Let’s Talk About Risk

Hey everyone. Rock here. Let me just say what you already know.

"Your organization MUST treat cybersecurity as an ENTERPRISE RISK instead of only as an IT risk that "those tech guys" will handle."

The use of the cloud, and other transformational technologies such as the Internet of Things, has exploded throughout all organizations. This has increased YOUR organization's attack surface and the likelihood of an attack.

Protecting all data, workflows, and processes all of the time is impractical…ESPECIALLY considering the constantly evolving threat landscape and the dynamic nature of most companies' organizational structures, strategies, and Board-level involvement.

The odds of success in doing so are exceedingly low, AND the cost is infeasibly high.

Due to ongoing high-profile cybersecurity breaches and incidents, the Securities and Exchange Commission established an Enforcement Cyber-Unit Division that has published numerous documents offering guidance to Boards of Directors.

That new guidance covers disclosure obligations relating to cybersecurity risks and cyber incidents.

If you want results, YOU need to start at the top—not the bottom!

THERE IS A BETTER WAY!!!

Cybersecurity risk should be…must be integrated into YOUR firm's overall Enterprise Risk Management (ERM) program to address the challenge of security and privacy in today's global landscape.

The goal of ERM is to understand an organization's tolerance for risk, categorize it, and quantify it.

Many organizations do not have a formal ERM program, but someone is undoubtedly responsible for enterprise risk. This may be the General Counsel or the Chief Financial Officer. MAKE THEM YOUR FRIEND!

Risk is secondary to their primary role! Help them help themselves! They have likely wanted to form a formal ERM program but have neither the time nor knowledge. Volunteering to help them will ensure that cybersecurity risk is integrated into the overall Enterprise Risk Plan.

What's next?

Back to the Board of Directors!

Boards of Directors love "best practices" and "frameworks" versus the perception of "making it up as you go."

In 2017, the Committee of Sponsoring Organizations of the Treadway Commission (COSO for short) re-developed their ERM framework. That framework addressed the fact that BUSINESS RISK has evolved to include CYBER RISK.

Some benefits of using that framework to integrate cybersecurity risk into YOUR ERM program include:

  • Securing the involvement of senior leadership and the Board in cybersecurity initiatives.

  • Better alignment of cybersecurity with strategic business objectives.

  • Raising cybersecurity's profile within the organization to ensure that enterprise risk is more accurate.

  • Tailoring risk profile to reflect specific threats to the organization and the industry as a whole.

  • Increasing visibility and transparency to drive better identification and treatment of risk.

  • More cost-efficient risk treatment.

The COSO ERM framework details guiding principles that are grouped into five risk management components.

  1. Governance and Culture.

  2. Strategy and Objective-Setting.

  3. Performance.

  4. Review and Revision.

  5. Information, Communication, and Reporting.

Notice how these objectives tie as much to your company's executive leadership and Board of Directors as they do to your function!

Can you afford not to be the leader in this transformative way of addressing cyber risk?

Over the next several weeks, I will address how managing cybersecurity risk can be woven and molded into each of these five components. I am looking forward to your comments, but if you want to have a discussion, just send me a message, and we can set something up. Stay tuned!
