Skip navigation
All Places > Products > RSA Archer Suite > Blog > 2018 > June
2018

It can be lonely sitting out on Risk Management Island.  I have some good news for you - your closest friend, Compliance, has dropped a break in your lap – GDPR.  I know it isn’t easy to see it but GDPR can be a rallying cry to improve your risk management, security and compliance world.  Although the deadline was over a month ago, companies continue to adjust their processes in response to the regulation.

 

GDPR and the Risk Management Process

There are certainly many dimensions to GDPR – from the technology implications to the business operations changes needed.  One area I would like to highlight is the risk assessment angle of the GDPR.  This is an emerging topic in the regulatory compliance world.  No longer are regulators saying you must do A, B and C.  They are requiring a risk based approach – meaning, your company has to determine the risks and design and operate controls that effectively manage that risk.  We see this not only in GDPR but other regulations, PSD2 for instance, and it is a trend that will continue.

Organizations need to bulk up their risk assessment processes – how are risks identified and assessed, how are decisions made to address those risks, then how are the risks treated and monitored.   This must be a demonstrable process that can be inspected.   Those steps and the decisions made during the process should be documented to show how the organization arrived at its conclusions.

 

GDPR changes things from a ME thing to a WE thing.   Rally the troops.  Your friend Compliance will appreciate it.

 

The Labor Shortage

If you haven’t noticed yet, the U.S. Economy is booming!  The U.S. unemployment rate reported for May  stood at 3.8%.  Not too many years ago, 5% unemployment was considered by most economists as full employment. For information security teams, this translates into a huge labor shortage.  The Wall Street Journal recently reported the “…demand for cybersecurity workers is outpacing supply by so much that by 2022, North America will have 265,000 more data-security jobs than skilled workers”   And it’s not just in North America.  Australian press has reported there is a serious talent war over the shallow pool of risk managers in Australia. While in the EU and U.K., the rise of the data protection officer is the hottest tech ticket in town as a result of the EU General Data Protection Regulation.

 

Going up: Data Breaches and Vulnerabilities

All of this demand for information security professionals coincides with a massive information security workload.

 

(1) The Breach Level Index indicates that breaches are continuing to grow nearly 100% per year:

 

 

(2) According to the NIST National Vulnerability Database statistics, vulnerabilities continue to increase dramatically in number and severity.

 

Accelerated Change

Executive leadership is rabid to go digital fast, and information security teams have to figure out how to keep up in order to protect the organization.  According to the KMPG 2018 Global CEO Outlook Survey

  • Only 37% of companies, across all industries, have on average, converted to digital. That means there’s still 63% to go.
  • 91% of U.S. CEOs are personally ready to lead a radical operating model transformation
  • 59% believe agility is the new currency of business

 

Information Security Governance Changing

The information tech talent shortage coupled with increasing breaches, increasing vulnerabilities and accelerated change have largely undermined the confidence CEOs have in their organization’s information security programs.

 

 

These forces have led to greater scrutiny of information security by Executives and Boards of Directors, who are now mostly requiring that IT Security budgets be approved by them directly, while CTOs, CIOs, and CISOs appear to no longer have much autonomy over their budgets.

 

Not only is budget approval of information security programs being escalated higher in the organization but leaders and boards want to know that the money they are allocating is having a positive impact. A recent Deloitte poll of more than 1,130 C-suite and other executives indicated that 62.7% believe Board of Directors will expect better reporting on the effectiveness of their cyber security program.

 

Where are all of the Security Professionals?

All of these factors are congealing into what I would call a mega trend for information security professionals.  The technical and human resource challenges of information security must be countered with smarter and more efficient risk management.  Risk management teams must adopt business context-based information security risk management to prioritize initiatives and communicate with the C-Suite and Board (RSA calls this Business Driven Security); and they must implement tools across all aspects of information security risk management and governance that efficiently recaptures precious time from each team member so that it can be reallocated to more important problems.  It is only in this way that information security leaders stand a chance to survive this mega trend.

Summer – it’s finally here! (well, at least in the northern hemisphere) It’s warmer, people are going outside, planning vacations, having barbeques, and taking it easy. As much as we here at RSA Archer believe in taking some well-deserved summer vacation, we’re also hard at work planning the RSA Archer Summit, taking place in Nashville, Tennessee, from August 15 – 17. If you haven’t registered, here’s the link – don’t miss this great, RSA Archer-focused event!

 

If you have a role at any level in: integrated risk management (IRM), internal audit, business continuity, third party governance, IT security risk management, compliance or any other related function, you’ll want to attend the Summit, where you’ll learn about using RSA Archer to: 

 

  • Improve compliance testing across diverse functional teams through an enterprise-wide, consolidated quality control program
  • Create greater efficiencies for compliance teams and improve executive oversight
  • Move from a compliance mindset to a culture of risk management through continuous risk management
  • Avoid key cultural and communication pitfalls in implementing IRM
  • Help Internal Audit become an early adopter of IRM
  • Support business compliance and risk management goals and activities
  • Enable an agile approach to implement IRM while providing business value and remaining lean and fast
  • Adapt and mature your cyber security program

 

As you can see, there’s something for everyone – from compliance to risk management; from business to IT; and for each of the three lines of defense. Everyone can benefit from attending the Summit.

 

Another great aspect of the Summit is most of the speakers are RSA Archer customers, and there is an all-star lineup again this year from almost every industry you can imagine, and if all this didn’t pique your interest, then check out the working groups you can sign up for in the areas of:

 

  • IT and Security Risk Management
  • Regulatory and Corporate Compliance
  • Archer System Administration
  • Digital Risk Management
  • Integrated Risk Management
  • RSA Archer User Experience
  • Quantifying Cyber Risk

 

Finally, if you’re mainly coming for the networking, that’s ok because you’ll have plenty of time to get to know your peers, and the events each night are awesome!

 

Hey, it’s Summer – time to party! I hope to see you at the RSA Archer Summit!

Filter Blog

By date: By tag: