 Hello and welcome to this episode of the Security Angle. This is our series focused on all things security. I'm Shelly Kramer, Managing Director and Principal Analyst here at theCUBE Research. And I'm joined today by Joe Peterson, Independent Analyst, Brilliant Engineer and a member of our CUBE Collective Community of Analysts. Welcome Joe, always a pleasure to see you. Thanks for having me, nice to be here. Absolutely. So today, we are gonna talk about enterprise risk management trends and things that we're watching in 2024, things that we're seeing shape up and things that we think you might wanna be thinking about. So business continuity, risk mitigation and enterprise risk management processes, they are not sexy terms by any stretch of the imagination. They all work together and they collectively play kind of an outsized role in business success. So before we dig into the trends that we see happening in 2024, let's take kind of a 30,000 foot view of enterprise risk management and what it does. So ERM is a top-down methodology and it looks at risk management strategically from the perspective of the organization as a whole. I have spent a career as a strategist so this makes perfect sense to me. So the goal with ERM is to be able to identify and assess and prepare for potential business losses or dangers and hazards and other potentials for harm that could interfere with an organization's operations and their objectives and of course this can lead to losses. So the way that I look at this strategically it's about being proactive instead of reactive when it comes to, when you're proactive you can look at risk identification, you can look at how we can mitigate potential risks rather than just simply react when something bad happens and something bad is going to happen. I mean, that's pretty much a given today. 
So ERM can deliver some big benefits and just a handful of these are of course, the more awareness that you have about potential risk the more of course prepared you can be. Having doubling down on ERM of course leads to increased stakeholder confidence helps improve decision-making, allows organizations to more efficiently use their resources. You can also, this has a big impact on business continuity and just real quickly when you think about business continuity it's business continuity is when something bad happens whether it's a natural disaster or it's a ransomware attack or something else that is unexpected when it happens. Being able to keep business operations moving think about a global pandemic how we were able to keep businesses moving. So business continuity is a really big deal. And lastly, another benefit of ERM is that it helps you more effectively coordinate your compliance and your regulatory concerns and your systems. And of course that's incredibly important too certainly for anybody operating in a field that requires compliance and regulatory it has regulatory oversight. So lots there and let's get a little bit further into what ERM solutions do? Well, I wanna set the table a little bit because ERM solutions are growing, right? According to GlobeNewswire the digital risk management market size is gonna surge from 10.58 billion at the end of 2023 to 11.89 billion in 24. One year, one year, right? And so it's going up 12.5%. It's a lot. And when you think about that in terms of IT budgets that are remaining flat, well clearly this is an area where the executives and the board wanna spend money. So what we're seeing today is that risk management has never been more important. You've got things going on like the rapid pace of globalization, the pervasive use of digital technology, increasing savviness of threat actors which we always talk about. And it's a perfect storm for risks that keep emerging and changing and morphing. 
Well, and I think that we used to operate in much simpler times, right Joe? I mean, and we're both old enough and experienced enough that we've operated in those simpler times. And you weren't always doing business with people across the world. And everything was analog, not digital. And we didn't really have ransomware that we had to worry about and things like that. So we've seen a big transition in the last handful of decades, of course. And we continue to move at a rapid pace. You know, one of the things I always tell people who are complaining about how quickly technology moves and I say, you know, if you stop and think about, if you're uncomfortable with the rapid pace of change that has happened in the last, say three or four years, buckle up Buttercup because it's going to get more rapid and more change. And there is no reason for that to expect for that to change. You know, so I think that I try to set people's minds on that front when I can. So, you know, the top trends that we're seeing from an enterprise risk management standpoint are pretty simple. We're seeing a rise in risk maturity models. We're seeing ERM and GRC interconnection. We're seeing organizations understand how important it is to take a whole, to get a holistic view of risk throughout the organization. We're seeing persona-based risk modeling, which is pretty cool. And we're seeing, of course, the role that AI is playing in augmenting risk management. So I'm going to tackle one of these on our list. And this is the rise of risk maturity models or RMMs. Organizations are considering models that deploy a framework approach. And they're used as a way to manage risk vulnerabilities across different areas of the business. So the goal of RMM is to serve as kind of a benchmarking and an educational tool for improving ERM practices and communication throughout an organization. 
