The 10-second version is this: Digital resilience is a fundamental change in understanding and accepting the true relationship between technology and risk. IT risk (or cyber risk, if you prefer) is actually business risk, and always has been.
What’s wrong with the old way of understanding IT risk?
Over the past few decades the world has witnessed a massive digital transformation. Businesses began moving their value-generating engines to interconnected systems and putting greater reliance on internet communication. Employees began using email and workstations, and by this point are even connected at the hip by way of mobile devices. Servers—previously a collection of warm, whirring monoliths in a room downstairs—now exist in the cloud. Corporate dependence on technology is not only all-encompassing, it is growing deeper and even more fundamental as the years go by. Because the fastest, best organizations are also the ones continually adopting better technology, there is no way to stop or even slow this continuing digital transformation.
To get a sense for the scale of the problem, let’s dial it back down to the IT risks that exist for a very small business. Even the simplest of mom-and-pop operations are subject to the digital transformation—consider the barest minimum of business computing: a spreadsheet on a workstation containing customer records. An entire small business can live in that file, but that file must be stored somewhere secure, must be backed up, and must have appropriate permissions. And that file faces a number of ongoing risks—its host machine contracting malware, hardware failure, weak passwords, malicious actors, and so on. Now extrapolate that out to the size of an enterprise—countless sensitive files spread among thousands of employees and thousands of servers with an ever-changing infrastructure—and it is easy to see one way in which the quantification of IT risk becomes very complicated, very quickly.
A fact often overlooked by executives and risk managers is that with every change comes a new, and perhaps different, type and amount of risk. Consider each server that gets added, each user account created, each software package installed, even individual ports opened—practically every IT action represents some type of risk. For older businesses (and by older, let’s say 50 years or so—old enough to have a “before computers” phase) IT crept into business operations over the course of years and decades, and for them the disparity between IT complexity and the understanding of IT risk can be even more profound.
The first instinct when realizing the scale of IT risk is to lock everything down as much as possible. And that’s prudent to a degree, but if you go too far, you run the risk of grinding business operations and innovation to a halt—which is another type of risk in itself. As is the case so often in life, neither polar extreme is ideal and the appropriate balance must be found. That is the challenge, and really the art, of digital resilience—recognizing and understanding IT risk as business risk, and making the most appropriate decisions going forward. Denying digital resilience by marginalizing IT risk as “an IT problem” or “something for the CISO to worry about” is a critical error which actively harms the organization.
IT managers, CIOs and CISOs tend to speak what is practically a different language from CEOs, CFOs and CROs when it comes to risk. This makes it difficult for the IT side to request resources and difficult for the C-suite to comprehend the true risk of data breaches and service outages.
UpGuard bridges that gap. By gathering information about the configuration state of servers and devices, analyzing it for certain factors (such as the rate of unplanned change, known software vulnerabilities present, and other key indicators) and compiling it into a single risk score, everyone involved gains new insight into how likely (or not) the organization may be to encounter breaches or unplanned outages. We call this score CSTAR, and it is in use in corporations around the world enabling executives to better understand their own business and the threat landscape at large.
Upon achieving the ability to assess risk, businesses can begin to manage it. Knowing the risk profile of each system allows businesses to direct resources to avoid misconfigurations, remove vulnerabilities, and introduce testing protocols calibrated to the criticality of the asset. Not to beat a dead horse, but it is important to understand that those actions on their own do not automatically reduce overall business risk. A total security freeze may lessen certain technical risks, but may increase other business risks by starving the types of strategic initiatives that result in value.
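To make the scoring idea concrete, here is an added illustrative model (not CSTAR and not UpGuard's code) that takes the factors named above, rate of unplanned configuration change and known vulnerabilities present, combines them into a per-host exposure, scales it by asset criticality, and rolls hosts up into a single organisation-level number. The weights, the vulnerability cap and the sample snapshots are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed example: a host's configuration captured as key/value pairs
# (open ports, package versions, ...) plus the keys whose change was approved.
@dataclass
class Snapshot:
    config: dict                                   # e.g. {"openssl": "1.1.1k"}
    planned_keys: set = field(default_factory=set) # keys changed by an approved ticket

def unplanned_change_rate(snapshots):
    """Share of config keys that changed between consecutive snapshots
    without a matching planned change. 0.0 when nothing changed."""
    changed = unplanned = 0
    for prev, cur in zip(snapshots, snapshots[1:]):
        for key in prev.config.keys() | cur.config.keys():
            if prev.config.get(key) != cur.config.get(key):
                changed += 1
                if key not in cur.planned_keys:
                    unplanned += 1
    return unplanned / changed if changed else 0.0

def vulnerability_factor(known_vulns, cap=10):
    """Known vulnerabilities present on the host, saturating at `cap` (assumed)."""
    return min(known_vulns, cap) / cap

def host_exposure(snapshots, known_vulns):
    """0..1 exposure; the 60/40 weighting is an assumption of this example."""
    return 0.6 * unplanned_change_rate(snapshots) + 0.4 * vulnerability_factor(known_vulns)

def risk_score(exposure, criticality):
    """Per-host 0..100 score, scaled by asset criticality (0..1, 1 = critical)."""
    return round(100 * exposure * criticality, 1)

def fleet_score(hosts):
    """Single organisation-level score: criticality-weighted mean of host exposures.
    hosts: list of (snapshots, known_vulns, criticality)."""
    total_weight = sum(c for _, _, c in hosts)
    if not total_weight:
        return 0.0
    weighted = sum(host_exposure(s, v) * c for s, v, c in hosts)
    return round(100 * weighted / total_weight, 1)

# Constructed sample: an approved OpenSSL upgrade plus an unapproved telnet enablement.
WEB_HOST = [
    Snapshot({"ssh.port": "22", "openssl": "1.1.1k", "nginx": "1.18"}),
    Snapshot({"ssh.port": "22", "openssl": "1.1.1n", "nginx": "1.18", "telnet": "enabled"},
             planned_keys={"openssl"}),
]
# A quiet host: identical snapshots, no known vulnerabilities.
DB_HOST = [Snapshot({"postgres": "13.4"}), Snapshot({"postgres": "13.4"})]
```

In the sample the web host shows one planned and one unplanned change (rate 0.5) and three known vulnerabilities, so a critical web host scores 42.0 while the unchanged database host contributes nothing to the fleet figure.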
In many ways, digital resilience does for business risk what DevOps did for software development—it connects teams to share information effectively, strengthens business processes and produces a better end result.
All the information needed to perform a CSTAR assessment is bundled into the UpGuard platform. Learn more about CSTAR.