Risk management and assessment is the practice of assessing an organization’s security systems against possible vulnerabilities and gaps to determine how much “risk” is acceptable as part of doing business. Factors like compliance, emerging threats and changes in technology and business operations all play an immense role in how security experts manage the risk their organizations are willing to take on, and how much they will invest in their cybersecurity infrastructure.
As we pass the halfway point of 2021, we look back to some of the trends that have played a role in risk management and assessment. In some ways, the story of risk in 2021 is heavily dictated by 2020, as the COVID pandemic has fundamentally altered how companies in multiple industries worldwide continue to do business.
What is Modern Risk Management in 2021?
Risk management in 2021 is a mixed bag, predominantly because many businesses do not see risk as a significant part of their business strategy. According to McKinsey, many businesses are still looking at security maturity as a defining factor, although there is a significant move to a risk-based approach to security that can reduce costs while improving cyber hygiene overall.
On the one hand, we have regulated industries like defense contracting, healthcare and government IT support. The rules and regulations governing cyber hygiene and compliance in these industries almost always require some form of risk assessment and management. Outside the U.S., regulations like GDPR also require risk management procedures that are planned, documented and executed to protect customer information from potential threats.
When risk management is codified into law, the impetus to conform in order to even do business under those jurisdictions places downward pressure on the adoption of risk management processes. This is both good and bad; good, because all data-driven businesses should implement some form of risk management, and bad in that these companies often start to see risk as another item on a laundry list of compliance demands.
On the other hand, there are large swaths of industries that do not require risk management or only do through non-legal means. For example, risk management is a part of the PCI framework, and while non-compliance is not punishable by law it can harm your organization’s ability to process credit card payments. SOC 2 audits also contain significant risk management requirements, but it is also a voluntary audit.
But risk management as a practice is at its foundation a balancing act between total security and total business and operational freedom. That is when considering risk, you are moving between two priorities:
- Cybersecurity, in which user data must be protected, business secrets kept secret and systems secured against an unauthorized breach. The tougher the security, the more it costs in terms of money, maintenance, implementation and upgrades. Additionally, more stringent security can make it more difficult to “easily” do business, requiring extra steps or higher levels of access for employees to accomplish their tasks.
- Business Growth, where you seek to, whenever possible, expand business opportunities and break down barriers between customers or clients and your products and services.
The truth is that complete and total cybersecurity is impossible, and unfettered business growth with no ethical concern for customer data or IT integrity is undesirable (and, in cases of regulated industries, unlawful). With the shifts in demographics, workloads, work styles and online behaviors that have inevitably come out of the COVID-19 pandemic, managing risk and the balance between security and businesses is all the more important.
Risk Management Trends in 2021
With that in mind, there have been a few trends emerging when it comes to both cybersecurity and risk. These include:
- Simulation: Continuous testing and monitoring are critical for successful cybersecurity, and more organizations are using Breach and Attack Simulations (BAS) to not only test systems but gather information on security gaps. This data is critical in effectively documenting and implementing risk assessments on an iterative basis.
- Machine Learning and AI: Closely related to simulation, more companies are turning to high-performance cloud and AI to help gather insights and analytics on security gaps and risk. This includes the ability to automate risk assessments over time and to conduct “intelligent: risk analytics over interconnected systems.
- Identity and Access Management: While IAM isn’t a new discipline, the complex weave of bots, users and cloud environments presents a unique challenge to assessing risk associated with identity theft. Currently, some enterprise businesses are integrating traditional IAM to include the identification of machine agents accessing their systems.
- Emphasizing Remote Access Security Risks: With the uptick of work-from-home arrangements and distributed teams, it seems like remote work will remain a dominant form of employment for 2021. This fact, of course, can introduce several security issues into any infrastructure, and risk assessments will inevitably begin prioritizing the potential costs and benefits of such arrangements in their metrics.
- Resiliency as a Risk Factor: Direct security threats are always part of the risk management equation. As companies move into increasingly digital, distributed and data-driven business models, however, the real question of resiliency during crisis plays a role in risk. The 2008 financial crisis fundamentally changed how FSIs model risk and resiliency, and the increasing volume and severity of cyber warfare in 2020 and 2021 are doing the same in IT-driven industries like national defense, healthcare and the national energy and utility grid. Modern risk management models will increasingly focus on resiliency and damage recovery as much as they do mitigation and remediation.
Continuum GRC Automates Risk Assessment
The question of risk, while often common in large enterprise and government contracting, can seem daunting to smaller businesses. The truth is that as even SMBs turn to cloud computing and analytics to accomplish business goals, they too must consider risk as part of their overall strategies.
SMBs don’t need to worry about how to successfully manage risk or conduct assessments on their own. Continuum GRC offers several approaches to supporting risk management for our clients. We are experienced with rigorous risk frameworks, including NIST 800-30, RMF, ISO/IEC 27005 and COSO ERM, and we implement risk assessments and management in our automated platform. More importantly, we bring decades of collective experience in cybersecurity and risk assessment to enterprise businesses and SMBs alike.
Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and find out how we can help your organization protect its systems and ensure compliance.