So when you incorporate elements of existing best practice frameworks and ERM models, the RMM then helps you by categorizing programs into one of five levels of maturity. And again, it's you being able to classify these things. One of it is, is it ad hoc? Is it initial? Is it repeatable? Is it managed? Is it leadership? And when you get to each level of added maturity, each one of these indicates an organization's sort of success in being able to achieve its business objectives and improve performance by utilizing this risk-based methodology. So bottom line, it sounds like a lot of acronyms and a lot of words in there. But the reality of it is if you want to ditch your spreadsheets and automate your vendor risk management program, we don't blame you. And there are a ton of software products in the market that you might want to take a look at as you're evaluating your options. And again, this is just a handful of companies. They include Prevalent and Aravo and BitSight and Coupa and CyberGRX and OneTrust and ProcessUnity and SecurityScorecard. So if you're thinking about how can we employ software solutions that help get our arms around this, this is definitely something that you want to check out. Yeah, for sure. And the second trend that you mentioned was that ERM is interconnected to governance, risk and compliance or GRC. So if you think about it, financial issues were the traditional sort of focal point of ERM, but cybersecurity and then our supply chain, third party relationships, governance, risk and compliance, these things are all sort of folding into the current equation. So the goal is to have this, as you mentioned earlier, this broader understanding of policy, posture, gaps in regulatory compliance, response to incidents, and sort of the automation of audit. So ERM and GRC both have similar elements, but they had tended to serve different purposes. 
ERM has been a holistic approach to risk management while GRC is more focused on regulatory compliance and risk management initiatives and we're starting to see them fold together. Yeah, well, I mean, it kind of makes sense for them to be folded together, doesn't it? I mean, it does to my brain anyway, you know? So, you know, so what you're saying here, of course, is that the goal, I think of everyone, of everyone who's paying attention, is to have an integrated view of the business. And so you want tools that can span the organization that can quickly capture risk indicators and to show how these things are trending. But then, of course, you want your tools to go a step further and you want tools that can not only provide remediation advice and the ability to cross-check accountability for actions is also really important. So beyond that, organizations want the ability to access and view real-time reporting to assist with management decisions. Okay, I mean, we encounter this all the time. We encounter this whether we're talking about any kind of observability, visibility throughout an organization, when it comes to risk in general, you can't mitigate what you can't see, okay? And that is, I think that every person, certainly in the security sector, is nodding their heads about now, right? Because you can't, and that's really why when you have technology solutions that allow that real-time visibility and real-time access, that is table stakes today. And so if that's not something that you have within your organization, I wholeheartedly recommend that you really look at how you can integrate that into your operations. Because again, you don't know what you don't know and you can't mitigate what you can't see. And just to touch real quickly on some of the software functionality that's available in Enterprise Risk Management Solutions, there are very rich reporting capabilities and you can immediately see how your organization stands from a risk standpoint. 
And you'll have custom analytics that you can use and you can break down reports to show what you care about. And then you can use that data to build the right reports and the right dashboards. And so again, going back to dashboards and visibility, CISOs and board members and senior executives can all quickly understand the risk posture of an organization by looking at a single pane of glass. Isn't that kind of how you run a company these days? I kind of think it is. Rather than saying, hey, Joe, what does that latest report show? And you having to thumb through things and everything else, single pane of glass right here. And I think that that's really, that's rapidly becoming table stakes at the risk of being repetitive. But better dashboarding means better observability. It means easier communication, it means having access to the data that really matters at the moment that it matters the most and it makes the jobs of risk management pros exponentially easier. And all of these things make their jobs easier, but it also really mitigates the risk for organizations across the board. I'm not sure what about that we don't want. No, we want all of it, we're here for it. But I think some of the cooler things that are coming out in some of the tools right now is the idea of persona-based risk modeling. And so the idea is to skew the information to the audience. And a couple of examples of that would be, the CEO wants to drive secure business transformation. The CFO wants to reduce business risks and the cost of data breaches, right? They wanna keep, they're always worried about the financial side of things. The COO wants to be more resilient in the business. The CIO wants to make security a fundamental element, foundational element of IT strategy. And the CISO of course wants everything, they want cyber risks to be included in all the decision-making. 
So I think that the idea of making it personalized and meaningful to that executive and what they're trying to accomplish is a neat twist on things. But we've said this before, Shelly, you can't open up any pieces, you can't open up the internet without reading about AI. So, right? I'm laughing because I knew exactly where you were going. AI. You just, so kind of like, how does AI fold into this equation? Well, as we know, and as we've had many conversations about here on this show, assessing and quantifying AI risk is a challenge for organizations of every side across, every size across the board. So I think that to me, it's so important to be thinking about these things and to be thinking about the things that we're bringing up in terms of enterprise risk management before AI becomes even more widely adopted and more pervasive throughout an organization. And even though AI is on everybody's minds these days and it's a part of every conversation, the reality of it is adoption is happening, but it's happening at somewhat of a cautious pace, which I think is good. And organizations are trying to get arms around policies and use cases and how to protect against cyber threats that are AI powered and all this sort of thing. So, but I think that although AI, being involved in AI powered risk management solutions are great, but AI also brings in new risks that need to be managed. And so, as leaders are thinking about new technologies and they search for solutions that are scalable and adaptable to their businesses, they need to understand of course, how the different types of AI solutions out there can actually help revamp their governance, risk and compliance strategies and how it can protect their businesses from risk and how it can help them maintain compliance. And AI helps with this, one of the beautiful things about AI is in many instances, it does the heavy lifting for us and it does it much more rapidly in many instances than humans can. 
