Rising complexity, higher stakes for enterprise risk management

Oct 18, 2019 | 5 mins
Risk Management, Security

As the pace of business and a shifting threat landscape challenge enterprises, optimizing risk has become a moving target.


Cyber risk has understandably become a focal point for enterprise risk managers, but the risk landscape is multi-layered and extends beyond the realm of cybersecurity. In addition to contending with a daunting array of cyberthreats, enterprises are determining how much risk they are willing to accept in deploying emerging technologies, working through a heightened focus on customer privacy and adjusting to changes in the regulatory environment.

New industry research from ISACA, CMMI Institute and Infosecurity shows that enterprises are struggling to manage and optimize their risk, not only when it comes to confronting cyber risk, but in gathering a firmer handle on the holistic enterprise risk environment. Below is my perspective on three data points from the research that I found to be particularly significant:

The shifting threat landscape is wreaking havoc

Changes and advances in technology and changes in the types of threats were pinpointed by survey respondents as the top two cybersecurity challenges organizations face today, ranking even higher than other response options such as too few security personnel and inadequate security budgets.

This data point reinforces that the unprecedented pace of technological change – and the corresponding domino effect on the threat landscape – is placing a heavy strain on the capabilities of enterprises to effectively and securely leverage these new technologies. Security and enterprise risk programs that were sufficient five years ago – or, in some cases, maybe even five months ago – can be inadequate in holding up to new risks that emerge.

Risk management is about optimizing risk, not removing it from the equation altogether, so these challenges should not preclude enterprises from thoroughly testing and exploring how emerging technologies can be deployed to create efficiencies and spark innovation.

The ISACA study found that while nearly two-thirds of respondents have defined processes for risk identification, only 38 percent feel that those processes are at either the managed or optimized level of the maturity spectrum for risk identification. This points to a high-adoption, low-optimization trend, demonstrating room for improvement in terms of enterprises actually taking action to address risk rather than just setting up the framework.

Security and risk professionals must revisit their processes, pursue the ongoing training and knowledge resources needed to understand how these technologies are reshaping the risk environment, and communicate those risks clearly to enterprise decision-makers who might be tempted to green-light deployments based on market pressures without first conducting the needed level of due diligence.

Cloud was identified as the emerging technology that most increases risk

By an overwhelming margin, cloud is deemed to be the technology that most expands risk (70 percent of respondents say it increases risk, compared to the next highest response option, Internet of Things, which came in at 34 percent).

As the survey report notes, “There is a good reason why the cloud percentage is so high – practitioners are intimately familiar with the challenges of cloud, including compliance and regulatory challenges, data sovereignty, lack of direct operational control over service provider environments, shadow adoption, and numerous other pain points.”

Essentially, cloud-related risk is much more of a known commodity than risk related to more recent, emerging technologies. However, if organizations align their cloud projects to business strategies and provide relevant governance oversight, cloud risk can be appropriately mitigated.

This data point also raises questions about how technologies that are less mature than cloud – such as artificial intelligence and blockchain – will impact enterprise risk as adoption increases and more use cases arise. Each technology brings its own set of risks and potential misuses that will need to be accounted for in enterprises’ risk programs.

Reputational risk should not be overlooked

Respondents identify reputational risk as the second-most critical area of risk facing their organizations today, behind only information/cybersecurity risk. While respondents naturally identify cyber risk as a leading concern, given the volume and increasing sophistication of the current threat landscape, ultimately, reputational risk can have an even longer-term impact on an organization. There are countless examples of enterprises that have become embroiled in a public relations crisis and never fully recovered – or if they do, only after several years of concerted time and expense dedicated to rehabilitating their brand image.

Of course, cyber risk and reputational risk often go hand in hand, given that the fallout from major breaches and other cyber incidents can have a direct and serious impact on an enterprise’s reputation with customers and the general public. But reputational damage can also arise from a variety of other sources, such as fiscal mismanagement, penalties from regulatory compliance oversights and a lack of transparency with customers about how their personal data is being leveraged.

Even greater challenges ahead

The considerations mentioned above are just some of the many topics that enterprise risk leaders will need to work through in the 2020s and beyond. The risk environment will only become more complex in the new decade, as the aforementioned pace of technology-driven change will further accelerate, with the evolving cybersecurity landscape and the rise of AI factoring prominently into that equation. Managing and optimizing risk have long been essential objectives for high-performing enterprises, but the stakes are rising – as is the degree of complexity.


Chris Dimitriadis is an experienced leader and board member and an international authority in cybersecurity, with a proven track record in developing and managing strategy, programs and initiatives. He is an innovative thinker with several international patents to his name, and a proven communicator and consensus builder across borders and cultures.

Chris is Director and Past Chair of the Board of ISACA, an international not-for-profit association with more than 200 chapters, serving more than 160,000 IT, cybersecurity, information security, audit, risk and compliance professionals in 180 countries. He has served ISACA as Chair of the Board for two consecutive terms (2015-2016 and 2016-2017) and as a director of the Board for nine terms (2010-2014 and 2015-present).

Chris is also a Board Member at INTRALOT, a leading gaming solutions supplier and operator active in 42 regulated jurisdictions around the world. Prior to this role he served as Group CEO, Group Chief Services and Delivery Officer, Group Director of Technology Operations and Group Director of Information Security.

He also served as a member of the Permanent Stakeholders Group (PSG) of the European Network and Information Security Agency (ENISA) from 2012 to 2015. Chris has been working in the area of information technology for 20 years; he holds 3 patents and 6 awards and has authored more than 150 publications.

He holds a degree in Electrical and Computer Engineering and a Ph.D. in Information Security.