@ISACA Volume 5, 6 March 2019

Determining Emerging Risk

By Jack Freund, Ph.D., CISA, CRISC, CISM

Determining what is an emerging risk can be a very difficult prospect for organizations trying to get ahead of bad things that may be coming their way. The definition of “emerging” does little to help us in this regard, stating simply that something is “becoming apparent, obvious.” What is undefined is when a risk becomes apparent or even what it means to have something (specific to cybersecurity) become clearly visible enough to call it obvious. It is also somewhat contradictory to define emerging risk as becoming obvious when obviousness has (or should have) a binary state.

Looking instead to other published lists of emerging risk does little to define the practice of creating and managing emerging risk. Such lists far too often show blatantly obvious things or, more often, reflect things in the zeitgeist. Even our closest neighbor to cyberrisk—operational risk—produces these lists without much substance. One large operational risk consortium’s January 2019 emerging risk list was published alongside a list of top risks compiled from survey responses (another popular way to compile such lists). Their current top 5 risk factors were: information security (including cybersecurity), conduct, fraud, transaction processing, and technology. Interested in what they called emerging? The list includes: digital disruption and disintermediation, information security (including cybersecurity), geopolitical and macroeconomic, regulatory compliance, and third party.

I included the full lists here because, categorically, one could argue that cybersecurity is responsible for much of these areas. While we could debate the relevance of all the items on this list, of particular interest is how one could list information security as both a top risk and an emerging risk. Clearly, we are an industry struggling to provide prioritization in ways that we do not yet understand fully.

All risk analysis has a prospective quality to it; we are never talking about incidents currently under management. Our risk analyses are always about the future state and priority making that needs to occur to ameliorate bad outcomes. Emerging risk analysis requires that we push ourselves out further than that. It does necessitate that we adopt precepts of “future studies” or “futurology” to create the best risk products for our organizations. This type of approach has a clear creative flair; it requires imagining things that have not yet come to pass. Sure, one could list blockchain as an “emerging risk,” but a futurist will predict the fall of public accounting. How you apply this in your organization is to find a place somewhere between the absurdity of science fiction and the foolishness of telling everyone what is already here is “the future.”

Instead, building a good emerging risk product requires a focus on a couple of key components. The first is a solid view of timeline. This means that you must clearly identify when this risk will come into play. This should be more than 1 year out at a minimum; anything less is more of a tactical concern. As always, since we are talking about the future, ranges are necessary for accurately representing timelines and the inherent uncertainty therein.

The second is a clear definition of what an instantiation of an emerged risk looks like. For instance, a popular emerging risk right now is cyberwarfare. Precise definitions of cyberwarfare are varied; however, international law requires some kinetic action to constitute “warfare.” Under this definition, only a small handful of historical events even come close. (Most of what the popular press refers to as cyberwarfare is really espionage or just plain criminal behavior.) Regardless, you may find it helpful to craft a specific definition for your organization. For example, cyberwarfare may be on your emerging risk list, but only as it pertains to the healthcare industry. Such narrowing of the scope allows you to define specific indicators that enable you to monitor the landscape for this emerging risk.

Speaking of which, it is important to maintain good key risk indicators (KRIs) for emerging risk. They should be tailored to the definition outlined using the previous guidelines for your organization and specific enough for you to trigger some follow-up activity. It is important to expect these KRIs to show little to no change for quite some time, as they are measures of events that may ultimately never come to pass. The organization should not panic if a particular emerging KRI is 0 for months or years at a time.

The last component of a good emerging risk product is to clearly articulate what happens when a risk entry comes to pass. If that cyberwarfare event does target your industry and it is very much a current event, what do you expect the organization to do? This has both a strategic and an administrative element to it. There should be some risk response planning that happens so that the control environment is suitable to withstand this new attack. Further, there needs to be some formal retirement of the entry in the emerging risk list, and it should find a new home somewhere else, such as the organizational risk register, for proper adjudication and treatment. Alternatively, if it is determined that an emerging risk can no longer happen, the risk can be retired and removed without a corresponding new risk entry in the register.

Overall, this process and the emerging risk documentation should be reviewed at regular intervals and at least once annually. Following these guidelines will help ensure that the emerging risk product you create is not a duplicate of your existing risk register and helps focus your organization's perspective out into the future.

