COVID-19 has reorganized the risk landscape for chief audit executives (CAEs), who now list IT governance as the top risk for 2021, according to Gartner. Analysts said the pandemic is giving rise to new sets of risks while exacerbating long-standing vulnerabilities.
Gartner conducted interviews and surveys from across its global network of client organizations to identify the top 12 risks, or “Audit Plan Hot Spots,” facing boards, audit committees and executives entering 2021.
Existing risk trends
The report revealed that IT governance is displacing data governance, which was the top entry for 2020 and is in second position for 2021.
“While the pandemic has created new challenges for audit executives to grapple with, what’s most notable is how the current environment has accelerated existing risk trends,” said Leslee McKnight, research director for the Gartner Audit practice.
“The volatility and interconnectedness of the two most important risks, IT and data governance, also shines a light on the importance for firms to rethink their risk governance. Audit leaders should apply dynamic risk governance in order to rethink their approach to designing risk management roles and responsibilities.”
While the top three hot spots audit executives must focus on for 2021 all made appearances in last year’s list, they have all been altered by the nature of working in the pandemic.
Abrupt work-from-home mandates have accelerated digital roadmaps, causing many organizations to vault years forward in the space of a few weeks. This move has spurred the rapid adoption of new technologies on both the employee and customer side, presenting new challenges around productivity and consumer preferences, and around guarding against security vulnerabilities.
CAEs need to assess how new technology adoption may be hobbling their IT departments' plans, as IT support incident requests doubled in early 2020 to support a huge increase in work-from-home employees.
Additionally, managing access rights for many more remote workers presents new risks such as “privileged user abuse,” which is expected to climb over the next 12 to 24 months.
The pandemic means that organizations are expected to collect more sensitive personal information from employees and customers than ever before. Yet, data governance practices are regressing, with fewer dedicated resources to data privacy than in previous years.
Organizations face increasingly complex environments in which their data is housed. Growth in software-as-a-service (SaaS) and delays in upgrading legacy systems have created work environments where data is distributed across disparate platforms, software and servers.
Such complexities continue to test audit executives, with only 45% expressing high confidence in their ability to manage data governance risk.
Cyber vulnerabilities are especially acute this year, due to the rapid organizational changes needed to protect employees and serve customers in the midst of a pandemic.
Despite increased cybersecurity spending, only 24% of organizations routinely follow cybersecurity best practices; cyberattacks are expected to cost organizations $6 trillion annually by 2021. Drivers of this risk include lapses in security controls and increased employee vulnerability to social engineering.
More than half of employees are currently using personal devices to do work remotely, while 61% have indicated their employer has not provided tools to secure these devices. Additional security lapses include a lack of attention to employees' home network security and the status of antivirus software.
“The pandemic is forcing many audit and risk executives to address their organization’s deficiencies in the most critical areas,” said Ms. McKnight.
“Inadequate data governance and IT security practices will have even steeper consequences in the current environment than pre-pandemic, particularly when considering the types of data many organizations feel compelled to collect as a result of new health and safety measures.”
CIOs and IT leaders who use composability to deal with continuing business disruption due to the COVID-19 pandemic and other factors will make their enterprises more resilient, more sustainable and make more meaningful contributions, according to Gartner.
Analysts said that composable business means architecting for resilience and accepting that disruptive change is the norm. It supports a business that exploits the disruptions digital technology brings by making things modular – mixing and matching business functions to orchestrate the proper outcomes.
It supports a business that senses – or discovers – when change needs to happen; and then uses autonomous business units to creatively respond.
For some enterprises digital strategies became real for the first time
According to the 2021 Gartner Board of Directors survey, 69% of corporate directors want to accelerate enterprise digital strategies and implementations to help deal with the ongoing disruption. For some enterprises that means that their digital strategies became real for the first time, and for others that means rapidly scaling digital investments.
“Composable business is a natural acceleration of the digital business that organizations live every day,” said Daryl Plummer, research VP, Chief of Research and Gartner Fellow. “It allows organizations to finally deliver the resilience and agility that these interesting times demand.”
Don Scheibenreif, research VP at Gartner, explained that composable business starts with three building blocks: composable thinking, which ensures creative thinking is never lost; composable business architecture, which ensures flexibility and resiliency; and composable technologies, which are the tools for today and tomorrow.
“The world today demands something different from us. Composing – flexible, fluid, continuous, even improvisational – is how we will move forward. That is why composable business is more important than ever,” said Mr. Scheibenreif.
“During the COVID-19 pandemic crisis, most CIOs leveraged their organizations’ existing digital investments, and some CIOs accelerated their digital strategies by investing in some of the three composable building blocks,” said Tina Nunno, research VP and Gartner Fellow.
“To ensure their organizations were resilient, many CIOs also applied at least one of the four critical principles of composability, gaining more speed through discovery, greater agility through modularity, better leadership through orchestration, and resilience through autonomy.”
Composable business resilience
Analysts said that these four principles can be viewed differently depending on which building block organizations are working with:
- In composable thinking, these are design principles. They guide an organization’s approach to conceptualizing what to compose, and when.
- In composable business architecture, they are structural capabilities, giving an organization the mechanisms to use in architecting its business.
- In composable technologies, they are product design goals driving the features of technology that support the notions of composability.
“In the end, organizations need the principles and the building blocks to intentionally make composability real,” said Mr. Plummer.
The building blocks of composability can be used to pivot quickly to a new opportunity, industry, customer base or revenue stream. For example, a large Chinese retailer used composability when the pandemic hit to help re-architect its business. It used composable thinking and chose to pivot to live streaming sales activities.
It embraced social marketing technology and successfully retrained over 5,000 in-store sales and customer support staff to become live streaming hosts. The retailer suffered no layoffs and minimal revenue loss.
“Throughout 2020, CIOs and IT leaders maintained their composure and delivered tremendous value,” said Ms. Nunno. “The next step is to create a more composable business using the three building blocks and applying the four principles. With composability, organizations can achieve digital acceleration, greater resiliency and the ability to innovate through disruption.”
Zerologon (CVE-2020-1472) scored a perfect 10 on the CVSS scale. Vulnerabilities rated a perfect 10 are easy to exploit and have deep-reaching impact. Fortunately, they are not frequent, especially in prominent software such as Windows. Still, organizations that perpetually lag when it comes to patching become prime targets for cybercriminals. Flaws like Zerologon are rare, but there is no reason to assume that the next attack will not use a perfect 10 CVSS vulnerability, this time a zero-day.
Zerologon: Unexpected squall
Zerologon lets anyone with network access to a domain controller, whether an insider or an attacker who has compromised an ordinary workstation, escalate to Windows Domain Administrator without needing valid domain credentials. The vulnerability is trivially easy to exploit. While the most obvious threat seems to be a disgruntled insider, attackers may target any average user, and the most significant risk comes from a user whose system is already compromised.
In this scenario, a bad actor has already taken over an end user's system but is constrained to that user's current level of access. By executing this exploit, the bad actor breaks out of that permissions box. The attack grants them the proverbial keys to the kingdom in a Windows domain, with access to whatever Windows-based devices they wish.
Part of why Zerologon is so damaging is that many organizations rely on Windows as the authoritative identity source for a domain. To save time, they promote their Windows Domain Administrators to an Administrator role throughout the organizational IT ecosystem and assign permissions in bulk, rather than adding them individually. This eases administration by removing the need to update access permissions frequently as these users change jobs, but it violates the principle of least privilege, leaving anyone with a Windows Domain Administrator role free to exercise access rights far beyond what the role requires.
Beware of sharks
Advance preparation for attacks like these requires a fundamental shift in how organizational boundaries are defined, away from a legacy mentality to a modern cybersecurity mindset. The traditional castle model assumes all threats remain outside the firewall boundary and trusts, to some degree, everything that is natively internal or connected via VPN.
Modern cybersecurity professionals understand the advantage of controls like zero standing privilege (ZSP), which gives no one standing authorization and requires that each user request access and be evaluated before privileged access is granted. Think of it much like the security check at an airport: to get in, everyone, passenger, pilot, even store staff, needs to be inspected, prove they belong and show they have nothing questionable in their possession.
This continual re-certification prevents users from retaining access once they have experienced an event that alters their eligibility, such as leaving the organization or changing positions. Checking permissions before approving them ensures only those who currently require a resource can access it.
My hero zero (standing privilege)
Implementing the design concept of zero standing privilege is crucial to hardening against privilege escalation attacks, as it removes the administrator's vast standing power and access. Users acquire these rights for a limited period and only on an as-needed basis. This Just-In-Time (JIT) method of provisioning creates a better access review process: requests are either granted time-bound access automatically or flagged for escalation to a human approver, keeping the automation under human oversight.
An essential component of zero standing privilege is avoiding super-user roles and access. Old-school practitioners may find it odd and question the impact on the daily administrative tasks that keep the ecosystem running; users carry out those tasks through heavily logged, time-limited permission assignments. Reliable user behavior analytics, combined with risk-based privileged access management (PAM) and machine-learning-supported log analysis, offers organizations better contextual identity information. Understanding how privileged access is used, and identifying misuse before it takes root, is vital to preventing a breach.
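The request-evaluation flow described above (automatic time-bound grants within policy, escalation to a human approver outside it, and no standing privilege in between), as an added example written for this page. It is not code from the article or from any PAM product; the role names, privilege names, the policy table, the `ZspBroker` class and the timestamps are all hypothetical.

```python
"""Zero-standing-privilege request broker with just-in-time (JIT) grants.

Added example for this page, not code from the article or from any PAM
vendor. Role names, privilege names, the policy table and timestamps are
hypothetical; timestamps are ISO-8601 strings so the example needs no clock.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical self-service policy: (role, privilege) -> longest grant a holder of
# that role may obtain without a human approver. Anything absent here is escalated.
SELF_SERVICE_POLICY = {
    ("dba", "sql-sysadmin"): timedelta(hours=2),
    ("helpdesk", "workstation-local-admin"): timedelta(minutes=30),
}
# Super-user privileges are never self-service, whatever the requester's role.
ALWAYS_ESCALATE = {"domain-admin"}


@dataclass
class Grant:
    user: str
    privilege: str
    starts_at: datetime
    expires_at: datetime
    approved_by: str  # "policy" for automatic grants, otherwise the approver's id

    def is_active(self, now: datetime) -> bool:
        return self.starts_at <= now < self.expires_at


@dataclass
class Request:
    id: int
    user: str
    privilege: str
    duration: timedelta
    justification: str
    status: str = "pending"  # pending | granted | escalated | denied
    grant: Optional[Grant] = None


class ZspBroker:
    """Holds no standing privilege: every right exists only as a time-bound grant."""

    def __init__(self, user_roles: dict[str, set[str]]):
        self.user_roles = user_roles
        self.requests: list[Request] = []
        self.audit: list[dict] = []  # append-only decision log for later review

    def request(self, user: str, privilege: str, minutes: int, now_iso: str,
                justification: str = "") -> Request:
        now = datetime.fromisoformat(now_iso)
        req = Request(len(self.requests) + 1, user, privilege,
                      timedelta(minutes=minutes), justification)
        self.requests.append(req)
        roles = self.user_roles.get(user, set())
        limits = [SELF_SERVICE_POLICY[(r, privilege)] for r in roles
                  if (r, privilege) in SELF_SERVICE_POLICY]
        if not roles:
            req.status = "denied"  # unknown identity: nothing to evaluate against
        elif privilege in ALWAYS_ESCALATE or not limits or req.duration > max(limits):
            req.status = "escalated"  # outside policy: a human must decide
        else:
            self._issue(req, now, approved_by="policy")
        self._record(now_iso, req, actor="policy")
        return req

    def approve(self, request_id: int, approver: str, now_iso: str) -> Request:
        now = datetime.fromisoformat(now_iso)
        req = self.requests[request_id - 1]
        if req.status != "escalated":
            raise ValueError(f"request {request_id} is {req.status}, not awaiting approval")
        if approver == req.user:
            raise ValueError("self-approval is not allowed")
        self._issue(req, now, approved_by=approver)
        self._record(now_iso, req, actor=approver)
        return req

    def active_privileges(self, user: str, now_iso: str) -> set[str]:
        """What the user can do right now; empty whenever no grant is live."""
        now = datetime.fromisoformat(now_iso)
        return {r.grant.privilege for r in self.requests
                if r.user == user and r.grant is not None and r.grant.is_active(now)}

    def _issue(self, req: Request, now: datetime, approved_by: str) -> None:
        req.grant = Grant(req.user, req.privilege, now, now + req.duration, approved_by)
        req.status = "granted"

    def _record(self, ts: str, req: Request, actor: str) -> None:
        self.audit.append({"ts": ts, "request": req.id, "user": req.user,
                           "privilege": req.privilege, "status": req.status,
                           "actor": actor, "justification": req.justification})
```

Two design points matter more than the bookkeeping: `active_privileges` is computed from live grants at the moment of the check, so a grant that has expired, or a user who never requested one, holds nothing; and `approve` refuses self-approval and refuses to re-approve a request that is not pending, so the only route to a super-user privilege such as `domain-admin` is a logged decision by a second person.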
Peering into the depths
To even start with zero standing privilege, an organization must understand which assets it considers privileged. Categorizing digital assets begins the process; the next step is assigning ownership of these resources. Doing this allows organizations to configure the PAM software to accommodate the policies and access rules defined organizationally, ensuring access rules meet governance and compliance requirements.
The PAM solution requires in-depth visibility of each individual’s full access across all cloud and SaaS environments, as well as throughout the internal IT infrastructure. This information improves the identification of toxic combinations, where granted permissions create compliance issues such as segregation of duties (SoD) violations.
AI & UEBA to the rescue
Zero standing privilege generates a large volume of user logs and behavioral information over time, and manual log review becomes unsustainable very quickly. Applying AI and machine learning to derive intelligent analytics allows organizations to identify risky behaviors and locate potential breaches far faster than human reviewers can.
Integrating user and entity behavior analytics (UEBA) software establishes baselines of behavior and triggers alerts when deviations occur. UEBA systems detect insider threats and advanced persistent threats (APTs) while generating contextual identity information.
UEBA systems track all behavior linked back to an entity and identify anomalous patterns such as spikes in access requests, requests for data that would typically not be allowed for that user's roles, or systematic access to large numbers of items. This contextual information helps organizations identify situations that might indicate a breach or point to unauthorized exfiltration of data.
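A detector for the three anomaly types just listed (a spike in request volume, requests for resources outside the user's role, and unusually broad access), run over the kind of access-request log that a zero-standing-privilege broker produces. This is an added example written for this page, not code from the article or from any UEBA product; the log format, the `ROLE_RESOURCES` map, the thresholds and the log lines in `SAMPLE_LOG` are all constructed for the example.

```python
"""Behaviour baselining over access-request logs (UEBA-style anomaly detection).

Added example for this page, not code from the article or from any UEBA
product. The log format, the role-to-resource map, the thresholds and the
sample log lines are constructed for the example.
"""
import re
import statistics
from collections import defaultdict
from datetime import date

LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) action=access_request "
    r"resource=(?P<resource>\S+) result=(?P<result>\S+)$"
)

# Hypothetical role model: the resources each user's role legitimately touches.
ROLE_RESOURCES = {
    "alice": {"crm-db", "crm-app"},
    "bob": {"build-server", "artifact-repo"},
}


def _lines(day, user, resources, n):
    """Build n constructed log lines for one user and day, cycling over resources."""
    return [f"{day}T09:{i:02d}:00Z user={user} action=access_request "
            f"resource={resources[i % len(resources)]} result=granted" for i in range(n)]


# Constructed sample: a week of quiet activity, then one day on which alice's
# request volume explodes and spreads to systems her role never needs.
SAMPLE_LOG = []
for _day, _n in zip(("2021-01-04", "2021-01-05", "2021-01-06", "2021-01-07", "2021-01-08"),
                    (3, 4, 3, 4, 3)):
    SAMPLE_LOG += _lines(_day, "alice", ["crm-db", "crm-app"], _n)
    SAMPLE_LOG += _lines(_day, "bob", ["build-server", "artifact-repo"], 2)
SAMPLE_LOG += _lines("2021-01-11", "alice",
                     ["crm-db", "hr-payroll-db", "finance-ledger",
                      "ad-domain-controllers", "crm-app"], 20)
SAMPLE_LOG += _lines("2021-01-11", "bob", ["build-server", "artifact-repo"], 2)


def parse(lines):
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable log line: {line!r}")  # never drop silently
        events.append({"day": date.fromisoformat(m["day"]), "user": m["user"],
                       "resource": m["resource"], "result": m["result"]})
    return events


def daily_profiles(events):
    """user -> day -> {'count': requests that day, 'resources': distinct resources}"""
    prof = defaultdict(lambda: defaultdict(lambda: {"count": 0, "resources": set()}))
    for e in events:
        day = prof[e["user"]][e["day"]]
        day["count"] += 1
        day["resources"].add(e["resource"])
    return prof


def detect(lines, eval_day_iso, spike_sigma=3.0, min_baseline_days=3, breadth_factor=2):
    """Compare each user's activity on eval_day against that user's own earlier days."""
    eval_day = date.fromisoformat(eval_day_iso)
    findings = []
    for user, days in daily_profiles(parse(lines)).items():
        today = days.get(eval_day)
        if today is None:
            continue
        history = [d for day, d in days.items() if day < eval_day]
        counts = [d["count"] for d in history]
        if len(counts) >= min_baseline_days:
            # Floor the deviation at one request so a flat baseline cannot alert on +1.
            threshold = statistics.mean(counts) + spike_sigma * max(statistics.pstdev(counts), 1.0)
            if today["count"] > threshold:
                findings.append({"user": user, "type": "request_spike",
                                 "observed": today["count"], "threshold": round(threshold, 1)})
        foreign = today["resources"] - ROLE_RESOURCES.get(user, set())
        if foreign:
            findings.append({"user": user, "type": "out_of_role_resource",
                             "resources": sorted(foreign)})
        breadths = [len(d["resources"]) for d in history]
        if breadths and len(today["resources"]) > breadth_factor * max(breadths):
            findings.append({"user": user, "type": "resource_breadth",
                             "observed": len(today["resources"]), "baseline_max": max(breadths)})
    return findings
```

The baseline is per user, built only from that user's own earlier days, and the volume check refuses to fire until a minimum number of baseline days exists, so a new account does not alert on its first week. The out-of-role check is the only one that needs no history, which is why it is the most useful signal on day one. A production system would add peer-group baselines and a time-of-day dimension on top of this.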
Your compass points to ZTA
Protecting against privilege escalation threats requires more than merely staying up to date on patches. Part of stopping attacks like Zerologon is to re-imagine how security is architected in an organization. Centering identity as the new security perimeter and implementing zero standing privilege are essential to the foundation of a security model known as zero trust architecture (ZTA).
Zero trust architecture has existed for a while in the corporate world. It is gaining attention from the public sector since NIST published SP 800-207, which defines ZTA and describes how government agencies can leverage it. NIST's endorsement of ZTA opened the doors for government entities and civilian contractors to incorporate it into their security model. Taking this route helps to close the privilege escalation pathway, providing your organization a secure harbor in the event of another cybersecurity perfect storm.
COVID-19 has accelerated the push toward digital business transformation for most businesses, and legal and compliance leaders are under pressure to anticipate both the potential improvements and possible risks that come with new legal technology innovations, according to Gartner.
Legal technology innovations
To address this challenge, Gartner lists 31 must-watch legal technologies to help legal and compliance leaders identify innovations that will allow them to act faster. They can use this information for internal planning and for prioritizing emerging innovations.
“Legal and compliance leaders must collaborate with other stakeholders to garner support for organization-wide and function-wide investments in technology,” said Zack Hutto, director in the Gartner Legal and Compliance practice.
“They must address complex business demand by investing in technologies and practices to better anticipate, identify and manage risks, while seeking out opportunities to contribute to growth.”
Analysts said enterprise legal management (ELM), subject rights requests, predictive analytics, and robotic process automation (RPA) are likely to be most beneficial for the majority of legal and compliance organizations within a few years. They are also likely to help with the increased need for cost optimization and unplanned legal work arising from the pandemic.
Enterprise legal management
This is a multifaceted market where several vendors are trying to consolidate many of the technologies on this year’s Hype Cycle into unified platforms and suites to streamline the many aspects of corporate governance.
“Just as enterprise resource planning (ERP) overhauled finance, there is promise for a foundational system of record to improve in-house legal operations and workflows,” said Mr. Hutto. “Legal leaders should take a lesson from ERP’s evolution: ‘monolithic’ IT systems tend to lack flexibility and can quickly become an anchor not a sail.”
Legal application leaders and general counsel must begin with their desired business outcomes, and only then find a technology that can help deliver those outcomes.
Subject rights requests
The demand for subject rights requests (SRRs) is growing along with the number of regulations that enshrine a data subject's right to access their data and request amendment or deletion. Current regulations include the CCPA in California, the EU's GDPR and Brazil's Lei Geral de Proteção de Dados (LGPD).
Many organizations are funneling their subject access requests (SARs) through internal legal counsel to limit the potential exposure to liability. This is costing, on average, $1,406 per SAR.
“In the face of rising request volumes and significant costs, there is great potential for legal and compliance leaders to make substantial savings and free up time by using technology to automate part, if not most, of the SRR workflow,” said Mr. Hutto.
Predictive analytics
This is a well-established technology and the market is mature, so it can be relatively simple to use out of the box or via a cloud service. Typically, the technology examines data or content to answer the question, “What is likely to happen if…?”
“Adoption of this technology in legal and compliance is typically less mature than other business functions,” said Mr. Hutto. “This likely means untapped use cases where existing solutions could be used in the legal and compliance context to offer some real benefits.
“While analytics platforms may make data analysis more ‘turnkey’ extracting real insights may be more elusive. Legal and compliance leaders still should consider and improve the usefulness of their data, the capabilities of their teams, and the attainability of data in various existing systems.”
Robotic process automation (RPA)
RPA’s potential to streamline workflows for repetitive, rule-based tasks is already well-established in other business functions. Typically, RPA is best suited to systems with standardized — often legacy — user interfaces for which scripts can be written.
“Where legal departments already use these types of systems it is likely that RPA can drive higher efficiency,” said Mr. Hutto. “However, not all legal departments use such systems. If not, it could make sense to take a longer view and consider investing in systems that have automation functionality built in.”
Gartner's advice to consider these four technologies is not based solely on their position on the Hype Cycle. Legal and compliance leaders should focus on the technologies with the most potential to drive the greatest transformation within their own organizations in the near to medium term; position on the Hype Cycle is part of that, but not the whole story.
For example, Mr. Hutto said blockchain is a technology that has the potential to make a successful journey to the Plateau of Productivity within five years. But for now, its application will likely be limited to quite a narrow set of use cases, and it is unlikely to be transformational for corporate legal and compliance leaders.
The importance of monitoring is often left out of discussions about DevOps, but a Gartner report shows how it can lead to superior customer experiences.
The report provides the following key recommendations:
- Work with DevOps teams during the design phase to add the instrumentation necessary to track business key performance indicators and monitor business metrics in production.
- Automate the transmission of embedded monitoring results between monitoring and deployment tools to improve application deployments.
- Use identified business requirements to develop a pipeline for delivering new functionality, and evolve monitoring into a practice of continuous learning and feedback across stakeholders and product managers.
While the report focuses on application monitoring, the benefits of early DevOps integration apply equally to database monitoring, according to Grant Fritchey, Redgate DevOps Advocate and Microsoft Data Platform MVP: “In any DevOps pipeline, the database is often the pain point because you need to update it alongside the application while keeping data safe. Monitoring helps database developers identify and fix issues earlier, and minimizes errors when changes are deployed.”
Optimizing performance before releases hit production
Giving development teams access to live monitoring data during database development and testing, for example, can help them optimize performance before releases hit production. They can see immediately whether their changes cause operational or performance issues, and drill down to the cause.
Similarly, database monitoring tools can be configured to read and report on deployments made to any server and automatically deliver an alert back to the development team if a problem arises, telling them what happened and how to fix the issue.
This continuous feedback loop not only reduces time spent manually checking for problems, but speeds up communication between database development and operational teams. Most importantly, this activity all takes place on non-production environments, meaning fewer bad customer experiences when accessing production data.
This increased focus on monitoring is prompting many high performing DevOps teams to introduce third-party tools which offer more advanced features like the ability to integrate with the most popular deployment, alerting and ticketing tools.
A good example is the financial services sector. Redgate’s report revealed that 66% of businesses in the sector now use a third-party monitoring tool, outpacing all other sectors. And while 61% of businesses deploy database changes once a week or more, compared to 43% across other sectors, issues with deployments are detected faster and recovered from sooner.
The Gartner report states: “By enabling faster recognition and response to issues, monitoring improves system reliability and overall agility, which is a primary objective for new DevOps initiatives.”
Many organizations are discovering there are big advantages in including the database in the monitoring conversation as well.
In one form or another, APIs have been around for years, bringing the benefits of ease of use, efficiency and flexibility to the developer community. The advantage of using APIs for mobile and web apps is that developers can build and deploy functionality and data integrations quickly.
API security posture
But there is a huge downside to this approach. Undermining the power of an API-driven development methodology are shadow, deprecated and non-conforming APIs that, when exposed to the public, introduce the risk of data loss, compromise or automated fraud.
The stateless nature of APIs and their ubiquity make protecting them increasingly difficult, largely because malicious actors can leverage the same developer benefits, ease of use and flexibility, to execute account takeovers, credential stuffing, fake account creation or content scraping. It is no wonder that Gartner identified API security as a top concern for 50% of businesses.
Thankfully, it’s never too late to get your API footprint in order to better protect your organization’s critical data. Here are a few easy steps you can follow to mitigate API security risks immediately:
1. Start an organization-wide conversation
If your company is having conversations around API security at all, it’s likely that they are happening in a fractured manner. If there’s no larger, cohesive conversation, then various development and operational teams could be taking conflicting approaches to mitigating API security risks.
For this reason, teams should discuss how they can best work together to support API security initiatives. As a basis for these meetings, teams should refer to the NIST Cybersecurity Framework, as it’s a great way to develop a shared understanding of organization-wide cybersecurity risks. The NIST CSF will help the collective team to gain a baseline awareness about the APIs used across the organization to pinpoint the potential gaps in the operational processes that support them, so that companies can work towards improving their API strategy immediately.
2. Ask (& answer) any outstanding questions as a team
To improve an organization’s API security posture, it’s critical that outstanding questions are asked and answered immediately so that gaps in security are reduced and closed. When posing these questions to the group, consider the API assets you have overall, the business environment, governance, risk assessment, risk management strategy, access control, awareness and training, anomalies and events, continuous security monitoring, detection processes, etc. Leave no stone unturned. Here are a few suggested questions to use as a starting point as you work on the next step in this process towards getting your API security house in order:
- How many APIs do we have?
- How were they developed? Which are open-source, custom built or third-party?
- Which APIs are subject to legal or regulatory compliance?
- How do we monitor for vulnerabilities in our APIs?
- How do we protect our APIs from malicious traffic?
- Are there APIs with vulnerabilities?
- What is the business impact if the APIs are compromised or abused?
- Is API security a part of our on-going developer training and security evangelism?
Once any security holes have been identified through this shared understanding, the team can collectively work to fill those gaps.
3. Strive for complete and continuous API security and visibility
Visibility is critical to immediate and continuous API security. By going through steps one and two, organizations are working towards more secure APIs today, but what about tomorrow and in the years to come as your API footprint expands exponentially?
Consider implementing a visibility and monitoring solution to oversee this security program on an ongoing basis, so that your organization can be confident in a strong and comprehensive API security posture that grows and adapts as the number of APIs expands and shifts. The key components of visibility and monitoring are:
- centralized visibility and an inventory of all APIs
- a detailed view of API traffic patterns
- discovery of APIs transmitting sensitive data
- continuous assessment of conformance to the API specification
- validated authentication and access control programs
- automatic risk analysis based on predefined criteria
Continuous, runtime visibility into how many APIs an organization has, who is accessing them, where they are located and how they are being used is key to API security.
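The inventory, conformance and sensitive-data checks described above, as one added example written for this page (not code from the article or from any API security product). It compares constructed gateway log lines against a hypothetical inventory, `API_SPEC`, that holds the subset of an OpenAPI document these checks need, and flags the shadow, deprecated and non-conforming APIs the article warns about. The log format, the spec table, the `SENSITIVE_FIELDS` list and the sample traffic are all assumptions.

```python
"""API inventory and traffic conformance check.

Added example for this page, not code from the article or from any API
security product. The spec table, the gateway log format, the sensitive-field
list and the log lines are all constructed for the example.
"""
from collections import Counter

# Hypothetical inventory: the part of an OpenAPI document these checks need.
API_SPEC = {
    "/v1/users/{id}": {"methods": {"GET"}, "auth_required": True, "deprecated": False,
                       "response_fields": {"id", "email"}},
    "/v1/orders": {"methods": {"GET", "POST"}, "auth_required": True, "deprecated": False,
                   "response_fields": {"order_id", "total"}},
    "/v0/orders": {"methods": {"GET"}, "auth_required": True, "deprecated": True,
                   "response_fields": {"order_id", "total"}},
}
# Field names that should never leave an API unless the spec documents them explicitly.
SENSITIVE_FIELDS = {"ssn", "card_number", "password", "db_password", "secret"}

# Constructed gateway log: one line per request, with the response's top-level
# field names as the gateway observed them ("-" when there was no body).
SAMPLE_LOG = [
    "2021-01-11T10:00:01Z method=GET path=/v1/users/42 status=200 auth=bearer resp_fields=id,email",
    "2021-01-11T10:00:02Z method=GET path=/v1/users/43 status=200 auth=bearer resp_fields=id,email,ssn",
    "2021-01-11T10:00:03Z method=GET path=/v1/orders status=200 auth=none resp_fields=order_id,total",
    "2021-01-11T10:00:04Z method=DELETE path=/v1/orders status=405 auth=bearer resp_fields=-",
    "2021-01-11T10:00:05Z method=GET path=/v0/orders status=200 auth=bearer resp_fields=order_id,total",
    "2021-01-11T10:00:06Z method=GET path=/internal/debug/dump status=200 auth=none resp_fields=env,db_password",
    "2021-01-11T10:00:07Z method=POST path=/v1/orders status=201 auth=bearer resp_fields=order_id,total,internal_ref",
]


def parse_line(line):
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    rec["resp_fields"] = set() if rec["resp_fields"] == "-" else set(rec["resp_fields"].split(","))
    return rec


def match_template(path):
    """Map a concrete path to its spec template; a {param} segment matches any one segment."""
    segs = path.split("/")
    for template in API_SPEC:
        tsegs = template.split("/")
        if len(tsegs) == len(segs) and all(t.startswith("{") or t == s
                                           for t, s in zip(tsegs, segs)):
            return template
    return None


def audit_traffic(lines):
    findings = []
    for rec in map(parse_line, lines):
        template = match_template(rec["path"])
        where = template or rec["path"]
        leaked = rec["resp_fields"] & SENSITIVE_FIELDS
        if template is None:
            # Not in the inventory at all: a shadow API. Nothing to check conformance against.
            findings.append({"type": "shadow_api", "api": where, "method": rec["method"]})
        else:
            spec = API_SPEC[template]
            if spec["deprecated"]:
                findings.append({"type": "deprecated_in_use", "api": where})
            if rec["method"] not in spec["methods"]:
                findings.append({"type": "method_not_in_spec", "api": where, "method": rec["method"]})
            if spec["auth_required"] and rec["auth"] == "none":
                findings.append({"type": "missing_auth", "api": where, "method": rec["method"]})
            undocumented = rec["resp_fields"] - spec["response_fields"] - SENSITIVE_FIELDS
            if undocumented:
                findings.append({"type": "undocumented_response_field", "api": where,
                                 "fields": sorted(undocumented)})
            # A sensitive field the spec documents is a design decision; only drift is flagged.
            leaked = leaked - spec["response_fields"]
        if leaked:
            findings.append({"type": "sensitive_data_exposure", "api": where, "fields": sorted(leaked)})
    return findings


def summarize(findings):
    """Count findings by type, the shape a posture dashboard would consume."""
    return dict(Counter(f["type"] for f in findings))
```

Note that a shadow API is never checked for missing authentication, because there is no spec to say whether it needs any; the shadow finding itself is the action item, and the sensitive-field check still runs on it because that check needs no spec. Running the same comparison continuously against live traffic rather than a one-off log extract is what turns this from an audit into the runtime visibility the passage calls for.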
As organizations continue to expand their use of APIs to drive their business, it’s crucial that companies consider every path malicious actors might take to attack their organization’s critical data.
Only 12% of CISOs excel in all four categories of the Gartner CISO Effectiveness Index.
“Today’s CISOs must demonstrate a higher level of effectiveness than ever before,” said Sam Olyaei, research director at Gartner.
“As the push to digital deepens, CISOs are responsible for supporting a rapidly evolving set of information risk decisions, while also facing greater oversight from regulators, executive teams and boards of directors. These challenges are further compounded by the pressure that COVID-19 has put on the information security function to be more agile and flexible.”
The survey was conducted among 129 heads of information risk functions, across all industries, globally in January 2020. The measure of CISO effectiveness is determined by a CISO’s ability to execute against a set of outcomes in the four categories of functional leadership, information security service delivery, scaled governance and enterprise responsiveness.
Each respondent’s score in each category was added together to calculate their overall effectiveness score. “Effective CISOs” are those who scored in the top one-third of the CISO effectiveness measure.
Top-performing CISOs demonstrate five key behaviors
Of the factors that impact CISO effectiveness, five behaviors significantly differentiate top-performing CISOs from bottom performers. On average, each of these behaviors is twice as prevalent in top performers as in bottom performers.
“A clear trend among top-performing CISOs is demonstrating a high level of proactiveness, whether that’s staying abreast of evolving threats, communicating emerging risks with stakeholders or having a formal succession plan,” said Mr. Olyaei. “CISOs should prioritize these kinds of proactive activities to boost their effectiveness.”
The survey also found that top performing CISOs regularly meet with three times as many non-IT stakeholders as they do IT stakeholders. Two-thirds of these top performers meet at least once per month with business unit leaders, while 43% meet with the CEO, 45% meet with the head of marketing and 30% meet with the head of sales.
“CISOs have historically built fruitful relationships with IT executives, but digital transformation has further democratized information security decision making,” added Daria Krilenko, senior research director at Gartner.
“Effective CISOs keep a close eye on how risks are evolving across the enterprise and develop strong relationships with the owners of that risk – senior business leaders outside of IT.”
Effective CISOs are better at managing stress
The survey also found that highly effective CISOs better manage workplace stressors. Just 27% of top performing CISOs feel overloaded with security alerts, compared with 62% of bottom performers. Furthermore, less than a third of top performers feel that they face unrealistic expectations from stakeholders, compared with half of bottom performing CISOs.
“As the CISO role becomes increasingly demanding, the most effective security leaders are those who can manage the stressors that they face daily,” said Mr. Olyaei.
“Actions such as keeping a clear distinction between work and nonwork, setting explicit expectations with stakeholders, and delegating or automating tasks are essential for enabling CISOs to function at a high level.”
Liability for cyber-physical security incidents will pierce the corporate veil to personal liability for 75% of CEOs by 2024, according to Gartner.
Due to the nature of cyber-physical systems (CPSs), incidents can quickly lead to physical harm to people, destruction of property or environmental disasters. Gartner analysts predict that incidents will rapidly increase in the coming years because security focus and spending are not currently aligned to these assets.
The function of CPSs
CPSs are defined as systems that are engineered to orchestrate sensing, computation, control, networking and analytics to interact with the physical world (including humans). They underpin all connected IT, operational technology (OT) and Internet of Things (IoT) efforts where security considerations span both the cyber and physical worlds, such as asset-intensive, critical infrastructure and clinical healthcare environments.
“Regulators and governments will react promptly to an increase in serious incidents resulting from failure to secure CPSs, drastically increasing rules and regulations governing them,” said Katell Thielemann, research vice president at Gartner.
“In the U.S., the FBI, NSA and CISA have already increased the frequency and details provided around threats to critical infrastructure-related systems, most of which are owned by private industry. Soon, CEOs won’t be able to plead ignorance or retreat behind insurance policies.”
The financial impact of CPS attacks resulting in fatal casualties is predicted to reach over $50 billion by 2023. Even without taking the actual value of a human life into the equation, the costs for organizations in terms of compensation, litigation, insurance, regulatory fines and reputation loss will be significant.
“Technology leaders need to help CEOs understand the risks that CPSs represent and the need to dedicate focus and budget to securing them,” said Ms. Thielemann. “The more connected CPSs are, the higher the likelihood of an incident occurring.”
Many enterprises not aware of CPSs already deployed in their org
With OT, smart buildings, smart cities, connected cars and autonomous vehicles evolving, incidents in the digital world will have a much greater effect in the physical world as risks, threats and vulnerabilities now exist in a bidirectional, cyber-physical spectrum.
However, many enterprises are not aware of CPSs already deployed in their organization, either due to legacy systems connected to enterprise networks by teams outside of IT, or because of new business-driven automation and modernization efforts.
“A focus on ORM – or operational resilience management – beyond information-centric cybersecurity is sorely needed,” Ms. Thielemann said.
Bring your own PC (BYOPC) security will reach mainstream adoption in the next two to five years, while it will take five to 10 years for mainstream adoption of secure access service edge (SASE) to take place, according to Gartner.
[Figure: Hype cycle for endpoint security, 2020]
“Prior to the COVID-19 pandemic, there was little interest in BYOPC,” said Rob Smith, senior research director at Gartner. “At the start of the pandemic, organizations simply had no …
The post Bring your own PC and SASE security to transform global businesses appeared first on Help Net Security.
Senior executives reported concerns around renewed outbreaks of the COVID-19 pandemic as their top emerging risk in the second quarter of 2020, according to Gartner.
Gartner surveyed 131 senior executives across industries and geographies on the top concerns facing their businesses with results showing that the second wave of COVID-19 topped executives’ concerns, even as many regions are struggling with the first wave of the virus.
Concerns related to the financial implications of the pandemic were present throughout the top 10, with executives in particular expressing concerns about their organizations’ new working conditions and strategic responses to the crisis.
“Executives have been grappling with reopening strategies, complicated by different stages of the coronavirus in different regions. It’s now becoming clear that a ‘re-exit plan’ will also be a required part of any such strategy.”
Executives worry about strategic responses to pandemic
While external factors have played an unusually large role in shaping senior executives’ views about risk since the start of the year, it’s notable that two of the top three risks highlighted by executives in 2Q20 were internally focused: developing an effective new working model for employees and customers, and responding strategically to new conditions created by the pandemic.
Regarding the two internal risks related to the pandemic, these are the recommendations:
- The new working model – While executive teams continue to grapple with the requirements of reopening, such as ensuring adequate social distancing measures, transforming workplaces and managing staggered employee schedules, Mr. Shinkman said that employees and customers will also need psychological guidance and encouragement with how to act in this new environment. Risk managers are collaborating across functions to work holistically on these issues while also encouraging scenario planning to reflect the unsettled nature of the ongoing pandemic.
- Strategic corrections – As many organizations move from a pure survival posture to attempting to seek a more effective position in the new operating climate, the pitfalls of overcorrecting or not taking into account regional differences in working conditions could hobble any attempt at a robust recovery. Mr. Shinkman noted an opportunity for risk leaders to complement the work of strategy and finance colleagues by identifying the leading indicators that matter both from a defensive and opportunistic point of view.
Macro risks extend beyond COVID-19
While COVID-19 remains the most immediately visible external threat to executives, additional risks including the status of US/China trade talks and the upcoming US election also landed in the top five emerging risks globally.
“Some of the highest velocity emerging risks over the next 12 months have political and social risk implications,” said Mr. Shinkman.
“These are not areas that large enterprises have a strong history of navigating fluently and will require their risk teams to take proactive steps to understand how potentially historic shifts will alter the business operating environment.”
The average $5 billion company incurs delays of roughly 5 weeks per year in new product launches due to missed risks, with a $99 million opportunity cost, according to Gartner.
Opportunity costs from missing risks
A survey of more than 382 strategic initiative leaders quantified the cost of missing risks in strategic initiatives. For an average $5 billion revenue company it amounts to $99 million annually in opportunity cost from delayed new product launches alone. Initiatives where unexpected risks are not surfaced and mitigated in a timely fashion are delayed by an average of five weeks per year.
Moreover, in a related survey of 111 enterprise risk management (ERM) leaders, just 6% felt that their organization’s risk response was timely during strategic initiatives.
“These findings show that risk response usually is not timely,” said Emily Riley, senior principal, research in the Gartner Audit and Risk practice. “But they also show the huge cost of an untimely response. The recent COVID-19 pandemic illustrates the need for an agile response to unexpected risks.”
Benefits of a timely risk response
Experts looked at how strategic initiatives performed against several measures and how this was affected by the timeliness of risk responses.
“The performance benefits of a timely risk response stand out clearly,” said Ms. Riley. “There’s a business opportunity here because ERM leaders expressed their desire to be more involved in supporting strategic initiative success.”
Seventy-six percent of ERM heads said they wanted to increase the proportion of their time they spend on strategic initiatives. More than half said that their involvement should come at the earliest stages of a strategic initiative. Yet currently just 11% feel they are involved before an initiative’s execution.
Unexpected risks and information roadblocks
“The problem we often see is initiative teams are not getting the information they need to act on risks in a timely manner,” said Ms. Riley. “This is one area where ERM teams can add value.”
This can have several root causes. Sometimes many individuals are involved in an initiative without clear accountability to one another. There is also often a sensitivity to candidly sharing information about threats to high stakes projects. Another common cause is a focus on performance metrics that overshadows forward-looking considerations.
“ERM’s role should be to connect initiative teams with subject matter experts, to facilitate opportunities for anonymous sharing of concerns, and to develop risk indicators that consider leading indicators of project success,” said Ms. Riley.
Since the onset of COVID-19, more than half of legal and compliance leaders believe that cybersecurity and data breach is the most-increased third-party risk their organizations face, according to Gartner.
[Figure: survey question “Which third-party compliance risk has increased (or could increase) the most at your organization as a result of COVID-19?”]
Third-party compliance risk
“Remote working has been hastily adopted by suppliers to keep their business running, so it’s unlikely every organization or employee is following best practices,” said Vidhya Balasubramanian, managing vice president in the Gartner Legal and Compliance practice.
“Legal and compliance leaders are concerned about the new risks this highly disruptive environment has created for their organizations.”
Bribery and corruption, privacy, fraud, and ethical conduct were each noted as the most-increased third-party risk by a significant number of respondents (10% of respondents for each).
“Legal and compliance leaders need to act now to mitigate third-party risk while still enabling their supply chain partners to flex to the current pressures on the system,” said Ms. Balasubramanian.
“This will likely mean managing the contractual risks and opportunities of current relationships, mitigating emerging issues, and streamlining due diligence for new third-parties. Legal and compliance leaders will also be looking at other ways to reduce the compliance burden on third parties.”
Navigate the contractual relationship
Legal and compliance leaders are managing the contractual risks of disrupted supply chains by:
- Working with procurement or supply chain leaders to identify which critical suppliers have manufacturing facilities, or a portion of the workforce, located in high risk areas.
- Contacting high-risk, critical suppliers to understand their preparedness for COVID-19, and the likelihood that they will meet contractual obligations.
- Anticipating ongoing financial or business disruption by conducting a review of existing contracts with high-risk suppliers to identify those with force majeure and other relevant clauses.
Mitigate amplified third-party risks
Several emerging practices from the survey respondents were identified:
- Reviewing third-party compliance activities, including third-party work from home policies, as well as privacy and security training plans
- Updating contracts to include clauses intended to mitigate cybersecurity & data privacy risks (e.g., clauses on VPN use, data use)
- Reducing the compliance burden on suppliers by:
  - Entering into temporary “workaround agreements” by amending contracts to maintain services in a remote environment
  - Postponing supplier audits until later in the year
  - Modifying payment structures to those suppliers needing to boost cash flow
Streamline third-party due diligence
Emerging practices in this area include:
- Talking to functional partners about working with new third parties if needed to alleviate supply chain issues.
- Identifying critical, zero tolerance risks and revising due diligence processes to flag these.
- Identifying and prioritizing critical third parties and helping them manage risk throughout the pandemic.
- Conducting remote audits.
- Decreasing the amount of information requested from potential suppliers about general risks.
“Legal and compliance leaders have had to pivot quickly to support their supply chain and other business partners as part of this rapidly shifting third-party risk landscape,” Ms. Balasubramanian said.
“The most progressive companies have approached this crisis as an opportunity to clarify and streamline compliance obligations, strengthen current relationships, and focus their risk management efforts on the most critical, urgent risks.”
Human error and complex cloud deployments open the door to a wide range of cyber threats, according to Trend Micro.
Cloud security issues
Gartner predicts that by 2021, over 75% of midsize and large organizations will have adopted multi-cloud or hybrid IT strategy. As cloud platforms become more prevalent, IT and DevOps teams face additional concerns and uncertainties related to securing their cloud instances.
This report reaffirms that misconfigurations are the primary cause of cloud security issues. In fact, 230 million misconfigurations are identified on average each day, proving this risk is prevalent and widespread.
“Cloud-based operations have become the rule rather than the exception, and cybercriminals have adapted to capitalize on misconfigured or mismanaged cloud environments,” said Greg Young, vice president of cybersecurity for Trend Micro.
“We believe migrating to the cloud can be the best way to fix security problems by redefining the corporate IT perimeter and endpoints. However, that can only happen if organizations follow the shared responsibility model for cloud security.”
Criminals capitalizing on misconfigurations
The research found threats and security weaknesses in several key areas of cloud-based computing, which can put credentials and company secrets at risk. Criminals capitalizing on misconfigurations have targeted companies with ransomware, cryptomining, e-skimming and data exfiltration.
Misleading online tutorials compounded the risk for some businesses leading to mismanaged cloud credentials and certificates. IT teams can take advantage of cloud native tools to help mitigate these risks, but they should not rely solely on these tools, the report concludes.
Best practices to help secure cloud deployments
- Employ least privilege controls: Restricting access to only those who need it.
- Understand the Shared Responsibility Model: Although cloud providers have built-in security, customers are responsible for securing their own data.
- Monitor for misconfigured and exposed systems: Appropriate tools can quickly and easily identify misconfigurations in your cloud environments.
- Integrate security into DevOps culture: Security should be built into the DevOps process from the start.
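The first and third practices in the list above (least privilege and monitoring for misconfigured or exposed systems) are the kind of checks that can be automated before a change reaches production. The following is an added example written for this page, not code from Trend Micro or Gartner: it audits a constructed IAM-style policy document (in the JSON shape AWS policy documents use) for anonymous principals and wildcard actions or resources, and a constructed list of security-group-style ingress rules for sensitive ports open to the whole internet. The sample policy, bucket name, account id, role names and ingress rules are all constructed for illustration.

```python
"""Offline checks for two common cloud misconfigurations: over-broad policy
statements and internet-exposed administrative ports.
Added example for this page; all sample data below is constructed."""
import ipaddress
import json
from typing import Any, Dict, List

# Constructed sample policy document (AWS-style JSON shape, fictitious account/bucket).
SAMPLE_POLICY: Dict[str, Any] = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AdminAll", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy"},
     "Action": "*", "Resource": "*"},
    {"Sid": "Scoped", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/reader"},
     "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/reports/*"}
  ]
}
""")

# Constructed sample ingress rules (security-group style: port, protocol, source CIDR).
SAMPLE_INGRESS: List[Dict[str, Any]] = [
    {"port": 22, "protocol": "tcp", "cidr": "0.0.0.0/0"},
    {"port": 443, "protocol": "tcp", "cidr": "0.0.0.0/0"},
    {"port": 5432, "protocol": "tcp", "cidr": "10.0.0.0/8"},
    {"port": 3389, "protocol": "tcp", "cidr": "::/0"},
]

# Ports that should never be reachable from arbitrary internet addresses.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql",
                   5432: "postgres", 6379: "redis", 27017: "mongodb"}


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _is_wildcard(value: Any) -> bool:
    """True when any entry is a bare "*" (all actions / all resources)."""
    return any(str(item).strip() == "*" for item in _as_list(value))


def find_public_statements(policy: Dict[str, Any]) -> List[str]:
    """Sids of Allow statements that grant access to an anonymous principal.
    A statement with a Condition block may be narrower than it looks, so
    review those findings by hand rather than trusting this check alone."""
    return [s.get("Sid", "<no-sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and _is_anonymous(s.get("Principal"))]


def find_overbroad_statements(policy: Dict[str, Any]) -> List[str]:
    """Sids of Allow statements with Action "*" or Resource "*": these violate
    least privilege regardless of who the principal is."""
    return [s.get("Sid", "<no-sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow"
            and (_is_wildcard(s.get("Action", [])) or _is_wildcard(s.get("Resource", [])))]


def find_open_sensitive_ingress(rules: List[Dict[str, Any]]) -> List[str]:
    """Describe rules that expose a sensitive port to 0.0.0.0/0 or ::/0.
    ip_network handles both address families; prefix length 0 means 'everyone'."""
    findings = []
    for rule in rules:
        network = ipaddress.ip_network(rule["cidr"], strict=False)
        if network.prefixlen == 0 and rule["port"] in SENSITIVE_PORTS:
            findings.append(f"{SENSITIVE_PORTS[rule['port']]}/{rule['port']} open to {rule['cidr']}")
    return findings


def audit(policy: Dict[str, Any], rules: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Run all checks and return findings keyed by check name."""
    return {
        "public_statements": find_public_statements(policy),
        "overbroad_statements": find_overbroad_statements(policy),
        "open_sensitive_ingress": find_open_sensitive_ingress(rules),
    }


if __name__ == "__main__":
    for check, findings in audit(SAMPLE_POLICY, SAMPLE_INGRESS).items():
        print(f"{check}: {findings or 'none'}")
```

Run against the constructed input, the audit flags the `PublicRead` statement (anonymous principal), the `AdminAll` statement (wildcard action and resource) and the two rules opening SSH and RDP to the internet, while the scoped reader statement and the HTTPS rule pass. In a real pipeline the same functions would be fed policy documents and rule sets exported from the cloud provider, and a non-empty finding list would fail the deployment step rather than just print.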
Organizations’ current approach to risk governance is not sufficient to tackle the complex risk environment organizations are facing today, according to Gartner. The COVID-19 pandemic is just the latest in a line of recent risk events showing how organizations are not properly set up to manage risk, especially fast-moving ones.
The research showed that 87% of audit departments say their organization uses a “three lines of defense” (3LOD) model for risk governance. This model states that line management should act as the first line of defense, identifying risks and implementing controls.
Risk and assurance functions such as legal, compliance and enterprise risk management (ERM) should act as a second line, overseeing and monitoring risk management processes. Finally, internal audit should act as a third line, taking a birds’ eye view of the effectiveness of controls and risk management.
“Traditional approaches fail because they can’t effectively deal with fast-moving and interconnected risks. Pandemic is a rapidly developing type of risk that needs a dynamic risk management (DRG) set-up,” said Malcolm Murray, vice president and fellow, research for the Gartner Audit and Risk practice.
“The coronavirus pandemic demonstrates why organizations need a new approach for governing the management of the many complex risks they face in today’s world,” said Mr. Murray.
“Adopting the DRG principles helps organizations ensure they have the appropriate governance for different kinds of risks, with the right kind of risk management activities and the right people involved.”
Dynamic risk governance
The effectiveness of DRG was measured in a survey to over 200 organizations, looking at whether traditional or dynamic approaches to governing risk management led to better risk management behaviors and better risk outcomes. The three pillars of DRG each increased the occurrence of high-quality risk management behaviors:
- Risk-tailored governance (18% increase) – The governance model should depend on the risk’s speed, the organization’s risk tolerance and internal constraints rather than relying on a one-size-fits-all level of scrutiny, such as centralized oversight for all risks or models based on industry norms. Corporate leaders should have the final say here, because the governance model should be determined based on the company strategy. A benefit of placing this authority with senior management rather than with the board and the assurance functions is more rapid response. These top executives can take faster action.
- Activity-based risk governance (22% increase) – This means dispensing with the idea that only the first line owns all risk activities, and assigning accountability for risk management tasks without regard for the borders between first/second/third line. Senior management – not assurance functions – should determine who will decide the task owners for a particular risk. For some risks, it will not matter which exact function is accountable for each activity – as long as there is specific accountability assigned.
- Digital-first risk governance (18% increase) – This means considering digital solutions during creation of the governance framework for the risk, not as an afterthought. For instance, if large parts of the risk management can be automated, then fewer functions need to be involved.
Adopting the DRG principles is beneficial
When looking at the risks related to the coronavirus pandemic specifically, adopting the DRG principles is beneficial at all three stages of dealing with the risk – response, recovery and restoration.
For the first stage, adopting DRG means quickly identifying who in senior management should own the governance of the risk and quickly setting up an initial governance model that considers the fast speed of the risk. It means identifying the key risk management activities for this stage of the risk and assigning clear accountability for these to appropriate parties.
In subsequent stages, when attention shifts towards recovery and restoration, applying the DRG principles allows organizations to regularly revisit whether the risk is governed in the right way. Once there is more visibility to the path of the risk, additional risk management activities can be added, such as adding a focus on monitoring the risk and assessing longer-term impact.
“This isn’t just about risk managers, this is about the board of directors and senior management making risk governance a key consideration so that organizations become more resilient against fast-emerging risks, such as coronavirus,” said Mr. Murray. “The DRG methodology applies equally to the many fast-emerging risks presented by digitalization.”
A five-phase strategic and systematic approach to strengthen the resilience of organizations’ current business models is key to business continuity during the coronavirus pandemic, according to Gartner.
“Companies tend to have traditional business continuity strategies and plans that focus on the continuity of the resources and processes but omit the business model,” said Daniel Sun, research vice president at Gartner. “However, the business model itself can be a threat to continuity of operations in external events, such as the global outbreak of COVID-19.”
CIOs can play a key role in the process of raising current business model resilience to ensure ongoing operations, since digital technologies and capabilities can influence every aspect of business models.
Phase 1: Define the business model
Facing the contingency of COVID-19 outbreaks, companies should first focus on their core customers that are essential to their continuity of operations, and then refer to a process of defining their current business models by asking questions focused on their customers, value propositions, capabilities and financial models.
Although CIOs do not normally lead the process of defining business models, they should proactively engage with senior business leaders to run through 10 key questions regarding current business models. This is foundational for CIOs to actively participate in modifying current business models.
Phase 2: Identify uncertainties
This step can be carried out through a strength, weakness, opportunity and threat (SWOT) analysis, or by brainstorming. Given the wide range of uncertainties and threats, this step can benefit from a heterogeneous group of participants with diverse backgrounds and interests, particularly where IT is normally involved.
Companies should focus on the risks that the uncertainty poses to the components of the business model.
“CIOs should participate in, or coordinate, the brainstorming sessions to identify any uncertainties from COVID-19 outbreaks,” said Mr. Sun. “CIOs can share some of IT’s potential uncertainties and threats, such as issues with IT infrastructure, applications and software systems.”
Phase 3: Assess the impact
Multidisciplinary members should form a project team to assess, or even quantify, the impact of the identified uncertainties. CIOs can provide the potential impacts from an IT perspective.
Phase 4: Design changes
At this point in the process, the emphasis is to develop tentative strategies rather than estimate their feasibility. Selecting and executing changes will follow in the next phase. CIOs and IT should leverage digital technologies and capabilities to facilitate the designed changes.
Phase 5: Execute changes
The decision on which changes to execute is principally a decision for senior leadership teams. The strategies for changes defined in Phase 4 provide essential input for this decision process. Senior leadership teams should select the strategies they feel most compelling to implement, which is often based on both economic calculations and intuition.
“Once senior leadership teams select the business and IT change initiatives, CIOs should apply an agile approach in executing the initiatives. For example, they can form an agile (product) team of multidisciplinary team members, enabling the alignment between business and IT and ensuring delivery speed and quality,” said Mr. Sun.
“In crises such as the COVID-19 outbreak, agility, speed and quality are crucial for enabling the continuity of operations.”
88% of organizations have encouraged or required employees to work from home, regardless of whether or not they showed coronavirus-related symptoms, according to a Gartner survey of 800 global HR executives.
Nearly all organizations (97%) have canceled work-related travel, more than an 80% increase since March 3.
“As the COVID-19 crisis disrupts organizations across the globe, HR leaders must respond quickly and comprehensively, considering both immediate and long-term talent consequences,” said Brian Kropp, chief of research for the Gartner HR practice.
How organizations are addressing coronavirus-related absences
The survey shows that organizations, trying to balance employee needs with financial realities, are employing a variety of approaches to time-off policies in response to COVID-19. Nearly half (48%) of employers require employees to use sick leave first, then vacation leave and finally potential PTO for coronavirus absences.
Twenty percent of organizations increased PTO for individuals who are sick and/or caring for a sick family member; 18% of organizations have granted additional PTO for parents who are caring for children whose schools are closed.
“Our research shows that only a minority of employers plan to downsize or ask employees to take unpaid leave,” added Mr. Kropp. “Instead, most organizations are focusing on measures such as more effective use of technology and freezing new hiring to cut costs.”
Organizations are employing several cost-cutting measures
The survey shows that most employers plan to cut costs while minimizing impact to pay for existing employees when possible. Seventy percent of organizations report that the main cost-cutting measure they plan to use is more effective use of technology. Nearly half of organizations plan to freeze new hiring.
A greater percentage of organizations plan to reduce work for external partners rather than employees — one-fifth of organizations plan to stop or limit consultant spend and/or reduce the number of contract workers. Only 10% of employers plan to reduce working hours, and just 6% report asking employees to take unpaid leave.
To manage remote talent during the COVID-19 crisis, there are recommendations for HR leaders.
Provide direction, confidence and resilience
Employees are relying on leaders at all levels of the business to take action and set the tone. Communications from senior business leaders to managers should prioritize associate health and business sustainability.
Communicate regularly with employees, maintaining an open dialog. The survey found that 56% of organizations have communicated a plan of action to employees in the event of a COVID-19 outbreak.
Contextualize coronavirus for the organization
Leaders should be a trusted source for accurate and up-to-date information on coronavirus and how it is impacting the organization. Avoid sharing information from social media; leverage trusted resources such as the World Health Organization and the Centers for Disease Control and Prevention.
Contextualize information and data as much as possible so that it specifically relates to the organization.
Encourage intentional peer-to-peer interactions
With reduced or no face time in the office, employees should maintain regular professional and personal interactions with their peers. The survey found that 40% of organizations have set up additional virtual check-ins for employees with managers and 32% of organizations have introduced new tools for virtual meetings.
HR leaders should encourage employees to leverage communication platforms they already use, either at work or in their personal lives, to create new ways to work together.
Establish team guidelines
Remote work looks different for each employee depending on their needs and those of their families. With unprecedented school closures, many employees must take on a double role as they support their children and families throughout the workday.
Organizations can meet employees’ needs by empowering teams to adapt to their conflicting time demands. For instance, teams can set “core team times” when all team members are available to collaborate.
Provide flexibility for employees’ remote work needs
When preparing for employees’ eventual return to the office, empower employees to make choices best suited for their needs and comfort levels. Where possible, allow employees to decide when to return to the office.
Enable essential employees whose work requires them to return to the office to choose the hours that work best for them to return to avoid peak commute times.
With the spread of the coronavirus (COVID-19), CIOs should focus on three short-term actions to increase their organizations’ resilience against disruptions and prepare for rebound and growth, according to Gartner.
“With such a dynamic situation like COVID-19, it has the potential to be as disruptive, or more, to an organization’s continuity of operations as a cyber intrusion or natural disaster,” said Sandy Shen, senior research director at Gartner.
“When traditional channels and operations are impacted by the outbreak, the value of digital channels, products and operations becomes immediately obvious. This is a wake-up call to organizations that focus on daily operational needs at the expense of investing in digital business and long-term resilience.”
CIOs are recommended to focus on three short-term actions to provide support to customers and employees and ensure continuity of operations.
Source digital collaboration tools with security controls and network support
Various quarantine measures and travel restrictions undertaken by organizations, cities and countries have caused uncertainties and disruptions as business operations are either suspended or run in limited capacity.
In organizations where remote working capabilities have not yet been established, CIOs need to work out interim solutions in the short term, including identifying use case requirements such as instant messaging for general communication, file sharing/meeting solutions, and access to enterprise applications such as enterprise resource planning (ERP) and customer relationship management (CRM), while reviewing all security arrangements to ensure secure access to applications and data.
Organizations also need to deal with staffing shortages to maintain basic operations. CIOs can work with business leaders to conduct workforce planning to assess risks and address staffing gaps, such as identifying mission-critical service areas.
CIOs can see how digital technologies such as AI can be used to automate tasks, for example, candidate screening and customer service.
Engage customers and partners through digital channels, maintain sales activities
Many organizations already engage customers over digital platforms, such as branded sites and apps, online marketplaces and social media. But offline face-to-face engagement still plays a big role.
Workplace collaboration, video conferencing and livestreaming solutions can serve various customer engagement and selling scenarios. Organizations should also enable customers to use self-service via online, mobile, social, kiosk and interactive voice response (IVR) channels.
“The value of digital channels becomes obvious as market demand shrinks and as people rely more on online platforms for daily supplies. Organizations can leverage digital channels, such as online marketplaces and social platforms, to compensate for some of the demand loss,” said Ms. Shen.
“They can set up official pages/accounts and integrate commerce capabilities to enable online selling. They should also quickly adapt products to make them suited for selling through digital channels.”
Establish a single source of truth for employees
Confusing data from unverified sources — or the sheer lack of data — can lead to ill-informed decisions being made, escalating employee anxiety and making organizations underprepared for returning to normal operations. Such anxiety can be somewhat relieved if organizations can leverage data to support better decision making and communicate progress more efficiently to employees.
“Organizations can offer curated content, drawn from internal and external sources, to provide actionable guidance to employees. These sources include local governments, healthcare authorities and international organizations, such as the World Health Organization (WHO). HR and corporate communications leaders may be involved to vet the content and interpret the company’s policies,” said Ms. Shen.
“Organizations should set up a site, app or hotline to share this information on a regular basis. Employees can also use these platforms to notify the company about their health conditions and seek emergency support and care services.”
Many enterprises and sectors are unaware of the 5G security vulnerabilities that exist today. Choice IoT says it’s critical for businesses to have a plan for discovering and overcoming them at the outset of a 5G/IoT platform rollout to avoid future cybersecurity disasters.
There is a big difference between the promise of 5G low latency, higher bandwidth, and speed for businesses versus the security of 5G. While many are excited about Gartner’s prediction of $4.2 billion being invested in global 5G wireless network infrastructure in 2020, few discuss the business costs of its unheralded security holes.
That’s an ongoing conversation that 5G and IoT solutions experts like Choice IoT’s CEO Darren Sadana are having with enterprises with 5G plans on the drawing board. “Businesses will need a strategy for overcoming 5G’s inherited security flaws from 4G or face major losses and privacy catastrophes.”
5G is poised to drive IoT, industrial IoT (IIoT), cloud services, network virtualization, and edge computing, which multiplies the endpoint security complications. Although the manufacturing sector cites IIoT security as the top priority, the combination of 5G security vulnerabilities may come back to haunt them.
Pinpointing 5G security vulnerabilities
According to an Accenture study of more than 2,600 business and technology decision makers across 12 industry sectors in Europe, North America and Asia-Pacific, 62% fear 5G will make them more vulnerable to cyberattacks. At the root of the problem is that many of the security issues stem from the software-defined, virtualized nature of 5G, as opposed to the hardware foundations of earlier LTE mobile communication standards.
Its central role in IoT is both a strength and a weakness, since endpoints are highly localized and sit beyond the network edge. The 5G network promises of device authentication, device encryption, device ID and credentialing are positives, but the flip side is that many of those pluses also carry security dangers.
The nature of how signals and data are routed in 5G/IoT networks can lead to Mobile Network mapping (MNmap), where attackers can create maps of devices connected to a network, identify each device and link it to a specific person. Then there are Man-in-the-middle (MiTM) attacks that enable attackers to hijack the device information before security is applied.
There are also supply chain security challenges with platform components bought from overseas that harbor inherent security flaws. This can be seen in the backdoor vulnerabilities alleged to be purposely built into mobile carrier networks supplied with equipment from Chinese equipment giant Huawei.
The back doors would allow malicious actors to get target location, eavesdrop on calls, and enable the potential for ransomware injection into a 5G network targeting a mobile carrier.
Other vulnerabilities covered across the wireless and IoT sectors include SIM Jacking, Authenticated Key Exchange protocols (AKA) and a host of base station backdoor vulnerabilities.
IoT deployments for everything from smart homes, medical devices and machine-to-machine (M2M) operation to smart cities, power grids and autonomous vehicles are threat targets. They all give attackers multiple ways to manipulate interconnected IoT devices communicating data via 5G networks.
DDoS attacks, the ability to take control of video surveillance systems and medical devices, and more are all possible due to this broader attack surface and inherent 5G vulnerabilities.
Plugging the holes
The picture doesn’t have to be a bleak one for businesses and enterprises that want to maximize the benefits of 5G while eliminating its vulnerabilities across sectors like healthcare, utilities, finance, automotive, communication and many others.
A U.S. Senator recently called on the FCC to require wireless carriers rolling out 5G networks to develop cybersecurity standards. Sadana and other experts make it clear that assessment, discovery and planning are key. They form the foundation for identifying vulnerabilities in a 5G/IoT platform buildout and for the system modifications that encompass IT/OT and wireless connectivity.
Sadana points to the NIST National Cybersecurity Center of Excellence (NCCoE), which is developing a NIST Cybersecurity Practice Guide. This will demonstrate how the components of 5G architectures can be used securely to mitigate risks and meet industry sectors’ compliance requirements across use case scenarios.
“While this goes a long way to providing a standardized practices roadmap for companies in creating 5G platforms that are secure, it’s only a start,” explained Sadana. “5G is still the wild west with things changing every day, so businesses need IoT/IT security expert partners that can help them plan from the ground up.”
Just 12% of more than 1,500 respondents believe their businesses are highly prepared for the impact of coronavirus, while 26% believe that the virus will have little or no impact on their business, according to a survey by Gartner.
“This lack of confidence shows that many organizations approach risk management in an outdated and ineffective manner,” said Matt Shinkman, vice president in the Gartner Risk and Audit practice. “The best-prepared organizations can expect to enjoy many business advantages over their less-prepared peers as they minimize the disruption caused by the coronavirus.”
Most respondents (56%) rate themselves somewhat prepared, and 11% said they were either relatively or very unprepared. Just 2% of respondents believe their business can continue as normal, highlighting the huge range of businesses that could be affected by the outbreak.
Twenty-four percent of respondents expect little disruption, while the majority expect business to continue at a reduced pace (57%), to be severely restricted (16%) or to be discontinued altogether (1%).
Hoping it will all just go away
The challenge lies partly in the ambiguity inherent to managing an emerging risk such as coronavirus. Organizations often have policies in place to deal with most risks, but they don’t activate them until it’s too late because no one is owning the risk or taking it seriously until it is fully manifested. The threshold for a risk to generate executive action is often too high to enable an effective response.
“Board members tend to deal with emerging risks by just assuming they will go away and instead focus their attention on what is most important today,” said Mr. Shinkman. “In good times this methodology is reinforced because sometimes emerging risks really do just go away. It’s when they don’t that problems inevitably emerge.”
Having an enterprise risk management (ERM) function in place means that an organization is more likely to see risks coming and then mitigate the impact of those emerging risks more swiftly and effectively. Gartner’s view is that a focus on impacts rather than specific scenarios is best practice for ERM.
“It’s nearly impossible to predict exactly if or how a particular scenario will unfold or even when,” said Mr. Shinkman. “That’s what creates the ambiguity and often inaction around emerging risks. It’s much more effective to focus on potential impacts and how to mitigate them.”
Mitigating the effect of specific impacts on an organization
A pandemic provides a perfect example of how this approach works – companies that wait until the emerging risk is already impacting operations and/or many employees will likely find themselves playing catch-up and losing ground to companies that were better prepared.
Companies can get better prepared by considering what interim events could occur that would suggest that a pandemic, or similar emerging risk, is about to sharply increase in terms of its impact or likelihood.
By using an ERM approach to identify and prepare for those specific events – and setting up mechanisms to monitor for them – the best companies are better positioned to avoid major disruption.
For those dealing with a crisis response to the coronavirus in their organization, they should have planned responses to specific impacts. For example, what will the company do if one employee gets sick? Ask all employees to self-isolate? Are work-from-home procedures sufficiently mature to support that or will work have to stop? Do suppliers or clients need to be notified? Is finance able to support operations in the event of anticipated losses?
Using an impacts-based method makes it very clear when to trigger a response plan and to start mitigating the effect of specific impacts on an organization. Also having response plans that react to specific impacts means it is simpler to communicate the plan to staff, so that all employees can play a part in managing risk. In fast-moving situations such as this, the more people who are owning risk, the more likely it is that an organizational response will be timely.
“Avoid constructing elaborate ‘what if?’ scenarios and focus on what is known,” said Mr. Shinkman. “Many organizations likely already have plans in place to deal with the types of disruption they are facing because of the coronavirus. The job of risk management is to ensure the right plans exist and make sure they get used at the appropriate moment.”
Only half of the vulnerabilities in cloud containers ever posed a threat, according to a Rezilion study.
The top 20 most popular container images on DockerHub were analyzed to discover that 50% of vulnerabilities were never loaded into memory and therefore did not pose a threat, regardless of Common Vulnerability Scoring System (CVSS) scores and despite vast resources in budget and manpower spent on patching or mitigation.
By triaging vulnerabilities using a continuous adaptive risk and trust assessment (CARTA) approach and then prioritizing treatment of those that are commonly targeted, companies can significantly reduce their security budgets or free up manpower to focus on other critical issues.
Firms with good security posture are equally breached
According to IDC, enterprises are spending 7-10% of their security budget on vulnerability management as daily operations become increasingly dependent on cloud services. Vulnerability scanners overload and confuse security teams with mountainous results that would be impossible to patch all at once.
The existing prioritization practices such as CVSS provide no notable reduction of breaches in organizations with mature vulnerability management programs. Firms with good security posture are equally breached by known vulnerabilities as those with poor security posture.
A risk-based approach to vulnerability management
Gartner recommends that “security and risk management leaders should rate vulnerabilities on the basis of risk in order to improve vulnerability management program effectiveness”.
Gartner also predicts that “by 2022, approximately 30% of enterprises will adopt a risk-based approach to vulnerability management” and “by 2022, organizations that use the risk-based vulnerability management method will suffer 80% fewer breaches.”
“A vulnerability is only as dangerous as the threat exploiting it and in some instances during our research, we found the figure dropped to as low as 2%. By focusing on actual vs. perceived risk, we found the security industry has been unnecessarily exaggerating the number of vulnerabilities security teams must address, which has dangerous ramifications to the cloud security landscape,” said Shlomi Boutnaru, CTO at Rezilion.
“A continuous adaptive risk and trust assessment-based approach reduces friction and overhead by identifying vulnerabilities running in memory and then prioritizing treatment to those vulnerabilities commonly targeted by hackers as well as any that don’t have mitigations.”
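The triage described above, runtime reachability first and then threat context, is easy to express as a scoring function over scanner findings. The following is an added illustration, not Rezilion's or Gartner's code; it assumes a scanner has already produced, per finding, a CVSS base score, whether the vulnerable component is loaded into memory in the running container, whether the CVE is on a known-exploited list, and whether a mitigation is in place. The findings, package names and CVE identifiers are constructed placeholders.

```python
"""Risk-based triage of container image findings (added example).

Assumed inputs per finding: CVSS base score, runtime reachability
(is the component loaded into memory?), known-exploited status and
whether a mitigation exists. All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str               # placeholder identifier, not a real CVE
    package: str
    cvss: float            # CVSS base score as reported by the scanner
    loaded_in_memory: bool  # observed at runtime, not inferred from the image
    known_exploited: bool   # present on an exploited-in-the-wild list
    mitigated: bool         # compensating control already in place


def risk_score(f: Finding) -> float:
    """Score a finding by actual rather than perceived risk.

    A component that is never loaded into memory cannot be reached in
    the running workload, so it scores 0 regardless of CVSS. Findings
    that are exploited in the wild are boosted; mitigated ones are damped.
    The multipliers are illustrative policy choices, not a standard.
    """
    if not f.loaded_in_memory:
        return 0.0
    score = f.cvss
    if f.known_exploited:
        score *= 2.0
    if f.mitigated:
        score *= 0.25
    return round(score, 2)


def triage(findings: List[Finding]) -> List[Tuple[str, float]]:
    """Return (cve, score) for actionable findings, highest risk first."""
    scored = [(f.cve, risk_score(f)) for f in findings]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)


def cvss_order(findings: List[Finding]) -> List[str]:
    """Naive CVSS-only ordering, shown for contrast with triage()."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def actionable_fraction(findings: List[Finding]) -> float:
    """Share of findings whose component is actually loaded at runtime."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f.loaded_in_memory) / len(findings)


# Constructed sample scan of one image: three of six findings are reachable.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "libfoo", 9.8, False, True, False),   # critical, never loaded
    Finding("CVE-0000-0002", "libtls", 7.5, True, True, False),    # loaded and exploited
    Finding("CVE-0000-0003", "shutil", 5.3, True, False, False),   # loaded, no exploit known
    Finding("CVE-0000-0004", "imglib", 8.0, True, False, True),    # loaded but mitigated
    Finding("CVE-0000-0005", "doctool", 6.1, False, False, False), # build-time only
    Finding("CVE-0000-0006", "buildkit", 7.2, False, False, False),# build-time only
]

if __name__ == "__main__":
    print("CVSS-only order:", cvss_order(SAMPLE_FINDINGS))
    print("Risk-based order:", triage(SAMPLE_FINDINGS))
    print("Reachable fraction:", actionable_fraction(SAMPLE_FINDINGS))
```

On the constructed sample the CVSS-only ordering puts the 9.8 finding first even though its component is never loaded, while the risk-based ordering drops it entirely and surfaces the loaded, exploited-in-the-wild finding instead; half of the findings turn out to be actionable, which is the kind of reduction the study reports.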
Over 40% of privacy compliance technology will rely on artificial intelligence (AI) by 2023, up from 5% today, according to Gartner.
The research was conducted online among 698 respondents in Brazil, Germany, India, the U.S. and the U.K.
“Privacy laws, such as General Data Protection Regulation (GDPR), presented a compelling business case for privacy compliance and inspired many other jurisdictions worldwide to follow,” said Bart Willemsen, research vice president at Gartner.
“More than 60 jurisdictions around the world have proposed or are drafting postmodern privacy and data protection laws as a result. Canada, for example, is looking to modernize their Personal Information Protection and Electronic Documents Act (PIPEDA), in part to maintain the adequacy standing with the EU post-GDPR.”
Privacy leaders are under pressure to ensure that all personal data processed is brought in scope and under control, which is difficult and expensive to manage without technology aid. This is where the use of AI-powered applications that reduce administrative burdens and manual workloads come in.
AI-powered privacy technology lessens compliance headaches
At the forefront of a positive privacy user experience (UX) is the ability of an organization to promptly handle subject rights requests (SRRs). SRRs cover a defined set of rights, where individuals have the power to make requests regarding their data and organizations must respond to them in a defined time frame.
According to the survey, many organizations are not capable of delivering swift and precise answers to the SRRs they receive. Two-thirds of respondents indicated it takes them two or more weeks to respond to a single SRR. Often done manually as well, the average costs of these workflows are roughly $1,400 USD, which pile up over time.
“The speed and consistency by which AI-powered tools can help address large volumes of SRRs not only saves an organization excessive spend, but also repairs customer trust,” said Mr. Willemsen. “With the loss of customers serving as privacy leaders’ second highest concern, such tools will ensure that their privacy demands are met.”
Global privacy spending on compliance tooling will rise to $8 billion through 2022
Through 2022, privacy-driven spending on compliance tooling will rise to $8 billion worldwide. Privacy spending is expected to impact connected stakeholders’ purchasing strategies, including those of CIOs, CDOs and CMOs. “Today’s post-GDPR era demands a wide array of technological capabilities, well beyond the standard Excel sheets of the past,” said Mr. Willemsen.
“The privacy-driven technology market is still emerging,” said Mr. Willemsen.
“What is certain is that privacy, as a conscious and deliberate discipline, will play a considerable role in how and why vendors develop their products. As AI turbocharges privacy readiness by assisting organizations in areas like SRR management and data discovery, we’ll start to see more AI capabilities offered by service providers.”