The Cipher Brief's Private Sector column focuses on national security thought leadership in the private sector.
Andrew Razumovsky is Principal of CANDA Solutions, providing Risk Management, Enterprise Security, Cloud and Agile services to Fortune 1000 companies and Government agencies.
OPINION — Many in our society today recognize the threat to national security from cyber intrusion and intellectual property theft. Foreign adversaries constantly exploit US know-how and supply chains to target the latest innovative technologies, systems, infrastructure, equipment and information used every day by government, corporations and individual citizens. Countering this will require significant determination from security professionals and executives to build a process that encompasses the planning and management of all tactical and strategic activities involved in assessing operational, IT, cyber, supply chain and other risks.
On September 17, 2020, FBI Director Christopher Wray described China's unmatched success in stealing American intellectual property as "the greatest transfer of wealth in the history of the world." The National Counterintelligence Strategy (February 2020) lists among its strategic objectives protecting the national security infrastructure, reducing threats to key US supply chains, countering the exploitation of the US economy, and countering foreign intelligence cyber and technology operations. Similarly, the National Strategy for Critical and Emerging Technologies, released in October 2020, rests on two fundamental pillars: promoting the National Security Innovation Base and protecting technology advantage.
The Defense Industrial Base (DIB), working in close partnership with government agencies, should act now to change reactive risk management practices into proactive ones. In most cases, the best solution is a centrally run risk management function that breaks down silos and represents all business units in reporting the relevant, prioritized risks. This approach removes duplicated effort and moves integrated risk onto the strategic organizational agenda.
One viable option is an Integrated Risk Management (IRM) function focused on enterprise-wide risk visibility. According to Gartner, risk quantification and analysis, together with operational and business-model resilience, should be a first priority for the C-suite and boards. Unlike many expensive GRC (Governance, Risk and Compliance) tools on the market, IRM is generally not centered on compliance. Its main goals are performance, assurance and resilience, achieved through the capability to facilitate, centralize and simplify risk management across the different, typically siloed parts of an enterprise.
Achieving a holistic, truly enterprise-wide risk view requires an integrated and collaborative approach. Many enterprises will have to build and evolve practices and processes that support a risk-aware culture and enable technologies that improve strategic and operational decision making and performance. This integrated picture of how well an organization manages its unique set of risks might be accomplished with a "top-down" approach that links strategic efforts to the organization's risk profile. Others might favor a "bottom-up" method, focusing primarily on individual lines of business. IRM success depends on an integrated view, built through threat and risk information sharing on a solid foundation of framework, metrics and systems that connect business functions and units and resolve complex interdependencies.
Risk owners ultimately bear responsibility for risk level assessments: weighing business consequences, focusing on the most impactful risks, and defining and implementing risk response and mitigation plans that bring risks within acceptable tolerance. A hybrid top-down and bottom-up approach brings the best of both worlds, achieving consistency and comprehensive coverage while embedding accountability and leveraging the expertise of the people in the organization closest to the risks.
One recently established methodology for enterprise-wide risk is based on the security convergence model, which brings all core business functions (security, including personnel, cyber and physical; IT; human resources; legal; and acquisitions) together to break down stove-piped systems. It allows enterprise risk to be understood in a single way, covering complexity, dependencies, impacts and mitigations in one holistic, contextual, risk-centric view. Supported by AI (artificial intelligence) and risk orchestration capabilities, this approach produces a risk mosaic that different parts of the organization evaluate to enable meaningful risk assessment, mitigation and enforcement. Risk mitigation should always be based on one of the standard responses: reduction, avoidance, transfer or acceptance.
Lastly, this approach must account for high-visibility, low-probability events without compromising its comprehensiveness. Organizations investing in Intelligent Automation (IA), defined as the improvement of operations and business processes combined with integrated AI capabilities, will come out ahead, with results driven by consistent quality, scalability, resilience and business agility. Key challenges that must be considered are privacy, change management, increased compliance requirements and distributed teams. With limited budgets and resources, one sustainable and relatively low-cost solution is to embrace a holistic view of dispersed systems, steered by data-driven decision making based on automation, AI, transformed and standardized business processes, a mostly remote and digital workforce, and metrics and reporting.
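To make the hybrid top-down and bottom-up model and the four risk responses concrete, here is an added Python example (editorial illustration, not code from the column or from CANDA Solutions) of a minimal integrated risk register: business units submit quantified risks bottom-up, each with an accountable owner and one of the four treatments named above, and the roll-up compares residual annualized exposure against top-down tolerances set for each unit and for the enterprise. All unit names, dollar figures, likelihoods and thresholds are constructed for illustration.

```python
"""Illustrative integrated risk register roll-up.

Constructed example: every unit, owner, figure and tolerance below is invented
for illustration and does not come from any real organization.
"""
from collections import defaultdict
from dataclasses import dataclass

TREATMENTS = {"reduce", "avoid", "transfer", "accept"}


@dataclass
class Risk:
    rid: str
    unit: str            # business unit that owns the risk (bottom-up input)
    owner: str           # accountable risk owner
    description: str
    likelihood: float    # expected occurrences per year
    impact: float        # loss per occurrence, in dollars
    treatment: str = "accept"
    # Fraction of inherent exposure the treatment removes:
    #   reduce   -> control effectiveness (0..1)
    #   transfer -> share covered by insurance or contract (0..1)
    #   avoid    -> 1.0 (the activity is stopped)
    #   accept   -> 0.0 (exposure retained, owner signs off)
    effectiveness: float = 0.0

    def __post_init__(self):
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.rid}: unknown treatment {self.treatment!r}")
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError(f"{self.rid}: effectiveness must be in [0, 1]")
        if self.treatment == "avoid":
            self.effectiveness = 1.0
        elif self.treatment == "accept":
            self.effectiveness = 0.0

    @property
    def inherent_ale(self) -> float:
        """Annualized loss expectancy before any treatment."""
        return self.likelihood * self.impact

    @property
    def residual_ale(self) -> float:
        """Annualized loss expectancy after the chosen treatment."""
        return self.inherent_ale * (1.0 - self.effectiveness)


def roll_up(risks):
    """Aggregate residual exposure per unit and for the whole enterprise."""
    by_unit = defaultdict(float)
    for r in risks:
        by_unit[r.unit] += r.residual_ale
    return dict(by_unit), sum(by_unit.values())


def exceptions(risks, unit_tolerance, enterprise_tolerance):
    """Units over their top-down tolerance, and whether the enterprise is over."""
    by_unit, total = roll_up(risks)
    over = {u: ale for u, ale in by_unit.items() if ale > unit_tolerance.get(u, 0.0)}
    return over, total > enterprise_tolerance


def prioritized(risks):
    """Largest residual exposure first; ties broken by id for stable output."""
    return sorted(risks, key=lambda r: (-r.residual_ale, r.rid))


# Constructed sample register, as submitted bottom-up by four units.
SAMPLE_REGISTER = [
    Risk("R1", "Engineering", "VP Eng", "IP exfiltration via compromised build pipeline",
         likelihood=0.5, impact=4_000_000, treatment="reduce", effectiveness=0.6),
    Risk("R2", "Procurement", "CPO", "Counterfeit component enters supply chain",
         likelihood=0.2, impact=1_500_000, treatment="transfer", effectiveness=0.5),
    Risk("R3", "HR", "CHRO", "Insider with unreported foreign contact",
         likelihood=0.1, impact=2_000_000, treatment="accept"),
    Risk("R4", "Facilities", "Site Lead", "Unescorted visitor access to lab",
         likelihood=2.0, impact=50_000, treatment="avoid"),
    Risk("R5", "Engineering", "VP Eng", "Unpatched legacy test rig on the network",
         likelihood=1.0, impact=300_000, treatment="reduce", effectiveness=0.9),
]

# Constructed top-down tolerances (annual residual loss, dollars).
UNIT_TOLERANCE = {"Engineering": 500_000, "Procurement": 200_000,
                  "HR": 250_000, "Facilities": 50_000}
ENTERPRISE_TOLERANCE = 1_000_000


if __name__ == "__main__":
    by_unit, total = roll_up(SAMPLE_REGISTER)
    over, enterprise_over = exceptions(SAMPLE_REGISTER, UNIT_TOLERANCE, ENTERPRISE_TOLERANCE)
    for u, ale in sorted(by_unit.items()):
        print(f"{u:12s} residual ${ale:>12,.0f}  {'OVER' if u in over else 'ok'}")
    print(f"enterprise   residual ${total:>12,.0f}  {'OVER' if enterprise_over else 'ok'}")
    for r in prioritized(SAMPLE_REGISTER):
        print(f"{r.rid} {r.unit:12s} {r.owner:10s} {r.treatment:8s} ${r.residual_ale:>10,.0f}")
```

In this constructed register the Engineering unit and the enterprise both exceed tolerance, so the report hands the owner of R1 a concrete target: the residual exposure must fall by roughly a third before the unit is back inside its threshold. Likelihood and impact here are point estimates; a real IRM program would replace them with ranges or distributions, but the roll-up and tolerance check work the same way.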