The ReliaQuest Exponent Customer Conference is an exciting and engaging event that brings together hundreds of security professionals and ReliaQuest customers each year to talk security.
One of the greatest aspects of this conference is the diversity of thought from a multitude of industries and sizes. At any given moment I was surrounded by various professionals from different backgrounds. 例如, 在一个30分钟的时间段内, 我和一名海豹突击队队员聊天, NFL后卫, the chief information security officer of a major retailer, 而我的对手, the head of Incident Response for a global manufacturing company. It was fascinating to hear the unique perspectives each of us had on security while discovering how much commonality we shared.
This year, I led a roundtable discussion on digital risk. 在政策部门有些生疏, I employed a tried-and-true trick I learned from my teaching days: ask good, 开放式的问题. So armed with an “official” definition of digital risk from the internet, I asked the participants how they defined “digital risk” and we were off to the races! After some discussion, the group ultimately agreed on this definition:
Digital risk: any risk associated with systems, data and networks.
基于这个定义, everyone agreed that digital risk encompasses a huge area that is only continuing to grow. 在现代社会, it’s nearly impossible to find a business process that is not somehow impacted by digital risk. 结果是, an effective digital risk management program is imperative for every organization regardless of size or industry vertical.
风险登记册被破坏
We next dove head-first into how organizations discover, track, and quantify digital risk. 所有人都同意管理数字风险, we must have a method for quantifying and tracking it over time. One common theme centered around the management of digital risk, 虽然很讨厌吗, the traditional risk register is still alive and well across industries but most agreed that implementing and maintaining the traditional risk register presents several challenges.
主要挑战包括:
- Keeping the risk register up to date, 尤其是在较小的组织中;
- Disconnects between the risk register and strategic business objectives; and
- Quantifying different types of risks, which makes it difficult to compare.
In addition to challenges with the risk register itself, the panel discussed how a poorly implemented risk register can cause more harm than good. 例如, by failing to effectively quantify digital risks in the organization, it is impossible for management to define a risk appetite or make risk-based decisions leading to potentially serious strategic pitfalls.
新兴科技效应
带着清晰的瞄准镜, 常用术语和主要痛点, we discussed how emerging technologies – and emerging threats – affect the risk landscape. In addition to more tangible issues like quantum cryptology threatening our data at rest and in transit, we quickly moved on to the technology on everyone’s mind: artificial intelligence (AI).
现在, 我在网络安全领域工作了很长时间, 我接触过很多vns6060威尼斯城官网人工智能的信息. However, the unique perspectives that surfaced during this roundtable left me surprised. In addition to discussing all the traditional ways AI threatens our organizations, a topic I’ve spent a lot of time thinking about being in the Incident Response business, I was surprised and delighted as the topic quickly shifted away from the doom and gloom of AI, to how AI could be leveraged to enhance Digital Risk Management.
寻找更好的管理方法
正如该集团先前建立的那样, 跟踪是必要的, 记录和量化风险, 但风险登记存在一些困难, 尤其是在较小的组织中. 在这里, I asked the group to brainstorm ideas that could enhance legacy risk registers or replace them altogether.
An interesting idea that emerged from this discussion was using AI to help simulate digital risks that could be difficult to objectively quantify. 大家都认为这是一个很有前途的主意, but caution was warranted as AI “hallucinations” might lead to poorly understood outcomes. In short, understand your AI model well before making decisions based on it.
Another salient point was that the risk management process must remain linked to a firm’s senior leadership strategy. This meant including senior leadership in all phases of digital risk management from mapping to prioritization to mitigation and in the regular care and feeding of a digital risk management program to ensure it continues to identify, 确定优先级并降低风险.
All in all, to manage digital risk, organizations must first take steps to map out specific risks. 从那里, criteria should be assigned to prioritize which risks require immediate action and then begin the mitigation process. While no silver bullet was discovered to end the practice of risk registers, a few notable ideas emerged for enhancing our current processes.