Cyber Risk: The Poster Child for Enterprise Risk Management
Enterprise risk management (ERM) is often viewed as a bureaucratic and unnecessary process, subtly or overtly motivated by regulation, accompanied by internal risk leadership kingdom building, and suggesting an unclear value proposition. Occasionally, these perceptions are correct and ERM fails. Yet, there is hope for a successful ERM approach with the right motivations and when designed and implemented with the real business goals and culture of the organization in mind. This is when ERM becomes an invaluable approach to learning about and managing truly destructive risks. A successful ERM approach also creates a clearer lens for seeing and responding to emerging risks, including potential impacts, and helping to prioritize the more valuable solutions. The resulting ERM processes are, however, often fraught with hurdles and barriers, preventing many organizations from achieving a level of risk intelligence and maturity beyond ad-hoc decision making.
Few risks affect organizations with the diversity, impact and pervasiveness of cyber. As we are now a truly internet connected and dependent world, few organizations escape material exposure to this ever-evolving risk and its wide range of impacts; fewer still seem to have effective plans for cyber risk mitigation or an ability to calculate the value “in play” gained, or not, from their cybersecurity strategies. This is not to say many organizations haven’t or aren’t trying to address cyber risk. Beyond regulatory requirements, no effective governance structure today would allow management to ignore or not actively investigate this growingly complex enterprise-wide risk. Even so, why would cybersecurity become a clarion call for ERM? What role does ERM play in helping to solve the cyber dilemma, and to assess this critical cross enterprise risk? We are glad you asked.
Every organization needs to approach risk management in a way that is effective for itself and its key stakeholders, both internal and external
Every organization should approach risk management in a way that is effective for itself and its key stakeholders, both internal and external. This sounds good but, as mentioned above, is hard to accomplish. ERM often means something much less than a comprehensive, multi-step framework and numerous processes addressing a full gamut of ERM components. ERM should at least mean, however, that those elements which most meaningfully contribute to solving the problem (i.e. understanding and controlling the risk) are employed. Certainly, at a minimum, this means identifying and valuing the significance of the exposure, treating it appropriately, and then monitoring its status until it is no longer a significant threat. However, is it necessary to first build up a risk culture, create a risk appetite, implement a risk tolerance strategy, appoint risk liaisons across the business, establish ERM committees, and invest in sophisticated risk modeling? Likely not, unless your key stakeholders suggest or regulation requires otherwise. ERM processes can easily become overly complicated and burdensome, often working to slow down or complicate risk identification and mitigating responses and unnecessarily constraining the business. Further, many ERM processes focus repetitively on risks with a potential for the most obvious and severe impacts (larger inherent risks), sacrificing an ability to otherwise tease out emerging risks and those subtle, often related, frequency risk impacts (lower level risks), which may be slowly (or rapidly) correlating across the business. ERM frameworks that primarily focus on a severity approach, unfortunately, result in a blurry ERM lens and may inadvertently expose the organization to emerging and systemic risk blind-spots. A good example of an emerging risk blind-spot are the various risks found today within a category of risks associated with information security (i.e. ‘cyber risks’).
Cyber risks are a notably different type, when compared to the types of risks historically addressed within an enterprise-wide risk management framework. Why? Cyber risk management is analogous to identifying and responding to risk impacts from multiple, simultaneous “smart tornadoes”. (e.g. advanced persistent threats)
For example, consider these two facts: 1) cyber risk can be high frequency and low severity, or high frequency and high severity, at the same time;2) cyber risk “impacts” vary widely depending on the complexity of known and unknown harm incurred, the success rate of harm incurred, and internal acceleration of any such harm (dwell time, lateral movement, then organizational detection and response). These variables create an infinite number of impacts and costs, matrixed across a business. This is an unusual risk behavior, to say the least, and today’s dynamic cyber risk ecosystem creates a delicate challenge for many in the information security profession. When a person proclaims, “don’t worry, we have cyber risk covered” (i.e. managed, or otherwise solved), then they are suggesting an ability to foresee the future. In other words, they are implying they generally knowhow those smart cyber tornadoes are going to behave outside, inside, and throughout the business, every day. As we know, tornados don’t lend themselves to such predictability.
Admittedly, for most, it is difficult to acknowledge what we do not know, and especially, the vulnerability we may have in facing a first-of-its kind risk management challenge –with various risks we are unlikely to completely mitigate. However, as more and more businesses engage cloud service providers and actively increase use cases for Internet of Things (‘IoT’) endpoints, organizational key stakeholders, such as Boards of Directors, regulators, and rating agencies, are becoming increasingly concerned about how management is identifying gaps in cybersecurity efforts. There is active movement by these stakeholders to test and confirm risk management processes are in effect and that the enterprise is identifying and responding proactively to risks associated with those smart cyber tornadoes.
It is important to understand even if an organization believes it “has cyber risk covered”, by its current information security (‘InfoSec’) approach; there is still, for many, a critical regulatory requirement to rigorously assess and document the extent of the cybersecurity risk threat. Failure to adequately identify, test, monitor, trend, and actively report on enterprise-wide cyber risks creates significant financial, regulatory, reputational, and operational exposure for the organization. Static reports that capture log data but, are not otherwise normalized or matched to enterprise risk profiles and controls, are arguably not offering complete or robust information to the enterprise, for either historical or prospective time periods–and, when we say a risk is managed, it is important to note we are applying a risk management term of art–where regulators often have definitions and tests required to demonstrate assurance.
Bob Ackerman recently wrote an article championing a rationale for how standardizing cyber threat terms will produce a common enterprise-wide language, and better inform organizational enterprise and InfoSec risk management strategies.
The concepts include current standardization efforts underway, including a recent effort by Office of the Director of National Intelligence (ONI) in developing a set of common definitions to unify cyberthreat descriptions within the intelligence community. Jim Richberg, National Intelligence Manager (NIM) for cyber, Office of the Director of National Intelligence, recently said, “Cyber is still in its infancy compared to anything else we are dealing with both as an intelligence community and as a society,”. We couldn’t agree more.
In solving for cybersecurity risk management, organizations must deploy their best risk management thinking, bringing innovation, terminology, and standardized terminology into play, similarly to the principles and processes deployed by ERM. This includes developing a risk nomenclature that can be leveraged across the business.