Author: Mandar Salvi
Even today, many organisations still treat cybersecurity as an add-on or supporting function rather than a business enabler. Failing to prioritise cybersecurity, or to engage security experts, often results in a weak security strategy and implementation plan. I have seen, on many occasions, initiatives fail in ways that could have been avoided by an enterprise-wide risk management strategy.
Why big companies are falling short in their cybersecurity efforts
The bigger the organisation, the larger the dilemma when it comes to balancing security investment against business requirements. Organisations spread across multiple locations or business units, each subject to different regulatory and legal requirements, face this challenge most acutely.
As a result, many introduce security strategies at the business unit level rather than taking an organisation-wide approach. At best this results in duplicated effort; at worst, in critical business, financial and reputational failures.
An effective strategy relies on an appropriately skilled team - I believe that many organisations are still not managing this properly. Assigning ‘responsibilities’ to individuals with no experience of business cybersecurity commonly results in a botched implementation. Closing this skills gap is a precondition for the success of the organisation’s security initiatives.
Many large businesses also try to adopt a “one-size-fits-all” cybersecurity strategy and/or set of solutions. Often, this forces them to implement controls that do not align with their business objectives.
This is where Enterprise Risk Management (ERM) comes in. ERM is a holistic strategy designed to assess and address risks at an organisational level, and so to avoid the classic security implementation nightmares described above. ERM should be in place from the outset, even if the organisation plans to roll it out one department or business unit at a time.
Understanding Enterprise Risk Management
ERM is primarily aimed at the security challenges of large organisations, but it is equally useful to small and medium-sized organisations that have defined business objectives and need to sustain financial stability and protect their assets.
An effective ERM ensures that the organisation first identifies its critical business processes, including the assets that underpin them, and only then devises a strategy for implementing controls against the risks associated with those assets and business environments.
This provides a baseline and promotes a proactive approach to security, enabling organisations to identify and respond to new, emerging or unexpected risks or events by using a mix of prevention and detection mechanisms.
Further down the lifecycle, a well-established ERM also lets an organisation demonstrate overall risk reduction with a measured return on investment (ROI), rather than investing in security implementations without an effective strategy and no way to show what they achieved.
How ERM solves security challenges for enterprises
The key to ERM is its holistic approach. A team of ERM experts helps clarify the security posture and enables an effective implementation across the entire organisation. This allows the business to monitor the effects of cascading risks, which an unstructured, unit-by-unit approach usually misses. As such, ERM creates an environment in which management can make informed decisions at an organisational level.
Executing your ERM model to better manage security risks
There are five core stages of the ERM model:
- Setting objectives and designing ERM strategy
- Identifying threats and risks
- Conducting a Risk Assessment
- Formulating a Statement of Applicability and a response to these risks
- Reporting and monitoring on a regular basis
Organisations need to build a threat profile and identify the risks applicable to their critical processes and environments.
Risks are identified across all strategic, operational and technical areas of the organisation, taking in internal and external stakeholders such as suppliers and other third and fourth parties.
This is reviewed periodically to ensure that no material change in business domain, risk landscape, organisation structure, policies and procedures, etc. degrades the security posture of the organisation.
Finally, it is important to develop criteria for measuring ERM effectiveness. Several metrics can be used for this, such as mean time to resolve incidents, time until critical business components are back online, and time until normal business function is recovered.
ERM success should not be measured simply by achieving “fewer incidents”: a falling incident count can just as easily indicate that systems are failing to detect or prevent incidents as it can an effective implementation.
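The following is an added example, not code from the author or from any ERM framework, of how the metrics above can be computed from incident records so that they are tracked rather than asserted. It assumes each incident record carries an opening time, the time critical components were restored, the time normal operation resumed, the closure time, and whether the incident was found by the organisation's own controls or reported from outside; the field names, the `Incident` class and the `count_drop_is_credible` heuristic are assumptions made for this example, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass
class Incident:
    """One incident record. Field names are assumptions for this example."""
    ident: str
    opened: datetime             # incident first recorded
    critical_restored: datetime  # critical business components back online
    normal_restored: datetime    # normal business function recovered
    resolved: datetime           # incident closed
    detected_by: str             # "internal" (own controls) or "external" (customer, partner, regulator)


def _hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600.0


def mean_time_to_resolve(incidents: list[Incident]) -> float:
    """Mean hours from opening to closure (the 'mean time to resolve incidents' metric)."""
    return mean(_hours(i.resolved - i.opened) for i in incidents)


def mean_time_to_restore_critical(incidents: list[Incident]) -> float:
    """Mean hours until critical business components were back online."""
    return mean(_hours(i.critical_restored - i.opened) for i in incidents)


def mean_time_to_recover_normal(incidents: list[Incident]) -> float:
    """Mean hours until normal business function was recovered."""
    return mean(_hours(i.normal_restored - i.opened) for i in incidents)


def internal_detection_rate(incidents: list[Incident]) -> float:
    """Share of incidents found by the organisation's own controls rather than reported from outside."""
    return sum(1 for i in incidents if i.detected_by == "internal") / len(incidents)


def scorecard(incidents: list[Incident]) -> dict:
    """All period metrics in one place; raises on an empty period rather than reporting zeros."""
    if not incidents:
        raise ValueError("no incidents in period")
    return {
        "incident_count": len(incidents),
        "mttr_hours": mean_time_to_resolve(incidents),
        "critical_restore_hours": mean_time_to_restore_critical(incidents),
        "normal_recovery_hours": mean_time_to_recover_normal(incidents),
        "internal_detection_rate": internal_detection_rate(incidents),
    }


def count_drop_is_credible(previous: list[Incident], current: list[Incident]) -> bool:
    """Treat a fall in incident count as improvement only if the share of incidents the
    organisation detected itself did not fall with it. Heuristic chosen for this example."""
    if len(current) >= len(previous):
        return False
    return internal_detection_rate(current) >= internal_detection_rate(previous)


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample records for the example; not real incidents.
SAMPLE = [
    Incident("INC-1", _ts("2024-01-03 08:00"), _ts("2024-01-03 10:00"), _ts("2024-01-03 14:00"), _ts("2024-01-03 18:00"), "internal"),
    Incident("INC-2", _ts("2024-01-10 22:00"), _ts("2024-01-11 02:00"), _ts("2024-01-11 10:00"), _ts("2024-01-12 22:00"), "external"),
    Incident("INC-3", _ts("2024-02-02 09:00"), _ts("2024-02-02 09:30"), _ts("2024-02-02 11:00"), _ts("2024-02-02 13:00"), "internal"),
    Incident("INC-4", _ts("2024-02-20 06:00"), _ts("2024-02-20 12:00"), _ts("2024-02-21 06:00"), _ts("2024-02-23 06:00"), "external"),
]

if __name__ == "__main__":
    for key, value in scorecard(SAMPLE).items():
        print(f"{key}: {value}")
    # A period with one incident, none detected internally, versus a period with three
    print("count drop credible:", count_drop_is_credible(SAMPLE[:3], SAMPLE[3:]))
```

The point of `count_drop_is_credible` is the caveat in the paragraph above: when the incident count falls in the same period as the share of internally detected incidents, the likelier explanation is that detection got worse, not that the environment got safer, and the scorecard should say so instead of reporting a win.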
In the current environment, being "Security Aware" alone does not suffice. An effective ERM enables an organisation to build a "Security Culture" that reinforces its security initiatives.
Organisations can draw on security best practices and/or ERM frameworks such as ISO 31000, COBIT and COSO to design their own strategy and approach.
It is very important for organisations to understand that ERM is not a one-off project but a continuous journey of safeguarding their interests, values, business and underlying assets in an ever-changing risk landscape.