kentoh - Fotolia

Digital risk management strategies for the data-centric business

To offset threats from constantly expanding information volumes, business leaders must rethink how they integrate digital risk management tactics throughout their companies.

The rapid digitization of corporate information has had a positive influence on modern companies' business processes: Data has become infinitely easier for modern companies to preserve, access and share, affording the opportunity to reach more customers and conduct business transactions quicker.

There are business downsides to digitization, however, including the additional risks that come with governing the unprecedented amount of data generated by the typical modern company.

"Your users not only have 10 times the applications that they had 10 years ago, they also have multiple devices that they are creating this data and using it with," said Gartner Research Director Alan Dayley during a session at the 2016 Gartner Security and Risk Management Summit.

Digitized businesses have had to adapt their governance and compliance processes, while considering digital risk management tactics to stay successful in the face of proliferating data. A big obstacle is the risk that stems from keeping unused, "dark" data and "unstructured" information that holds no business value after it is generated.

Instead, dark and unstructured data often just hangs around and is ignored until it creates a legal, compliance or security issue that the company didn't know it had.

"We don't delete things; there is no incentive to delete things," Dayley said. "You just ask for more storage, and you get it most of the time."

Developing -- and sticking to -- deletion schedules

Data retention and deletion schedules can help reduce the risk stemming from dark or unstructured data that provide no use for the business. The schedules have to be followed to be successful, however: A Gartner study predicts that by 2018, 50% of organizations will have documented data deletion policies, but only 10% will fully comply with the policies.

Dayley noted that oftentimes companies will validate keeping useless data because they think it might prove useful for legal or regulatory purposes down the road. But ultimately, storing too much useless data could prove the bigger risk than saving it "just in case."

"One of the things that we have found is that as far as business records and data required for legal hold and regulations [are concerned], only 2% of your unstructured data actually falls into that category," Dayley said. "[If you] have a documented retention policy schema and [don't] adhere to it, you are looking at major sanctions if you get any sort of litigation."

In a perfect world, security should really be integrated into the fabric of the enterprise -- part of the behaviors, the technologies.
Tom ScholtzGartner Research

For these deletion schedules to work, companies have to know what they have: They must conduct a careful inventory of data assets and classify how this information is used for business, as well as GRC, purposes.

And it’s important to remember that although data classification will be vital to success for the digitized business, it still might not help: Gartner predicts that through 2020, 75% of organizations implementing data classification will report limited deployments and tangible benefits.

This is because not enough input is provided by the organization’s numerous information stakeholders – the front-line staff that is familiar with what Gartner Research Vice President Tom Scholtz calls the organization's data "context" and its unique risks.

"You don't get context awareness out of a box," Scholtz said during the Gartner Security and Risk Management Summit.

Integrated digital risk management

Input from across the organization will be required to gain this context awareness for data: Like other aspects of the digitized business, effective digital risk management will be heavily reliant on breaking down barriers between departments. For example, many organizations still fail to develop a consolidated data security policy across silos, making them vulnerable to regulatory noncompliance, security breaches and financial liabilities.

Risk management executives report this lack of cross-organizational collaboration hinders their ability to forecast critical risk, according to Gartner. A carefully planned, proactive IT security and digital risk management policy implemented across the organization can help alleviate this issue. But when developing these policies, it’s important for companies to gain digital risk management insight from inside the organization, rather than relying heavily on external consultants, Gartner Research Director Rob McMillan said during the Gartner Security and Risk Management Summit.

"It's very difficult for an external person to say what the biggest risks for an organization are, because every organization is in a unique situation," McMillan said.

To further offset constantly evolving risks, companies should regularly assess their IT security and GRC investments to make sure they are able to stave off new threats to company data. It's also vital to implement these security technologies and processes across all of the layers of the company -- its applications, infrastructure and all data.

This requires a lot of knowledge, experience and patience that a lot of companies just don't have the resources for, Scholtz added.

"In a perfect world, security should really be integrated into the fabric of the enterprise -- part of the behaviors, the technologies," Scholtz said. "That's not going to happen any time soon."

To help move the integration along, McMillan recommended combining and/or replacing siloed GRC software to create an integrated risk management solution. Companies can then identify gaps in the integrated risk management architecture to further guard against prospective risks, he added.

McMillan also reiterated that it’s important to identify all the company’s relevant GRC stakeholders, including board members and senior executives, early in the GRC integration process. Companies might also consider developing a "digital risk officer" role, a job that McMillan said has become more popular as organizations continue to see how IT and information risk has a causative relationship with business outcomes.

"Risk is not a bad thing; you just have to be smart about how you [manage] it," McMillan said. 

Next Steps

Gartner predicts cybersecurity will continue to be an obstacle for digitized business
Cloud governance tactics to protect your digital assets

Dig Deeper on Risk management and compliance