How to Calculate ROI for Digital Risk Protection Services (DRPS)

Businesses see huge value in their digital assets, and this is fuelling the need to manage associated risks – making DRPS a significant corporate priority.

DRPS is a critical part of the cybersecurity toolset and one that marks an important evolutionary step in the development of advanced threat intelligence-based services. However, DRPS’ emergence is only partly due to its acceptance by senior cyber professionals and experts. Its status as a key component of risk strategy is all about its ability to be understood and embraced by business leaders rather than just people in technical roles.

How DRPS Taps into Tangible Business Value

DRPS is important because it enables the business to understand risk in the context of digital asset value and the potential impact to the business in terms of revenue and reputation.

Gartner even published a paper in July 2020, “Critical Insights in Digital Risk Protection Services”, that reflects the expanding value of DRPS across multiple organizational functions, from security to sales, marketing, HR, and risk/compliance – going from a 1% target audience for the DRPS category today to 10% by 2025.

It highlights 5 key use cases:

  • Mapping digital assets (digital footprinting) and any associated vulnerabilities, misconfigurations, etc. that leave them exposed
  • Brand protection, such as preventing cybersquatting, fake profiles/impersonations of key employees, etc.
  • Preventing account takeovers, such as credential theft
  • Monitoring and mitigating fraud campaigns, such as phishing detection and credit card compromise
  • Data leakage protection e.g. of intellectual property

These use cases demonstrate two important principles. Firstly, digital assets exist beyond the ‘owned’ IT estate and the corporate perimeter, such as in cloud applications and databases, third-party supply chains, and social media ecosystems. It’s everything to do with brands, products, and employees. This also makes one organization’s digital footprint unique from all others.

The second key principle is that, as business becomes more digital, the challenge of managing these risks is constantly expanding as organizations progress their digital transformations. In most debates about digital transformation, there are clear ROI-driven business cases spelling out the upside opportunity in relation to cost.

Calculating the ROI of DRPS is closely linked, though somewhat imprecise. You can’t fully realize the opportunity of digital transformation if you fail to manage the risk. In other words, DRPS delivers ROI in the form of risk avoidance – not just in giving expanding digital initiatives a better shot at realizing their value.

DRPS is fundamental to enabling a business to continue functioning and mitigate the risks of cyber-attack, so we should ask whether the question of ROI is even relevant. Businesses have operated risk teams and GRC (governance, risk and compliance) teams for decades, and no one would ever think about questioning their ROI.

DRPS is simply a new digital element that has arisen in line with new digital realities. Shouldn’t the same attitude to ROI apply?

How is Digital Risk Relevant Across the Business?

With or without clear ROI, digital risk prevention successfully transcends departmental lines and becomes directly applicable to specific functions of enterprise organizations.

Obviously, the security department will be concerned with harnessing DRPS capabilities (e.g., to detect fraud campaigns, close down phishing attacks, prevent data leakage, and monitor threats across the open, dark, and deep web) and so will the broader IT function as part of measures to identify and control ‘shadow IT’ and ‘forgotten IT.’ But it’s the other non-IT lines of business where DRPS is relevant and stimulating interest.

For example, marketing’s chief responsibility is the company brand and managing how this is presented to the outside world, what’s communicated by key spokespeople, and how customers and other audiences engage via an increasing number of digital channels. Hence, DRPS capabilities, like brand protection, policing rogue/fake mobile apps, and preventing takeover of corporate/VIP social media accounts, are critical. Success or failure here feeds into the KPIs of the marketing department, which typically relate back to revenue. That’s another positive ROI case for DRPS, especially where it’s used to stop customers mistakenly spending their money elsewhere or being compelled to because the brand is tarnished.

HR departments also have an interest in DRPS, particularly its capabilities for monitoring digital collaboration platforms and social media. Are employees compliant with the obligations of certain policies governing, for example, inappropriate conduct, hate speech, etc.? Again, this value is hard to quantify but undoubtedly substantial and labor-saving compared to attempting to manually monitor these platforms. The broader issue of compliance is something that legal departments and risk/compliance teams focus on. Their interest in DRPS would naturally cross over somewhat with HR in cases where intellectual property was at risk. Due diligence projects in relation to third-party contracts and potential M&A would also be strong use cases for employing DRPS to ascertain some form of digital risk assessment prior to a deal. ROI again comes in the form of risk avoidance, cost reduction, and increased efficiency.

The Value of DRPS is Only Realized When Intelligence is Acted Upon

Enterprise cybersecurity budgets were difficult to justify when executive leadership found it hard to balance the costs expended against a measurable return. Today, however, boards are better informed and appreciate the value of security investments to guard against the disastrous consequences of, for example, a major data breach.

But ROI is a blunt tool for decision making in this context. “Is it worth the investment?” and “How can we control costs?” are more applicable questions.

“What is the potential cost of NOT doing this?” is really the killer question.

When DRPS is combined with threat intel, its value is non-negotiable.

Independently of whether it can point to an ROI or not, a brand can’t afford to lose customers, get its reputation damaged, lose intellectual property or suffer the regulatory wrath of breaking privacy regulations on personal data.

Why? Because it’s a matter of life or death for a company right now.

So even without ROI, DRPS and TI remain necessary…

It’s a question of safety.

More airbags in your car do not require an ROI, nor does a better alarm system in your house.

But these are still decisions to make to further protect yourself.

With cyber threat levels so high nowadays, can you afford not to?

B. Güney Seyhan

Global Sales Manager
Brandefense
