Are there any other questions from the audience before we go to panel? Yes, please.
Let me,
Mike.
Thanks.
Oh, you're gonna go. Is it twist on this? No.
Yep,
Yep. Not working.
We can repeat the question then.
I'll repeat the question.
So, interesting talk. I was wondering, what's the magic formula for linking IT risk, or information risk, or digital risk, to business risk?
The question is: what's the magic formula for linking IT risk to business risk? Should we open it to the panel?
Well, why don't you answer first? Then we can open it to the panel. The panel has some questions for you as well.
I don't think there's a magic formula, in my experience, but part of the fundamental problem is calling it IT risk, if I may. Because if you call it IT risk, you're already saying it's the IT risk register and it really doesn't affect the business. Yeah.
But all the examples you showed on screen were IT.
Exactly. Which is what I was trying to bring out: that it is actually a business risk rather than just IT risk.
So that's a very good question, because that's the point that I was trying to make. Thank you.
And I think the panelists have some comments up here on that.
We have a mic here on that same issue.
I think if you're looking for a magic formula, I'd say the magic formula is the CISO. That person is supposed to be the most senior person responsible for the security of information, and for channeling up those security risks, be they IT security risks or facility security risks or legal security risks or whatever. It doesn't matter. Translating those into business demands is one of the key roles of the CISO.
One could argue that if the CISO holds a current CSP or a current technical qualification or whatever, they're probably not qualified for the role of CISO. The CISO is half business person and half security person, with very little technology per se.
Are there models that he or she can adopt?
Can you repeat it?
The question was: are there models that we can adopt? I don't believe so.
And if there are, and if somebody can think of one, then fabulous. But the reason I don't think there are is that half the time the CSO reports into the AR, into the CIO, and if you're lucky the CFO, and if you're very lucky the general counsel or something like that. And that's why it's so confusing. It's rare that you would have a COO or a CFO reporting into anywhere else other than the COO or even a board.
And it's only when we stop talking about blinky lights and DLP and, you know, millions of dollars of expenditure to fix the number of servers we have, et cetera. When we stop talking like that, and when we start addressing the business as a business, that the CSO role will get to the position where they can actually be heard more equally at the board.
So the framework that I have adopted at multiple customers is actually by the OGC. It's called the Management of Risk framework, M_o_R. Everyone knows PRINCE2; M_o_R is a brother or sister of PRINCE2, in terms of being founded on the same thing. And that normally works, because it doesn't take a technology approach, it takes a business approach. So if you do want to try one of the frameworks to adopt, it's fairly straightforward to explain, actually.
So why don't we do this? State your comment, and include that in your comments generally.
So if each of the panelists can introduce themselves, starting with you, and then make the statement you're going to make about that issue, and then move to your general statement. What we're going to do is have the panelists just make a few remarks and then open up to questions for general discussion. But I wanted to make sure that we leave enough time for Stefan's presentation at the end. So please make your comment, but then move right into additional points, please.
Okay.
So, well, the magic formula, I would say, is just ordinary common sense, and it starts from the business perspective. You need to have a policy: what, from a business perspective, would you consider to be a major risk? And then you need to address those. So common sense will define where you need to go, I would say. But you want to go from left to right?
You might as well. Do you have the microphone? So please just introduce yourself and then go into the points, please.
So my name is Adriana Norta.
You may hear by the accent that I'm Dutch. I'm coming from the mobile sector. I've been involved with mobile wireless telecommunications for some time, particularly on the operator side, and also in the certification of mobile devices and everything you can connect to the internet. And my background is that I have a PhD in data privacy, which I think, in today's environment, connects everything really nicely: the mobile part, the data privacy part, the certification part, the IoT part.
So it's a very nice way for me to put in a lot of the knowledge I've been able to gain throughout my career at this point in time.
And so, if you could just make any additional remarks that you want to make to start the panel.
Yeah.
So I wanted to come back to the point you made about people as the solution. And I think that is indeed a very important part, because technology doesn't stand on its own. It is influencing people's lives. It is doing things. And if I just look, for example, at data and accessing data, you can of course always focus only on the hacker side. But I think you need to work with everybody who is in your environment to find good solutions for the products and the services you're offering.
If I take a slightly out-of-context example: if I look, for example, at the M2M environment, you will find that many applications are written without thinking about how the application, or the device, will actually interact with the mobile network, which can cause huge problems.
So that's typically an example of where you need to be co-working with everybody in the ecosystem to be able to produce the right product to serve your customers.
And we see this whole environment, we see this need, recurring. I also think we need to put in the personal side, the end user.
If we're talking about more customer-oriented, say normal customer-oriented, types of services, we need to involve them in finding the appropriate solutions. Because many times your customer, the end user, will also be able to help you in identifying the best way to protect your data. Or even take a different approach and start with the end user him- or herself, to define what it is they want to share and what it is you would need to know about them to be able to provide your services.
