Cyber and ransomware attacks have moved up the priority list of board-level decision makers, and for good reason - 75% of UK businesses have been affected by an attack. What is often overlooked, however, is the role of technology risk management. Organisations now run more distributed, complex and, ultimately, riskier technology infrastructure than ever before. Hybrid working and supply chain challenges, as well as untracked poor practice such as unsanctioned applications and password files, add to this complex picture. And with technology risk management that is out of date, inaccurate and manual, tech and business leaders are not always well equipped to tackle the growing level of technology risk.
It is, therefore, a crucial time to embrace and further a new, data-driven technology risk management paradigm. Nimbus Ninety, in partnership with Tanium, brought together technology and business leaders to share experiences of implementing, adopting and communicating a new approach to technology risk management. The evening, full of insightful debate, cat stories and food, began with a scene-setter from Oliver Cronk, Chief IT Architect for EMEA at Tanium.
A DATA-DRIVEN APPROACH TO TECHNOLOGY RISK MANAGEMENT
Oliver began by highlighting how a data-driven approach to technology risk management can overcome common challenges and create opportunities for greater business value. At its core, a data-driven approach creates visibility of exposure, which, Oliver argued, is foundational to technology risk management. Organisations equipped with these insights can prioritise high-risk areas and, in turn, secure, streamline and update their technology infrastructure. It also allows organisations to look beyond cyber security and proactively manage problems such as unsanctioned applications and password files. Finally, Oliver suggested that, as has been seen with customer-facing technologies, a data-driven approach will help to break down silos and enable decision-makers to get value from the technologies they already own. Members then broke into a roundtable discussion. Some key takeaways were:
An initial discussion focussed on how data-driven insights might drive greater ownership of risk and vulnerabilities. Data gives organisations not only the visibility to identify and address issues but also widens accountability beyond the board. Similarly, visibility might foster collaboration and the sharing of problems as accountability spreads across the organisation. Other members suggested that this wider accountability might surface and solve adjacent problems: for example, the technology risk of running too many applications, once visible, can justify removing them, which may also save the organisation money in the long term.
Given the cross-industry nature of the members in the discussion, it was clear that this new paradigm is not one-size-fits-all. This was most notable when discussing the differences between highly regulated industries, such as financial services and insurance, and less regulated ones. Members noted that in regulated sectors, regulation may dictate both what technology risk management must cover and how it is used, so less regulated industries might be better placed to move first on the new paradigm.
There was lively debate around how a new paradigm might trigger greater innovation across technology and business. For instance, a clearer, real-time picture of technology risk might shift the narrative around cyber security prevention, which is often framed as reactive, expensive and disruptive to business as usual. Further discussion covered how technology risk management might incorporate risks associated with climate imperatives, geopolitical change and the metaverse.
The biggest topic of discussion was how members might go about building and communicating a business case for technology risk management. Communicating the business value and ROI is difficult, and even when tech leaders are equipped with the technology risk data, it can be overlooked and not acted upon. Members suggested that the data might not align with board imperatives, or might be dismissed as boring and ineffectual. Members were clear: if technology risk management is to affect business decisions, developing a clear communication, or 'storytelling', strategy is key.
Members suggested several strategies in this area. Several favoured a technology risk rating, in the style of a credit rating, as a realistic option. Combining quantitative measures, such as cyber attack probabilities, with qualitative ones is also important. Others proposed principles such as keeping communication universal, nuanced and contextual, and framing the story in line with board-level objectives, supported where possible by case studies from the organisation's own geography and industry.
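As an added illustration of the credit-style rating the members described (example code written for this recap, not Tanium's product logic or any member's method): it takes a constructed per-asset inventory of the exposure types discussed above (unsanctioned applications, password files, plus missing critical patches), combines a quantitative compromise probability with qualitative context (internet exposure, business criticality), ranks assets so the highest-risk areas surface first, and rolls the estate up into a single letter grade for a board summary. The asset names, finding weights, multipliers and grade thresholds are all assumptions.

```python
"""Credit-style technology risk rating over an asset inventory.

Added example, not the members' or Tanium's method. It assumes a constructed
per-asset count of findings of the kinds the discussion named (unsanctioned
applications, password files) plus missing critical patches, and maps a
weighted compromise probability to a letter grade. All weights, multipliers
and grade thresholds are illustrative assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    unsanctioned_apps: int          # applications not on the approved list
    password_files: int             # credential files found on disk
    missing_critical_patches: int   # critical patches outstanding
    internet_facing: bool           # qualitative context: reachable from outside
    business_criticality: str       # qualitative context: "low", "medium" or "high"


# Assumed per-finding probability that an attacker exploits that one finding.
FINDING_WEIGHTS = {
    "unsanctioned_apps": 0.05,
    "password_files": 0.15,
    "missing_critical_patches": 0.10,
}
# Assumed qualitative impact multiplier: a compromised crown-jewel system costs more.
CRITICALITY_MULTIPLIER = {"low": 0.5, "medium": 1.0, "high": 2.0}
# Assumed score bands mapped to credit-style grades (lower score is better).
GRADE_BANDS = [(0.1, "AAA"), (0.3, "AA"), (0.5, "A"), (0.7, "BBB"), (0.9, "BB")]


def compromise_probability(asset: Asset) -> float:
    """Probability that at least one finding on the asset is exploited,
    treating findings as independent events (a simplifying assumption)."""
    p_safe = 1.0
    for finding, weight in FINDING_WEIGHTS.items():
        p_safe *= (1.0 - weight) ** getattr(asset, finding)
    p = 1.0 - p_safe
    if asset.internet_facing:
        # Externally reachable assets are modelled as facing twice the attempts.
        p = 1.0 - (1.0 - p) ** 2
    return p


def exposure_score(asset: Asset) -> float:
    """Quantitative likelihood scaled by qualitative business impact."""
    return compromise_probability(asset) * CRITICALITY_MULTIPLIER[asset.business_criticality]


def rate(score: float) -> str:
    """Map an exposure score to a credit-style grade; above the top band is 'B'."""
    for upper, grade in GRADE_BANDS:
        if score < upper:
            return grade
    return "B"


def prioritise(assets: list[Asset]) -> list[tuple[str, float, str]]:
    """Rank assets by exposure, highest first, so the riskiest areas are addressed first."""
    ranked = sorted(assets, key=exposure_score, reverse=True)
    return [(a.name, round(exposure_score(a), 4), rate(exposure_score(a))) for a in ranked]


def organisation_rating(assets: list[Asset]) -> dict:
    """Board-level summary: one grade for the estate plus the driver behind it."""
    scores = [exposure_score(a) for a in assets]
    mean_score = sum(scores) / len(scores)
    worst = max(assets, key=exposure_score)
    return {
        "grade": rate(mean_score),
        "mean_score": round(mean_score, 4),
        "worst_asset": worst.name,
        "worst_grade": rate(exposure_score(worst)),
    }


# Constructed sample inventory (not real data).
SAMPLE_ASSETS = [
    Asset("finance-db-01", 0, 0, 1, False, "high"),
    Asset("laptop-042", 3, 1, 2, False, "medium"),
    Asset("web-portal", 0, 0, 1, True, "high"),
    Asset("kiosk-7", 2, 0, 0, False, "low"),
]

if __name__ == "__main__":
    for name, score, grade in prioritise(SAMPLE_ASSETS):
        print(f"{name:<15} score={score:.4f} grade={grade}")
    print(organisation_rating(SAMPLE_ASSETS))
```

On the sample data the laptop with three unsanctioned applications and a password file ranks above the internet-facing portal, and the estate as a whole lands at "AA" while its worst asset sits at "A": the per-asset ranking is what engineers act on, and the single grade with its named driver is the one-line story for the board.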
This event was held in partnership with Tanium.