The busy folks at NIST have just released the official version of NISTIR 8286 Integrating Cybersecurity and Enterprise Risk Management (ERM). It focuses on converging cybersecurity risk management (CSRM) and enterprise risk management (ERM) programs.
It is a very timely document. Just last week the US Office of the Comptroller of the Currency (OCC) assessed a $400 million civil money penalty against Citibank related to deficiencies in enterprise-wide risk management, compliance risk management, data governance, and internal controls.
So what was the issue? Risk management requires identifying and understanding the various types of risk that an enterprise faces, determining the probability that these risks will occur, and estimating their potential impact. Even though cyber risk is only one portion of the spectrum of an enterprise’s core risks, digitalization is making cyber risk a growing factor in overall enterprise risk.
Risk management raises the question: what is risk? One good definition of risk is “the effect of uncertainty on objectives”, which makes risk management the set of processes that minimise uncertainty in order to safeguard the enterprise’s mission, finances and reputation in the face of natural, accidental, and adversarial threats.
OK, so we’ve defined risk. So what is risk management? The key to managing anything is defining objectives and measuring outcomes. No news here – who hasn’t heard of management by objectives? Managing risk is no different.
The first step in measuring risk is defining a risk appetite, i.e. the amount of risk an organisation is willing to accept in pursuit of its mission and vision. Risk appetite is defined by risk objectives established by the organisation’s leadership through policy. Risk appetite is not an absolute: it comes with a risk tolerance, the acceptable level of variance relative to the achievement of those objectives (see figure 1). Risk management is the continuous improvement process of applying controls to business processes so that residual risk does not exceed the organisation’s risk appetite.
Figure 1. Risk appetite vs. risk tolerance
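The relationship between appetite and tolerance described above can be made concrete as a check over a risk register. The following is an added example, not from NISTIR 8286 or from Orchestra’s platform. It assumes a simple qualitative scheme (likelihood and impact each scored 1 to 5, exposure as their product), a policy-set appetite threshold with a tolerance band above it, and a constructed register of four risks with the expected exposure reduction from planned controls. Each risk is classified on both its inherent exposure and its residual exposure after controls, which is what the continuous improvement loop in the text is meant to drive down.

```python
"""Evaluate a risk register against a policy-defined risk appetite and tolerance.

Added example. The scoring scale, thresholds and register entries are all
constructed for illustration; they are not taken from NISTIR 8286.
"""
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    WITHIN_APPETITE = "within appetite"      # no action beyond routine monitoring
    WITHIN_TOLERANCE = "within tolerance"    # above appetite, inside accepted variance
    EXCEEDS_TOLERANCE = "exceeds tolerance"  # escalate and add or strengthen controls


@dataclass(frozen=True)
class RiskAppetite:
    """Leadership's risk objectives expressed as exposure thresholds (assumed scheme)."""
    appetite: int   # highest exposure the organisation is willing to accept
    tolerance: int  # acceptable variance above the appetite before escalation

    def classify(self, exposure: int) -> Status:
        if exposure <= self.appetite:
            return Status.WITHIN_APPETITE
        if exposure <= self.appetite + self.tolerance:
            return Status.WITHIN_TOLERANCE
        return Status.EXCEEDS_TOLERANCE


@dataclass(frozen=True)
class Risk:
    """One register entry. likelihood and impact use a 1..5 ordinal scale (assumed)."""
    risk_id: str
    description: str
    likelihood: int         # 1 = rare ... 5 = almost certain
    impact: int             # 1 = negligible ... 5 = severe
    control_reduction: int = 0  # exposure points removed by planned/implemented controls

    def __post_init__(self) -> None:
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{self.risk_id}: {name} must be 1..5, got {value}")
        if self.control_reduction < 0:
            raise ValueError(f"{self.risk_id}: control_reduction must be >= 0")

    @property
    def inherent_exposure(self) -> int:
        """Exposure before any controls are applied."""
        return self.likelihood * self.impact

    @property
    def residual_exposure(self) -> int:
        """Exposure after controls; floored at zero."""
        return max(0, self.inherent_exposure - self.control_reduction)


def evaluate_register(register: list[Risk], appetite: RiskAppetite) -> list[dict]:
    """Classify every risk on inherent and residual exposure against the appetite."""
    return [
        {
            "risk_id": r.risk_id,
            "inherent_exposure": r.inherent_exposure,
            "inherent_status": appetite.classify(r.inherent_exposure),
            "residual_exposure": r.residual_exposure,
            "residual_status": appetite.classify(r.residual_exposure),
        }
        for r in register
    ]


def summarise(rows: list[dict]) -> dict[str, int]:
    """Count risks per residual status; the escalation list is the 'exceeds tolerance' bucket."""
    counts = {s.value: 0 for s in Status}
    for row in rows:
        counts[row["residual_status"].value] += 1
    return counts


# Constructed policy: accept exposure up to 8, tolerate up to 11, escalate above that.
SAMPLE_APPETITE = RiskAppetite(appetite=8, tolerance=3)

# Constructed register entries.
SAMPLE_REGISTER = [
    Risk("R-01", "Phishing leading to credential theft", likelihood=4, impact=4, control_reduction=6),
    Risk("R-02", "Ransomware on file servers", likelihood=3, impact=5, control_reduction=3),
    Risk("R-03", "Lost laptop holding customer data", likelihood=2, impact=3),
    Risk("R-04", "Third-party SaaS outage", likelihood=3, impact=2),
]

if __name__ == "__main__":
    rows = evaluate_register(SAMPLE_REGISTER, SAMPLE_APPETITE)
    for row in rows:
        print(f"{row['risk_id']}: inherent {row['inherent_exposure']:>2} ({row['inherent_status'].value}), "
              f"residual {row['residual_exposure']:>2} ({row['residual_status'].value})")
    print(summarise(rows))
```

In this constructed register R-01 drops from exceeding tolerance to within tolerance once its controls are counted, while R-02 still exceeds tolerance after controls and is the one item leadership would see on an escalation list. Changing the appetite or tolerance values in `SAMPLE_APPETITE` moves the bands without touching the register, which is the separation between policy and measurement the text describes.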
The gist of the new NIST guidelines is that cybersecurity needs to move away from an absolute view based only on threats and mitigations, to a continuous improvement risk approach based on an explicit organisational risk appetite.
Orchestra is building a platform to do just that: enable organisations to explicitly define their risk appetite and use it to verify and monitor their security controls.