GRC Tuesdays: Cyber and Enterprise-Wide Risk Management – Bridging the Visibility Gap
Albeit not a cyber expert, I find myself more and more drawn into associated discussions because Cyber Risk Management and Enterprise Risk Management are really starting to “merge”. And this makes perfect sense, since no risk occurs in a silo. A cyber risk could have a direct reputational or financial impact on the organization in addition to its direct operational impact.
Unfortunately, there’s often a perception that Enterprise Risk Management is “old school”, and that Cyber Risk Management is the new kid on the block that requires a more advanced risk framework. The result is that the two worlds are still mostly kept segregated, meaning that Boards and Management aren’t getting a full understanding of the overall business risk exposure when it comes to cyber threats.
This is a phenomenon that Chartis Research, a leading provider of research and analysis on the global market for risk technology, calls the “visibility gap”.
The question that needs to be answered therefore is: How can we close this visibility gap?
Closing the visibility gap
Going back to Chartis and one of their publications – Bridging the Gap: Integrating GRC and Cyber Risk, they mention that “the CISO’s objective is to give the board the information it needs to make faster and better security decisions in the context of often critical business strategies”. And to do so, they propose the creation of a cybersecurity dashboard that would integrate with the other Governance, Risk, and Compliance areas:
I personally think that this is a great idea, and, as a matter of fact, it’s something that my colleague Gabriele Fiata had already started working on for the SAP Cyber-security Dashboard. This is an art-of-the-possible dashboard built with the integration between SAP Security Solutions and SAP Analytics Cloud. The SAP Cyber-security Dashboard provides helicopter views on the overall security posture of the company:
Nevertheless, I think there are steps that need to be performed before this dashboard can be used – so that all risk-related data can be consolidated and that we are not comparing apples and pears.
And this is actually one of the core aspects of an organization’s cyber risk program as per Chartis’ report mentioned above: “Designing and implementing a core risk system”.
Step 1: Map the terminology
This is of course not specific to Cyber and Operational risks, the issue of naming conventions exists for financial risks, environmental risks, legal risks, etc. Each risk universe seems to have its own “specificities” and lingo. But ultimately, what we are all trying to identify is what could cause a disruption to the business and needs to be mitigated. As long as every team is working on the same assumptions, then it’s a good start. Aligning terminologies would therefore be a first logical step.
Step 2: Align the scales
One of the major hurdles that I encounter when talking with customers is that risk assessment scales are all over the map: for instance, operational risks use a 5-level impact scale, cyber only a 3-level one, and legal uses only a quantitative approach. As a result, simply importing cyber risks into the enterprise-wide risk universe will create severe discrepancies.
A good option I found was to relate all scales to a range of dollar (or euro, yen, etc.) values. Even if risk owners are not asked to assess the financial impact of every root cause or vulnerability, the qualitative or scoring scales themselves can be related back to a quantitative impact. By the same token, comparability is then made possible regardless of the assessment method: qualitative, quantitative or scoring.
Step 3: Link the events
Now that all events are located in the same universe, what about linking them?
As mentioned in the introduction, a cyber risk will have more than IT impacts: it will have effects on the operations, potentially introduce non-compliance issues, lead to loss of reputation, and so on.
All these are risks already recorded in the risk register. By linking the risks to recreate the entire causal chain, it will be possible to improve the mitigation strategy!
One of the key challenges highlighted in Chartis’ report is “Allocating adequate budgets to cyber risk management”. For me, only if decision makers are provided with the entire impact can they decide to allocate sufficient resources to adequately respond to the cyber risk. And this is achieved by linking the events… and by an efficient reporting.
Step 4: Enjoy a unified reporting
As per an EY Global Board Risk Survey from 2020, only “21% [of board members] are very satisfied with the accuracy, completeness and breadth of the risk reports they do receive”.
Boards typically receive a risk management status report once or twice a year: a lengthy document (or, on the contrary, sometimes just a simple graph) with the risk exposure of the company.
But since it has been manually put together, it can date from a few weeks at best to a few months at worst. As a result, the information displayed is outdated.
With a single dashboard automatically displaying all risk information – regardless of origin – Board members are able to get a consolidated view of whether more or fewer risks are endangering the achievement of their objectives. Should they be concerned or interested, they can further drill down into the information, even to the most granular level: the risk event itself and its Risk Owner.
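The scale alignment of Step 2 and the event linking of Step 3, worked through together as an added illustration (this is not code from the post, from Chartis or from SAP’s products): each risk universe keeps its own rating scale, every level is mapped to a monetary band, and a cyber event is linked to the operational and legal risks it triggers so that the whole causal chain can be ranked in one currency. The band boundaries, risk ids and links are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed assumption: every universe keeps its own rating scale, but each
# level is mapped to a monetary impact band so ratings become comparable.
IMPACT_BANDS = {
    "operational": {1: (0, 10_000), 2: (10_000, 100_000), 3: (100_000, 1_000_000),
                    4: (1_000_000, 10_000_000), 5: (10_000_000, 100_000_000)},
    "cyber": {"low": (0, 100_000), "medium": (100_000, 1_000_000),
              "high": (1_000_000, 100_000_000)},
}

@dataclass
class Risk:
    rid: str
    universe: str          # "operational", "cyber", or "quantitative"
    rating: object         # scale level, or a direct amount for "quantitative"
    triggers: list = field(default_factory=list)  # ids of risks this one causes

def monetary_impact(risk):
    """Translate a rating into a currency amount: band midpoint, or the amount itself."""
    if risk.universe == "quantitative":
        return float(risk.rating)
    low, high = IMPACT_BANDS[risk.universe][risk.rating]
    return (low + high) / 2

def chain_impact(rid, register, seen=None):
    """Sum the impact of a risk and every downstream risk it is linked to."""
    if seen is None:
        seen = set()
    if rid in seen:           # linked risks may form a cycle; count each once
        return 0.0
    seen.add(rid)
    risk = register[rid]
    return monetary_impact(risk) + sum(chain_impact(t, register, seen) for t in risk.triggers)

def rank_register(register):
    """Rank every risk by its full causal-chain exposure, highest first."""
    return sorted(((rid, chain_impact(rid, register)) for rid in register),
                  key=lambda pair: pair[1], reverse=True)

# Constructed register: a cyber event that cascades into an operational outage
# and a regulatory fine that the legal team recorded as a direct amount.
REGISTER = {r.rid: r for r in [
    Risk("CYB-01", "cyber", "high", triggers=["OPS-03", "LEG-02"]),
    Risk("OPS-03", "operational", 4),
    Risk("LEG-02", "quantitative", 250_000),
    Risk("OPS-07", "operational", 2),
]}

if __name__ == "__main__":
    for rid, amount in rank_register(REGISTER):
        print(f"{rid}: {amount:,.0f}")
```

Run stand-alone, the cyber event tops the list because its chain carries the outage and the fine, which is the exposure a budget decision in Step 3 should be based on rather than the IT impact alone.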
What about risk velocity?
When discussing this topic of Cyber and enterprise-wide risk integration with Brian Tremblay, he mentioned that he thought that there might be a flaw in one of the dimensions of Cyber risks as it is performed today. From a cybersecurity perspective, most efforts are put in assessing the harmful impact of a vulnerability on the enterprise asset(s) – for instance a software issue, a malicious action, a system configuration error, etc. That is of course perfectly valid, but may leave aside a critical component: the time aspect.
When looking at the Common Vulnerability Scoring System (CVSS), the time aspect is taken into account over the lifetime of the vulnerability, “as exploits are developed, disclosed and automated and as mitigations and fixes are made available”. Nevertheless, the velocity, or speed at which a vulnerability can become an issue for the company, is usually not included in the risk assessment.
Interestingly, this is an aspect that “traditional” Enterprise Risk Management already caters for. And, even though it is not used very widely, “velocity” or “speed of onset” of a risk is a common assessment measure available in most risk management software. So why not give it a try and maybe make it an optional assessment criterion going forward, until such time as risk owners are ready to document it systematically?
What about you, how does your company integrate its cyber and enterprise-wide risks? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard