Steve Schlarman

The Riskicist’s Guide: Theory of the Risk-Time Continuum

Blog post created by Steve Schlarman on Dec 11, 2018

In the last post of my Riskicist’s Guide, I posed the Theory of Exponential Growth, highlighting the rapid change of risk in today’s world and the need for automation. With automation we gain better visibility, and with that visibility much more data to drive insights and actions. BUT as things move faster we need to better understand WHEN to deal with an issue as well as how it impacts the business. This brings me to another aspect of my riskics: TIME. The most constant, ever-present variable in hyper risk management is TIME. In fact, time may be one of the most critical variables in the Digital Risk Management transformation.


For example, most data classification schemes are one-time affairs that answer the question “What is the value of this piece of data today?” However, the value of data – the currency of the digital transformation – can change over time. I wrote about this in a 2014 blog post entitled “The Data Classification Curve”. In a nutshell, the criticality, value or sensitivity of data depends on time: financial numbers go from extremely confidential to public knowledge overnight, and the sensitivity of personal data crosses a threshold as elements are combined or collected over time.


The point is that the risk associated with your business, like data sensitivity, goes up or down depending on time. When we apply that concept to our traditional definition of likelihood and impact, we can clearly see that both are affected by time. The likelihood of an event may go up or down depending on the time of day. The impact of a financial system outage at the end of the quarter is different from its impact in the middle of the quarter.


This leads to my next theory:

Measurement of risk will REQUIRE an element of TIME.


Risk, when approached with this concept of time, becomes less like a dashboard and more like a stock ticker. A loss exposure at one time could be $3M, at another time $1M, at another $5M… it all depends on time. Going back to our traditional risk formula, risk still depends on likelihood and impact – but each must be considered in relation to time.


This concept could be applied to any gap identified during a risk or compliance process. It could also apply to the prioritization of events and alerts. RSA’s experience gives us a leg up in helping risk management processes use time as an input: RSA NetWitness’ user behavior analytics and RSA’s Adaptive Authentication risk engine already use this type of approach.


Time as an input to risk management processes in the digital era affects both how risk exposure is calculated and how action is driven. A security incident may be more or less critical based on the time of day. A business continuity plan may need to factor in the time of the month of a potential event. That is not to say you would leave an event to chance or ignore something because of this time element, but the timing of events will need to factor into prioritization and measurement.


As risk management processes become more and more data driven, fueled by the digital transformation of the business, there will be a need to tighten the response to that data and to prioritize based on it. As insights into risks are produced, time will be a major input into what actions are needed, when they are needed and how to prioritize them. Risks will need to be prioritized not only on the automated business context flowing in from different systems – but also on time.
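To make the "stock ticker" idea concrete, here is a small added example (my own illustration, not code from this post or from any RSA product) that treats the traditional risk formula, likelihood times impact, as a function of the moment at which an alert is evaluated. The off-hours likelihood multiplier, the quarter-close window and the sample alerts are all constructed assumptions; the point is that the same queue of alerts is ranked differently at midweek midday than on the last Friday night of the quarter.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List


@dataclass(frozen=True)
class Alert:
    name: str
    base_likelihood: float       # probability the alert becomes a loss event (assumed)
    base_loss: float             # loss exposure in dollars if it does (assumed)
    quarter_end_sensitive: bool  # affected system matters more at quarter close


def likelihood_factor(at: datetime) -> float:
    """Likelihood multiplier for the time of day/week.

    Assumption: nights (before 07:00, from 19:00) and weekends are 'off-hours',
    when an unattended alert is more likely to turn into a real loss event.
    """
    off_hours = at.weekday() >= 5 or at.hour < 7 or at.hour >= 19
    return 1.5 if off_hours else 1.0


def impact_factor(alert: Alert, at: datetime) -> float:
    """Impact multiplier for the time of the quarter.

    Assumption: the last days of a quarter (26th onward in Mar/Jun/Sep/Dec)
    double the loss exposure of quarter-end-sensitive systems (e.g. finance ERP).
    """
    quarter_close = at.month in (3, 6, 9, 12) and at.day >= 26
    return 2.0 if (alert.quarter_end_sensitive and quarter_close) else 1.0


def likelihood(alert: Alert, at: datetime) -> float:
    # A probability can never exceed 1.0, whatever the multiplier says.
    return min(1.0, alert.base_likelihood * likelihood_factor(at))


def impact(alert: Alert, at: datetime) -> float:
    return alert.base_loss * impact_factor(alert, at)


def risk_score(alert: Alert, at: datetime) -> float:
    """Time-dependent expected loss: likelihood(t) * impact(t)."""
    return likelihood(alert, at) * impact(alert, at)


def prioritize(alerts: List[Alert], at: datetime) -> List[Alert]:
    """Rank alerts by their risk score at the given moment, highest first."""
    return sorted(alerts, key=lambda a: risk_score(a, at), reverse=True)


# Constructed sample alert queue (not from the post).
SAMPLE_ALERTS = [
    Alert("Failed logins on finance ERP", 0.3, 2_000_000, True),
    Alert("Malware beacon from marketing laptop", 0.9, 700_000, False),
    Alert("Anomalous transfer from HR file share", 0.2, 1_500_000, False),
]

# Two evaluation moments: a Wednesday at 11:00 in mid-November, and the
# last Friday of Q4 at 22:00 (2018-12-28 was a Friday).
MIDWEEK_MIDDAY = datetime(2018, 11, 14, 11, 0)
QUARTER_CLOSE_FRIDAY_NIGHT = datetime(2018, 12, 28, 22, 0)


if __name__ == "__main__":
    for at in (MIDWEEK_MIDDAY, QUARTER_CLOSE_FRIDAY_NIGHT):
        print(f"Priorities at {at:%Y-%m-%d %H:%M}:")
        for a in prioritize(SAMPLE_ALERTS, at):
            print(f"  ${risk_score(a, at):>12,.0f}  {a.name}")
```

Run as a script, the marketing laptop tops the queue at midweek midday, while on the quarter-close Friday night the finance ERP alert moves to the top with a much larger exposure, which is exactly the shift in priority the paragraph above describes. In practice the multipliers would come from the organisation's own loss history and business calendar rather than from fixed constants.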


Join me for my last theory in my next blog post, as I wrap up my Riskicist's Guide to the Universe.
