decisions, by defining goals and objectives, advocating for and aligning resources, monitoring progress, and ensuring compliance with applicable laws, regulations, and controls.

But as this idea of digital risk emerges, it’s almost combining several of these individual threats into one bigger category.

Gartner says the failure to manage an agency or organization’s digital risks is likely to sabotage your digital business and expose your organization to potential impacts well beyond a simple opportunity loss. The extent to which CIOs engage in digital risk management can be a crucial factor in avoiding such dangers.

But it’s not just the CIO’s responsibility. The agency’s secretary and deputy secretary as well as others in the CXO community must grasp what these risks are and how to mitigate their impact.

Gartner found in a 2017 CEO survey that 65 percent of the CEOs think their organization is falling behind in risk management investment and discipline maturity, and 77 percent are concerned about new risks associated with digital business initiatives.

So how should agencies manage their digital risks?

Dan Carayiannis, the director of public sector for RSA, said there is an emerging concept across both the public and private sectors where organizations are focusing on digital risk management.

He said decision-makers need to understand so many more risks ranging from reputational to supply chain to business resiliency to cybersecurity.

“There are so many other factors that have caused this to become a much bigger, broader topic that agencies decision makers need contend with,” Carayiannis said on the Innovation in Government Report. “Digital risk management is really the concept of understanding all of those risks and being able to at a leadership level think through business process decisions, what I need to act on based on the prioritization of those items.”

The concept of digital risk management is the next evolution of risk management. It goes beyond cyber or financial or even enterprise risk management.

Carayiannis said the Homeland Security Department’s continuous diagnostics and mitigations (CDM) program is an example of this evolution.

“It’s all about continuous monitoring. Understanding what’s going on across your enterprise and begin able to act on something based prioritization. But basically it’s a gigantic risk management program. It’s defining risk. It’s helping individual leaders within agencies and at the top levels of the government make good, risk based decisions. And a lot of state governments are looking at this now.”

He added CDM and other similar risk-based initiatives puts the government out ahead of many organizations when it comes to understanding and managing digital risks.

While agencies have gotten their respective arms around cyber risk and are doing more to manage supply chain risks, the next area of focus will be on quantitative risk management.

Carayiannis said QRM associates cost factors to the risk.

“What is the cost to me to address something that is deemed a high priority or a vulnerability that needs to be addressed? What is cost to me if don’t do that and something bad were to happen?” he said. “If you are sitting at the highest level of an organization and you have 25 risks that were characterized as ‘critical risks,’ and you have to start making decisions, maybe another factor is the cost to change something. If I spend an inconsequential amount of money to address two of them and I really reduce my risk profile significantly, maybe that’s a good investment. It would be nice to know that if I didn’t spend an inconsequential amount of money and the impact to me would be significant that might also impact my decision. Someone needs to go through process of thinking about this. Someone needs to know what the various cost estimates of doing that are. There are tools that can help.”

Carayiannis said the first step for many agencies is to create a risk register where you identify all the risk factors, including but not limited to personnel, technology, cybersecurity, physical security, supply chain and others.

“After creating this risk register of those things that are most important to the organization, then underneath those you can start to build out compensating controls or plans to make sure you are reduce or at least track those risks on an ongoing basis,” he said.

 

About RSA

Carahsoft Technology Corp., The Trusted Government IT Solutions Provider™, and RSA, a global cybersecurity leader delivering Mission-Driven Security™ have broadened their partnership to deliver IT cyber solutions public sector customers. Carahsoft serves as one of RSA’s government distributors, helping our value-added resellers provide technology solutions to the government through a broad portfolio of contract vehicles.

RSA’s mission-driven security solutions help customers comprehensively and rapidly link security incidents with business context to respond effectively and protect what matters most. With award-winning solutions for rapid detection and response, identity and access assurance, consumer fraud protection, and business risk management, RSA customers can thrive in an uncertain, high-risk world. It’s time for Mission-Driven Security.

 

Resource Center: