Libby Bevin

Organizations today live in a dynamic environment. Risks to your business activities are everywhere, including among the relationships you have with other parties.

From choosing supply chains to engaging in new partnerships, third-party risks have always been part of the risk assessments that organizations perform (or should perform, at least). Unfortunately, with the advent of cloud services and automation, third-party risks are now one of the most common threats that the modern enterprise faces.

Enterprise risk management (ERM) is the identification, assessment, and mitigation of risks. It requires an organization to develop a series of metrics for its most pressing risks. These metrics are known as “key risk indicators,” or KRIs.

KRIs, supported by risk appetite statements and the organization’s risk management strategy, serve as early warnings of potential risks in various areas of the enterprise. They’re meant to assure stakeholders that risks can be monitored and mitigated quickly.

Like KRIs, key performance indicators or KPIs are metrics designed to give a high-level overview of the company’s effectiveness. They are part of the organization’s performance management. The concepts of KRI and KPI are similar and sometimes confused as the same thing, but they are indeed two different metrics.

While KRIs and KPIs are both important to benchmark and achieve business objectives, they use different approaches. KPIs track and improve the company’s productivity and effectiveness. KRIs complement KPIs by helping to monitor and remove barriers to achieving KPIs. By using KRIs to keep risks in check, the organization will have less interference with its ability to meet the objectives that KPIs measure.

Effective KRIs and KPIs can improve the decision-making of management teams, and foster the creation of practical action plans against the root causes of risks. That reduces the company’s overall risk exposure.

Examples of Key Risk Indicators

Key risk indicators monitor risks to a company’s strategic plan and the company’s particular needs — so KRIs that help one company may not necessarily be appropriate for another company.

Even so, KRIs can be grouped into three main categories:

• Operational indicators: elements that identify a set of risks arising from day-to-day activities;
• People indicators: factors that evaluate the satisfaction of employees and customers, the retention of talent within the organization, and so forth;
• Financial indicators: metrics that help to calculate market risk, competition, or regulatory changes.

Some KRIs can be useful across a broad range of businesses. Following are several examples of financial metrics that can be KRIs:

• Invoices Paid On-Time

  This measures the percentage of invoices paid on time relative to the total number of invoices paid during a given time. This KRI indicates cash flow risks related to receiving on-time payments from customers.

• Days Payable Outstanding

  This metric measures the calendar days that the organization takes to pay its account balances. It indicates cash flow management practices related to meeting short-term financial obligations, usually to suppliers or vendors.

• Value at Risk

  Value at risk is the amount of potential loss (in monetary terms) that the company could incur if its assets lost value. So this metric identifies the appropriate amount of cash that companies should have at their disposal to cover unexpected losses.

Examples of KRIs related to risk management of operations include:

• Percentage of Delayed Projects in Progress

  This KRI is the number of projects currently in process that are delayed compared to the company’s total number of active projects. By measuring the organization’s project management and planning effectiveness, risks to customer satisfaction and cash flows can be identified.

• Percentage of Departments Without KPIs in Place

  This evaluates the number of departments that do not have key performance indicators over the total number of departments within the company. This indicator illustrates gaps of accountability within business units and departments.

• Number of Regulators’ Notifications

  This refers to the number of notifications or findings that the company has received from regulators in a given time frame. A company’s ability to comply with regulations imposed by the relevant regulatory bodies is critical to assure ongoing operations without disruptions.

In today’s heavily digitized landscape, companies increasingly face technical risks, too. These operational risks have the potential to derail production, resulting in costly downtime. To track these risks, some KRIs can be:

• Mean Time Between Failure (MTBF)

  This refers to the average time elapsed between system failures. It is measured from the moment an issue or failure is repaired until another failure occurs, and can shed light on the organization’s overall ability to manage IT systems.

• Mean Time to Repair (MTTR)

  MTTR is the average time needed to complete repairs to a system or application when that system breaks down. It is measured from the time the failure occurs until the system is fully restored.

• Number of System Capacity Overloads

  This is the number of occasions where systems exceed their established maximum capacity. It is measured as a function of request per second within a given time.

How to Develop Your Key Risk Indicators

An effective KRI is defined according to the particular needs of the company. So having a thorough process to formulate key risk indicators is essential for the risk management strategy of organizations.

This also means that the more information there is available for assessment, the more visible the organization’s risk landscape becomes. Automation plays a crucial role in monitoring KRIs, enabling real-time evaluation of risk metrics and constant modification of risk management strategies and methodologies.

Effective KRIs have some characteristics that make them easy to use and analyze:

• Quantifiable
• Accurately measurable
• Validatable
• Predictable
• Relevant to the associated risk

To start developing KRIs, define the company’s objectives and the means or processes required to meet those objectives. Once you determine these elements, you can extract potential risks or hazards to business goals. By mapping the business strategy, objectives, and associated risks, it is easier to pinpoint which indicators are most relevant to your enterprise.

ZenGRC Helps You Minimize Risks

ZenGRC’s governance, risk, and compliance software simplifies your vendor management process, records tasks from beginning to end, and gathers all vendor management paperwork. This means your teams can communicate more effectively regarding vendor relationships, and better address concerns with suppliers.

The streamlined workflow feature of ZenGRC shows task managers the dates on which suppliers responded to questions and the progress of each task. Consequently, compliance officers no longer have to waste time following up with so many third-party contractors.

ZenGRC’s automatic features handle time-consuming duties for you, enabling you to focus on the larger picture of compliance. As a result, vendor risk management is more efficient and effective.

Contact us today to schedule a free demonstration.

Technology and IT infrastructure are essential assets for businesses today. Without them, daily operations can grind to a halt.

Consequently, assessing the risks to, and mitigating the vulnerabilities in, those assets has become a basic organizational need. Those capabilities are crucial for businesses to optimize efficiency without increasing risks for their stakeholders.

And how can a business develop and use those capabilities? With a cybersecurity operations team.

These teams (also known as security operations centers) are departments created to monitor and analyze the organization’s security posture on an ongoing basis. SOCs exist to detect, analyze, and respond to cyber threats, using monitoring tools, threat intelligence, and other security methods.

SOC teams analyze the operation of databases, servers, endpoints, networks, and other systems for security risk indicators. The SOC then works with incident response teams to assure risk mitigation in real-time and to protect your business from risk.

Should I Assemble a Security Operations Team or Center?

Estimates are that by the end of 2021, cyber attacks will have caused more than $6 trillion in losses — a sum set to double by 2025.

Moreover, cybercriminals have taken advantage of the COVID-19 pandemic to select more vulnerable targets: those with a greater need to keep their operations undisturbed, such as healthcare or other critical infrastructure.

For example, healthcare companies have suffered an alarming number of cyberattacks in recent months, as described in a joint report by the HHS, CISA, and the FBI.

One of the most effective solutions to combat this steep increase in the number and severity of cybersecurity incidents, beyond implementing employee cybersecurity training, is creating SOCs.

An important point to consider when creating a security operations team is the type of business you conduct. For example, some companies may face lower cybersecurity risk, while others may have inherently high risks and strict security regulatory compliance obligations.

In the latter case, cyber security operation teams can facilitate the arduous vulnerability management tasks within financial institutions, healthcare, and technology companies.

Another element to consider is the type of information your organization handles. Several data protection regulations require companies to maintain a robust security architecture and overall security policy to reduce the risk of data breaches. Demanding compliance requirements like that can benefit from a SOC.

The size of the company and its operations can be a crucial factor in determining deploying a cybersecurity operations team. Small companies with low levels of risk may delegate risk monitoring functions to other related departments; large companies may have volumes of risk that require a dedicated SOC.

The Benefits of Having a Dedicated Cybersecurity Operations Center

The most significant benefit of a cybersecurity operations team within your organization is that the team can perform constant threat hunts.

SOCs can also provide a unique perspective of the organization’s security through vulnerability assessments of the enterprise IT infrastructure (endpoints, firewalls, network, storage systems, and others).

Having a team dedicated to the assessment and remediation of vulnerabilities provides an advantage against intrusions, regardless of the type or time of the attack. SOCs typically can identify an attack more quickly, which means less time that your organization is actually under attack.

How to Create a Dedicated Security Operations Center

To develop a dedicated SOC within your organization, consider several key elements to assure its effectiveness.

First, develop a strategy for your organization. Evaluate the organization’s current capabilities in the face of risks. Specifically examine your organization’s monitoring, detection, response, and recovery processes.

Next, design a solution for the deficiencies found. Based on practical cases, you should define base solutions that can meet the company’s future needs according to its objectives.

After developing the functional requirements, choose a SOC model that addresses those issues and then design a technical architecture: threat lifecycles, information systems, workflows, and automation areas.

It is essential to use security monitoring tools to collect as much relevant information as possible for security operations, even within cloud environments. Automation will allow the SOC to leverage large volumes of data and identify suspicious or malicious activity, and then triage those indicators based on their severity and area of impact.

Then, prepare the security operations center’s environment, assuring that the team members’ devices are free of malware and that robust authentication methods are in place.

Finally, implement the program, periodically evaluate it, and improve elements within the SOC regarding the model, the roles of the members, or the tools in place.

ZenGRC Is Integral to Cybersecurity Operations

When you can’t see the broad picture, you struggle to control your IT systems’ weaknesses. To comprehend your entire risk environment, you must analyze your company as a whole rather than just the sum of its parts.

ZenGRC is an integrated platform that monitors your organization’s risk management activities in real-time and regularly.

Through automation and integration, ZenGRC provides a comprehensive picture of your vulnerabilities, resulting in visibility and scalability throughout your whole organization.

Schedule a demo now to discover more about how ZenGRC can assist you in eliminating vulnerabilities and keeping your business safe.

Artificial intelligence (AI) is here to stay. Every day, businesses find more activities that can be optimized thanks to the efficiency and effectiveness of this evolving technology. Within marketing, customer service, and even security, the power of information management and AI has advanced the standards for companies in a highly competitive environment.

AI tools have their own set of operational and functional advantages, and their own risks, too. That’s why companies should carefully evaluate the use of AI within their operations, and understand the risks and rewards you assume when adopting this technology.

Society still doesn’t have a consensus on exactly what we mean by the phrase “AI,” so we cannot refer to a single phenomenon. Broadly speaking, however, we can say that artificial intelligence adapts to meet users’ needs by analyzing usage patterns among various data sources or general guidelines within a sea of information.

Platforms such as Trello have already begun to include AI features based on machine learning to predict the recurring activities of their users. Other applications have adapted their business model based on AI technologies such as QuillBot, a rephrasing service powered by natural language processing.

Enterprise risk management can also use these technologies to simplify business processes and use resources effectively.

Is Artificial Intelligence a Game Changer in Risk Management?

It’s more accurate to say that in the fullness of time, AI will be a game-changer — but perhaps not quite yet. AI is changing the game one step at a time.

For example, banks and financial technology (fintech) companies are implementing risk management systems with AI solutions to facilitate decision-making processes, reduce credit risks, and provide financial services tailored to their users through automation and machine learning algorithms. AI’s ability to analyze large amounts of information substantially improves the identification of data relevant for cybersecurity risk management, risk assessment, and accurate business decision-making.

Some specific use cases that have benefited from AI integrated with risk management systems include:

Threats Analysis and Management

Machine learning engines can analyze large amounts of data from various sources. This information generates real-time prediction models that allow risk managers and security teams to address risks quickly. The models are fundamental to develop early warning systems that assure the uninterrupted operation of the organization and the protection of its stakeholders.

Risk Reduction

AI also provides the ability to evaluate unstructured data about risky behaviors or activities in the organization’s operations. AI algorithms can identify patterns of behavior related to past incidents and transpose them as risk predictors.

Fraud Detection

Fraud detection traditionally requires intense analysis processes for financial institutions and insurers. AI systems can substantially decrease the workload of these processes and reduce fraud threats by using machine learning models that focus on text mining, social media analysis, and database searches.

Data Classification

AI tools can also process and classify all available information according to previously defined patterns and categories and monitor access to these data sets.

How to Use Artificial Intelligence in Your Risk Management Plan

Unfortunately, these benefits do not come without risks. When implementing AI technologies, companies must pay special attention to their associated challenges, such as protecting the data collected and used, along with the costs of implementation.

