Why Digital Risk Protection Isn’t Just an IT Issue Anymore
Around 70% of companies are investing in digital transformation, even as the global economy takes a turn in 2020.
While the business advantages of digital transformation are widely understood, organizations are often much slower in understanding associated digital risks as business risks.
Enterprise leadership tends to view digital risk as a technical, IT problem (for valid reasons, which we’ll get into later). But digital risk protection is becoming relevant to multiple enterprise teams, helping drive revenue and protect against business risk on multiple levels.
Companies that see digital risk solely as a technical issue jeopardize themselves by underinvesting in digital risk protection, creating organizational silos, and becoming more vulnerable to attack and resulting business loss.
To address this gap, corporate security must be able to clearly understand and communicate digital risks as business risks and bring on solutions that enable org-wide adoption.
How Digital Risk Protection Is Changing
When digital risks are seen as business risks, what does this relationship actually look like? This usually requires translating digital compromise to dollar value lost.
For example, according to IBM’s 2020 Cost of a Data Breach Report, a single breached customer record costs a company $150 on average—including the cost of detection, lost business, response efforts, and communication with regulators. In this way, it’s possible to assess business risk as it relates to cyber compromises like data breaches, malware, or distributed denial of service.
But digital risks are no longer just cyber attacks.
Online spaces, including social media and the surface, deep, and dark webs, are also valuable for identifying many other business risks. For example, early detection of harmful viral content or disinformation implicating your company could result in business loss and long-term brand damage affecting revenue and corporate relationships.
Anonymized forums and messaging platforms can also signal attempts at fraud or theft from customers and staff, which could result in significant financial loss or shrink over time.
There’s also value in using social chatter and other online content to monitor for physical threats targeting an enterprise, as well as assessing global environments where business may be expanding. This intel is valuable for evaluating potential risks in new regions—especially if travel is restricted, supply chains are involved, or on-the-ground context is crucial for driving business decisions.
If it’s not already obvious from these examples, digital risk protection is no longer just relevant for cybersecurity and technical teams. It’s also integral to other business roles like marketing, PR, legal and compliance, fraud prevention, business development, and physical security.
Where Current Approaches Break Down
Even as digital risks gain a wider impact on business operations, companies often fail to approach digital risk protection as a business strategy.
Case in point: inadequate digital risk protection funding. According to the 2018 FTSE 350 Cyber Governance Health Check, only 46% of businesses have a dedicated cybersecurity budget. This might not be surprising when you consider how organizations currently understand and delegate digital risk protection.
For one, board members, executives—and let’s be honest, most non-technical departments—are often entrenched in viewing digital risk as an IT problem. As a result, corporate teams tend to be segregated when it comes to handling digital risk, especially as more non-cyber teams, like those mentioned earlier, become involved.
Many DRM tools, which help users identify and analyze threats online, are also designed after traditional threat intelligence software, which empowers individual users with technical IT backgrounds. This further silos digital risk protection strategies within the enterprise.
Moreover, the C-suite simply doesn’t have much time to spend with security officers to fully understand the business impacts of digital risk. An ERM Initiative report suggests that most of these meetings last 30 minutes or less on a quarterly basis at most. In these brief meetings, security officers may also struggle to translate technical, digital risks into language their associates understand clearly as business risks.
This communication breakdown has massive impacts on the organization’s risk profile. Without understanding the true business impacts of digital risk, executives and board members may fail to make informed decisions from the top, which affects the entire organization in the event of a crisis.
At the end of the day, business leaders must answer to regulators, stakeholders, and the public when an incident does occur. With data laws like the GDPR and CCPA in place, global business leaders are now responsible for understanding the impact of digital risk from a business, legal, and ethical perspective.
Making the Shift Towards an Org-Wide Strategy
How do cybersecurity managers and CISOs support digital risk protection as a wider business strategy?
This often comes down to improving communication between technical and non-technical teams—in other words, using plain language to translate digital risk into business risk. (Check out this RSA session by Avertro’s Ian Yip for some guidance on cybersecurity-executive communication.)
Rather than reporting on technical metrics, cybersecurity managers must be able to present dollar values saved or lost by digital risk solutions and security compromises—and bake “why this matters from a business perspective” into every board and executive conversation.
Simplicity should also be prioritized in digital risk protection tools and software. Organizations need to equip their teams with solutions intuitive enough for non-technical users who require digital risk intelligence but maintain the depth of data and functionality required for technical users. Some emerging digital risk protection solutions also offer usage permission options to support collaboration within and across departments, helping avoid organizational silos.
Org-wide security awareness training can also inform staff about the business impacts of digital risk and enforce best practices to protect the enterprise.
Ideally, these solutions will result in:
- A more holistic digital risk protection solution that considers all enterprise operations in its strategy
- Accessibility for non-technical teams like marketing and compliance who increasingly require digital risk data
- Org-wide buy-in and understanding of digital risk as business risk—particularly from the C-suite—with the goal of driving adequate funding and better decision-making
- Business leaders taking on some digital risk protection ownership to support an already understaffed and overburdened cybersecurity workforce
- Better response to digital threats and fewer financial and reputational damage
While digital transformation has a plethora of business advantages, organizations are likely to encounter serious security challenges if they don’t also prioritize digital risk protection.
But this doesn’t stop at allocating more resources to corporate security departments. Companies must also understand and implement DRM as a business strategy that drives revenue and affects all enterprise operations.
Without a fundamental shift in the way digital risk is understood, businesses endanger their capital and reputation as the online threat landscape continues to grow.