And we had an example this morning, on Qiy in the identity management section, I think it was. I'm involved with that project. And I think that's a different way of approaching these topics.
Thank you. If you don't mind, I'll hand over to Ravi for a few comments.
Thank you. Hello. So my name's Ravi Bindra. I currently work as the security architect at a Swiss pharma company. My previous role was head of risk management and security at the other Swiss pharma company. What you said, Adriana, about common sense being the cure for most problems, I fully agree.
There's only one problem: common sense is not common. Yeah.
Here, when we talk about using the community to manage risks, or to even address risks, I think if the community means your users, your consumers, your customers, your suppliers, you've lost. They will not help you at all. If you study processes, if you study human behaviors, there's nothing in it for them to help you. That's even on the IT side. That's also on the business side. On the other hand, when you look at IT companies like Microsoft and Oracle, they all have vulnerabilities.
The vulnerabilities are reported in by the people that use the products. That does work, but there's usually a benefit to the people reporting in. If you talk about the community of IT professionals in your organization helping to manage your risk, then that helps address the problem that you highlighted, which is that there is one IT risk manager. What you need to do is to set up a framework where there are people in each department, each group of IT people, each of your units, who are the champions: your Windows admins, one person, and so on, each one of whom is responsible for risk in that area.
Then you have a community. Correct.
And you can tell by the camera, I don't believe in digital.
Okay. My name is Stephan van GSK. I'm from Belgium. I'm CISO for a health insurer, a mutual health insurance company. Some interesting thoughts; some comments later on, as I have a presentation more dedicated towards it. I would say that risk management is an important instrument for reducing risks. It's also an agreed way of doing this, because you need to take into account all your compliance, regulators and so on, but there is room for improvement.
As I call it in my presentation, it's a kind of enhanced risk management. Besides the enterprise risk and information security risk, you can take into account other things: the things you are obliged to do, the business needs. Some changes in your organization provoke, yeah, change. Then that's a way to take that also into account. You have the security community, the competitors, also those kinds of things.
This is enriching the risk management.
Another thought on that is that if you go into your organization and assign people to manage risk, they need to be aware of it. They need to be, yeah, risk managers.
So they need to be coached and to learn. And in the end, sometimes it's about quantifying the risk.
You qualify it: is it below your risk appetite? Then it's okay. If it's above, you need to do something. But for people, if they are not used to handling that kind of risk management, we learned that it's sometimes much easier to work with baselines. And it's much easier to say it's a binary way of doing it. Like antivirus: it should be on every workstation, it should be updated, and so on and so on. There is no point in doing risk management on top of it.
It's a waste of time, even. And I think you can optimize your model by implementing a security baseline with an easy yes or no answer, so that people know what to do. And above that, for the more dynamic way of handling changes, you use risk management.
Thank you.
Thom, do you have some comments?
So my name's Tom Langford. I'm the CISO for Publicis Groupe, following their acquisition of Sapient, my previous company, where I was the director of their global security office. I'd like to go back to the very first point that Amar made, where he actually asked us, you know, do you agree or not agree? And I'll put my hand up and say I don't agree, because I think digital risk, for me, is not a superset of information risk. I think it's the other way round.
I think information risk covers a far broader spectrum. Information risk will cover, as I've said in my previous answer, IT, legal, et cetera. Digital, whatever digital might be: in my industry, digital means digital marketing. So having a chief digital officer is basically having somebody who's in charge of our digital marketing environments. So certainly for me, and perhaps for others, I think it's confusing. That said, I would suggest you use whatever terms work for you and your business and your industry.
Just make sure that when you are communicating to third parties, be they suppliers or clients or whatever, you try and harmonize your terminology a little bit. Everybody uses their terminology slightly differently. Right. And I think it's important that, as long as we understand who we are and what we're doing, and when I talk about an apple you are also talking about that same apple, then that's fine.
But yeah, I certainly don't agree with that first point.
Well, that's one of the issues. And, Stefan, maybe we'll get you up there and start to get you prepared, because I want to make sure we have enough time for the presentation. Okay. But you know, one of the issues that we have in that area, that Thomas is raising, is that issue of ambiguity.
You know, as attorneys, the last two people on the end here were attorneys, on those issues: when you're looking at contracts, when you get back to your office and you look at the contracts, look at your compliance policies, et cetera, if you don't know what the word means, that means other people don't know as well. And so that's absolutely critical, because it doesn't get tested very often until there's a problem. And that's too late in the process; you're adding risk and exacerbating risk on top of risk
by allowing those ambiguities.
It goes back to the point of speaking the same language. British Petroleum, BP, for 10, 15 years now. Now everybody is something digital something. So they don't call it risk; they call it chief digital whatever.
So,
So I think what we're going to do: Stefan's presentation is ideally about half an hour, but we don't have half an hour. So we're going to ask you to go through the presentation, if it works without too much pressure, and try to end it at, like, 25 after. So we have a couple of minutes for additional questions to the panel in light of your presentation. Thank you.