With cyberattacks becoming more devastating and complex, cybersecurity is at the forefront of public and government attention.

But is cybersecurity getting the attention it deserves from senior leaders—and is information about cyber risks being properly integrated into organisations’ risk management strategies?

This month, the National Institute of Standards and Technology (NIST) published the latest in a series of reports that aim to integrate cybersecurity into organisations’ enterprise risk management (ERM) strategies.

The report contains some helpful advice about how cybersecurity teams can aggregate and communicate information about cyber risks to senior leaders to help them make important risk decisions with cybersecurity in mind.

New NIST Report: Integrating Cybersecurity Into Enterprise Risk Management

Coordinating Cyber Risk and Enterprise Risk Management

The NIST report, titled NISTIR 8286C: Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight, aims to help improve coordination between cybersecurity risk managers and “those managing risk at the most senior levels”.

The key purpose of the report is to try to put systems in place to help leaders make informed risk decisions.

“Managers at all enterprise levels depend on senior leaders to define the mission and objectives for the enterprise, and those senior leaders depend on risk practitioners to take appropriate actions and to report those actions in a consistent and timely manner,” the report states.

This is the third report in a series of NIST companion publications supplementing NISTIR 8286, published in October 2020.

Taken as a whole, the series ultimately seeks to integrate cybersecurity and enterprise risk management (ERM) as a response to the “frequency, creativity, and severity of cybersecurity attacks”.

This latest NIST report covers the following activities:

  • Ongoing assessment and reporting

  • Adjustment to risk direction and processes (including input from external stakeholders)

  • Integration of cybersecurity into an enterprise risk management (ERM) profile

  • Aggregation and normalisation of risk registers

Risk Registers Don’t Automatically Reduce Risk

A lot of NIST’s work in the area of cybersecurity and ERM has focused on creating risk registers.

Risk registers are an essential component of most organisations’ risk management operations. But creating a list of potential risks is not the end goal—risk registers need to help inform the operational decision-making that ultimately mitigates risk.

The NISTIR 8286C report thus seeks to help integrate cybersecurity risk registers—and cybersecurity risk management in general—into a company’s overall ERM profile and drive better-informed decisions with cybersecurity in mind.

Implementing the recommendations in the report should allow senior leaders to adjust governance components—such as policy, procedures and structures—based on the results of cybersecurity risk management activities.

Aggregating, Communicating and Acting On Cyber Risk Data

The report is 35 pages long and requires background knowledge of previous publications in the NISTIR 8286 series.

Here’s an overview of the activities and recommendations NISTIR 8286C describes:

  • How to aggregate and normalise cybersecurity risk management data from multiple sources

  • How to integrate information about cyber risks into an enterprise-level cybersecurity risk register

  • How to implement an enterprise governance system that helps maintain a comprehensive cybersecurity management program

  • Which processes will help reliably monitor cyber risk conditions, evaluate options for responding to changes, and adjust your risk management strategy

Again, the activities and recommendations draw heavily on the previous reports in the series, NISTIR 8286A and NISTIR 8286B.
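The “aggregate and normalise” step listed above (and the “aggregation and normalisation of risk registers” activity earlier) is easiest to see on data. The following Python is an added illustration, not code from NIST or from the report: it takes constructed risk registers from three business units that score likelihood and impact on different scales (1–5, Low/Medium/High, 1–10), maps every score onto a common 0.0–1.0 range, checks that each entry has an owner and a unique ID, and produces one enterprise-level register ranked by exposure. The field names, scales and rating bands are assumptions chosen for the example, not the register template defined in the NISTIR 8286 series.

```python
"""Aggregate and normalise cyber risk registers from several business units.

Added example, not NIST's code. The field names, scoring scales and rating
bands below are assumptions; the point is that each unit scores risk on its
own scale, so an enterprise register must normalise before it can rank.
"""
from dataclasses import dataclass

# Constructed sample registers, one per business unit, each with its own scale.
UNIT_REGISTERS = {
    "finance": {  # numeric 1-5 scale
        "scale": ("numeric", 1, 5),
        "risks": [
            {"id": "FIN-01", "description": "Unpatched payment gateway",
             "likelihood": 4, "impact": 5, "owner": "CFO"},
            {"id": "FIN-02", "description": "Vendor invoice fraud",
             "likelihood": 3, "impact": 3, "owner": "AP lead"},
        ],
    },
    "engineering": {  # qualitative scale
        "scale": ("qualitative", ("Low", "Medium", "High")),
        "risks": [
            {"id": "ENG-07", "description": "Secrets committed to source control",
             "likelihood": "High", "impact": "High", "owner": "Head of Eng"},
        ],
    },
    "hr": {  # numeric 1-10 scale
        "scale": ("numeric", 1, 10),
        "risks": [
            {"id": "HR-03", "description": "Phishing of payroll staff",
             "likelihood": 7, "impact": 6, "owner": "HR Director"},
        ],
    },
}


def normalise(value, scale):
    """Map a unit-local likelihood or impact score onto 0.0-1.0."""
    kind = scale[0]
    if kind == "numeric":
        _, lo, hi = scale
        if not lo <= value <= hi:
            raise ValueError(f"score {value!r} outside scale {lo}-{hi}")
        return (value - lo) / (hi - lo)
    if kind == "qualitative":
        _, levels = scale
        if value not in levels:
            raise ValueError(f"unknown qualitative level {value!r}")
        return levels.index(value) / (len(levels) - 1)
    raise ValueError(f"unknown scale kind {kind!r}")


@dataclass(frozen=True)
class EnterpriseRisk:
    unit: str
    risk_id: str
    description: str
    owner: str
    likelihood: float  # normalised 0.0-1.0
    impact: float      # normalised 0.0-1.0

    @property
    def exposure(self) -> float:
        # Simple multiplicative exposure; an assumption for this example.
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        # Assumed enterprise rating bands for leadership reporting.
        if self.exposure >= 0.6:
            return "High"
        if self.exposure >= 0.3:
            return "Moderate"
        return "Low"


def build_enterprise_register(registers=UNIT_REGISTERS):
    """Validate, normalise and merge unit registers; rank by exposure."""
    seen_ids = set()
    rows = []
    for unit, register in registers.items():
        scale = register["scale"]
        for r in register["risks"]:
            if not r.get("owner"):
                raise ValueError(f"{r['id']} has no risk owner")
            if r["id"] in seen_ids:
                raise ValueError(f"duplicate risk id {r['id']}")
            seen_ids.add(r["id"])
            rows.append(EnterpriseRisk(
                unit, r["id"], r["description"], r["owner"],
                normalise(r["likelihood"], scale),
                normalise(r["impact"], scale)))
    return sorted(rows, key=lambda x: x.exposure, reverse=True)


if __name__ == "__main__":
    for row in build_enterprise_register():
        print(f"{row.rating:8} {row.exposure:.2f} {row.risk_id:7} "
              f"[{row.unit}] {row.description} (owner: {row.owner})")
```

Run as a script it prints the merged register with the highest-exposure items first. Without the normalisation step, the HR entry scored 7/10 and 6/10 would look more severe than the finance entry scored 4/5 and 5/5, which is the kind of distortion the report’s aggregation guidance is meant to prevent.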

Communication Is Key

As noted, the key aim of NIST’s report is to improve “communication and coordination” between those working directly with cybersecurity and the senior leaders who make crucial decisions about risk.

The report provides a number of recommendations about aggregating cyber risk information, presenting it coherently, integrating the information into overall risk management profiles, and then making high-level, strategic decisions informed by cyber risks.

This should ultimately help ensure that cyber risks are taken sufficiently seriously and help organisations make the changes necessary to become more secure.