With cyberattacks becoming more devastating and complex, cybersecurity is at the forefront of public and government attention.
But is cybersecurity getting the attention it deserves from senior leaders—and is information about cyber risks being properly integrated into organisations’ risk management strategies?
This month, the National Institute of Standards and Technology (NIST) published the latest in a series of reports that aim to integrate cybersecurity into organisations’ enterprise risk management (ERM) strategies.
The report contains some helpful advice about how cybersecurity teams can aggregate and communicate information about cyber risks to senior leaders to help them make important risk decisions with cybersecurity in mind.
Coordinating Cyber Risk and Enterprise Risk Management
The NIST report, titled NISTIR 8286C: Staging Cybersecurity Risks for Enterprise Risk Management and Governance Oversight, aims to help improve coordination between cybersecurity risk managers and “those managing risk at the most senior levels”.
The key purpose of the report is to try to put systems in place to help leaders make informed risk decisions.
“Managers at all enterprise levels depend on senior leaders to define the mission and objectives for the enterprise, and those senior leaders depend on risk practitioners to take appropriate actions and to report those actions in a consistent and timely manner,” the report states.
This is the third report in a series of NIST companion publications supplementing NISTIR 8286, published in October 2020.
Taken as a whole, the series ultimately seeks to integrate cybersecurity and enterprise risk management (ERM) as a response to the “frequency, creativity, and severity of cybersecurity attacks”.
This latest NIST report covers the following activities:
Ongoing assessment and reporting
Adjustment to risk direction and processes (including input from external stakeholders)
Integration of cybersecurity into an enterprise risk management (ERM) profile
Aggregation and normalisation of risk registers
Risk Registers Don’t Automatically Reduce Risk
A lot of NIST’s work in the area of cybersecurity and ERM has focused on creating risk registers.
Risk registers are an essential component of most organisations’ risk management operations. But creating a list of potential risks is not the end goal—risk registers need to help inform the operational decision-making that ultimately mitigates risk.
The NISTIR 8286C report thus seeks to help integrate cybersecurity risk registers—and cybersecurity risk management in general—into a company’s overall ERM profile and drive better-informed decisions with cybersecurity in mind.
Implementing the recommendations in the report should allow senior leaders to adjust governance components—such as policy, procedures and structures—based on the results of cybersecurity risk management activities.
Aggregating, Communicating and Acting On Cyber Risk Data
The report is 35 pages long and requires background knowledge of previous publications in the NISTIR 8286 series.
Here’s an overview of the activities and recommendations NISTIR 8286C describes:
How to aggregate and normalise cybersecurity risk management data from multiple sources
How to integrate information about cyber risks into an enterprise-level cybersecurity risk register
How to implement an enterprise governance system that helps maintain a comprehensive cybersecurity management program
Which processes will help reliably monitor cyber risk conditions, evaluate options for responding to changes, and adjust your risk management strategy
Again, the activities and recommendations draw heavily on the previous NIST reports in the series, NISTIR 8286A and NISTIR 8286B.
Communication Is Key
As noted, the key aim of NIST’s report is to improve “communication and coordination” between those working directly with cybersecurity and the senior leaders who make crucial decisions about risk.
The report provides a number of recommendations about aggregating cyber risk information, presenting it coherently, integrating the information into overall risk management profiles, and then making high-level, strategic decisions informed by cyber risks.
This should ultimately help ensure that cyber risks are taken sufficiently seriously and help organisations make the changes necessary to become more secure.