Coming Together on Enterprise Cyber Risk Management

By: Syed Abdur, VP, Product Management & Marketing, Brinqa

It is not uncommon for two people to talk about enterprise cyber risk management and walk away with different understandings of the topic. What enterprise cyber risk management means can even vary within an organization, often depending on which function you belong to: business, IT, InfoSec, or another. Because the proper execution of enterprise cyber risk management is so critical to an organization, it is important to establish a common understanding of the discipline.

Defining Enterprise Risk

When business leaders talk about risk, they are generally referring to some force outside of their control that may damage corporate assets. The risk gamut ranges from critical systems being held hostage by ransomware to exposure of confidential client information. It is a critical focus because a company’s executives have a duty to protect shareholders’ assets from risks, particularly financial damage. Enterprise risk refers to this idea in a big-company context. It is critical for enterprise risk management to include a cyber component, especially as business functions and processes move to the cloud and as businesses undergo rapid digital transformation.

Clarifying Enterprise Cyber Risk Management

It can be a difficult endeavor to come to a practical understanding of enterprise cyber risk management. One reason is that the Enterprise Risk Management (ERM) field is large and diverse. There are multiple frameworks for ERM, which take different angles to address the problem. For example, the COSO ERM framework focuses on financial risk, including risks from fraud or bad debt.

In many organizations the Chief Risk Officer (CRO) is responsible for ERM, but the focus is often mostly on compliance. As a result, the organization may be required to meet certain cybersecurity standards. However, compliance should not be the primary driver for cyber risk management strategies and goals: an organization may be compliant with the law and still be at serious risk from a cybersecurity perspective. In addition, the CRO may have no corporate mandate to deal with cyber risks.

The absence of a common understanding and clear definition leaves too much ambiguity for the various stakeholders to execute on a unified plan and strategy. To be effective, enterprise cyber risk management must be a continuous, consistent process that brings together people, processes and information across business, IT and Information Security teams.

Enterprise Cyber Risk Defined

Enterprise cyber risk, in our context, can be defined as any situation where a cyber-borne threat negatively affects the business value or operational effectiveness of a corporate asset. This is a far broader definition of cyber risk than is normally used in cybersecurity circles. CISOs tend to view risk in the context of digital assets, for example threats to destroy data or software or to disrupt networks. However, enterprise cyber risks are far more widespread in nature. Consider these examples:

  • Customers’ confidential information being compromised causing diminished brand reputation
  • Hacking of IT systems leading to physical damage or even fatalities
  • DDoS attacks resulting in critical business applications being unavailable and financial losses

As you may recall, the handling of the Equifax breach a few years ago led to significant public outrage and caused considerable damage to the Equifax brand. Key executives, including the CEO, abandoned ship in the weeks and months following the disclosure. The company faced more than 240 class action lawsuits and investigations from state and federal agencies, including the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC). Equifax reported that it recorded $87.5 million in breach-related expenses that quarter. While a web application vulnerability was determined to be the cause of the breach, the extensive damage to the business and brand was a result of Equifax’s inability to understand and manage enterprise cyber risk.

Enterprise Cyber Risk Management’s Main Challenge

There is no final end goal in enterprise cyber risk; it is an ongoing endeavor. Consider the literally hundreds of millions of new cyber threats that appear every year. Corporate assets are exposed to cyber threats in almost every imaginable way. Especially with work from home (WFH), the attack surface is immense these days, including every endpoint, application, data store and infrastructure element. All of these are dynamic: applications are constantly changing, and operating systems and hardware are continuously updated. In addition, connections between a company, its partners and the outside world are never static.

Cyber risk management challenges revolve around maintaining control and awareness in a hugely complex and rapidly shifting environment. The lack of understanding of the Information Security function in most organizations further complicates this. Confusion abounds around the roles, responsibilities, and division of labor between InfoSec and IT. One way to think about it is to consider IT and InfoSec as essential but ancillary functions (like legal, HR, and so on) that exist together to support the business. Neither function is accountable to the other; each is accountable to the business and exists to help the enterprise reach its ultimate goals.

The Approach to Enterprise Cyber Risk Management

Considering that IT and cybersecurity work together toward common goals, we can begin to put together a practical framework for enterprise cyber risk management. InfoSec usually has good visibility into IT data and processes and works extensively with this information in the assessment and monitoring activities that identify gaps, vulnerabilities and threats. However, to evaluate the associated cyber risks effectively, we must understand the potential impact of these weaknesses and threats on the business. This can be accomplished by building relevant and accurate business context into the cyber risk analysis process.

While it may seem daunting at first, most enterprises already hold the information needed to build business context somewhere within the organization. Business continuity and disaster recovery (BC/DR) initiatives can report the business impact of technical assets. Data protection programs can provide details about which areas of the infrastructure process sensitive and confidential information. Compliance initiatives monitor the status of assets that must be tracked in accordance with various standards. What most organizations struggle with are the data management capabilities and analytical maturity needed to incorporate and operationalize this information.

Establishing the right ownership and accountability model for cyber risk is also very important. Repeated alerts and notifications from InfoSec may go unresolved, but making the business owner part of the risk remediation process can have a very different effect. In this way, cybersecurity is simply facilitating the conversation between responsible and accountable stakeholders. Making business users part of the risk ownership and escalation chains ensures that those directly impacted by the problem have a say in how and when it is addressed.

A cyber risk management platform can facilitate this process. It can aggregate all the data required for cyber risk analysis – across business, IT, and cybersecurity data sources. The platform can normalize and correlate risk data so enterprise risk managers can discover the connections between technology assets and understand the threats and impact on the business. Armed with this knowledge, risk managers can prioritize vulnerabilities and focus mitigation efforts on the most critical risks and most valuable assets. An organized, data-centric approach to enterprise cyber risk management can bring the CISO and CRO, and their distinct perspectives on cyber risk, together for a shared business purpose. Properly correlated and interpreted risk data creates the common ground necessary for a truly enterprise-wide approach to cyber risk management.
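The correlation step described in the last three paragraphs, as an added example that is not code from the original article or from Brinqa's platform: it joins scanner findings (severity only) with the business context that BC/DR, data protection and compliance programs supply (impact tier, data classification, compliance scope, business owner) and ranks the findings by business risk rather than by raw CVSS. The asset inventory, the findings and the weights are all constructed for illustration; the field names and the scoring formula are assumptions, not a standard.

```python
"""
Added example, not code from the original article or from Brinqa: correlate
vulnerability findings with business context and rank them by business risk.
All records, field names and weights below are constructed for illustration.
"""
from __future__ import annotations

# Constructed asset inventory enriched with business context, as the article
# says BC/DR, data protection and compliance programs can supply it.
ASSETS: dict[str, dict] = {
    "payments-api":   {"bcdr_tier": 1, "data": "confidential", "compliance": ["PCI DSS"], "owner": "VP Payments"},
    "hr-portal":      {"bcdr_tier": 2, "data": "confidential", "compliance": ["SOX"],     "owner": "HR Director"},
    "intranet-wiki":  {"bcdr_tier": 3, "data": "internal",     "compliance": [],          "owner": "IT Operations"},
    "marketing-site": {"bcdr_tier": 3, "data": "public",       "compliance": [],          "owner": "Marketing"},
}

# Constructed scanner findings: technical severity only, no business context.
FINDINGS: list[dict] = [
    {"id": "F-1", "asset": "intranet-wiki",  "cvss": 9.8, "exploit_available": True},
    {"id": "F-2", "asset": "payments-api",   "cvss": 7.2, "exploit_available": True},
    {"id": "F-3", "asset": "marketing-site", "cvss": 9.1, "exploit_available": False},
    {"id": "F-4", "asset": "hr-portal",      "cvss": 6.4, "exploit_available": False},
    {"id": "F-5", "asset": "unknown-host",   "cvss": 8.0, "exploit_available": True},
]

# Illustrative weights (assumptions, not a standard).
TIER_WEIGHT = {1: 1.0, 2: 0.6, 3: 0.3}                  # BC/DR criticality tier
DATA_WEIGHT = {"confidential": 0.5, "internal": 0.2, "public": 0.0}
COMPLIANCE_WEIGHT = 0.2                                  # per regime the asset is in scope for
UNKNOWN_IMPACT = TIER_WEIGHT[1] + DATA_WEIGHT["confidential"]  # conservative default
EXPLOIT_MULTIPLIER = 1.4                                 # public exploit raises likelihood


def business_impact(asset: str, assets: dict[str, dict]) -> tuple[float, str]:
    """Return (impact weight, note). An asset with no business context on
    record is treated as critical until someone classifies it: a gap in the
    inventory is itself a risk-management finding, not a reason to deprioritize."""
    ctx = assets.get(asset)
    if ctx is None:
        return UNKNOWN_IMPACT, "no business context on record; classify asset"
    impact = TIER_WEIGHT[ctx["bcdr_tier"]] + DATA_WEIGHT[ctx["data"]]
    impact += COMPLIANCE_WEIGHT * len(ctx["compliance"])
    return impact, ""


def likelihood(finding: dict) -> float:
    """Technical likelihood from the scanner's view: CVSS scaled to 0..1,
    raised when a public exploit exists."""
    base = finding["cvss"] / 10.0
    return base * EXPLOIT_MULTIPLIER if finding["exploit_available"] else base


def prioritize(findings: list[dict], assets: dict[str, dict]) -> list[dict]:
    """Correlate each finding with its asset's business context and return the
    findings ordered by business risk, each tagged with the accountable owner
    so it can enter the business escalation chain."""
    ranked = []
    for f in findings:
        impact, note = business_impact(f["asset"], assets)
        owner = assets.get(f["asset"], {}).get("owner", "UNASSIGNED")
        ranked.append({
            "id": f["id"],
            "asset": f["asset"],
            "cvss": f["cvss"],
            "risk": round(likelihood(f) * impact * 100),
            "owner": owner,
            "note": note,
        })
    ranked.sort(key=lambda r: r["risk"], reverse=True)
    return ranked


if __name__ == "__main__":
    for row in prioritize(FINDINGS, ASSETS):
        print(f'{row["id"]} {row["asset"]:<15} cvss={row["cvss"]:<4} '
              f'risk={row["risk"]:<4} owner={row["owner"]:<14} {row["note"]}')
```

With these constructed inputs the highest CVSS score on the page (9.8 on the internal wiki) ranks fourth, while a 7.2 on the PCI-scoped payments API ranks first and the host with no business context ranks second with a note to classify it. That is the shift the article argues for: severity alone orders work by the scanner's view, severity joined to business context orders it by what the business stands to lose, and the owner field makes the hand-off to the accountable stakeholder explicit.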
