The world is perpetually moving onwards and upwards with cloud adoption.
This phenomenon is no longer surprising or in-and-of-itself noteworthy. In fact, according to recent research, 92% of global enterprises used public clouds in 2021. While there will always be a few inevitable holdouts, soon, nearly all organizations will embrace the cloud in some form or another.
But amidst this shift, there are the ever-growing corporate risks associated with reliance on cloud technology. December 2021’s repeated AWS outages serve as a stark reminder that, despite tremendous benefits, cloud dependence can be a double-edged sword for many enterprise organizations.
Mission-critical issues, such as minimizing reliance on concentrated platforms, avoiding outages and preventing data exposure, have elevated the topic from IT manager and developer discussions to full C-suite priorities, with the goal of reducing and removing risk wherever possible.
Risk is inevitable
Of course, all organizations have some corporate risk — there’s just no way around it. Truth be told, the only way to prevent modern risk altogether would be to go back to the Stone Age and miss out on the huge benefits that come with advanced technology; and even then, companies might still wind up exposed to other types of business risks. In the modern cloud and Software as a Service (SaaS)-based ecosystem, however, corporate risk is clearly something that not only has to be accepted, but properly managed as well.
But this undertaking of trying to decipher and then manage risk has proven to be a challenge. The risk management community continually struggles to build generic models that adequately address these issues, especially while balancing the need to justify risks to business stakeholders. Leadership wants to understand these risks in terms of dollars and cents rather than technical jargon or qualitative input.
For sustained success, security leaders must get a clear view of the risks their companies face, understand how to measure them, invest properly in addressing them and, when required, defend against them on an ongoing basis.
To this end, in 2017, Gartner coined the term Integrated Risk Management (IRM), which delineates a way to look at and address risk management across the organization to make better, more informed decisions for optimized results. With parameters to address risk identification, assessment, response, communication and monitoring, IRM creates an achievable pathway for this.
In theory, that is.
During the risk identification stage of the IRM model, the responsible party identifies risks through assessments and/or meetings with stakeholders. The risks are then collected into a spreadsheet or another static legacy solution. From there they are analyzed with existing IRM tools, which feed predefined formulas with manual input from the risk manager in an attempt to prioritize those that are most pressing.
But what if companies could incorporate objective data — such as intelligence that has been pulled directly from sources — into the risk assessment? What if, instead of basing risk management on interviews, assessments and gut feelings — and then relegating that information to a static spreadsheet — it could be defined according to the underlying live data and used to make impactful, data-based decisions in real time?
The future of IRM lies in quantifying risk with live — and most importantly — objective data.
Data: The key to truly understanding risk
Instead of relying on inherently unreliable elements like spreadsheets, workflow GRC tools and one-on-one conversations, normalized and structured data collected from all the applications a company uses can provide a full, comprehensive picture of the risks the company actually faces. In place of feelings and potentially subjective assessments, data can tell the true story behind the scenes and give companies a far more accurate observability tool with which to understand the corporate risks they must address, and to act on them in time. From there, companies can build a true risk matrix to prioritize what needs to be addressed first, and so on.
Risk professionals will tell you they already rely on real data gathered from the field during their last survey. In truth, this isn't the same as data continuously and independently pulled directly from sources. Shifting to a truly data-based IRM approach gives companies the ability to view their risks objectively and fully understand their risk posture. Data should serve as a company’s North Star when deciding where to allocate resources and funds for risk management, and it can help drive efficiency — saving stakeholder time by cutting down on less-than-objective assessments and meetings.
To quote Suhail Doshi, CEO of Mixpanel and member of Forbes 30 Under 30, “Most of the world will make decisions by either guessing or using their gut. They will be either lucky or wrong.” With data to drive decision-making in the corporate risk assessment process, organizations can finally stop relying on luck to get it right. In the world of the cloud, data is the real and only future for successful risk quantification.