Contract compliance, IT security and other risks

23/03/2023


Stochastic phenomena and their solution in everyday business operations

We think we are safe:

A vendor management process, a contract database, Software Asset Management: what else could happen?

A cyber security vulnerability management system, good asset visibility, a SOC: we have all our ducks in a row.

Right?

On to topic 1, with a few examples:

The year is 2017: Indirect use / Digital Access, an innovation, is shaping up as a great success story for the manufacturer thanks to a single ruling of the High Court of London. 54 million pounds of re-licensing (plus 4 million in interest since 2011)! Diageo, the losing party, thought it was safe; for six years. But was it compliant?

Let's continue with the examples: Let's assume a code scanner finds an open source library in our company's self-developed core system that has not been licensed (and disclosed) as required. Some of the developers are already in semi-retirement. How do we proceed, now that we are no longer compliant?

It's 2018, the year of the GDPR. Non-compliance all over. And our contract management has not helped. We write policies, encrypt, add data processing agreements (AVV), demand information from the cloud provider, and get none. The data protection authorities threaten us. A years-long employment program. And what about our compliance?

Now to IT security: We think we are safe; all components have been tested. All right, but what about the overall system of our architecture, and that of our value-adding partners? And then there are the users, with all their input. The next attack is bound to come. Were we compliant then?

Anno 2024: NIS2. The new directive will become mandatory, forcing many, for example, to have an 'attack detection system'. But what is that? Well, the dispute with the insurance company in the event of a claim will show it. After the fact. So are we compliant?

The solution: acting and deciding with stochastics. Away from deterministic thinking; it no longer matches reality. Meaning? We have residual risks, all over. They will materialize, that's for sure. Only the time is not. Mors certa, hora incerta.

Audits may come, and additional payments. Attacks will come, and mitigation efforts (or damages). What can we do? Learn from the financial industry. They had their innovation: the MaRisk (Minimum Requirements for Risk Management, since 2005, with an employment program attached).

We, too, will have to think further, in the direction of state-of-the-art risk management, see above. Terms such as risk profile, quantification, adequacy and sustainability will reach us. Let's not wait and see.

Author: Dirk Michael Ockel