Organizations are not investing enough in managing digital risk: Atul Gupta, KPMG

Digital risk v/s Cyber risk: Atul Gupta, Partner & Head of IT Advisory and Cybersecurity Leader at KPMG explains the differences between digital risk & cyber risk and why the enterprise needs to invest more in managing digital risk.


Focus on cybersecurity has become the responsibility of every business unit in an organization – right up to the CEO. There's no slowing down from here on, and this will only intensify in the years to come.

While the C-suite and the board have woken up to the criticality of managing cyber risks, they fall woefully short when it comes to dealing with digital risks. A recent KPMG survey revealed that the vast majority of organizations are spending only a small fraction of their digital transformation budgets on managing digital risk – less than three percent, according to most respondents.


The Digital Risk Landscape - KPMG

To get a thorough understanding of how digital risk differs from cyber risk and what makes it critical in the modern enterprise, CSO India spoke with Atul Gupta, Partner & Head of IT Advisory and Cybersecurity Leader at KPMG.

Gupta brought to light the significance of managing digital risk and how shadow IT makes the situation graver than it already is; the need for CISOs to adopt a different stance; and the rising sense of cyber-certainty among CEOs.

Edited excerpts:

One stat that stands out in KPMG’s report is that 89 percent of respondents believed that less than three percent of the digital transformation budget is allocated to managing digital risks. Should we be worried about this finding?

Our survey revealed that the industry is not spending enough on either of these - neither time nor money. Maybe they are still focusing on cyber risk – and cyber risk has made it to the agenda of the board and the C-suite.

If digital risk is not managed well, I think it will be a catch-up game of significant difficulty for organizations. And that's why we wanted organizations to start questioning whether they had the right skills on board to help manage digital risks.

Now it's important to note that it's not the same as cyber risk. Cyber risk is just one of the components of digital risk. Digital risk talks about having a broader level of trust – it brings in more transparency.

Atul, since you brought up the issue of finding the right skill set, the KPMG report also revealed that the lack of skill set ranks among the top three reasons for high digital risk. Also, could you throw some light on the other two top-ranking factors: organizational risks and vulnerable systems?

It is very easy to incorporate digital into an organization today, but it is creating the risk of developing separate technology environments – what we typically call ‘shadow IT’.

Quite often, the technology function does not even get to know about it. It all works very well until the organization is faced with an incident. Organizations sometimes underestimate the associated risks.

CISOs need to be independent and have a more comprehensive view, rather than just a technology risk view. The question that arises now is: Do organizations have the skillset required to assess the digital risks they are faced with? And digital risks are broader when compared to cyber risks.

Coming to skillsets – now that’s a big one! The CISO’s role has been established to manage cyber risks – someone who needs to be independent, having a more comprehensive view and not just a view centered on technology risks.

Now you must remember that digital risk is broader than just cyber risk.

That brings us to the next question: digital risk v/s cyber risk – how do they differ?

There are various comprehensive cybersecurity frameworks being used today; for instance, the NIST cybersecurity framework is now the de facto global standard.

When it comes to digital risks, the questions are becoming much broader, and are not confined to cyber alone. One of the questions being raised is: How can we bring in more transparency and give greater visibility?

Today we are leveraging technologies that can learn on their own and our assumption is that the data is the right sort of business data and has the right data ethics.

How are we giving an assurance that the same technology will not be used in unethical ways? And factors like this are bringing about a huge shift in the way digital risks need to be looked at.

A lot more transparency needs to be brought in, a lot more assurance around how a trusted environment is created.

Our study clearly indicates that at this point in time, a lot of organizations are going through that ‘growth phase’ of digital – which is the adoption of digitalization to gain business benefits, but they are not adequately focused on the investments that need to be made to manage digital risks.

There are fairly comprehensive cybersecurity frameworks in place today – the NIST cybersecurity framework being the de facto global standard. However, do we have frameworks around digital risks at this point in time? Maybe not – not as comprehensive as cybersecurity frameworks.

There used to be a time when there was a significant difference between the maturity levels around cyber risk in the US or Europe compared to what existed in India. But that time-frame has reduced to around 6-9 months at this point in time.

However, a lot of organizations in India are still using the same frameworks which were built around the traditional cyber risk areas.

The silver lining is that CISOs are now aware – 90 percent of them are saying they’ll be focusing more on managing digital risks. There’s a paradox, though – less than 50 percent of the respondents believed that CISOs should be the one dealing with digital risk. This clearly indicates that organizations are not managing risks too well.

Now the report also highlights that the Chief Digital Transformation Officer should be the one responsible for managing digital risks. In your opinion, do you believe digital risks should be left to the CDO or is it a CISO’s prerogative?

Good that you brought that up; that’s the conversation we want to build upon. We’ve seen ‘digital officer’ emerging as a term being discussed all across the C-suite.

If I look at the traditional ‘3 lines of defense’ model, there’s a very clear need to have the C-suite look at someone who can handle digital risk. It’s still at a very theoretical stage, so we may just see the CISO stepping up to look at digital risk in a more holistic manner.

Atul, let’s wrap up on a discussion around “cyber-certainty”. You had stated that you see a rising sense of cyber-certainty among CEOs. Could you throw some light on this, and what explains the increased focus around this factor?

Now we know seeing is believing – the number of cyber incidents has gone through the roof. Everyone is well-connected in the industry and it’s become evident to them that this is not just a theoretical risk but a business risk. And a lot of Indian organizations are getting exposed to that risk.

This is making CEOs realize that the perpetrators are always ahead of the defense mechanisms. The next step organizations need to focus on is putting risk management to practice. This involves deploying better controls or putting offensive, preventive, or deceptive technologies in place.

We might expect challenges around the lack of skills when it actually comes down to mitigating the risks.

P.S.: On a slightly different note, CSO Online also brought up the trend of data localization, and how far that can go in mitigating risk. Gupta minces no words when he says: “Data localization is more of a compliance requirement, but will it help in managing risks in a better manner? No, I think that’s a myth.”

Copyright © 2019 IDG Communications, Inc.
