CyberSaint Blog | Expert Thought

Use the NIST RMF to Drive Integrated Risk Management Adoption

Written by Kyndall Elliott | June 8, 2021

Risk management has developed significantly since it was first introduced. In the 16th and 17th centuries, notions of risk management evolved into something more akin to how we see it in the cybersecurity landscape today. The risk of a voyage would be weighed and calculated, and at the end of the day, someone would decide whether the possibility of losing the entire shipment outweighed the expected return, or whether the risk was acceptable enough to take the gamble on the product being shipped.

An integrated risk management (IRM) framework paves the way for business success. Gartner defines IRM as “practices and processes supported by a risk-aware culture and enabling technologies that improve decision making and performance through an integrated view of how well an organization manages its unique set of risks.” A key distinction in Gartner’s definition of IRM is its integration with enterprise risk management (ERM) for strategic risks that affect operational and IT risk management objectives. IRM excludes the broader management of risks beyond operational, technology and IT risk; that broader scope belongs to ERM.

CISOs are ultimately responsible for data protection and information security, and in this new remote world, their job is more challenging than ever. Integrated risk management combines modern risk solutions with more familiar ones, making it ideal for modern enterprises.

IRM is more effective at managing risk long-term and securing sensitive information, but organizations with legacy systems are sometimes hesitant to make such a significant change. However, even augmenting current systems with IRM capabilities, instead of ripping and replacing them completely, can make an enormous difference. It gives organizations the option to adopt newer, more thorough ways of managing risk without a complete overhaul, which can be very expensive, especially for companies hit hard by COVID-19.

According to Gartner, although interest in cybersecurity risk management has grown, only 37% of board respondents feel confident or very confident that their company is adequately secured against a cyberattack, compared to 42% in 2017. A slightly higher percentage (49%) are confident or very confident in the ability of management to address cyber risk. But more than one-fifth of directors (22%) expressed dissatisfaction with the quality of cyber-risk information provided to the board by management.

Why is risk first important?

2020 has proven that a new mindset is required to address cyber risk. Security needs to be framed not only around digital risk but around financial and operational risk as well. Corporate risk is continuously putting pressure on security teams. At this point, immature organizations that approach risk from a compliance-only perspective are endangering not only sensitive information but client trust as well. With financial losses also on the table from poor risk management, leaving control gaps unaddressed is riskier than ever.

Quantifying cyber risk is a relatively new practice. While the need for concrete cyber risk quantification has emerged, the landscape of risk assessment frameworks for quantifying risk is still fragmented. Cyber risk quantification is often viewed as an ambitious but impractical process, and overall relatively futile, given the novelty of the concept. The return on security investment (ROSI) is challenging to measure, and the results are challenging to condense into a business-friendly context.

This perception has pushed CISOs to favor a qualitative approach to risk evaluation. As demand for digital transformation grows, CISOs are under more pressure than ever before to communicate risk effectively to a broad audience, including C-suite executives and company employees.

In many organizations, management has developed separately from the cybersecurity team. This limits cybersecurity professionals’ options for developing solutions that serve the whole company. The first step to getting the organization on the same page is to frame cybersecurity practices in a business context. Especially at the outset, security leaders must tell a story that illustrates how to build a security culture centered on business objectives rather than on nebulous controls mandated by a particular government agency or regulatory body.

Legacy IT GRC systems don’t offer modern enterprises enough insight into real-time risk. Most solutions are modular, which silos information and impedes the flow of data between modules. In cybersecurity we often talk about “glass-box” vs. black-box approaches when discussing transparent risk quantification vs. shielded risk quantification.

The fact of the matter is that black-box solutions rely on proprietary methodologies and unvetted practices to produce their risk results, while “glass-box” solutions empower security leaders to employ industry-leading, gold-standard methodologies and frameworks that can be easily explained to both technical and business-side stakeholders.

How to evolve toward a risk first approach

Risk is such a nuanced creature that it’s impossible to definitively say, “this is the best way to approach it.” It’s also easy to look at specific industries, see how low their risk tolerance is, and equate that with never taking risk at all, which can handicap a business’s growth and disregards the proactive side of risk management. There should be a distinction between a low risk appetite and a low risk tolerance.

It can be difficult for businesses and individuals to look at risk in a healthy manner that isn’t associated with failure. CISOs can be fearful of losing their positions after a breach. Security teams can be fearful of losing their reputations or income if a vulnerability is exploited. It’s safer and easier to fall into risk aversion entirely, instead of taking advantage of intelligent, calculated risk-taking that leaves room for growth while protecting you as much as possible at the same time.

When framing the discussion around a risk first approach, it is important to veer away from technical terms that don’t tell a story of what you’re trying to accomplish. Some questions to consider when crafting that narrative are: “Why do we need to change now? What are our competitors doing that outperforms us?”

The concept of “shared risk-taking” also helps an organization create a cohesive set of risk first practices. In this approach, it’s not just the CISO deciding on the risk appetite of the company. Instead, the C-suite and the whole security team work in tandem to influence company culture as a whole and create an environment conducive to team strategy, instead of siloed teams that rarely communicate across departments.

The goal is to get the company on board with a proactive risk management strategy instead of focusing solely on compliance. Communication about policy and procedure is vital, too. The C-suite and board must be on the same level as the CISO to manage threats effectively. Without that, the lack of transparency will create friction between different parts of the organization, including between the CISO and the C-suite. Everyone must come to an understanding of the importance of increasing the company’s maturity. In fact, Gartner predicts that through 2024, more than 75% of prosecuted compliance violations will result from failure to coordinate compliance policies and implementation with security and risk managers.

Conclusion

In a recent study conducted by Gartner, a correlation was found between shared risk-taking and innovation effectiveness: those who shared risks increased innovation effectiveness three times more than those who merely went through training on risk-taking skills.

IRM is a relatively recent development in cybersecurity. Its predecessor, GRC, was created in the late ’80s to manage digital risk, financial risk, operational risk, and more. However, as the world turns toward digital solutions, security leaders managing compliance and risk across digital spaces are consistently playing catch-up with their dated systems. GRC is no longer enough to securely manage the modern risk profiles and threats organizations are facing.

To learn more about how risk first cybersecurity is driving IRM adoption, check out our webinar. To see how CyberStrong can augment your current IT GRC stack, contact us.