Digital transformation — largely accelerated by 2020’s shift to remote work models — has altered business operations from a visible set of centrally managed technology assets to a highly distributed, opaque set of digitally enabled processes, products, and services. This has created the need to be ever more vigilant about new digital risks and their potential to cause damage to the business. IBM reports the average cost of a data breach reached a record high of $4.35 million in 2022, a 12.7% jump from 2020. Yet existing methods for managing information security are lagging dangerously.
An AuditBoard flash poll of information security professionals in April and May 2022 found traditional InfoSec approaches have become fragmented, labor-intensive, and largely insulated from the business. The 2022 Security Risk Trends report explores how changes in the business landscape are rendering current information security models obsolete. This report covers how InfoSec professionals can prioritize limited resources (both human and technological) to address relevant business risks and, in the process, strengthen overall assurance efforts. Download the full report, 2022 Security Risk Trends: InfoSec Must Transform to Keep Pace With Digital Business, and continue reading below for an overview of the report’s key findings.
Digital Risk Lurks in the Shadows
Today, data is informing and driving areas of technology in the business reaching beyond IT into operational processes, products, and services. For example, robotics has become increasingly standard in manufacturing, while digitization is changing healthcare from telehealth to robot-assisted surgery. New digital technologies can fall under the category of shadow IT, the use of IT devices, software, and services outside the ownership or control of IT organizations. AuditBoard’s Security Risk Trends survey found over 70% of organizations view shadow IT as a very important or important issue.
This distributed set of digital technologies and risks has become more difficult to manage from an IT perspective. Nearly 50% of survey respondents are relying on surveillance and monitoring software to manage shadow IT (Figure 2). However, by definition, shadow IT lies outside the physical or digital domain of centralized IT. Therefore, digital risks fueled by shadow IT cannot be effectively monitored via surveillance software, which ultimately provides only a false sense of security. To be effective, controls must be designed and integrated into the use of shadow IT by the true risk owners — the business itself.
The Role of Third Parties and Business Operations in Digital Risk
As organizations increasingly rely on outsourced or offshored digital products and services, the IT organization may find itself unprepared to support the rapid innovation of third-party technology. InfoSec teams need to spend a greater percentage of their time understanding the third-party risk environment and how it ties into their critical business processes and objectives.
Unfortunately, InfoSec functions have struggled to adapt to these changing needs. AuditBoard’s Security Risk Trends survey found that nearly three-quarters of respondents feel their company is not very well aligned on their largest cybersecurity risks and how to best manage them.
Outdated Collaboration and Communication Methods
Further, AuditBoard’s Security Risk Trends survey reveals that the business areas experiencing the most digital transformation — business operations, finance, people, sales, and marketing — are the ones with the least influence on building cybersecurity alignment, even though they are where much of the digital risk impact lands.
Moreover, InfoSec teams spend the majority of their time coordinating with related corporate risk management functions (IT, internal audit, and GRC) — rather than collaborating with their business partners. However, because digital risk emanates from the business itself, it is necessary for InfoSec to shift its primary focus from coordinating with similar functions to collaborating closely with its business partners. The key to risk management success is to assign risk accountability to the ultimate risk owners.
As businesses prioritize digitization, it is crucial that InfoSec pivots from a traditional risk management strategy to match the rapidly changing digital risk landscape. To effectively manage digital risk, InfoSec professionals and business leaders must work in tandem to increase their mutual understanding and mitigation efforts around digital risk. For a deeper dive into the survey results — and three imperatives for InfoSec to turn digital risk into competitive advantage — download the full 2022 Security Risk Trends report.