Modern technology is hugely beneficial to virtually all aspects of modern business, from customer interaction to information security. The trouble is, as technology evolves, so too do the techniques used by hackers and cyberterrorists seeking to access sensitive company information. This forces companies to try to stay one step ahead of these threats and incorporate risk management processes to protect sensitive corporate data.
In part two of this three-part video, shot at the Marcus Evans Enterprise Risk Management Conference in Chicago earlier this year, SearchCompliance Editor Ben Cole sits down with five risk management professionals to discuss how cybersecurity and technological trends are influencing businesses' risk management processes.
What are some of the current trends in technologies that could have a negative impact on organizational risk management?
Adi Agrawal (executive director, enterprise risk management, Chicago Mercantile Exchange): I think negative impact is a point of view. So just using the prior examples of cloud and social media, I think the impact is depending on your point of view and where you're looking at the problem from. I look at these as opportunities if addressed appropriately. Now, any uncertainty if you don't address it appropriately is going to have negative consequences for you -- potential negative consequences.
What I see, given the business that we are in, is cyberthreats that are very rapidly moving from state-sponsored to commercial espionage, because the toolkit that is available to these folks has become a lot more sophisticated. And we have a regulatory and legal framework across the world that is just not equipped to deal with it. I think, for technology, that is a current and fast-developing next frontier. We've had reports from Mandiant most recently about Chinese state-sponsored cyberattacks and cyberterrorism, and I think that's just one example. Companies have to get a lot better at cybersecurity, at technology security.
The other, sort of related trend is regulatory. The regulatory landscape is becoming more and more uneven across the world. It doesn't sound technology-oriented, but it's going to have a very direct impact on technology.
Frank Fiorille (senior director, risk management, Paychex Inc.): I think the 'big four' that I like to say are cloud, social, mobile and big data, just to give you some examples, with big data right now and what that does to overall compliance risk.
Emerging technologies -- whether it's mobile, social, cloud or big data -- are presenting potential privacy issues with big data. Companies are trying to figure out all these vast amounts of data and what they can do to leverage that to gain market share -- creating potential compliance and operational risk.
Sean Browning (director, enterprise risk management, Vectren Corp.): When I think about trends in technologies, in the utility space, there are a lot of differences, a lot of things that are changing. One of them is meters -- automated meter systems for people. That's changing the way the customers interface with the utility in terms of the price of their demand, and the way that they manage their demand, and the cost of their energy needs. As a critical infrastructure entity, [it's important] just having the technological capability to be able to be responsive to new threats as they emerge and to have the infrastructure in place to be able to monitor and evaluate what you're doing.
Legislation can only affect that -- again, it's touching on IT, but all of these things together are really challenging our organization to be able to prepare and deal with these things as they come in. We have a fairly mature cybersecurity program, but every step of the way, every progress we make, someone else is making their own leaps and bounds in terms of their ability to attack and infiltrate our system.
Victor J. Haddock (senior vice president, internal audit, Magellan Health Services): I think there's a couple that we, coming from an audit background, are aware of and [are] tracking from a risk perspective: mobile technologies and mobile computing, and this massive move to smartphones, iPads and all these other technologies that we're using to now do business.
Those technologies pose the risk of being stolen on the road with a lot of intellectual property. In the case of our industry -- health care -- with patient information, they're more accessible. They have a lot of processing power today, and a lot of things that you can do with those. We're using iPads to do presentations on potential new clients, and to show results. So all of a sudden, you have all these vehicles that we didn't have before and could be either a privacy or risk issue. It could be intellectual property getting in the hands of somebody else. So I think those mobile technologies very certainly are something we need to be very conscious about going forward from a control and risk perspective.
Another area we've seen and moved [toward] recently [is] work-at-home programs, where a lot of employees work in their own home, accessing corporate networks in settings that perhaps may not have the right security, or there is risk for somebody in the house, for example, obtaining information that used to be just in a physical location or an office. What is the extent of those programs' effectiveness? How do we secure the work environment for our people? How do we deal with workers-comp-type of issues in a home setting, and the technology that you have to provide so that it can be more productive or effective?
As you know, we all have personal broadband at home, but is that enough when you have somebody who is supposed to log in to our network, and [are concerned about] the speed of that, and accessing information? There's a number of issues there of risk [with] work-at-home programs that companies need to be conscious about. I think the recent news is seeing some companies rethinking those issues and saying, "Is there a value here or not?" I think those organizations need to develop some good strategic objectives around it, then evaluate the risk and then put some programs around it.
Tate Mitchell (director, internal audit, Aegion Corp.): Right now, the big thing I've seen a lot of companies are worrying about is their disaster recovery program. That, of course, includes business continuity. We just went through a big program with IBM and put that in place. It took us about five or six months, and the nice thing about this program is that they can have us up and running within 24 hours.
In the St. Louis area, as you can imagine, being around a couple of rivers, we're in a floodplain. Back in 1993, we were underwater. So for us -- and I'm sure with a lot of other companies with the way things are going nowadays with natural events and terroristic events -- it's very beneficial for a lot of companies to beef up that disaster recovery area to ensure, if there is an event, that within 24 to 48 hours, they've got to be back up and running with their technology and have access to their data as quickly as possible.
Also, their people need to know if their building, say, [is] underwater or destroyed by an earthquake; they've got to get back to work as soon as possible. I think that's probably an area that most companies have now realized that that's the direction they have to go in as quickly as possible -- and invest into it.