And so AI technology can help with processing massive amounts of data and with data identification and categorization and can help with analysis driven tasks and it can serve up sort of next best step solutions and that sort of thing. So it really helps risk managers respond to potential risks faster and with greater efficiency, which is what we want, right? And so, it also AI powered tech can also help with a number of things. And I'll just tell you a handful of things are quickly being able to identify patterns in data. Humans can do this, AI can do it more rapidly and in many instances more accurately. Streamlining data classifications, same thing, faster, more efficiently, more accurately. And also it can help with the ability to risk score and quantify. And so I think all of those things are tremendously valuable. And I'm going to start with the ability to identify patterns in data. There's not a company that we talk to on a daily basis that's not struggling with data. Okay, the reality of it is siloed data is a real problem in just about every organization, right? And so what AI helps do is it helps take in data, identify patterns quickly, test for duplicates or discrepancies in data sets or in risk controls that are already in place. And AI also gives GRC teams kind of a significant leg up when it comes to semantics analysis and NLP processing capabilities that are an intrinsic part of AI powered technology. So what you get with all of this is you get faster, more accurate processes and then you get cost reduction, which is a natural outcome of when you have these processes put in place, when everybody on your team is kind of cooking with gas and understands how things work and everything like that, you've got, again, you've got a substantial cost reduction and efficiency boost when you've got these things in place. That's true. That's true. 
And I, you know, comes to mind, something comes to mind, a phrase that was used a few years back, data is the new bacon, right? And many of us love bacon. I love bacon and, you know, data is bacon to our business. It's kind of the thing that's important. And one of the things that AI is sort of forcing our hands with is data classification. Why? Because if we're worried about data exfiltration, what data are we worried about leaving? What data are we worried about staying, right? So we are now as IT shops being forced, our hands are forced to classify that data. And AI can help with that streamlining process, right? It can better classify reports and figure out what it is we're looking for and what it is we're worried about, right? And to take that a step further, it could help with risk scoring and quantification. So it can take these reports, especially third party ones, which can be voluminous. And, you know, if you're looking for something to put you to sleep at night, pull out one of these things and read it, right? And it can spot errors, redundancies. It can do things as essentially that humans can't do as quickly. You know, you sit there with your highlighter and the AI is gonna be a lot faster than you are at 10 o'clock at night, ready to go to sleep, right? So it can, it's, people talk about, you know, AI maybe being a threat and in some ways it can be, but it can also be a helper. So something to think about as you're doing your planning. Well, and you know, I'm gonna wrap up this show by saying if you're working on business planning, if you're working on a business strategy, which, you know, I mean, that's something that sometimes I remember, you know, doing this on an annual basis in my world now, it's something that's a continuous basis, right? Because change, continuous change is kind of a given in our world today and not just in the tech industry. 
So I cannot recommend enough for you, if you're engaged in this process and you're not yet using enterprise risk management solutions that you slide them up a little higher on your list. I know that I can speak for you, Joe, when I say that, you know, enterprise risk management has never been more important to business operations and business continuity and business risk mitigation than it is today. And again, just as a wrap up the top enterprise risk management software trends, we're tracking and believe you're going to be seeing and hearing a lot more about in 2024 and beyond are the emergence of risk maturity models and the connection between ERM and GRC and how important that is and holistic view of risk and how, you know, again, you can't mitigate what you can't see. So think about how important it is to have solutions in place that allow you to have that single pane of truth that place where, you know, anybody can go and see the information that they need that's applicable to them that slides me into the persona-based risk modeling, which I just think is so tremendously important and you hit on something so relevant, Joe. You know, if I'm a CFO, I care completely about things that are completely different than what a CEO might care about or a CTO might care about. So having solutions that are persona-based and allow that persona-based risk modeling, oh my gosh, I think that's really cool. And the last part of, you know, the trends that we're looking at, we'll definitely be talking about this more, but really the role that AI plays in augmenting the risk management part of your business operations. And today AI plays a pretty big role in that and without question, that role is going to continue to grow over time. So with that, thank you for hanging out with us today as we talked about the five top enterprise risk management trends we're tracking in 2024. Joe, it's always a pleasure spending time with you and to our viewing and listening audience. 
We'll see you here next week.