Monthly Archives: November 2015
You must be logged in to view this document. Click here to login
Technology and the proliferation of data have opened up a realm of new possibilities for business growth and created an immense depth of financial information to report. Audit committees, executive management and shareholders expect their auditors to keep pace with the evolution of technology and be prepared to leverage it so that they can deliver deeper insights based on new capabilities and the increased level of data that is available.
Technology is the factor that will have the greatest impact on the audit profession, according to a Forbes Insights/KPMG survey of 151 financial executives, audit committee chairs and members, academics, audit associates and accounting students.
R.I.S.K. is the next generation chief risk/audit/compliance/IT security officer who is capable of processing billions of bits of data, analyzing behavioral patterns, assess changes in internal controls and tackle cyber risks within seconds of an attack. R.I.S.K. does not command a salary, go on vacation, require a pension or healthcare benefits nor complain about not having enough budget or resources to get their job done.
What is R.I.S.K.? Risk Intelligent Systems Knowledgeware is a concept that I created to describe a collection of informatics applications that are in development today designed to tackle the challenge of tomorrow’s complex risk problems. If you think this is some far-fetched science fiction story about risk management you simply have not done your homework. Let me explain why risk management, as you know it today, will never be the same and is going through a major transformation never before seen.
Intelligence and security informatics (“ISI”) is defined as the development of advanced information technologies, systems, algorithms, and databases for international, national, and homeland security-related applications, through an integrated technological, organizational, and policy-based approach. Academics, military researchers, systems programmers and information security engineers are exploring a range of advanced technologies to address tomorrow’s threats. Disparate teams from around the world are separately; and in collaborative partnership, working on first generation smart systems to redefine how risk management and cyber security will be prosecuted in the very near future. While it is true that much of this research is very early stage it is also true that practical applications are being used today.
What is driving this change? Every organization is impacted by the speed of change and volumes of data generated by regulation and our 24/7 online, on-all-the-time, networked environment. Whether you work in a government agency, small business or global corporate enterprise humans candidly cannot keep up without the assistance of technology. It would be naïve to assume that risk, audit, IT security and compliance professionals have the ability to assess the health of an entire organization by reviewing a fraction of the internal controls and enterprise threats that endlessly flow through every firm.
Risk professionals spend 80% or more of their time focused on high frequency, low impact risks because it is easy to capture yet only creates a false sense of security. The phenomenon is called cognitive overload and creates a distraction from the true risks that threaten organizations. This is the primary reason organizations are “surprised” when a major control failure disrupts business or security professionals fail to keep up with cyber threats. Conventional risk practice is not enough! Unfortunately, risk professionals cling to ineffective risk practice without questioning outcomes or seeking alternatives.
So what are the implications of this transformation in risk management? First of all, it is important to understand that this change has already begun and will speed up rapidly as new technology is brought to bear to address risks. Open source intelligence is increasingly being used in security related applications. Hundreds of cyber security vendor applications have been launched in the last 3-5 years and behavioral defense systems have been deployed to identify patterns of insider threats to proprietary corporate data.
As these systems and their developers learn from their early stage experience more advanced applications will be deployed very rapidly. Artificial intelligence and machine learning are playing a larger role in cybersecurity, which can in theory help companies identify risks and anticipate problems before they occur. The idea is to create software that can adapt and evolve to combat ever-changing attack strategies, or identify patterns of suspicious behavior.
Traditional security mechanisms have leveraged rule, pattern, signature and algorithm-based approaches to detect threats, and that’s a problem, according to Paul Stokes, CIO of the University of Victoria in British Columbia. “These approaches require constant care and feeding to identify and mitigate security threats,” he said. “I think machine learning changes the game.”
The risk professional of the future will be more defined in skill set and come from a diverse set of deep domain expertise beyond audit, legal, operations or generalist oriented backgrounds. Risk engineers will increasingly become a new title bestowed on security professionals able to design or deploy systems with intelligence custom fit to the organization’s risk. The cost of risk, compliance and audit will be streamlined and spread across resources more effectively targeting real threats to the enterprise. These changes were unimaginable a mere 5 years ago but are becoming a reality today.
The question is are you prepared or do you ignore the change until you are replaced by R.I.S.K.?