Jack Freund, Ph.D., CISA, CRISC, CISM, is director, cyberrisk management for TIAA, member of the Certified in Risk and Information Systems Control (CRISC) Certification Working Group, coauthor of Measuring and Managing Information Risk, 2016 inductee into the Cybersecurity Canon, IAPP Fellow of Information Privacy, and ISACA’s 2018 John W. Lainhart IV Common Body of Knowledge Award recipient.


Do You Know Your DNS Security Risk?


If your enterprise has a Domain Name System (DNS) infrastructure, its security should be assessed. Ponemon Institute’s DNS Security Risk survey helps illustrate a global perspective of enterprise security in terms of malware and data exfiltration that uses DNS.

To help determine your organization’s visibility into the security of its DNS infrastructure, ISACA and Infoblox present the “What’s Your DNS Security Risk? Insights From Recent Ponemon Survey” webinar. In it, the use of threat intelligence, the effectiveness of threat intelligence and the efficiency of security operations will be reviewed. This webinar takes place on 12 March at 11AM CDT (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.

Chintan Udeshi, product marketing manager at Infoblox, has more than 5 years of experience in the tech industry, including tenures at Apple, Symantec and Cisco, working primarily on cloud and security products. He is responsible for bringing Infoblox security products and solutions to market. Udeshi will use his experience managing security products to help ensure that you know how to best assess your enterprise’s DNS infrastructure.

To learn more about this webinar or to register for it, visit the What’s Your DNS Security Risk? Insights From Recent Ponemon Survey page of the ISACA website.


Auditing CASBs



Cloud computing continues to rise in popularity due to its ability to cut costs, downsize data centers, personalize service coverage from cloud service providers (CSPs) and provision faster. Despite all these positives, it can be challenging to configure security correctly and manage identity and access. Cloud Access Security Brokers (CASBs) can help enterprises implement these considerations. As such, ISACA has released the Cloud Access Security Broker (CASB) Audit Program to help your enterprise audit its cloud computing implementation, and it includes instructions on how to audit:

  • General administration—Service level agreements (SLAs), audit reporting and compliance
  • Identity and access management—User management, privileged access and data access
  • Configuration—Deployment (gateway, log collection and inline)
  • Security—Vulnerability management, asset protection and physical security (data center)
  • Program management—Change management and data loss prevention (DLP)

Conducting a formal assessment of the enterprise’s cloud technology and CASBs allows auditors to assess the management practices of CSP vendors while also ensuring the safe implementation of the enterprise’s cloud computing solution.

To download this audit program, visit the Cloud Access Security Broker (CASB) Audit Program page of the ISACA website.


Understand the Future of Data Protection and Privacy by Attending Virtual Summit


Participate in dynamic discussions with fellow IS/IT professionals around critical issues affecting your data protection and stakeholder privacy in a free, half-day virtual summit. ISACA virtual summits give you access to live presentations and opportunities to connect with peers around the world. In the Virtual Summit—The Future of Data Protection and Privacy, you will learn to improve your organization’s risk, control and data protection strategy, and hear a panel discuss data protection and EU General Data Protection Regulation (GDPR) implementation.

ISACA, ACL, Netwrix and OneTrust will present the Virtual Summit—The Future of Data Protection and Privacy. The event takes place on 21 March at 9AM CDT (UTC -5 hours), and ISACA members can earn up to 4 free Continuing Professional Education (CPE) credit hours by attending the summit.

To learn more about this event or to register for it, visit the Virtual Summit—The Future of Data Protection and Privacy page of the ISACA website.


Using Technology and Your ISACA Member Advantage



Today, supercomputers are generating advanced algorithms and big data tools to provide intelligent vertical solutions for a wide range of industries. The developments provide significant improvements in demand-forecasting accuracy, improve the speed and accuracy of medical devices such as computerized tomography (CT) scans, and improve efficiency in everything from jet engine repairs to retail inventories.

New technologies, such as those that supercomputers are utilizing today, are accessible at a discount to ISACA members through the ISACA Member Advantage program. This program gives ISACA members access to special offers and programs through discount partners. Right now, ISACA members can instantly save on Lenovo products with their ISACA membership. Visit the Lenovo Official Affinity Site to use this member benefit. Other partners currently include HotelStorm, Vegas.com, GE Appliances, PrivacyArmor, Office Depot, OfficeMax, UPS, Hertz, Avis, Budget, Wyndham, TNT Vacations, CruisesOnly and Collette Guided Tours.

For more information on other discounts available to ISACA members, visit the ISACA Member Advantage page of the ISACA website.