15 Aug Digital Transformation Is Risky Business; CISOs Ponder The ROI
Will large organizations bet on something that transcends cybersecurity? Sponsored by RSA Security
– Steve Morgan, Editor-in-Chief
Sausalito, Calif. – Aug. 15, 2019
Part 2 of a 4-part series of CISO interviews on digital transformation.
Rohit Ghai, president of RSA Security, asks compelling questions designed to head off potentially disastrous consequences at the world’s largest organizations. For instance, a couple of years ago, he asked, “Is the cyber-world doomed to be unsafe forever?”
Now Ghai has the full weight of his entire company around a bold question they’ve aimed at C-Suite executives, CISOs (chief information security officers), IT and security leaders globally: What is digital risk?
RSA explains that digital risk refers to the new and often unexpected consequences of digital transformation, and it’s becoming a top concern for business and IT executives.
“Digital transformation is not something new. It is true about everything we have done in the past and everything we are going to do in the future,” says Zulfikar Ramzan, Ph.D., chief technology officer (CTO) at RSA Security. “To be successful, we have to engender trust in new technologies, and managing digital risk is about fostering that trust. The more trustworthy people believe technologies are, the more likely they will take that leap of faith to embrace and adopt them.”
In an interview with Cybercrime Magazine at RSA Conference USA 2019 in San Francisco earlier this year, Ghai took it a step further when he said that digital risk management is a broader concept than cybersecurity.
Ghai calls digital risk both a boardroom topic and a team sport that requires IT and the security office to work together with business stakeholders.
CISOs on Digital Risk Management
In the interest of educating the market and sharing ideas on how to address digital risk, Cybercrime Magazine has been interviewing, as part of a Q&A series, high-profile CISOs at large enterprises to get their perspectives on digital transformation, digital risk, and to learn how their organizations are handling it. Cybercrime Magazine developed the questions with RSA. What follows is the second Q&A in the four-part series.
- Roland Cloutier is senior vice president and CISO at ADP, one of the world’s largest providers of business outsourcing solutions. Prior to nearly a decade with ADP, Cloutier was CSO at EMC Corporation. He has more than 30 years of experience working in U.S. government, law enforcement, and information security.
- Kathy Hughes is vice president and CISO at Northwell Health, which employs more than 68,000 healthcare professionals, making the non-profit New York state’s largest private employer. Hughes previously held senior IT and security positions at The Estée Lauder Companies and Stony Brook University Hospital.
- Matthew Dunlop, Ph.D. is vice president and CISO at Under Armour, a leading inventor, marketer and distributor of branded performance athletic apparel, footwear and accessories. Previously, he was a colonel in the U.S. Army from 1989 to 2019 and held positions with the U.S. Army Cyber Command, including director, Applied Research and Development Division; director, Cyber Response Team; and director of operations, Joint Force Headquarters – Cyber.
Digital Risk Q&A
Organizations are pursuing digital transformation to remain competitive in the market. Do you think there are unintended consequences of adopting new technology?
Roland Cloutier: As in any digital business initiative, the use of technology often introduces new risks. Unintended consequences are essentially the results of business risk being realized; they can be managed and, in many cases, greatly reduced if appropriate care is taken up front in the process to evaluate business risk.
Kathy Hughes: Yes, there are inherent risks of adopting digital transformation which can be mitigated through a comprehensive risk management program. Unintended consequences of adopting new technology could lead to a breach, misdiagnosis, patient dissatisfaction or clinical staff frustration.
Matthew Dunlop: Absolutely. Any time an organization considers adding technology to improve business practices or collecting more data in the hopes of better understanding business or customer needs, there is a risk of exposure. This exposure can come from increasing the attack surface into the organization or not properly safeguarding sensitive data. As companies pursue digital transformation, it is critical that cybersecurity is part of the transformation planning and is properly resourced to safeguard new technologies.
What would you say are some of those unintended consequences more specifically?
Roland Cloutier: Each digital transformation initiative has its own specific set of downstream, residual risks that occur. In general, I have seen that many sectors produce several thematic issues that typically fall into four buckets; financial, cloud, third-party risk, and data defense or compliance.
Many organizations miscalculate the adoption of new technologies, frameworks and digital services or do not have a lifecycle risk management approach to understanding potential financial implications. As new digital transformations expand or gain scope creep, so do costs and assumptions. Without appropriate business case processes and financial management plans, businesses sometimes overextend to ensure the success of the initiative is far beyond what they originally intended.
