When I joined Uber, an immediate challenge we faced was designing a robust, scalable risk taxonomy and quantification strategy with board-ready metrics and reporting. Coming from a compliance background at Microsoft Azure, I knew it was important to have a solid risk quantification process that could be scaled across issues, exceptions, post-incident reviews, risk calibrations, internal audit findings management, and the cyber steering committee, and most importantly, it needed to be trusted and understood by the board. We ultimately sought to provide a more relevant and current view of risk by moving from our compliance-driven cadence of reporting every quarter to a real-time, predictive risk intelligence layer.

As part of Uber’s ongoing effort to strengthen our security and protect our global operations, we are recognizing the significant advantages of AI-driven risk management, particularly its ability to adapt and respond to evolving threats in real time. In this blog, I will share insights about AI risk management advancements and how they can help drive innovation in identifying, assessing, mitigating, and reporting risks.

The scale and complexity of Uber

At Uber, we handle close to 200 unique data sources, each unique and complex. The question before us was: How do we manage and make sense of this massive amount of data to drive actionable insights? A comprehensive real-time risk assessment and threat response approach became pivotal in enhancing our risk management strategy.

To give you a sense of our scale, Uber operates in more than 110 countries and nearly 12,000 cities, facilitating 28 million trips per day and boasting 2.2 million merchants on UberEats. Our mission is to reimagine the way the world moves for the better. Movement is our lifeblood, and we are constantly pushing to improve how we operate.

This commitment to movement and the scale at which we operate introduces significant complexity and risk. With such a vast operation, protecting our enterprise, drivers, riders, and expanding service lines is an enormous task. Before embarking on our AI risk management journey in our unique environment, it became abundantly clear that maximizing the effectiveness of such a solution is dependent on establishing clear, enterprise-wide cyber hygiene practices and processes.

Cyber hygiene fundamentals

Regardless of whether you choose to purchase or build your own AI-driven risk management tool, we have learned that it’s important to take the time to lay the groundwork. At Uber, our planning and preparation involves these cyber hygiene fundamentals:

Consensus: Getting buy-in from departments such as IT, finance, and security is crucial. Establishing a common risk taxonomy in unison with a risk appetite framework, an advanced risk scoring method (using FAIR), and the ability to scale it across business units and service lines was essential to ensure everyone is speaking the same language.

Baselines: We define our risk score schema (for example, low, medium, high severity or a numerical system) and spell out how ratings could be translated into meaningful and digestible information for the board. The color codes are replaced by a range of scores and how they tell a story based on the deviation from the normal behavior.

Data sources: With the vast amounts of data coming in from multiple sources, we decide where to start: with entities, assets, IPs, or cloud projects. Performing real-time dynamic risk assessments and creating data pipelines requires meticulous planning and coordination.

Relevance: Before even considering deployment, we determine how to integrate, configure, and scale compliance, audit, and operational requirements within a risk management framework. We understand that it’s essential to continuously monitor, automatically test key controls, and update our risk register to ensure it remains useful, actionable, and meaningful.

Obtain buy-in by correlating risk to the bottom line

Risk quantification is always challenging, especially when you try to get buy-in from senior leadership. The common questions are: Why should they care? How much money is at stake? Where should they invest? To address these, you need a robust model that could translate technical risk into simple financial terms that the board could understand. It should also address external regulatory posture.

At Uber, we need various models and tools baked into an AI-driven risk management solution to give executive teams detailed analyses of potential financial impacts, including Monte Carlo simulations, a method that determines the probability of an outcome from a range of outcomes with random variables. Another valuable framework is MITRE ATT&CK®, a knowledge base of adversary tactics and techniques. The combination of these predictive methodologies quickly identifies risk in granular detail, shows potential risk over time, pinpoints the key attributes of risks, and calculates financial loss metrics.

This approach would not only help us gain board approval for proposed security initiatives, but also align our risk management strategies with business objectives. For example, by demonstrating the potential financial loss from specific risks, we could prioritize investments in mitigating those risks more effectively.

The benefits of AI-driven risk management

Integrating AI into our risk management processes would automate many routine tasks, such as gathering, normalizing, and analyzing data from diverse sources. The goal is to free up our skilled professionals to focus on strategic initiatives. This shift would significantly improve our overall security posture and operational efficiency. For instance, AI can analyze vast amounts of data to identify patterns and perform contextual pattern matching to predict risk levels, acceptance or remediation criteria on a high-risk finding. This proactive approach helps predict, prioritize, and mitigate risks before they escalate.

The use of AI in risk management also provides other benefits:

Enhanced decision-making: AI-driven insights enable data-driven decisions. By analyzing historical data and identifying trends, it helps with forecasting potential risks and developing strategies to mitigate them.

Scalability: AI solutions can scale to handle large volumes of data, making them ideal for organizations like Uber with vast and complex operations. This scalability ensures that our risk management processes remain effective as we continue to grow.

Improved accuracy: AI algorithms can process and analyze data with a level of accuracy that is difficult to achieve manually. This accuracy is critical in identifying subtle indicators of risk that might otherwise go unnoticed.

The road ahead

As we grow in size, maturity, and complexity, my team’s responsibility and mission is to embed the “risk fabric” into our daily lives. This includes working with business partners and sub-service lines, engineering teams, support, infrastructure, compliance, safety, and trust.

For those of you starting your journey in AI-driven risk management, my advice is to focus on getting your cyber hygiene, centralized controls directory, and risk ranking framework all aligned to produce context-driven signals. Understand your data sources, establish clear risk taxonomies, and ensure continuous monitoring and evaluation. These steps are critical in building a resilient and effective risk management framework.

Uber’s journey with Zscaler has been nothing short of transformative. The platform has enabled us to scale our operations securely, enhance our risk management capabilities, and achieve better visibility and control over our global network. I am excited about Zscaler’s current risk management offerings, like Zscaler Risk360, that would bring AI and data integration seamlessly into zero trust architecture. We’re looking forward to learning more about how the solution facilitates and speeds up informed decision-making and helps streamline risk management processes.

Watch Hardik’s full Zenith Live ’24 keynote session here.
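A FAIR-style Monte Carlo run of the kind the section on correlating risk to the bottom line refers to, as an added example that is not Uber's or Zscaler's model. The scenario figures, the Poisson and lognormal distribution choices, and the control that halves event frequency are all assumptions.

```python
import math
import random
import statistics

# Constructed scenario (assumed figures, not from the post): one risk-register entry
# with a yearly loss event frequency and a 90% range for per-event loss in USD.
SCENARIO = {"events_per_year": 0.8, "loss_p05": 50_000.0, "loss_p95": 2_000_000.0}
Z95 = 1.6448536269514722  # standard normal 95th percentile

def lognormal_params(p05, p95):
    """Lognormal mu/sigma whose 5th/95th percentiles match the estimate."""
    mu = (math.log(p05) + math.log(p95)) / 2
    sigma = (math.log(p95) - math.log(p05)) / (2 * Z95)
    return mu, sigma

def poisson(rng, rate):
    """Knuth's Poisson sampler; fine for the small yearly rates used here."""
    limit, count, product = math.exp(-rate), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count

def simulate_annual_losses(scenario, trials=20_000, seed=7):
    """One simulated year per trial: draw event count, then sum per-event losses."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(scenario["loss_p05"], scenario["loss_p95"])
    years = []
    for _ in range(trials):
        events = poisson(rng, scenario["events_per_year"])
        years.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return sorted(years)

def summarize(years, threshold):
    """Board-level metrics: expected loss, tail loss, chance of exceeding a threshold."""
    return {"expected": statistics.fmean(years),
            "p95": years[int(0.95 * len(years))],
            "p_exceed": sum(loss > threshold for loss in years) / len(years)}

def analytic_expected(scenario):
    """Closed-form mean (rate x lognormal mean), used to sanity-check the simulation."""
    mu, sigma = lognormal_params(scenario["loss_p05"], scenario["loss_p95"])
    return scenario["events_per_year"] * math.exp(mu + sigma ** 2 / 2)

if __name__ == "__main__":
    # Hypothetical control that halves event frequency, to compare investments.
    for label, rate in (("baseline", 0.8), ("with control", 0.4)):
        s = summarize(simulate_annual_losses(dict(SCENARIO, events_per_year=rate)), 1_000_000)
        print(label, {k: round(v, 3) for k, v in s.items()})
```

The gap between the two printed rows is the annualized loss reduction a control would have to justify against its cost, which is the form of comparison a board can act on.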