Managing Digital Risk: Mapping the New Distributed Risk Landscapes

Moderator:

As information infrastructure is increasingly shared across jurisdictions and sectors, information risk “clusters” suggest opportunities for identifying “best practices” as candidates for standardization of technology and policy/rules. These clusters are based on the types of information interactions engaged in within various communities, each of which has particular risk and value profiles.  These are the information services and products of the future.

In this section of the 2-day Digital Risk Track, we will explore liability risks for monetary and other damages from direct and indirect risks. Consider attenuation and magnification of risks in
data supply chains – is there a “knowledge” component to liability?

After attending this block of sessions you will be able to

• Define the new role for information security professionals.
• Describe both direct, and indirect as well as local and global risks in relation to a shared information “data chain” and how to reduce those risks.
• Discuss why a risk based approach is best when using the Cloud.
• Describe Cloud audit certification and discuss its role in managing the risk of Cloud services.

Digital Risk Officer & Chief Digital Officer

It Takes a Community to Reduce Risk – Company Leadership and Recruitment of Supply Chains Stakeholders in Risk Mitigation Strategies

To help stakeholders balancing their needs to protect the organization against the needs to run the business - this is the new role IT professionals have to take over in the era of digital business. Moving forward, security people aren´t the "defenders against cyber threats" anymore. They are becoming the facilitators of a balance between the needs to protect and the needs to run a business. In digital Business, we are moving things into the cloud. We are moving things into software-as-a service. We don´t have control of them anymore. A lot of the traditional technologies just don´t apply. So we have to start looking at other things like contract clauses and the new types of controls which come along with the new breed of digital risks.

During this session, we will talk and discuss about the new skills required from IT Leadership.  

Recruiting Customers, Suppliers and Even Competitors to Help Reduce Risk

Various types of shared economic interests and risks create communities of interest where separate organizations work together such as in myriad supply chains worldwide. How can COIs come together in structured settings such as technical and policy standards initiatives, government programs, markets and other regulatory and self regulatory contexts to identify common needs and design, develop and deploy mutually acceptable solutions?

One Step Closer to the Unhackable Enterprise: Applying an Effective Information Security Strategy

The threat landscape became wicked and rougher. Governments are desperately  trying to fight the cyber threats. But their efforts will  never satisfy the needs. As a company, community or individual you remain a vulnerable target.

Applying a layered information security strategy can effectively reduce your risk exposure. Define your drivers and long term security goals; involve your  stakeholders; engage your customers, employees and suppliers; clearly communicate and achieve your targets by implementing the security roadmap are the key steps for becoming a security intelligent company who will be better protected against the next attack.

In this revealing presentation, we will share our experiences about building such an effective security strategy.

Cloud Risk Assessment

Assessing and Mitigating Cloud Risks

The modern reality is that even the most technology conservative companies are thinking to shift some of their valuable assets to the cloud. However, since anyone with a credit card can purchase cloud services with a single click, the governance and control of organisations are frequently being circumvented. This can create various challenges for organisations that wish to adopt the cloud securely and reliably.

This session will lead you through various approaches on how to assess and mitigate risks for onboarding cloud solutions.

Key Takeaways:

1. understanding of information risks related to cloud usage.
2. understanding of the concept of dynamic selection of controls, based on data profile, to mitigate cloud risks.
3. application of the proposed framework in daily practice (e.g. by turning it into a software tool that allows quick and easy control selection for employees responsible)

Dynamic Control Selection Framework for Onboarding Cloud Solutions

This talk will propose a data-driven selection of organisational, technical, contractual and assurance requirements, so secure usage of cloud solutions within the enterprise can be guaranteed. The importance of data oriented control selection will be outlined and key control domains will be introduced.

Dynamic Certification of Cloud Ecosystems

Cloud ecosystems are dynamic and flexible enablers for innovative business models. Some business models, especially for the European cloud market, however, still face challenges in security, privacy, and trust.

A common approach among cloud providers addressing these challenges is proving one's reliability and trustworthyness by audit certificates. Basically, audit certificates are based on national and/or international as well as business and/or governmental compliance rules. The most prominent certifications in cloud computing are the "Open Certification Framework (OCF)" of Cloud Security Alliance, EuroCloud's "Star Audit", and "Certified Cloud Service" provided by TÜV Rheinland as well as more general certifications following ISO 27001, BSI Grundschutz, ENISA, and NIST.

This session will discuss the state of the art of auditing and certifying cloud ecosystems and how current certification catalogues and schemes have to be enhanced to meet future requirements - requirements such as dynamic certification, on-demand-audits, and automatic monitoring and evaluations.

Cloud Risk Assessment – An "Action-Oriented” Approach to Merge Engineering, Economic and Legal Analyses.

When moving to the use of cloud services it is most important to take a risk based approach.  However the process involved is often manual and time consuming; a tool is needed to enable a more rapid and consistent assessment of the risks involved.  This session describes why a risk based approach to the use of cloud services is needed.  It introduces the KuppingerCole Cloud Rapid Risk Assessment Tool developed by KuppingerCole to help organizations assess the risks around their use of cloud services together in a rapid and repeatable manner.

After attending this session you will be able to:

• Describe why a risk based approach is needed.
• Describe the KuppingerCole Cloud Rapid Risk Assessment Tool
• Describe the benefits from the use of this tool.

Think Globally, Act Locally

Understanding and Dealing with Macro-Level Risks that Affect your Institution’s Risk Profile

The phrase "think globally, act locally" was initially invoked as a rallying cry of the environmental movement in an effort to help people connect their individual actions to global challenges, and increase their sense of efficacy to effect change by acting in concert to carry shared narratives of environmental risk mitigation into effect.

The concept of "think globally, act locally" has new meaning in the context of business organization risk from IoT, the cloud and other networked information system functions. The local instances of information functions on which businesses increasingly rely are part of data and identity “supply chains” that are hybrids of technology and policy that are themselves increasingly part of vast global networks where individual businesses often perceive a loss of leverage and control and increased risk. In effect, federated and cloud based data and identity functions are enabling these functions to be outsourced, like shipping, payroll, accounting and other company functions that have previously been outsourced to global networks.

There are myriad publicly and privately led initiatives (and many that are hybrids of public and private efforts), through which stakeholders from multiple organizations can work together to design, develop and deploy shared strategies where hybrids of technology and policy offer local solutions to new information and interaction challenges, increasing the sense of control from the cohesion of organizations acting in concert to carry their shared narratives of interaction risk mitigation into effect.