Because many of the initiatives embrace advanced technologies and cloud platforms, the initial failures I’ve seen often end up in this bucket. Whether you’re using the cloud as a software provider, infrastructure provider or platform provider, the reality is: it is not your enterprise data center. The method and manner in which you manage these digital technologies, the requirements to protect and defend it, the skills needed by your employees to operate successfully in the cloud, and any expenses necessary to ensure quality service delivery across the entirety of your business process varies from provider to provider. Risks such as inappropriate data disclosure, new vulnerabilities introduced into your business process or soaring financial costs due to commercial contract or liability issues are often some of those unintended consequences that occur when using cloud.
Third-party risks also tend to be grossly unplanned for or misunderstood in the concept of digital transformation. Often within these types of transformations, business ecosystems continue to grow through the use of third-party services, partners or technologies. When you introduce microservices into core parts of your service delivery or product capability, that in and of itself introduces new risks. The unintended consequences typically manifest themselves during service outages, disaster recovery scenarios, technology troubleshooting and so on. Because organizations at times don’t take the risk management approach, they forget that it is necessary to document the entirety of the end-to-end business process, their business ecosystem, and allow appropriate time to plan for each one of those major areas.
Finally, the totality of all of the above issues equates to risks for those organizations that must adhere to industry, governmental, and commercial compliance issues whether or not they’re regulated. How data is moved, how data is protected, who has access to the information, and what are the contractual requirements that your customers expect, all come into play even if you move to a more diverse and cloud-enabled digital ecosystem. When organizations don’t involve those groups or experts in the planning process, they often to achieve the necessary compliance controls necessary for their business.
Kathy Hughes: In healthcare, the unauthorized or malicious use of PHI (protected health information) is a serious unintended consequence of digital transformation. Some specific examples include cybercriminals gaining access to PHI to order prescriptions, file false tax returns or perpetrate blackmail. Another unintended consequence of digital transformation is something we at Northwell Health call “digital drowning,” which refers to providers getting so overwhelmed with data from wearables, remote monitoring devices and other digital patient engagement tools that they can’t distinguish the truly important data, which may put the patient at risk. Finally, we’re also really concerned about an unintended consequence we call dehumanization. That’s when a lack of personal interaction with patients, which is so critical to the healing process, adversely affects patient outcomes.
In the industry in which you work, what are some of the ways organizations are innovating?
Roland Cloutier: In the human capital management, technology and diversified services industries there is an incredible amount of innovation ongoing. Of course, the big push over the last several years has been in cloud and native cloud development, but as more organizations move workloads to the cloud, they’re taking advantage of process optimization opportunities which then drives new innovation technology such as automation. Robotic process automation, third-party cloud-based microservice technologies, machine learning and even AI are all key areas of development and innovation in our business and industry segments.
Kathy Hughes: Northwell’s innovation strategies include new ways of interacting with customers (patients), improving the quality of care delivered and new ways to enable staff efficiency and improve job satisfaction.
Matthew Dunlop: In retail, most organizations are looking for ways to better understand customer needs and improve the customer experience. One way retail companies are achieving this is through the use of data analytics. Technology can also help with things like improving online shopping, reducing lines in stores, and enhancing the overall shopping experience.
What are some of the technologies they’re adopting?
Roland Cloutier: RPA, AI and machine learning are all being developed in both core business product processing and business management. As important to the technologies themselves is service management architecture technologies and cross-platform controls that enable the use of new innovative technologies and services.
Kathy Hughes: Patient engagement apps to manage administrative interactions (e.g. scheduling and billing) and direct care needs (results portals, communication channels to physicians, clinical chatbots, telehealth); sensors / wearables to enhance both inpatient and outpatient monitoring; AI-based predictive modeling for clinical image interpretations, operational predictions (e.g. hospital throughput) and patient risk stratification; robotic process automation to facilitate user interactions with legacy platforms; biometric patient identity; and hospital voice-enabled bedside assistants.
How big of a challenge do you think these new digital risks are for businesses?
Roland Cloutier: Digital risks for businesses are huge. Businesses today operate end to end in a digital ecosystem that enables, operates and delivers value to their customers and shareholders from ideation to delivery to revenue recognition. The inability to understand the risks associated with these changes, the missed opportunities to instantiate risk frameworks that help evaluate and reduce risk and the lack of transparency around digital business risk at a leadership level can lead to disastrous outcomes.
Organizations must create a balanced risk framework approach to get that transparency of risk, to manage risk as a business issue not just an audit or security problem, and to make risk management an integral part of the business planning process.
