Online media outlet TechTarget recently visited the 2014 Advanced Cyber Security Center (ACSC) conference right in our hometown of Boston, MA. Their findings? A successful cybersecurity risk management framework must be built around “Coordination. Cooperation. Collaboration.”
“You are not going to eliminate the risk of attacks, you are going to manage the risk,” said Michael Chertoff, former secretary of the U.S. Department of Homeland Security. Chertoff directed organizations to focus on threat management – i.e. the identification, prioritization, and mitigation of risk.
Chertoff also highlighted another fundamental of Enterprise Risk Management: shared, cross silo intelligence.
The experts say that Cyber Risk Management must be governed by an ERM software. Risk can materialize from anywhere across the enterprise, and the experts at ACSC correctly identified areas like the supply chain, gaps in IT infrastructure, and front line employees as potential sources of risk.
Aggregating, prioritizing, and mitigating risk in these areas requires GRC software capable of managing information across functions, and involving individuals in the risk management process that would not typically communicate their knowledge in an actionable manner.
In other words, ERM and Cyber Risk Management programs cannot be another silo of enterprise governance, and regardless of which standards and framework you choose, involving individuals at the front lines of the organization must be a priority.
Finally, past disruptive events, like the Heartbleed OpenSSL flaw, demonstrated a need for a cross-silo approach to assessing the control environment of an organization. While you can never be perfect, learning from the past to prepare for the future enables organizations to more effectively respond to new and emerging threats. Integrated risk management software provides a virtual “Health Check” at the activity level where the risk will materialize, allowing you to see where your organization stands in relation to the earlier stages of your program, and providing metrics to measure risk management effectiveness.