The following procedure can be used to implement AI models within your company, both to reduce “AI risk” and to take advantage of the benefits that these tools can bring to your organization:

Ideation

The first step to implementing a risk management system supported by AI is to identify the organization’s regulatory and reputational risks. Conduct a risk assessment, based on current frameworks and your company’s organizational values. Use it to determine the data you need to collect and how you want to process that information.

Data Sourcing

Based on previous risk assessments, it is possible to define which data sets are suitable for AI model processing and which ones aren’t. So think carefully about what data to use and where you can source that information. Even at the operational level, choosing the right data sets influences the quality of the results, so data sourcing becomes a crucial step for the implementation of the ecosystem.

Model Development

Once you have useful data, build a useful model. Consider the level of transparency you want in AI operations, since some AI tools aren’t recommended for high-risk activities. Review any regulatory limits on how AI can be used for certain business processes, and how the AI will further business objectives your organization has.

Monitoring

Like other risk management tools, the use of AI must be constantly evaluated and adjusted. It’s critical to consider the changing needs of the organization and the possible drawbacks that this technology may present.

ZenGRC Has Risk Management Solutions

ZenGRC is a governance, risk, and compliance platform that assists you in implementing, managing, and monitoring your risk management framework and remedial assignments.

Its workflow-tagging feature empowers risk management strategies by allowing you to assign tasks for risk assessment, analysis, and mitigation. Duties and tasks can be prioritized so everyone understands what to accomplish and when to do it. Its user-friendly interface simplifies the evaluation of pending and finished activities.

The ServiceNow connection enables communication with ZenGRC in both directions. ZenGRC can assist you in streamlining the administration of all your crucial regulatory compliance frameworks, including PCI, ISO, HIPAA, and others.

Get started on the path to worry-free risk and compliance management. Contact us for a free demo.

As cyber threats and data breaches proliferate, organizations need a better way to protect their sensitive data. One specific need: effective and efficient data security models.

A security model includes procedures to validate security policies and to implement vital business processes and workflows in your security program. A security model also specifies the data structures and techniques required to enforce security policies.

Several such security models are now available, including the Bell-LaPadula Model, the Biba Model, the Clark Wilson Model, and the Harrison-Ruzzo-Ullman Model.

Why do models matter? Because the traditional approach of application-centric architecture is framed in terms of business processes and workflows, with specific data sources enabling particular functions.

This approach, however, ends up creating silos of data, and also leads to inconsistencies and redundancies that make it harder to safeguard data and assure compliance across the entire enterprise — which is what the enterprise needs these days, since secure, compliant access to data is what drives business performance.

To overcome these limitations and better protect their data, organizations need a data-centric approach to security.

What Is a Data-Centric Architecture?

In a data-centric architecture (sometimes known as a data-centered architecture or simply data centricity), applications are considered transitory. Data is the primary asset, and the data model precedes application implementation.

A data-centric architecture is not the same as a data-driven architecture. A data-driven organization acquires, ingests, and analyzes large volumes of data. More often than not, however, different datasets have different data models, which all exist within a single data lake.

There is little or no effort to harmonize these models. So as the number of data sources and types increases, inconsistency in format, structure, and security becomes a big problem in the data lake.

In a data-centric architecture, all data in the data lake is cataloged for easier analysis. Moreover, there is a predefined architecture as well as standardized model templates, where applications are developed around data instead of the other way around.

What Is Data-Centric Security?

A data-centric approach to security allows organizations to better protect their enterprise information from unauthorized access, theft, compromise, or misuse.

Most legacy security technologies focus on where data is, such as on which endpoint, server, or network. The main drawback of this approach is that if the information moves, it is often left unprotected.

Data-centric security focuses on what needs to be protected rather than where the data actually is. It identifies sensitive data and applies policy-based protection to secure that information throughout the data lifecycle, regardless of its location.

Typically, data-centric security models leverage software agents installed on IT assets where sensitive data is created or stored.

The agents are managed and controlled from a centralized data management console, where the appropriate level of security is defined for each data type and use case.

