Overcoming the Three Biggest Obstacles in Enterprise Risk Management


Security risk management is a necessary part of cybersecurity. It allows budgets to be optimized and minimizes the damage caused by cyber attacks. At the enterprise level, risk management becomes more complicated to navigate, because many roles and functions within the company need to be considered. In this article we discuss three major obstacles that need to be overcome in order to implement a good enterprise risk management strategy.

What is enterprise risk management (ERM)?

Risk management refers to the process of assessing, analyzing, and responding to risk. ERM is a specific kind of risk management strategy that enterprises can implement. A defining feature of ERM is that it is an approach that extends beyond just the cybersecurity team and encompasses aspects of the entire enterprise. Instead of having security be kept out of sight and out of mind, other departments and the C-suite take an active interest in managing risk in the most efficient manner possible. Executives get involved by defining risk appetites, making concrete organizational goals, and adjusting budgets according to risks based on assessments performed by security teams.

How does enterprise risk management differ from traditional risk management?

Compared to traditional risk management, ERM takes a more holistic approach. Traditional risk management looks at localized risk and does not consider the broader picture of how that risk affects the enterprise. For example, under traditional risk management the security team is more likely to inventory only the assets visible to their own department. They may see that a certain vulnerability exists and then consider the risk only in terms of direct impact: they might notice they are using outdated antivirus protection and then consider what damage malware would do to their systems. This ignores the broader implications of malware risk, such as the reputational damage an attack will cause or the time executives will need to dedicate to incident response.

ERM looks at all the risks that security vulnerabilities create for the enterprise. The process dispels the notion that cyber risks are separate from other business risks. Instead, ERM treats regulatory risks, financial risks, cyber risks, operational risks, and compliance risks as all falling under one large umbrella: enterprise risks. This tends to make managing risk a more accurate and adaptive process, but the added complexity of this holistic approach can make implementing ERM difficult.

What are the three biggest obstacles security teams face in ERM?

Many of the obstacles in ERM that make risk management more difficult for security teams stem from complicated enterprise landscapes. Three obstacles that are important to overcome are disjointed governance, risk, and compliance (GRC); difficulties in quantifying risk; and understanding how to influence risk management solutions. Each of these problems arises at a different step of the enterprise risk management process, which can be divided into three stages: risk assessment, risk analysis, and implementing risk reduction.

Obstacle 1: Disjointed governance, risk, and compliance (GRC)

What is GRC?

Corporate governance is the framework for how a corporation is directed through rules, policies, and processes. In enterprises, governance is generally controlled by the board of directors and other C-suite members. Elements of GRC which have an immediate impact on risk management are controlling risk, ensuring transparency and accountability across an organization, as well as defining strategic business objectives with the interest of corporate stakeholders.

What makes GRC disjointed?

If an enterprise silos each part of GRC (governance, risk, and compliance management), managing GRC can become disjointed. In siloed enterprises, programs and processes do not communicate with each other, leading to a lack of efficiency and transparency.

What problems does this cause for the ERM process?

Several problems arise for security professionals trying to perform enterprise risk management when GRC is disjointed. The first issue comes in the risk assessment process. Taking an inventory of assets is the first step when you set out to identify risks. When parts of an enterprise are siloed, making an inventory can be difficult, as the security team in charge of the risk assessment is not aware of all the assets that may be vulnerable.

Diagram sourced from the COSO ERM framework.

This diagram from the COSO ERM framework demonstrates that governance and culture are the first stepping stones of enterprise risk management. One of the core elements of an effective ERM strategy is that it is an enterprise-wide approach. In order to plan a risk management strategy effectively, executives have to set expectations of what their risk appetite is (how much risk they find acceptable). Board members and executive leadership also need to have a mutual understanding of their organizational objectives and how security plays a part in them.

Solution – Define the roles of all involved in the ERM process

There are two parts to this solution. The security team needs to define their roles to make the process as efficient as possible, and executives have to take some of the responsibility in ERM as well.

Why is defining roles for ERM efforts within the security team important, and what should these roles be? Defining these roles is important because it allows a written plan to form and lets every part of the security team operate efficiently. Defining roles at the executive level is equally important, as executives have an integral role in the ERM process.

A basic layout of how security teams and executive teams work together is demonstrated in the graphic above, sourced from NIST’s ERM framework. Security teams focus on the implementation of risk management strategies. Executives’ roles lie in coming up with a common understanding of the enterprise’s risk management plan. This includes risk appetites of the business and what budget they are allocating to security. An intermediary, usually the CISO, will then have communication with the executives.

Exact roles will change depending on the size of the organization and the structure of its security teams. To see how your organization can structure an ERM strategy, several institutes have published guidelines with role recommendations; one example of such a list of roles comes from NIST's framework.

Obstacle 2: difficulties in quantifying risk

What is quantifying risk?

Quantifying risk means putting risk into numerical, data-driven terms. Qualifying risk (a qualitative assessment) refers to giving a more subjective interpretation of that risk. Nowadays it is more common for enterprises to stress prioritizing potential risks in a quantified way.

Executives often require that risks be assigned objective values. Most often when we mention quantifying risks we are specifically referring to assigning these risks monetary values. Executives are more likely to take action on risks if they know what the return on investment will look like. Considering executives’ prominent roles in the ERM process, simply telling them a threat is a “high risk” often will not convince them to make budgetary changes.

Why is quantifying risk difficult?

Cybersecurity is constantly evolving and relatively new. Little accurate historical data on cyber risks is available, and as a consequence the potential impacts of risks can be difficult to calculate. Predicting the impact of a cyber threat can be inaccurate because some impacts are intangible. How do you quantify how much damage an attack will cause to your reputation? How do you know whether an attack will cause a loss of share price and market value for your organization?

What problems do difficulties in quantifying risk cause for the ERM process?

Issues arise in the risk analysis stage of the process. Risk analysis involves prioritizing risks by comparing the potential impact of a risk against the likelihood that it will occur. Not only will the analysis show which risks are most pressing, it also shows which risks your enterprise may decide are not worth spending additional resources to fix. Ultimately, spending will come down to the risk tolerance of the enterprise as set by its executives.

Solution – Methods and tools can be used to best quantify risks in financial terms

Using the Factor Analysis of Information Risk (FAIR) model is one way businesses are able to quantify risk. FAIR breaks risks down into elements that can each be given a monetary value. The two top-level elements are loss event frequency and loss magnitude. Loss event frequency refers to how often loss-causing attacks occur. Loss magnitude refers to the cost of an attack, both direct and indirect.

Sourced from FAIR

FAIR addresses the uncertainty in risk by considering how likely each risk is. Likelihood is broken down into four factors: contact, action, capability, and control strength. These cover, respectively, the frequency with which the threat comes into contact with the asset, the probability that the threat will act against the asset, the probable nature of the impact on the asset, and the probability that the threat will succeed in overcoming protective controls.

Every element within a risk is analyzed by its likelihood. In this way risks are broken down into enough components that assigning them a value becomes much more accurate than estimating the risk as a whole. It turns risk impacts from something broad and intangible into something calculable.

While this model provides accuracy, it does take more time than qualifying risks. Many vendor tools focus on quantifying risks using this model, such as CyberSaint Security, RiskLens, and LogicGate, to name a few. Whether your organization quantifies risks using FAIR, vendor tools, or another method, being able to discuss risks in financial terms will help communicate priority to executives.
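The decomposition described above, worked through in code as an added example (not from the article, FAIR Institute, or any of the vendors named): loss event frequency is built from the contact, action and control-strength factors, loss magnitude from a min/most-likely/max estimate of direct plus indirect cost, and a small Monte Carlo shows the spread behind the single annualized figure. It also carries the comparison into the "save money" framing of obstacle 3 by netting a control's cost against the loss it removes. All scenario numbers are constructed for illustration, and the simplified factor model is an assumption of this example rather than the full FAIR taxonomy.

```python
import math
import random
from dataclasses import dataclass, replace
from statistics import mean, quantiles

@dataclass(frozen=True)
class Scenario:
    contact_frequency: float  # times per year the threat comes into contact with the asset
    prob_action: float        # probability that a contact becomes an attempt against the asset
    prob_success: float       # probability the attempt overcomes the controls (capability vs control strength)
    loss_min: float           # loss per event (direct plus indirect cost), best case ...
    loss_mode: float          # ... most likely ...
    loss_max: float           # ... worst case

def loss_event_frequency(s: Scenario) -> float:
    return s.contact_frequency * s.prob_action * s.prob_success

def loss_magnitude(s: Scenario) -> float:
    """Expected loss per event: mean of the triangular min/mode/max estimate."""
    return (s.loss_min + s.loss_mode + s.loss_max) / 3

def annualized_loss_expectancy(s: Scenario) -> float:
    return loss_event_frequency(s) * loss_magnitude(s)

def _poisson(rng: random.Random, lam: float) -> int:  # Knuth's sampler, fine for small yearly rates
    k, p, limit = 0, 1.0, math.exp(-lam)
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate(s: Scenario, years: int = 20000, seed: int = 7) -> dict:
    """Monte Carlo: per simulated year, a Poisson event count and a triangular loss per event."""
    rng = random.Random(seed)
    lef = loss_event_frequency(s)
    annual = []
    for _ in range(years):
        n = _poisson(rng, lef)
        annual.append(sum(rng.triangular(s.loss_min, s.loss_max, s.loss_mode) for _ in range(n)))
    deciles = quantiles(annual, n=10)  # cut points at 10%, 20%, ..., 90%
    return {"mean": mean(annual), "p50": deciles[4], "p90": deciles[8], "max": max(annual)}

def net_control_value(before: Scenario, after: Scenario, annual_control_cost: float) -> float:
    """Money a control frees per year: ALE reduction minus the control's own cost."""
    return annualized_loss_expectancy(before) - annualized_loss_expectancy(after) - annual_control_cost

# Constructed values, not from the article: malware landing on endpoints that run outdated antivirus.
MALWARE = Scenario(120, 0.10, 0.05, 20_000, 80_000, 500_000)
MALWARE_HARDENED = replace(MALWARE, prob_success=0.01)  # assumed effect of a control upgrade
```

With these inputs the point estimate is 0.6 loss events per year at an expected 200,000 per event, an ALE of 120,000; a control costing 40,000 per year that cuts the success probability to 1% frees 56,000 per year, which is the kind of return-on-investment figure the article recommends bringing to executives.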

Obstacle 3: understanding how to influence risk management solutions

Who can influence risk management?

Influencing risk decisions can be a difficult part of enterprise risk management for the security team. The level of communication between the C-suite and security teams varies from organization to organization, as does how much influence the C-suite gives the security team. At the end of the day, executives generally make the decisions about the size of the risk mitigation budget. From there, the CISO (or the highest-ranking member of the security team) may or may not have influence over how that budget is allocated.

As we have discussed in another article, communication between the CISO and the C-suite varies. A Ponemon Institute study found that almost a quarter of CISOs had no influence over the security budget, 44% had partial influence, and 34% had total control over budgeting.

The study also found that 63% of respondents said they do not regularly brief the Board of Directors on risks. A system with no communication between cybersecurity leaders and the C-suite makes enterprise risk management unlikely to work well.

What problems does lack of influence from security leaders cause for the ERM process?

Most steps in the ERM process fail if there is no communication between upper management and security leaders: GRC will be disjointed, risk analyses will not be properly understood, and risks will not be mitigated efficiently.

Communication should be open between security leaders and the C-suite for the process to work. Minimal communication, such as only holding meetings between the CISO and Board of Directors annually, also comes with its own problems. Risk management is an ongoing process. Frameworks usually look at risk management as a cycle instead of a linear process.

Illustration of a risk management process sourced from GTAG’s framework

For this reason, ERM strategy would suggest meetings be held at least several times a year between top security personnel and upper management. But even if meetings are held, how do security leaders influence managing risks?

Solution – frame risk management as a way to save money

While ultimately much of the budget decision-making falls on top management, the security team can present risk in ways that build influence. This does not in any way mean deceiving executives. Instead, it means framing risk so that risk management is shown to benefit the company, rather than presenting risk only as a negative.

Heads of cybersecurity know just how impactful cyber risks can be. While they might like to build the Fort Knox of security systems, they have to be mindful that executives are less likely to share this enthusiasm for security. Many executives see security only as an expenditure.

Framing risk management positively builds on the reason it is helpful to quantify risks in financial terms. Instead of focusing solely on where risks can lose a company money, risk management can be viewed as a way to streamline expenditures. Once the financial impacts of risks are determined, some threats may turn out to need less attention than previously thought.

A CISO can tell the board of directors that money can be freed up from one area and moved to another. Everything can be considered in terms of return on investment. Risks can be mitigated, the company can save money, and the enterprise as a whole will be better off when risks are managed efficiently.

The takeaways

Enterprise risk management can be an adaptive way to handle risk. It takes an enterprise-wide approach that, when handled correctly, minimizes risk and maximizes budget efficiency. Communication between cybersecurity leaders and executives is essential for ERM to function. Quantifying risks in financial terms and then prioritizing them by return on investment provides a way to treat risk management as a money-saving process. While ERM may be seen by some as more difficult to implement than traditional risk management, the solutions above not only help the ERM process but also allow security to be better integrated into the enterprise as a whole.
