Getting on Top of Enterprise Cyber Risk Management
By Syed Abdur
It’s common for two people to discuss enterprise cyber risk management without sharing a common understanding of the topic. What is enterprise cyber risk management, anyway? The answer can vary within an organization, often depending on whether you belong to business, IT, InfoSec or another function. It’s worthwhile to try to establish a common understanding of this important discipline since a lot is riding on the proper execution of enterprise cyber risk management.
What is Enterprise Risk?
When business leaders talk about risk, they generally mean the likelihood that some force outside of their control is going to damage corporate assets. This might mean a fire burning down a warehouse or a computer virus erasing intellectual property. Implied in this is the idea that a company’s executives have a duty to protect the shareholders’ assets from the risk of financial damage. Enterprise risk refers to this idea in a big-company context. As businesses undergo rapid digital transformation and an increasing number of business functions and processes move to the cloud, it’s imperative that enterprise risk management include a cyber component.
Keeping Cyber Risk Management Discussions on Track
Getting to a practical understanding of enterprise cyber risk management can be a challenging proposition. It’s not anyone’s fault; the enterprise risk management (ERM) field is large and diverse. There are multiple frameworks for ERM, each of which comes at the problem from a different angle. The COSO ERM framework, for example, is primarily about financial risk, such as fraud or bad debt. Other frameworks are more suited to risks that can be covered by insurance, and so forth.
In many enterprises, the chief risk officer (CRO) is responsible for ERM, but mostly in the context of compliance. They are tasked to ensure the enterprise stays in compliance with laws such as Sarbanes-Oxley, GDPR and HIPAA. As part of the mandate to be compliant, the organization may be required to meet some cybersecurity standards. However, it’s dangerous to make compliance the primary driver for cyber risk management goals and strategies. It is possible to be compliant with the law but still be at serious risk from a cybersecurity perspective.
Further, the CRO may have no practical mandate to deal with cyber risks. They may need to defer to or work in tandem with the chief information security officer (CISO). The absence of a clear definition and common understanding leaves too many rabbit holes for the various stakeholders to fall into. To be effective, enterprise cyber risk management must be a continuous, consistent process that brings together people and information across business, IT and information security.
Understanding Enterprise Cyber Risks
Enterprise cyber risk, for our purposes, is any situation where a cyber-borne threat negatively affects the business value or operational effectiveness of a corporate asset. This is a far broader definition of cyber risk than is normally used in cybersecurity circles. CISOs tend to look at risk in terms of digital assets—threats to destroy data and software or disrupt networks, for example. However, enterprise cyber risks are far more extensive in nature. Examples include:
- Diminished brand reputation caused by customers’ confidential information being compromised.
- Physical damage or even fatalities caused by hacking operational technology (OT) systems.
- Financial losses due to critical business applications being unavailable as a result of DDoS attacks.
Let’s look at the case of the Equifax breach. In September 2017, the credit rating agency announced that hackers had exploited a web application vulnerability to gain access to personal and confidential information for nearly 150 million people. The compromised data included Social Security numbers, birth dates, addresses, driver’s license numbers and credit card information. The unauthorized access began in mid-May and continued through July. The extent and severity of the breach and the lack of an appropriate response from Equifax resulted in serious consequences for the business.
The handling of the breach and subsequent disclosure and response drew outrage from the public and likely caused significant damage to the Equifax brand. Several key executives, including the CEO, “retired” in the weeks and months following the disclosure. The company faced more than 240 class action lawsuits and investigations from state and federal agencies, including the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC). Equifax reported that during the third quarter of 2017, it recorded $87.5 million for expenses related to the breach. While a web application vulnerability was the cause of the breach, the extensive damage to the business was a result of its inability to understand and manage enterprise cyber risk.
The Challenge of Enterprise Cyber Risk Management
Enterprise cyber risk is not finite. In fact, it’s endless. We’re not just talking about the literally hundreds of millions of cyberthreats that appear every year. Corporate assets are exposed to cyberthreats in almost every imaginable way. The attack surface area is immense, including every endpoint, application, data store and infrastructure element. And, none of these are static—applications are constantly changing; operating systems and hardware are continuously being updated. Connections between a company, its partners and the outside world are always in flux.
In practical terms, the challenges in enterprise cyber risk management revolve around maintaining awareness and control in a massively complex and rapidly shifting environment. This is further complicated by a flawed understanding of the information security function in most organizations. Who within the enterprise does cybersecurity serve? Who is the internal “client” for InfoSec? Is IT accountable to InfoSec, or is it the other way round? One way to try to make sense of this is to think of IT and InfoSec as essential but ancillary functions (like legal, HR, etc.) that exist within the enterprise to support the business. Neither function is accountable to the other; both are accountable to the business and exist to help the enterprise reach its ultimate goals.
Approaching Enterprise Cyber Risk Management
With a more nuanced understanding of how business, IT and cybersecurity work together to achieve common goals, we can begin to put together a practical framework for enterprise cyber risk management. InfoSec typically has good visibility into IT processes and data and works extensively on this information to accomplish various monitoring and assessment activities necessary to identify gaps, vulnerabilities and threats. However, to evaluate the associated cyber risks effectively, we must understand the potential impact of these weaknesses and threats to the business. This can be done by building relevant and accurate business context into the cyber risk analysis process.
While it may seem daunting at first, most enterprises have the information required to build business context somewhere within the enterprise. Business continuity and disaster recovery (BC/DR) initiatives can report the business impact of technical assets. Data protection programs can provide information about which parts of the infrastructure process sensitive and confidential information. Compliance initiatives monitor the status of assets that must be tracked in accordance with various standards. What most organizations struggle with are the data management capabilities and analytical maturity necessary to incorporate and operationalize this information.
It’s equally important to establish the right ownership and accountability model for cyber risk. Repeated alerts and notifications from InfoSec may fall on deaf IT ears, but making the business owner a part of the risk remediation process can have a very different effect. In this updated model, cybersecurity is simply facilitating the conversation between responsible and accountable stakeholders. Making business users part of the risk ownership and escalation chains ensures that those directly impacted by the problem have a say in how and when it is addressed.
A cyber risk management platform can facilitate this process. It can aggregate all the data required for cyber risk analysis—across business, IT and cybersecurity data sources. The platform can normalize and correlate risk data so enterprise risk managers can see the connections between technology assets, threats and impact to the business. Armed with this knowledge, risk managers can prioritize vulnerabilities and focus mitigation efforts on the most critical risks and the most valuable assets. An organized, data-centric approach to enterprise cyber risk management can bring the CISO, CRO and their distinct perspectives on cyber risk together for a shared purpose. Properly correlated and interpreted risk data creates the common ground necessary for a truly enterprisewide approach to cyber risk management.
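As an added illustration of the correlation step described above (this is example code, not the author’s or any vendor platform’s), the Python sketch below joins scanner findings with business context normalized from BC/DR, data classification and compliance sources and ranks them; every asset name, weight and record is constructed for the example.

```python
# Added example: rank vulnerability findings by business context, not CVSS alone.
from dataclasses import dataclass

# Constructed scanner findings: what InfoSec alone can see.
FINDINGS = [
    {"asset": "web-portal-01", "cvss": 9.8, "exploited_in_wild": True},
    {"asset": "hr-fileshare", "cvss": 7.5, "exploited_in_wild": False},
    {"asset": "dev-sandbox-03", "cvss": 9.8, "exploited_in_wild": True},
]

# Constructed business context, normalized from three enterprise sources:
# BC/DR business impact tier, data protection classification, compliance scope.
BCDR = {"web-portal-01": "critical", "hr-fileshare": "important", "dev-sandbox-03": "low"}
DATA_CLASS = {"web-portal-01": "pii", "hr-fileshare": "pii", "dev-sandbox-03": "public"}
COMPLIANCE = {"web-portal-01": {"PCI"}, "hr-fileshare": {"HIPAA"}, "dev-sandbox-03": set()}

# Assumed weights; a real program would agree these with the business owners.
CRITICALITY_WEIGHT = {"critical": 3.0, "important": 2.0, "low": 1.0}
DATA_WEIGHT = {"pii": 2.0, "confidential": 1.5, "public": 1.0}


@dataclass
class Risk:
    asset: str
    technical: float        # severity as the scanner reports it
    business_factor: float  # multiplier derived from business context
    score: float            # what the risk manager actually prioritizes on
    escalation_scope: set   # compliance regimes whose owners join the escalation chain


def business_factor(asset):
    # An asset with no business context is a data-management gap, so it defaults
    # to the highest weights instead of silently ranking as unimportant.
    crit = CRITICALITY_WEIGHT.get(BCDR.get(asset), 3.0)
    data = DATA_WEIGHT.get(DATA_CLASS.get(asset), 2.0)
    compliance_bonus = 0.5 * len(COMPLIANCE.get(asset, set()))
    return crit * data + compliance_bonus


def prioritise(findings):
    risks = []
    for f in findings:
        technical = f["cvss"] * (1.5 if f["exploited_in_wild"] else 1.0)
        bf = business_factor(f["asset"])
        risks.append(Risk(f["asset"], technical, bf, technical * bf,
                          COMPLIANCE.get(f["asset"], set())))
    return sorted(risks, key=lambda r: r.score, reverse=True)
```

With this data the two findings that are identical to the scanner (CVSS 9.8, exploited in the wild) end up at opposite ends of the list, which is the point of adding business context.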