By Boris Khazin, Global Head of Digital Risk Management Services at EPAM Systems
There’s no doubt that a growing number of challenges have upended the typical business processes. From a global pandemic to regional natural disasters or cybersecurity breaches and the accelerating trend toward remote work opportunities – all have and will continue to impact traditional security methods.
In order to adapt, businesses need to be agile and responsive to these challenges while maintaining the necessary security when working on personally identifiable information (PII), protected health information (PHI), financial information, and other sensitive company information when team members are working remotely or are globally distributed.
DRM Overview
Digital Risk Management (DRM) is a digital-first approach to addressing an organization’s risk management and cybersecurity concerns. Risk management has traditionally been a manual, people-intensive process; it is the last to adopt a digital transformation as other company departments have (i.e., DevOps, and Agile). DRM embraces new technologies for handling traditional risk management using new platforms, such as MetricStream, OneTrust, ServiceNow (GRC) and many others. It utilizes straight-through digital process paths engineered with real-time DRM in place from the board level down to the rest of your staff, with incident detection and alerting.
- Adopting a DRM approach reduces the cost of risk management and the time between risk occurrence and remediation.
- SaaS products are available even despite regional power outages, mirrored and load balanced across multiple servers, multiple backups and provide resilience.
- Integrated DRM can provide intelligent automation (IA) to operational staff inline in business process, amplifying the effect of risk professionals dramatically.
- Risk absorbs cybersecurity as another overlay. DRM also includes organizational planning to reduce the odds of incidents and for resistance response to cybersecurity incidents.
- Risk and responses are easier to visualize through interactive dashboards.
For organizations developing software, it’s recommended to embed Digital Risk Management (DRM) and “compliance as a code” within a Software Development Life Cycle (SDLC) environment. The term “compliance as a code” refers to including risk management, compliance, and in some cases, governance within the entire SDLC. The goal is for DRM to become an active and transparent stakeholder and participant within your SDLC lifecycle. You make risk a part of the development process, from planning to development and testing quality before its release to market.
To accomplish this, DRM embeds staff within development’s Agile/DevOps processes. Build DRM mitigation and occurrence process right into new initiatives from the beginning. DRM is a part of system requirements review, design, and sprint planning includes a DRM stakeholder. This enables organizations to develop software with anticipation of and relevant mitigation of risks throughout its life cycle.
- Assessment of risk becomes an integral part of the SDLC process. This encompasses internal risks for developing the project, anticipating outside threats (i.e., data privacy, cybersecurity), required compliance with regulatory requirements and internal policy and procedure, and using best security practices. It includes governance as needed.
- It becomes easier to plan for, anticipate and mitigate risks throughout the planning, development, and deployment of software and services.
- It focuses on working agilely, rapidly deploying the product with DRM as a shared responsibility of all of those involved in the planning and development of the product.
What additional staff might you need? First, embed a DRM analyst into key agile processes from backlog grooming to sprint planning to enable DRM concerns to be part of the initial feature planning. Allow the team to ask questions about their requirements to ensure compliance and risk are planned for and tested. For example, how might the development of a new feature impact cybersecurity or comply with personally identifiable information (PII) legal requirements? What design considerations within the code and quality assurance test plans should be developed to ensure a truly secure design with less risk? You embed a DRM quality assurance team member who ensures the product meets all DRM requirements before delivery to market.
Zero Trust
Zero Trust provides extra security precautions for your organization’s IT network. It can help make damage more limited from a cybersecurity incident and your network more resilient to them. It includes the realization that cybersecurity incidents occur, even despite the best precautions (due to zero-day attacks, phishing, etc.), including monitoring incidents and plans for a quick rebound.
Zero Trust reduces organizational risk by requiring explicit verification of anything and everything that requests a resource (IPs, machines, etc.) both inside and outside the network perimeter. It employs techniques including dual-factor authentication, which many of us are familiar with when accessing programs and network resources, despite already having primary authentication into your company’s Virtual Private Network. It takes broad precautions to limit an attacker’s lateral network movement and their desire to escalate to greater permissions to limit potential damage if an exploit occurs. It uses network segmentation to isolate the resources available to corner an attacker into just a small section of your network, assign just-in-time, task-limited permissions to all resource requests and methodically deploys encryption throughout all communications and file storage.
Zero Trust is a guilty-until-proven-innocent concept in cybersecurity. It centers on the premise that organizations should not trust anyone by default, inside or outside their network perimeters, but rather maintain strict access controls and verify everything first. This is based on the recognition that traditional security approaches can only do so much to protect data and the users accessing it, especially considering the reality of frequent cyberattacks and data breaches. In fact, the traditional approach’s inherent trust once someone is authenticated through the gated perimeter is a systematic network weakness exploitable by attackers.
Remote Safely
Remote Safely extends Zero Trust to the chair, ensuring security and accountability. Remote Safely enables your staff to securely work remotely on the type of sensitive information that traditionally necessitated using an on-site, secured, Off-site Development Center (ODC) room within the office. Essentially, an ODC is a secure area of the building with cameras recording, security guards, a ban on personal devices with the use of hardened PCs. It’s essential to maintain confidentiality and trust, and to protect your company around shareholder reports, legal processes, mergers and acquisitions, confidential client information, protected health and personally identifiable information (PII), and working on other, similar sensitive company data.
It uses a combination of hardware and software technologies to enable remote work on sensitive client and corporate data. Remote Safely uses Virtual Desktops, artificial intelligence monitoring of biometrics and detection of camera and phone usage of those in the session. Remote Safely is a collaboration between EPAM and Princeton Identity, a global leader in biometric identity management. This unique offering brings the best technologies and industry practices together to achieve a high-security approach to any remote work environment.
With DRM, if a disaster occurs, then you are not required to go on location or to a second location. The organization is able to work from home. You have zero Trust layering to ensure secure work can continue from home for concurrent work and delivery despite challenges. This includes sensitive company secrets that might otherwise require the use of a secure ODC.
Conclusion
With cybersecurity incidents, regional disasters, and trends pushing for more work-from-home and remote work opportunities, it becomes critical that organizations have the necessary tools in place to enable an agile workforce and protect their sensitive information—from any working location.
With a combination of implementing Digital Risk Management (DRM), Zero Trust, and Remote Safely, companies and organizations will be better prepared for disaster recovery. Digitizing governance, risk, and compliance management processes helps to prepare for disasters and operate effectively during them. These solutions can address these challenges and pain points will change the way you confront risk and mitigate any instances of risks more effectively.
Our best suggestion is to find a technology partner who will work with your organization to help balance the convenience of working with both safety and agility through disasters. This will ensure a higher level of security overall, as well as accountability through Zero Trust methodologies.
Boris Khazin is Global Head of Digital Risk Management/Governance, Risk and Compliance at EPAM Systems, where he is passionate about providing solutions that deliver business value and exist at the intersection of people, processes and systems. Mr. Khazin has more than 20 years of management, consulting and product development experience in the financial services and fintech sectors. During his tenure at EPAM, he has led several GRC, business intelligence, enterprise analytics and organizational capability/maturity assessments to help clients identify, define and prioritize frameworks that guide them toward a desired future state. From this, he has developed a keen understanding of opportunities and challenges that arise when organizations adapt to change. Previously, Mr. Khazin worked at multiple financial firms, including UBS, S&P and Bloomberg. He was also an Investment Oversight Officer at TD Ameritrade. Mr. Khazin has a Bachelor of Science in Behavioral Economics from Pennsylvania State University and an MBA from Pace University.