Enterprise risk management is a well-established discipline for quantifying and assessing organizational risks....
Practitioners of ERM typically rely on structured frameworks that often have roots in actuarial science, accounting and anti-fraud. For instance, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM framework was developed in the late 1980s by five U.S. accounting and auditing organizations. Similarly, the Society of Actuaries has developed the chartered enterprise risk analyst credential, which focuses on the organizational impact of various risks -- operational, investment, strategic and reputational.
For cybersecurity professionals, these frameworks pose something of a challenge: There's no clear-cut way to map cybersecurity risk in their definitions of enterprise risk. A cybersecurity breach may affect all aspects of an organization -- i.e., operations, investment, strategy and reputation. As a result, cybersecurity professionals find themselves wasting time and effort in the attempt to classify cybersecurity risks within the framework, rather than being able to use the framework to determine a course of action.
There's also a more subtle problem with these frameworks: They define cybersecurity risk primarily in negative terms, as "chance or probability of loss." Technology practitioners know intuitively, if not explicitly, that loss is not the whole story. Risk almost always has two sides. The risk of doing something is often counterbalanced by the risk of not doing it. For instance, moving workloads to cloud services may expose an organization to the cybersecurity risk of data loss or breach -- but the risks of prohibiting the use of cloud services can be lowered agility and the loss of competitive advantage.
One important recommendation to cybersecurity professionals is to work with a framework that includes a more nuanced definition of risk than the actuarial and accounting frameworks do. An example is the International Organization for Standardization (ISO) 31000 suite of standards, which defines risk as "the effect of uncertainty on objectives" -- a definition that explicitly encompasses positive as well as negative outcomes. ISO 31000 also takes a higher-level approach, defining generic guidelines for the design, implementation and maintenance of risk management processes throughout an organization. It's designed for a broad group of stakeholders, including executives, operational managers and auditors, as well as professional risk managers.
For security professionals, this kind of higher-level cybersecurity risk framework is ideal because it provides a straightforward way to respond to risks once identified and to articulate mitigation strategies in a straightforward fashion. Cybersecurity risk can be handled in several ways:
- It can be avoided by prohibiting a specific action, such as not permitting workloads to be moved to the cloud.
- It can be explicitly accepted by taking an action, such as permitting workloads to be moved to the cloud to obtain competitive advantage.
- It can be removed or mitigated via technical or operational measures, such as deploying cloud access security broker technology and hiring cloud security specialists.
- It can be mitigated via contractual measures, such as obtaining cybersecurity insurance that explicitly protects cloud-based resources.
This means that cybersecurity specialists can spend considerably less time and effort trying to map the cybersecurity risks into a predefined framework and more time and effort on determining the strategy appropriate to each risk.
In sum, cybersecurity professionals should do their utmost to work with risk management frameworks such as ISO 31000, COSO and others that provide a broader definition of risk -- positive as well as negative. They should also emphasize a range of strategies for dealing with cybersecurity risk, including not just technical and operational enhancements but also cybersecurity insurance and the strategic option of simply accepting the risk.