- Research & Insights
- About Us
- Become a client
Let’s say it loud and clear. A lack of effective controls will put your RPA environment at risk and will hold back your ability to scale. The hard truth is that most organizations have deployed RPA in a rush, treating security as an afterthought.
Organizations serious about scaling RPA should treat security as a foundational requirement. As RPA Center of Excellence (CoE) leads and IT and security executives, it is your job to deploy a meaningful security framework that addresses your critical security and compliance requirements.
Deploying RPA should be a walk in the park, but it can quickly turn into a trek through Jurassic Park if you don’t focus on the security that matters.
Enterprise applications require enterprise-grade security, and it’s not just large enterprises that should care about the security of their RPA environment. You can’t ignore these four key controls:
Over the last few years, the main security focus has been on bot access and, more particularly, managing underlying privileges in the myriad of target applications. It is certainly important to control the level of access you grant to your bots. But even more important is to control what your bots can do, and the code governs their conduct.
Give your bots a wide range of capabilities (in the interest of reusability and expandability) and use the code to control their ability to exploit these capabilities.
What matters is enforcing security checks when building your code and preserving their integrity during subsequent changes. “In Code We Trust” should be the motto of every RPA CoE.
Focus on two areas:
We can define the risk associated with a bot outcome as the probability of an error multiplied by the cost of an error. The resilience of your bot determines the probability of an error, and you can deem it resilient if it can withstand or recover quickly from contextual changes (process and technology). The cost of an error is the impact of a failure on existing operations. Quantifying how much money you could potentially lose due to a bot failure is a difficult but necessary exercise.
Keep the risk dimension in mind when defining the criticality of each bot and deriving the necessary security monitoring activities. A higher error cost or probability requires a higher level of continuous monitoring. You can’t survive in the long run with manual monitoring only, and you should aim to deploy from day one automated monitoring mechanisms.
For bots involving relatively little risk, out-of-the-loop problems are unlikely to have much impact, even if there is a complete failure.
For these critical bots, you must formally document and communicate a business continuity plan. Each bot should have a tailored action protocol to guide RPA operators during the recovery process. Remember, business users may not be as skilled in performing the recovery activities, so ensure ongoing training refreshers.
There is one thing for sure that will bring your RPA journey to a grinding halt: the inability of your auditors to rely on the controls governing your RPA environment.
Focus on the controls that matter most and incrementally increase the level of automation when possible. It is not enough to just design good controls. What is even more important is to preserve the operating effectiveness over time, which mainly relies on proper end-to-end governance.
You must also do it at the right cost. Your internal security and IT functions should lead this effort with the help of dedicated service providers that will provide the right mix of expertise and labor arbitrage.