Benefits of a Data-Centric Approach to Security

The study Making Your Business Cyber-Resilient In 2021 found that most organizations struggle to manage and mitigate cyber risks while keeping the business running.

Part of this is due to the COVID-19 pandemic, which not only changed how organizations work; it also created new threat opportunities for bad actors to attack organizations and their assets. In this landscape, legacy security technologies that focus on protecting data by location are no longer effective or adequate.

In the coming years, data volumes will continue to grow, IT architectures will move further away from traditional network-based models, and perimeter breaches will become even more common.

Data-centric security will become critical to protect organizations from evolving cyber threats and sophisticated threat actors. This paradigm emphasizes more robust data security controls, endpoint security, and identity and access management to deliver the following benefits:

More Reliable Data Protection

Every time a new data file is created or an existing file is modified, the data-centric security system automatically scans it to determine whether the file contains sensitive data. If the file does, the security system automatically applies the appropriate policy-based protection.

End-users are not involved in the process, minimizing the potential for error while maximizing data protection.

Access Only for Authorized Users

In data-centric security, a zero-trust approach is preferred. Based on the principle of least privilege, only authorized users can access protected data, which keeps unauthorized users out and reduces the possibility of a data breach.

Strong Cyber-resiliency

A data-centered architecture empowers organizations to better prepare for, respond to, and recover from cyber threats.

In the post-pandemic world, where organizations experience more frequent and more serious cyber threats, they need a way to remove data silos and continually protect their data, even if other networks and device protections fail.

Data-centric security provides such a method. Organizations can also build “crisis shock absorbers” to maintain business continuity and assure disaster recovery.

Such cyber-resilience enables businesses to reduce risk, protect revenues, and accelerate digital transformation to boost enterprise competitiveness and growth.

Key Components of a Data-Centric Security Architecture

In general, successful implementations of data-centric security consists of these components:

Policy-Based Protection

Data-centric security leverages policies to protect all kinds of data automatically from unauthorized users and threat actors, to prevent data breaches, and to assure that security awareness is embedded throughout the organization.

Centralized Management and Agents

Centralized management is critical to assure consistent and reliable data protection. It ensures that all data is protected according to security policies and remains available to authorized users whenever required.

It also enables the organization to retain complete control over data throughout the data lifecycle, from the moment a file or database record is created.

Agents installed on the IT assets monitor file activity, communicate with the management console to receive policy updates, and provide data for logging and monitoring.

Gapless Protection

When data moves among platforms, devices, or networks, it gets decrypted and is often stripped of protection.

Network- and device-centric security strategies cannot help in such cases, leaving gaps that increase the risk of exploitation by hackers and malicious insiders. Data-centric security eliminates such security gaps.

It offers continuous protection and cross-platform operability to protect sensitive data wherever it’s stored and shared.

Data Discovery and Automation

Automated workflows are vital to data-centric security, allowing employees to do their jobs seamlessly without jeopardizing the organization’s data.

Automation continuously monitors file activity and assures that all security policies are applied in real-time across the enterprise data ecosystem without delays or gaps.

Integration

The best data-centric security solutions integrate with other elements of the organization’s IT infrastructure, including ERP systems, proprietary applications, and productivity tools, to manage and secure all sensitive data appropriately.

Auditing and Reporting

To detect emerging threats and assure compliance with regulatory mandates, auditing and reporting are essential. All data-related activities are logged and reported, adding a layer of security and control.

Usually, the management console provides detailed reports about the location of sensitive data and who can access it.

How ZenGRC Helps Businesses with Data Security

A data-centric model improves enterprise-wide visibility into given applications, tools, and devices. It also consistently and automatically protects sensitive data, minimizing the probability of a data breach and its associated financial, regulatory, and reputational burdens.

To do all this, a robust data-centric security platform like ZenGRC is business-critical.

ZenGRC simplifies security, compliance, audit, risk, governance, and policy management through a single, comprehensive platform.

It reveals risks to information systems across the enterprise, shows where risk is changing, and provides the tools necessary to quickly address critical threats to data, no matter where it resides.

With ZenGRC, your organization can effectively protect its data from internal and external threats and meet all compliance goals.

Contact Reciprocity to learn more about the ZenGRC platform.