Enterprise Risk Appetite Frameworks Should Include PAM
By: Orhan Yildirim
Just as cyber risks evolve, risk appetite frameworks are evolving more actively than ever. With more sophisticated adversaries, more digital transformation initiatives, more mobile workers, more ecosystem partnerships and connectivity to multiple clouds and services, enlightened management teams and their boards are updating their levels of "risk tolerance."
They are being forced to weigh the pros and cons of security across a continuum. How many layers of security are too many? How many forms of multifactor authentication should be required, and at what point does security become so onerous that it inspires employees, partners and even customers to find workarounds?
A modern risk appetite framework is one that leverages software platforms and automation that simplify operations while improving security levels. A modern risk management framework supports conscious risk-taking that in turn supports more profitability through more productivity, while also addressing what could be catastrophic attacks or unintentional mistakes.
Risk appetite strategy is also being increasingly influenced by regulators who are driving more legislation to, for example, protect consumer privacy or protect public digital infrastructure.
The most robust and successful risk appetite programs are often found in banks and other financial institutions, where the stakes are incredibly high and the speed of business is incredibly fast. Trading, for example, moves in milliseconds, and profitable trading strategies often depend on taking calculated risks (assisted by algorithms and other automated systems).
More and more enterprises and organizations are being asked to provide risk appetite assessments and plans to their boards, and even to shareholders, as the devastating consequences of large attacks are all too clear, with financial damage running to hundreds of millions of dollars.
Having a risk appetite posture is no longer a "nice to do" – it is a "must do".
During the last massive financial crisis, in 2008, we learned the hard way that without the appropriate checks and balances provided by the board and management teams, a culture of excessive risk-taking and leverage was allowed to take hold.
Since then, a great deal of progress has been made by management teams and their boards, who came to realize that they needed to be clear – crystal clear – on the organization's capacity for risk-taking, and in which areas and activities.
While operating in an environment governed, in part, by a risk appetite framework may feel daunting, it can be made simpler by asking these ten logical questions:
- Where is our greatest risk?
- What elements within the organization are changing and how does that impact our risk posture?
- Where do we stand with digital transformation efforts and how are we protecting digital assets which are becoming the life blood of our business going forward?
- Who is responsible for setting risk tolerance levels and managing them?
- How are outside forces creating more risks (for example cyberattacks)?
- What is our position on internal threats and how are we managing those?
- When our risk policies are breached, what is our response and escalation plan?
- How quickly will we know about a potentially catastrophic event, and how skillfully and quickly can we stop it?
- Which departments contribute, and how do those departments collaborate in planning for, and then responding to, incidents?
- Based on competitive, regulatory and technology changes, what might our risk appetite framework look like in 5 years?
Privileged Access Management solutions, like those with which Ironsphere is leading the market, can be a significant part of any risk management stance: they ensure that only authorized identities can use the privileged accounts that access or change a network, system or other asset, and they record who used those privileges, when, and for what. PAM solutions, like ours, must be open and agile, scalable and adaptable, and easily integrated into a comprehensive IT environment. You cannot manage what you do not measure, and another tremendous benefit of an Ironsphere solution is real-time reporting, together with auditing functions that give more visibility and therefore more control.
Please contact us if you’d like to learn more: firstname.lastname@example.org.