Enterprise risk management (ERM) is the process of assessing risks to identify both threats to a company's financial well-being and opportunities in the market. The goal of an ERM program is to understand an organization's tolerance for risk, categorize it, and quantify it. When companies look at enterprise risk, the traditional approach is to look at financial risks, regulatory risks and operational risks. What happens if the exchange rate drops and the interest rate rises, if new drugs don't get FDA approval, or if your main warehouse burns down?

To make the calculation, you take the potential impact of an event and multiply it by the odds of that event happening. For low-impact events, even a high probability of occurrence won't affect the company's total risk exposure by much, while for high-impact events, even a low probability of occurrence is potentially devastating.

Risks posed by the cybersecurity threat landscape are increasingly part of the ERM equation, and that poses a challenge for CISOs and other senior security professionals. Quantifying the business impact of a cybersecurity event is a very difficult, if not impossible, task, and quantifying the likelihood of such an event is even harder.

At Aetna, for example, cybersecurity risks are considered part of operational risk in the company's enterprise risk management framework. These risks are specific and quantitative. In fact, there's a daily risk score that gets fed into the ERM system.

CSO Jim Routh is not only responsible for this process, but is also a member of the risk committee that provides governance for Aetna's ERM program. "Security is growing in significance to effective enterprise operational risk management," he says. "Tight alignment with both the ERM and crisis management programs is essential." It's not enough to just go by compliance requirements, Routh adds. "The rapid evolution of threat actor tactics requires consistent evolution of control design and effectiveness," he says. "Regulatory compliance is essential, but insufficient to achieve enterprise resiliency."

Focusing on business impact is a different way to think about cybersecurity, and it requires a different mindset than that of tactically responding to cybersecurity threats. Cybersecurity used to be all about preventing attacks, and a breach either occurred or it didn't. "Now, most organizations understand that cybersecurity is not a problem to be solved but a risk to be managed," says Andrew Morrison, leader of strategy defense and response for cyber risk services at Deloitte & Touche. "Most of the market is acclimated to the fact that it's no longer if an attack will occur and how we will manage it. That entails a totally different mindset. Risks, by nature, can be accepted, mitigated, or transferred," he says.

There's often a disconnect between the language of security and the language of risk, and that can make it harder for a CSO to play a meaningful role in the enterprise risk management discussion. In fact, many cybersecurity experts throw up their hands in frustration when asked how they quantify the risk reduction associated with particular mitigation strategies, and instead point to media reports about breaches, cybersecurity frameworks like NIST and FAIR, or operational metrics when asked for validation.

In ERM frameworks, the word "risk" carries a very particular meaning. Cybersecurity leaders who come up from the technical side, as most do, tend to focus on very tactical technical issues rather than bottom-line impacts. For example, if a vulnerability isn't patched, there's a risk that attackers will exploit it to steal data.

A business-focused description of the same problem, however, might be that patching the vulnerability will reduce the probability of a breach of a particular database, which, if exposed, will cost a particular amount of money in lost business, fines and remediation expenses.