The R3 Marketscape
Within this Marketscape, the first “R” characteristic is how Responsive the organization is to new opportunities. (Some refer to this characteristic of an organization as it’s Risk Appetite.) We measure responsiveness on a scale from Digital Trepidation (e.g., market followers) to Transformation (e.g., market leaders); as both institutional fear and the Cyber Entropy™ resulting from untamed Digital Transformation are powerful market forces which nearly every organization must balance today.
The second “R” characteristic is how Responsible the organization is in supporting its obligations to stakeholders, minimizing risk while optimizing value. (Some refer to this characteristic of an organization as it’s Risk Tolerance.) We measure responsibility on a scale from Preservation to Protection. These are also powerful market forces pulling on organizations today, where they must choose whether to simply preserve their current value (minimizing investments in “due care”) or proactively protect the business as Threats continue to increase unchecked in both quantity and sophistication.
The third “R” characteristic represents the Risk Discipline which the organization demonstrates in their Risk Management program within its Information Security & Privacy Strategy. We measure risk discipline on a scale representing the focus on Efficiency versus Effectiveness. Organizations which focus primarily on metrics which represent the efficiency of their information security & privacy, rank far left on this scale. While those which focus on actual effectiveness of their controls can directly demonstrate the impact on the business from their investments in information security & privacy.
Patterns in this Marketscape
Mapping organizations along these 3 vectors of the R3 Marketscape we find they tend to cluster together in easily recognizable patterns.
The first obvious pattern is that of “Cyber Complacency”. Here in the lower-left of the R3 Marketscape we find organizations that demonstrate lower responsiveness to market opportunities (e.g., Digital Trepidation) and a predominant focus on simply preserving current value. These “Risk Ignorant” organizations tend to be unaware of the inherent risks surrounding them, and implicitly accept much of that Risk by emphasizing efficiency and cost containment in their investments in Information Security & Privacy.
The next familiar pattern describes organizations constantly seeking a state of “Cyber Tranquility”. This upper-left corner of the R3 Marketscape is where “Risk Averse” organizations tend to recede while investing more responsibly in proactive protection measures; often deferring or completely rejecting the risks associated with new opportunities, ultimately hindering the growth of the business. It is worth noting and somewhat unsurprising that Cyber Insurance providers (underwriters) are most comfortable writing policies for organizations in this corner of the R3 Marketplace.
The third pattern (in the lower-right of the R3 Marketscape) groups together organizations mired with untamed “Cyber Entropy™”. The environments within these “Risk Taker” organizations demonstrate the exact opposite of “Zero Trust” – all devices, software, data, traffic and entities on their networks are implicitly trusted and assumed to be supporting some new transformative initiative. Here, the principle of “Least Privilege” is deemed too restrictive. Administrative privileges are ubiquitous and considered an entitlement. End-of-Life (EOL) devices and software abound, foreshadowing the Cyber Zombie Apocalypse. Unauthorized shadow IT initiatives thrive. Undisciplined Digital Transformation has led to IoT devices continuously invading unsegmented corporate networks. OT/ICS/SCADA systems and networks may connect directly to the corporate backbone. And conventional perimeters have dissolved as core business systems have migrated to “the cloud”. Where Risks are not explicitly accepted, these organizations often attempt to transfer the Risk to their 3rd party service providers.
The fourth and final pattern is that of “Cyber Prosperity” depicted in the upper-right of the R3 Marketscape. Unfortunately, most organizations arrive in this hallowed corner of the Marketscape only after experiencing and surviving a significant digital compromise or data breach on their journey into “Cyber Entropy”; and receding at least once into that safe zone of “Cyber Tranquility” where defensive investments in protection are most common.
Risk Disciplined Organizations
These “Risk Disciplined” organizations show the greatest promise as they continuously work to mitigate their Risks; seeking responsible ways to say “Yes” to new business opportunities and challenges while driving down the Residual Risks to acceptable levels. Many of these organizations demonstrate the maturity of their Risk Discipline through concepts including:
- Enterprise-scale Risk Scenarios based upon specific Threats, Vulnerability, and Consequences; used to structure clear communication between the executive team and the board.
- To Prioritize these Risk Scenarios, the leadership team regularly collaborates to assess each Scenario qualitatively and quantitatively.
- Control Matrices are associated with each Risk Scenario enumerating Defense-in-Depth along the basic dimensions of Control Type (administrative, physical, and technical) and Control Objective (preventative, detective, and corrective).
- Risk Level Agreements™ (RLA) are documented for each Risk Scenario, describing the decisions to accept, reject, mitigate and/or transfer the Risks based upon a cost-benefit analysis (CBA).
- Information Security & Privacy Strategies are developed and continuously evolved which include Strategic Objectives and Key Initiatives based upon these RLA and Control Matrices.
- And Trust Through Transparency is a fundamental business principle supporting top-line revenues with annual 3rd party industry certifications (e.g., ISO 27001, SOC 2, etc.).
The inevitable Cyber Entropy brought on by contemporary market forces such as today’s Digital Transformation, demands this level of mature Risk Discipline, continuously balancing the need to be both Responsive & Responsible in pursuing new market opportunities.
Phenomenati has introduced this R3 Marketscape as a means to Bring Order to Chaos for our clients; helping organizations describe where they are today, where they want to be in the future, and the path that journey will likely take.