Cyber Risk Management maturity during digital transformation is associated with enhancing brand trust and reliability. Recovery from disruptions during COVID-19 pandemic has been slow and sporadic. Targeted and accelerated digital transformation initiatives can bring back company stature and relevance by adjusting to reduced budgets, shifting resources to diversify revenues and speeding IT modernization to enhance digital resiliency.
Threatening to halt this recovery are the ever-increasing successful security attacks across industry verticals, notably sensitive information disclosures, phishing, ransomware, and routine system availability failures. Companies of all sizes are exposed to these threats but few are equipped to provide rapid response. How prepared is your company?
Here’s the list of fundamental cyber risk management imperatives to accelerate digital transformation recovery.
Implement Modular Strategy
Delays in risk management decisions during digital transformation rollout are often due to management misalignment on cyber risk accountability. Companies should stop associating cyber risk as a technology function and realign it with the objective to improve timely and adequate response to security events. Constant discovery of security weaknesses and exploits caused by opportunistic threat actors during COVID-19 recovery makes this realignment even more critical and urgent.
Dismantling monolithic cybersecurity and compliance activities, and replacing them with modular capabilities enables activities distribution for ideal responsiveness and reduces friction between stakeholders. Constant improvements to program maturity can be achieved through continuous monitoring of security and compliance posture while keeping controls volatility to a minimum.
Manage Technical Debt
Companies taking the fastest course to meet business process changes during COVID-19 pandemic are accumulating technical debt and thereby increasing security exposure to opportunistic threat actors. Rapid response to cybersecurity events while managing technical debt requires complementing on-demand security assessments and risk management activities with security controls engineering, configuration assessments and adaptive security monitoring.
Incorporating security by design paradigm into digital resiliency initiatives speeds up recovery from COVID-19 by ensuring cyber risk analysts are not chasing irrelevant or non-contextual weaknesses. DevSecOps and Zero Trust Architecture concepts have proven to accelerate security and compliance considerations and should be applied during digital transformation recovery.
Modernize Privileged Access
Cybersecurity controls for privileged users who are defined as entities with greater entitlements as compared to others should be re-engineered from traditional multi-channel to omnichannel capabilities. Adopting enhanced user access controls, securing user relationships and maintaining activities traceability are the key facets in minimizing friction and transforming the customer experience.
One-size-fits-all cybersecurity controls approach directed by an enforcement mandate have failed to consider dynamically changing user characteristics. Accelerated migration to the new normal will require identity management and access control systems make rapid control decisions based on dynamic human and non-human (aka bots) attributes including location, business operating timeframes, toxic access combinations, device and user type.
Maintain Controls Transparency
Improving response time for cybersecurity events during digital transformation recovery can only be achieved by maintaining practitioner level understanding of cybersecurity controls and demanding their continuous monitoring. Security by trust without verification impedes companies from achieving strategic objectives.
Whether homegrown or on-premise hosted or Cloud, cybersecurity standards should be constantly updated to measure and maintain controls effectiveness. Adopting standards should be non-negotiable for foundational cybersecurity controls including timely patching, vulnerability assessments on updates and upgrades, privileged access management, adaptive authentication, encryption and periodic backup.
Conclusion
Cyber risk management maturity journey during digital transformation recovery begins with justifying incremental cybersecurity investments by adopting modular capabilities that are distributed for optimal responsiveness. As the new normal is formalized, an effective cyber risk program implements contextual activities to constantly monitor controls, measures control effectiveness and adapts to detect scenarios of risk with full stakeholder transparency. There will be more implementation guidance on these imperatives as the recovery continues.
This article is originally published in Cyber Security Hub by Vijay P Vedanabhatla