Conceptually, effective risk management is quite simple.
The_Right_Information | Qualified_Decision_Makers >> Effective_Risk_Management_Decisions
Yet, in practice, executing on all of the tasks and sub-tasks implicit in this “simple” formula has given rise to the $28B Enterprise Governance, Risk and Compliance (EGRC) market – a market that shows no sign of contracting and is on track to exceed $64B by 2025 (see 2019 Grand View Research Report).
Knowing what information is “the right information,” getting that information on a timely basis, and doing so at a reasonable cost with a high degree of confidence is hard.
When the information you seek is embedded inside complex development organizations – many of which are not even part of your organization but sit somewhere in your supply chain – it is far more difficult, but not impossible.
Cultivating decision makers that have the expertise to interpret “the right information” in the context of your organization’s risk appetite and tolerance requires an ongoing, sustained organizational commitment.
Adding the specialized technology and development-process expertise required to interpret development and DevOps data (app risk data) in this same light may seem like a bridge too far, but it doesn’t have to be.
“It is impossible to achieve an acceptable level of loss exposure if your visibility into the risk landscape has gaping holes.” Jack Freund and Jack Jones, Measuring and Managing Information Risk: A FAIR Approach. Elsevier Science, Kindle Edition.
A risk landscape is made up of sub-domains including your assets, your threats, the state of your controls, and so on. Without visibility into all of these, you may well be on track to fall prey to the warning from Freund and Jones above.
From an enterprise governance, risk and compliance management perspective, application risk management cannot be categorized as an asset management problem or a threat assessment problem or a control problem – application risk management is all of these (and more).
Applications share a unique development, manufacturing and distribution pipeline that, combined with their ubiquity and importance, stresses every facet of risk management practice and tooling. While this is not a “new fact,” regulations and legislation increasingly include explicit (often prescriptive) application risk management obligations, backed by enforcement and penalties.
In an era where meeting the letter of current law is nowhere near enough to satisfy auditors, regulators, investors, or consumer markets, improving application risk visibility (and management) is being re-prioritized to sit right alongside effective data protection and identity management.
How would you rate your organization’s App Risk Landscape Visibility?