Kathy Hughes: In general, the challenges are significant, but vary. In some cases, the technology solves a significant problem with minimal workflow changes such as robotic process automation. In other cases, significant workflow engineering is required such as the use of chatbots for patients which requires escalation protocols for clinical issues requiring human intervention. Additionally, the expanded use of IOT devices and innovation require continual evaluation of capabilities to align potential risk exposure against expected value.
Matthew Dunlop: Any time an organization integrates a new technology, there is an added risk to the organization. This can be mitigated by bringing in security and privacy to the initial project planning.
Do you think organizations are adequately prepared to manage those digital risks?
Roland Cloutier: I do believe that most organizations are adequately prepared to manage their digital risks. Over the past several years the maturity of enterprise risk efforts has moved from just the financial sector into many different industries and new process and technology efforts have enabled this integration of business planning, technology risk assurance and management oversight in ways we haven’t seen before. Businesses that understand this have the opportunity to enhance and alter their existing risk programs to adequately support their digital transformation efforts.
Kathy Hughes: The evolving nature of digital risk and the fast pace which technology is progressing makes it challenging for any industry, including healthcare, to adequately manage digital risk. Using a variety of risk mitigation and assessment strategies, standardized technologies and awareness training approaches, digital risk can be appropriately maintained within acceptable tolerance levels.
Matthew Dunlop: Challenges arise from not only the technology itself, but from seams that may result from integration. Organizations have no choice, but to account for the added risk. Not doing so, leaves the company ignorant of potential exposure.
How do you think security and risk teams could be working together to address this challenge?
Roland Cloutier: Interestingly enough, I don’t really distinguish between security and risk programs. The residual impact to an organization not appropriately performing its security function in a risk-balanced way leads to unplanned and unnecessary risk. Likewise, risk organizations that act independently without clear integration or insight into security services, controls, or even incidents, operate without a full picture of the true risk within any given business environment. The reality is: All security programs must be based on a balance-risk foundation and in fact should embrace an integrated risk portfolio of operational risk assurance in each one of their specialty areas.
Kathy Hughes: Northwell’s security and risk management teams currently work collaboratively to address digital risk based on a common understanding of enterprise risk using various risk mitigation strategies. These include contract language (which contains liability limits, indemnification clauses, right to audit/monitor, etc.), incident response plans, insurance policies and a comprehensive risk management program.
Matthew Dunlop: Deploying technology safely is a joint effort between IT, cybersecurity, legal, privacy, and risk. It is important that all parties are part of project planning and execution.
Is your organization looking for new ways to address and manage digital risk?
Roland Cloutier: ADP has been on a two-year risk innovation journey involving five independent parts of our business including: enterprise risk management, audit, global security, IT and global compliance. These teams have come together to create a single pane of glass and integrated risk portfolio that enables and supports a single global taxonomy and controls risk framework. Our new integrated risk assurance program is focused on making the best use of our resources worldwide, creating converged risk practitioners that understand multiple segments of risk and engineering a global platform for deep transparency into risk issues across all businesses, all practice areas and creating better insight and actionability based off total end-to-end risk information. From a business risk perspective, we’ve reduced multiple risk touchpoints up to 80 percent and financial costs by nearly 50 percent in some areas. Our enterprise risk management organization has a top-down and bottom-up capability to deep dive across all business segments with real-time information to support the decision-making requirements of our leaders globally.
Kathy Hughes: Northwell continually evaluates new ways to manage risk through people, process and technology. Strategies involving continuous awareness training, vulnerability assessments, automated detection and response technologies, threat intelligence sources, managed services and behavior analytics are some of the ways we are enhancing our risk management program.
Matthew Dunlop: As new risks pop up every day, organizations are continuing to look for more effective ways to recognize and address those risks.
Asking questions does not remove the digital risk that organizations are faced with today, but it’s a step in the right direction. Rohit Ghai and RSA are pushing the envelope with questions more so than with anything else. And the CISOs are clearly responding.
– Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.
Go here to read all of my blogs and articles covering cybersecurity. Go here to send me story tips, feedback and suggestions.
SPONSORED BY RSA
RSA delivers a unified, business-driven approach to security and integrated risk management—one that positions your organization to thrive in the face of rapidly changing digital risks.
At RSA, we believe some things should never change—like having the power to grow your business or the ability to secure what matters most. Like knowing the simple act of working in the cloud is safe, or that the much less simple act of protecting the public, is possible.