While executives and boards once viewed cybersecurity as a primarily technical concern, many now recognize it as a major business issue. Any organization that fails to protect its sensitive digital assets from today's increasingly sophisticated cyberthreats stands to pay a high price. A single serious data breach could result in debilitating operational disruptions, financial losses, reputational damage and regulatory penalties.
Ultimately, business leaders can no longer afford to view cyber-risk in isolation, and neither can CISOs. Rather they should contextualize security initiatives within the broader, organization-wide framework of enterprise risk management. Doing so can help CISOs come to more effective, business-driven decisions that make sense in the big picture.
Enterprise risk management vs. cybersecurity
Cybersecurity and risk management have distinct scopes but significant overlap. Cybersecurity primarily focuses on the protection of digital assets -- such as information systems, networks and data -- from unauthorized access, disruption or theft. It centers on the technical controls, policies and procedures that mitigate cyber-risks.
Enterprise risk management, by contrast, is the process of identifying, assessing and mitigating the mountain of diverse risks -- strategic, financial, legal and operational -- organizations face today. While cybersecurity deals specifically with digital threats, enterprise risk management takes a much broader view, also concerning itself with threats in the economic, environmental, financial, judicial, legislative and social spheres.
To protect the organization most effectively against cyberthreats, a CISO must understand the overall risk landscape. Security leaders should therefore work closely with other risk management executives, among them chief risk officers and chief financial officers, to identify the organization's risk appetite and risk tolerance levels.
After all, it's the business that determines what risks are acceptable, not cybersecurity. Cybersecurity's job is to explain digital risks to the business and mitigate them as the business dictates.
Use enterprise risk management to inform cyber-risk strategies
Ideally, cybersecurity controls and investments align with the organization's risk appetite and risk tolerance levels, thus reflecting the broader enterprise risk management strategy.
With a risk-based approach, security leaders can determine their cybersecurity priorities based on the following:
- How likely a given cyber event is to occur.
- How damaging a given cyber event might be.
- Whether the organization is willing or unwilling to accept the cyber-risk.
- If not, what it would take to reduce the cyber-risk to an acceptable level.
For example, a financial institution would likely rank as significant the risk of unauthorized access to customer accounts. It would therefore prioritize the implementation of strong authentication mechanisms and stringent access control.
The integration of enterprise risk management and cyber-risk management is highly advisable. It does, however, require continuous internal efforts:
- Use enterprise risk management frameworks and methodologies to assess and quantify cyber-risks.
- Conduct regular risk assessments and vulnerability scans to identify weaknesses in the organization's security infrastructure and security controls.
- Hold regular coordinated security exercises across the enterprise to provide further insight into cyber-risk levels and mitigation needs.
- Reference the organization's overall enterprise risk management framework when developing the security program's incident response plans. The goal is to adopt a coordinated and holistic approach to managing and mitigating the aftermath of a cyber incident.
Rather than existing in siloes, enterprise risk management and cyber-risk management strategies should complement and inform each other. By integrating cybersecurity into their risk management frameworks, organizations can more efficiently and effectively protect their most valuable digital assets.