Leveraging ERM to drive Information Security (Cybersecurity) results
By Chris Mandel, SVP & Director, Sedgwick Institute, and Yvette K. Connor, Chief Risk Officer, Focal Point LLC
Managing a risk, including cyber risk, means identifying, tracking, scoring and valuing, normalizing and trending risk performance, including the net impacts. These steps are performed in accordance with compliance standards and aligned with risk tolerance. Management also includes evaluating how the risk profile (e.g. an enterprise grouping of all defined cyber risks) is changing over time (and we know it is changing) and what key risk impacts the organization is facing from the portfolio of (cyber) risks. This is where the ERM framework and ERM processes can help drive Information Security results.
The existence of an ERM framework does not provide a carte blanche solution for cyber risk management or mitigation of undesirable cyber risk outcomes. Instead, consider ERM a distinct, enterprise-wide enabler for addressing cyber risk management. In many cases, in-force ERM processes and protocols provide the “plumbing” InfoSec leaders can immediately access and rely on to more quickly deploy cyber risk identification, monitor the effects of specific risk mitigation strategies, and capture and analyze overall enterprise-wide cybersecurity results.
The interplay between ERM and InfoSec serves a critical function for the business. It helps to optimize risk management resources to ensure the InfoSec team is effectively able to focus on the cybersecurity battle at hand. Hacker-driven intrusions and internal actors, along with many other threat vectors and attack surfaces, keep the InfoSec community scrambling for the best depth of defense and tactical offenses required to maintain uptime productivity, lower dwell times, accelerate responses, and ensure overall data governance. Meanwhile, together with ERM, InfoSec faces global regulation of personal data actively shifting underfoot, resulting in increasing complexities and wider adoption of cybersecurity regulatory standards. These newly enacted regulatory standards are providing regulators with an ability to dig deep and assess enterprise-wide cybersecurity risk management. For instance, the National Association of Insurance Commissioners recently said: “State insurance regulators have undertaken a number of steps to enhance data security expectations to ensure these entities are adequately protecting this information. As part of these efforts, the NAIC developed principles for effective cybersecurity that set forth the framework through which insurance regulators will evaluate efforts by insurers, producers, and other regulated entities to protect consumer information entrusted…”
Additionally, the New York Department of Financial Services recently said: “Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.”
It is important to note that both regulatory agencies are concerned with evaluating enterprise-wide cybersecurity risk, which, in turn, leads us back to the enterprise-wide risk management “plumbing” and risk governance processes, and how the ERM-InfoSec interplay can be helpful in achieving organizational risk management objectives.
As an example, we can consider how to utilize the NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) as a starting point for an enterprise-wide cyber risk identification exercise (assessment). The NIST framework offers a diagnostic approach for assessing an organization’s technical cyber risk profile (the current state), versus desired risk tolerance and outcomes (the target state).
Separately, using a similar approach, ERM can be assessed through commonly adopted risk maturity evaluative frameworks. One such framework is the RIMS Risk Management Maturity model (RIMS-RMM). This model shares several common diagnostic themes with the NIST CSF, including evaluations of risk identification, risk culture, risk resiliency, and risk governance.
The common themes between several functional topics within the two frameworks create an opportunity to explore the corollaries between them. Scores can be mapped and linked together, effectively creating an integrated overall score, by applying relativity factors that capture the directional relationships between the two frameworks. For instance, how might low technical cyber risk scores, such as weak DLP oversight, inform and potentially change the ERM score addressing risk (data) governance? When properly integrated, the NIST CSF and RIMS RMM provide a synchronized view on data governance, privacy, and enterprise-wide cybersecurity performance.
An integrated analysis, such as a combined NIST CSF + RIMS RMM approach, helps an organization accelerate its ERM and InfoSec risk management performance, and increases risk awareness. In turn, increasing risk awareness leads to becoming more risk astute. When an organization is more risk astute, it is maturing in its risk management thinking, as evidenced by positive return on risk investments, and system-wide risk mitigation solutions prioritized and finely attuned to best support organizational growth and profitability. Most importantly, it is increasing its cyber resiliency while deploying strategic cyber risk management.
The company that achieves successful integration of a robust cyber risk management approach and its ERM framework is at a distinct competitive advantage. Not only is such an organization effectively managing its resources and expenses; it is linking cybersecurity to its business goals, enterprise risk profile, and strategic vision.