Risk managers at FTSE-listed companies discuss some of the biggest challenges and solutions to managing the threats
More and more of the world’s businesses use some form of cloud service to store at least part of their data. This relatively new technological phenomenon, the highly efficient cloud service, raises many challenges for risk managers.
In a roundtable discussion held under the Chatham House Rule at a recent SR100LIVE event, board engagement, employee education, supply chain issues and establishing a good relationship with IT departments were identified as the main barriers. But the key challenge seems to be overcoming a knowledge gap, with risk managers expressing differing views: although some said information security was their top risk, others admitted to having little understanding of the cloud and its risks.
“I ask younger team members to look at the cloud and its threats because they seem to be able to get their heads around it a bit more. I’m the first to admit, it’s a risk I’m really not comfortable with.”
Another participant said: “This is an area I don’t understand, I can’t get my head around it,” adding that his company’s systems are “dated” and that the cloud is viewed only as a business continuity solution.
One risk manager even admitted that “there is no cloud use in our organisation because it is forbidden”, raising eyebrows from some of the other attendees.
A general concern was that cloud computing risk is not always assessed and quantified. “We don’t have a good handle on the amount of cloud in use, I’m not sure that even IT know,” said one participant, noting that departments operate in silos and make their own decisions on cloud use.
Another risk manager pointed out that the cloud should be treated in a similar way to any computer outsourcing project. “Outsourcing always brings risks, and what is cloud computing but outsourcing?” he said.
The conversation quickly turned to how the risk function could better engage the board to secure the support needed to help them understand and manage cloud-related risks. Unfortunately it often takes a major data breach such as those suffered by Ashley Madison and TalkTalk to get the attention of a disengaged board.
The table considered whether it would be beneficial to make public or discuss openly any small breach that has affected their companies. Although these incidents may not be reported to the police or picked up by the media, it may help boards to better comprehend the frequency of such incidents and improve board engagement.
As one risk manager put it, “one major breach could be catastrophic”, and that is the message that needs to get to the board.
The risk manager added: “If I could change the word ‘risk’ to ‘protection’ I’d probably have more success at getting attention.”
Employee education
Employees also need to be educated on the importance of data protection, the table agreed. Many employees are unaware of what data their company holds, yet research has shown that at most FTSE-listed companies, employees collectively use approximately 1,000 cloud services. “Of course there are questions about what [companies] might be storing in those services.”
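The participants’ complaint that nobody, not even IT, knows how many cloud services are in use is a measurement problem before it is a policy one. As an added illustration, not part of the article and not something any participant described using, the following Python script tallies which cloud services appear in web-proxy logs, broken down by department, and flags the ones that are not on a sanctioned list. The log format, the service catalogue, the sanctioned list and all the log lines are constructed for the example.

```python
"""Added example: an inventory of cloud services actually in use, built
from web-proxy logs. Everything below (log format, hosts, departments,
sanctioned list) is constructed for illustration."""
from collections import defaultdict
import re

# Constructed proxy log lines: timestamp, user, department, destination host.
SAMPLE_LOG = """\
2016-03-01T09:02:11 alice finance sharepoint.example-corp.com
2016-03-01T09:03:45 alice finance dropbox.com
2016-03-01T09:05:02 bob marketing docs.google.com
2016-03-01T09:05:40 bob marketing mailchimp.com
2016-03-01T09:07:13 carol finance dropbox.com
2016-03-01T09:09:58 dave engineering github.com
2016-03-01T09:10:21 dave engineering pastebin.com
2016-03-01T09:12:30 erin hr workday.com
2016-03-01T09:14:02 erin hr wetransfer.com
2016-03-01T09:15:48 bob marketing intranet.example-corp.com
"""

# Constructed catalogue of hosts recognised as cloud/SaaS services.
# A real deployment would draw this from a maintained list rather than
# hard-code it.
CLOUD_SERVICES = {
    "dropbox.com": "file sharing",
    "docs.google.com": "document collaboration",
    "mailchimp.com": "marketing",
    "github.com": "source hosting",
    "pastebin.com": "text sharing",
    "workday.com": "HR",
    "wetransfer.com": "file sharing",
}

# Constructed list of services the company has formally approved.
SANCTIONED = {"docs.google.com", "github.com", "workday.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield one record per well-formed log line; skip anything malformed."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, dept, host = m.groups()
        yield {"ts": ts, "user": user, "dept": dept, "host": host}


def cloud_inventory(log_text):
    """Return {department: {service host: set of users}} for catalogued hosts."""
    inventory = defaultdict(lambda: defaultdict(set))
    for rec in parse_log(log_text):
        if rec["host"] in CLOUD_SERVICES:
            inventory[rec["dept"]][rec["host"]].add(rec["user"])
    return inventory


def unsanctioned_services(inventory):
    """Map each service in use but not on the sanctioned list to the
    departments using it; this is the 'shadow cloud' a risk manager
    would want to see before deciding what to do about it."""
    out = defaultdict(set)
    for dept, services in inventory.items():
        for host in services:
            if host not in SANCTIONED:
                out[host].add(dept)
    return dict(out)


def summarise(log_text):
    """Plain-dict summary suitable for a risk report."""
    inv = cloud_inventory(log_text)
    return {
        "services_in_use": sorted({h for s in inv.values() for h in s}),
        "by_department": {d: sorted(s) for d, s in inv.items()},
        "unsanctioned": {h: sorted(d) for h, d in unsanctioned_services(inv).items()},
    }


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    print("Cloud services seen:", len(summary["services_in_use"]))
    for dept, services in sorted(summary["by_department"].items()):
        print(f"  {dept}: {', '.join(services)}")
    print("Not on the sanctioned list:")
    for host, depts in sorted(summary["unsanctioned"].items()):
        print(f"  {host} ({CLOUD_SERVICES[host]}): {', '.join(depts)}")
```

The point of the split between `cloud_inventory` and `unsanctioned_services` is that the first answers the factual question the participants could not (“how much cloud is in use, and by whom?”), while the second turns it into the list a risk manager can take to the board or to IT. Counting distinct services in this way is also how the “roughly 1,000 cloud services per company” figure cited above is typically produced.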
“You’re only as strong as your weakest link”, one risk professional said, “and with many employees bringing their own devices, there is an awful lot of information they could be sitting on that could potentially get hacked. They may have emailed a lot of data to themselves, for instance, because they cannot print at home from their work laptop.”
Another participant suggested that asking employees to view their company’s data as their own personal data may encourage staff to think about the minimum safeguards needed.
Supply chain risks
Companies should also consider what systems and data protections their subcontractors have in place and with which companies they share their data. “I’m not confident about how secure our subcontractor’s systems are. That’s a concern that I need to address going forward. To do that, I would have to map out all suppliers, but there is some reluctance in mapping it all out because it’s time consuming,” said one risk professional.
Not all data is truly confidential, and data should be treated differently depending on its sensitivity. There was discussion about how to classify data – but doing so accurately may require a lot of admin resource.
Many firms have gone down the route of outsourcing data storage but are not fully aware of how much data is on the cloud. Putting together the jigsaw is a difficult task, especially when it involves contractors that are no longer being used.
“Companies don’t always know where that supply chain of cloud technology ends,” one participant noted. “And when you don’t know where it ends, how can you possibly map out all the risks?”
Close collaboration
To mitigate and manage some of these risks, risk managers will need to work closely with their IT department. However, participants highlighted that most IT managers do not like to report bad news, and they tend not to work with risk managers. It is up to the risk manager to break that silo, said one risk professional.
Collaboration with the IT department will enable better understanding of cloud-related risks, but this could be further improved by harmonising procedures. As one risk manager said: “If we harmonised risk assessments that’d be a major stride forward. This means we will at least be looking through the same lens.”
The risk manager added that they have recently bought a risk management information system that uses metrics familiar to the IT department. As a result, the company has seen several benefits.
Cloud uptake is projected to grow over the next few years, and risk managers will have to get their heads around the technology and its potential risks. But, worryingly, 98% of university leavers educated in data analytics get swallowed up by Google and other Silicon Valley tech firms, one participant said.
So the next big challenge for the risk industry will be a potential lack of talent to help address the issues.