Nearly all cybersecurity regulations and industry standards start with a risk assessment process. However, for many organizations, formalizing their series of risk reviews into an enterprise cyber risk management framework can feel overwhelming. Operationalizing your security risk by developing an enterprise risk management framework can provide a more effective strategy for the long term.
What is an enterprise cyber risk management framework?
Before developing an enterprise risk management (ERM) framework, you need a strong understanding of the benefits it gives to your organization.
An enterprise risk management framework, referred to as an integrated framework by some regulations and industry standards, requires you to identify known risks, review any changes made to your IT portfolio, assess new risks, and work with management to determine how to improve risk reporting.
Functionally, by continuously iterating this series of steps, you create an overarching program with repeatable actions that more proactively address risks and enhance risk response activities.
How to establish organizational objectives
The first step to developing a successful ERM framework is to create a cross-functional team and determine the organization’s most imperative business goals. In many organizations, this team includes the IT department, line of business leadership, and senior executive leadership.
For example, if your company is moving towards a cloud-first or cloud-only strategy, the team should include:
- Chief Information Officer: to assess new technologies such as Software-as-a-Service (SaaS) tools
- Chief Information Security Officer: to review the technology’s security posture
- Chief Executive Officer: to align technology decisions with business strategies
- Chief Financial Officer: to review costs associated with strategies and technologies
- Chief Compliance Officer: to ensure compliance with standards and regulations
- IT Auditor: to provide insight into controls and security documentation
- Relevant Department Directors: to explain how their technology choice increases their departments’ effectiveness and revenue generation
Each internal stakeholder has different needs and concerns, so by bringing them together your organization can make more informed decisions.
Why you need to start by identifying risks
As part of developing an ERM framework, you need to identify risk across your current IT portfolio. The basic premise underlying this step is that you can’t secure everything, but you definitely can’t secure the locations that you don’t know exist. As your organization builds out its digital transformation strategy, you expand the attack surface.
For example, you should ask:
- What are the systems, software, and networks?
- What types of data do you collect, transmit, and store?
- Where do you collect, store, and transmit data?
- What devices are connected to your networks?
- Who connects to your networks and from where?
Understanding all the potential locations, data types, and users that can pose a risk to your information security posture means that you have a deeper understanding of potential threats and can create stronger risk mitigation strategies.
How to assess risks after identifying them
Once you identify the risks, you need to examine the level of risk associated with each one. Since not all assets are equally important, you need to think like a malicious actor and decide which resources would be most valuable to an attacker.
When assessing risk, you should start by looking at the highest risk data types, systems, networks, and software. Some questions to ask include:
- Do you collect personally identifiable information (PII)?
- Do you store PII?
- Where do you collect, store, and transmit PII?
- What devices are connected to your networks and systems?
- What software are you using?
- What cloud services are you using?
Depending on the sensitivity of data and the location where you store it, the risks can be set as low, medium, or high. For example, publicly available information stored in an on-premises database that doesn’t connect to the internet is a low risk. Meanwhile, PII stored in a cloud database might be high risk since misconfigurations can leave it exposed to the world, creating a data breach.
Why analyzing risks matters
Analyzing risk takes the identification and assessment steps and levels them up a bit. Now that you know what data you have, where it resides, who uses it, and the different types of risk involved, you can analyze the risk more effectively.
Just as not all risks are equal, both the likelihood of a data breach and the impact a data breach has on your organization vary. The general equation for analyzing risk is:
Impact of Data Incident × Likelihood of a Data Incident / Costs Incurred
For example, if a database that doesn’t store any sensitive data is breached, the costs incurred and impact would be low. Therefore, even if a high likelihood of incident exists, the low costs and impact mean that the risk is low or medium. However, if you store cardholder data on a segmented network, the impact would be high – both financial and reputational – and so would the costs incurred. Thus, even if the likelihood is medium or low, this area of your IT portfolio is likely a high risk overall.
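The tiering described above can be kept as a small risk register. The following is an added example, not code from the article or from SecurityScorecard; the three-level scales, the impact/likelihood matrix, the asset attributes and the sample register are all constructed here, and the article's "costs incurred" term is folded into the impact rating (an assumption, since the text treats cost and impact together in its examples). The matrix is deliberately shaped to reproduce the article's two worked examples: a non-sensitive database rates low or medium even at high likelihood, while cardholder data on a segmented network stays high even at low likelihood. Each asset also carries the tolerance decision (refuse, accept, transfer or mitigate) so that high risks with no recorded decision can be listed.

```python
from dataclasses import dataclass
from typing import Optional

# Ordinal scale used for both impact and likelihood (constructed for this example).
LEVELS = ("low", "medium", "high")

# Constructed 3x3 matrix keyed by (impact, likelihood). It reflects the article's
# stance that a high-impact asset (PII, cardholder data) stays high risk even when
# likelihood is low, while a low-impact asset tops out at medium risk.
RISK_MATRIX = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "high",     ("high", "medium"): "high",     ("high", "high"): "high",
}


@dataclass
class Asset:
    name: str
    data_class: str                  # "public", "internal", "pii" or "cardholder"
    location: str                    # "on-prem" or "cloud"
    internet_facing: bool            # reachable from the internet?
    segmented: bool = False          # isolated on its own network segment?
    treatment: Optional[str] = None  # "refuse", "accept", "transfer", "mitigate" or None (undecided)


def impact_of(asset: Asset) -> str:
    """Impact (financial and reputational cost of an incident) follows data sensitivity."""
    if asset.data_class in ("pii", "cardholder"):
        return "high"
    if asset.data_class == "internal":
        return "medium"
    return "low"


def likelihood_of(asset: Asset) -> str:
    """Likelihood follows exposure: internet reach and cloud hosting raise it, segmentation lowers it."""
    score = 0
    if asset.internet_facing:
        score += 1
    if asset.location == "cloud":
        score += 1  # a misconfigured cloud store can be exposed to the world
    if asset.segmented:
        score -= 1
    return LEVELS[max(0, min(2, score))]


def rate(asset: Asset) -> dict:
    """Combine impact and likelihood through the matrix into one low/medium/high rating."""
    impact, likelihood = impact_of(asset), likelihood_of(asset)
    return {
        "asset": asset.name,
        "impact": impact,
        "likelihood": likelihood,
        "risk": RISK_MATRIX[(impact, likelihood)],
        "treatment": asset.treatment,
    }


def untreated_high_risks(register) -> list:
    """Names of high-risk assets that still have no tolerance decision recorded."""
    return [r["asset"] for r in map(rate, register)
            if r["risk"] == "high" and r["treatment"] is None]


# Constructed sample register mirroring the article's worked examples.
SAMPLE_REGISTER = [
    Asset("marketing-catalog-db", "public", "on-prem", internet_facing=False),
    Asset("customer-pii-db", "pii", "cloud", internet_facing=True),
    Asset("public-docs-bucket", "public", "cloud", internet_facing=True),
    Asset("cardholder-vault", "cardholder", "on-prem", internet_facing=False,
          segmented=True, treatment="mitigate"),
]

if __name__ == "__main__":
    for row in map(rate, SAMPLE_REGISTER):
        print(f"{row['asset']:<22} impact={row['impact']:<6} "
              f"likelihood={row['likelihood']:<6} risk={row['risk']:<6} treatment={row['treatment']}")
    print("high risks without a tolerance decision:", untreated_high_risks(SAMPLE_REGISTER))
```

Running the script prints one line per asset and then names the high-risk assets for which nobody has yet decided to refuse, accept, transfer or mitigate; in the sample register that is only the cloud PII database. Replacing the constructed scoring rules with your own organization's criteria is the point of the exercise; the structure (score each asset on impact and likelihood separately, combine through an agreed matrix, then record a decision for every high rating) is what carries over.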
How to establish a risk tolerance
Once you’ve analyzed all risks, you need to determine your risk tolerance. Some risks might be refused, for example by no longer collecting certain types of user data, because they provide too little value to the company compared to the level of risk involved. In some cases, you will accept the risk because the location, data type, or service is imperative to continued business operations. You might also choose to transfer risk by hiring a vendor or purchasing cyber risk insurance. Finally, many organizations set controls, such as encryption, to mitigate risks.
Once you’ve established your risk tolerance and discussed it with the internal stakeholders, you can put a plan into place.
How to continuously monitor and iterate your risk management processes
Even after deciding to transfer or mitigate risk, your organization needs to continuously monitor for new risks. IT portfolios, particularly with the ability to up- and down-scale cloud services, are no longer static. Whether you’re adding new applications or increasing processing power with workloads or containers, your IT ecosystem continues to evolve.
Similarly, malicious actors continue to evolve their threat methodologies. When developing your ERM framework, you need to incorporate continuous monitoring to protect the organization. As part of this process, you want to consider monitoring:
- Network access for suspicious traffic
- The effectiveness of vendors’ controls
- Encryption for data-in-transit and at-rest
- Cloud locations such as databases, workloads, and containers
- Web applications and access portals
- Security updates for mission-critical software and services
Since malicious actors will be actively looking to exploit weaknesses across the ecosystem, you need to ensure that your ERM planning includes owned IT and vendor IT controls.
How SecurityScorecard enables the development of an ERM framework
SecurityScorecard’s security ratings platform makes it easier for organizations to assess risk across their connected IT ecosystems. Our platform provides easy-to-read scores using an A through F rating system for at-a-glance visibility into controls’ effectiveness.
For organizations developing an ERM framework, SecurityScorecard’s ten risk factors provide a starting point for looking at high-risk networks, services, and software. Then, by looking at the individual scores provided across the ten groups of risk factors, organizations can prioritize the areas that need strengthening.
With organizations rapidly moving to cloud-first IT infrastructures, SecurityScorecard enables them to accelerate their risk, security, and compliance strategies.