Getting Started with Enterprise Cyber Risk Management (ECRM) | Overseeing the Development of Your ECRM Framework and Strategy

(This post originally appeared on January 7, 2023 in my Enabling Board Cyber Risk Oversight blog at Getting Started with Enterprise Cyber Risk Management (ECRM) | Overseeing the Development of Your ECRM Framework and Strategy)

Board members, C-suite executives, and staff, here’s an excellent New Year’s Resolution – Act now! Resuscitate your enterprise cyber risk management program (ECRM)!

Introduction

As if you haven’t heard the admonition enough, a recent interview in an MIT Sloan Executive Education post stated: Cyber risk is so significant that a responsible board can no longer ignore it or just delegate it to risk management experts. In fact, an organization’s board of directors holds a uniquely vital role in safeguarding data and systems for the future because of their fiduciary responsibility to shareholders and their responsibility to oversee and mitigate business risk.[i]

While you might think that as a non-public company, you need not be concerned with SEC rule-making, think twice. In Overview of the SEC “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” Proposed Rule Changes, I kick off a series that covers, among other topics, specific disclosures the SEC would require, including board engagement and expertise with cybersecurity. In the Epilogue to SEC Cyber Series - Should Private Companies Care about Proposed SEC Cyber Disclosure Requirements?, I provided my top 7 reasons why private companies should care about proposed SEC cyber disclosure requirements.

Getting Started

There are many ECRM concepts you can adopt and actions you can take. In this post, I will discuss both, emphasizing what the board can do to oversee the development of your ECRM framework and strategy.

First, some essential concepts you should embrace:

  • First and foremost, cyber risk management is a business issue, not an “IT problem.” A strong, proactive ECRM program can be a business enabler.
  • Recognize that those bad things related to cyber risks have happened to thousands of organizations. They will continue to happen.
  • Embrace the reality that cyber risks have evolved. Cyber risk management is no longer simply a matter of compliance or security; in healthcare, cyber risk has also grown to encompass issues related to patient safety and medical professional liability.
  • As a C-suite executive or board member, remember that your role is to become an ECRM enabler, not necessarily an ECRM expert.
  • Adopt and communicate strong ECRM governance principles.
  • Ensure that your organization’s vision, mission, strategy, values, and services drive your ECRM program and, therefore, your cybersecurity plan.
  • Align your assets and ECRM work with your business strategy and objectives; prioritize everything.
  • Make ECRM a “team sport.” Insist on cross-functional engagement and accountability by lines-of-business, functional, and process owners.
  • Be creative in funding your ECRM program. Consider reductions in your cost of capital, insurance premium savings, and captive insurance grants as sources of funds.
  • Critically evaluate your current ECRM situation. Would your current situation/program pass a regulatory audit?
  • Focus on your organization’s unique assets and their exposures, not a third-party controls checklist.
  • Insist on a risk-based approach to ECRM versus a controls checklist-based approach.

In my book Stop the Cyber Bleeding[ii], I recommend six specific, tangible initial actions your organization can take to jump-start a new ECRM program or reinvigorate an existing one. They are:

  1. Conduct Ongoing Enterprisewide Risk Analyses
  2. Establish Board and Executive Team Governance
  3. Adopt the NIST Cybersecurity Framework
  4. Implement the NIST Managing Information Security Risk Process
  5. Engage Your Executive Risk Insurance Brokers
  6. Measure the Maturity of Your ECRM Program

Specifically, regarding overseeing the development of your ECRM framework and strategy, from the recommended actions above, I will draw from the second action item—Establish Board and Executive Team Governance—and the fourth item—Implement the NIST Managing Information Security Risk Process.

A well-documented process, including developing and documenting an ECRM Framework and Strategy and supporting policies and practices, is key to the success of your ECRM program. However, it is critically important that this work be completed by a cross-functional working group, under the supervision of the C-suite, with oversight by the Board. Do not delegate this foundational work to a single person or role in your organization—not the Chief Risk Officer, Chief Information Officer, or Chief Information Security Officer.

Let me turn to two practical, tangible, actionable steps you can take to oversee the development of a useful ECRM Framework and Strategy.

Governance

Good governance is the starting point for any transformational program. For most organizations, establishing, implementing, and maturing an ECRM program must be as transformational as their digitization or ESG programs. As I wrote in a recent post entitled Privacy, Security, ESG - Inextricably Linked, they are inextricably linked.

Governance can be defined as a system of processes and controls that ensures that stakeholder needs, conditions, and options are evaluated to determine balanced, agreed-upon enterprise objectives to be achieved, setting direction through prioritization and decision-making, and monitoring performance and compliance against agreed-upon direction and objectives.[iii]

At the risk of grossly oversimplifying it, in practice, I’ve come to define governance as a set of interrelated questions: Who makes what decisions? How and when do they make those decisions? And what data and facts do they use to make those decisions?

Concerning ECRM governance, the board's role is to set direction and provide ongoing oversight. In other words, the board establishes and communicates, “This is where we are going (concerning ECRM), and this is why we are going there.” C-suite executives and their teams are then responsible for execution.

Formalizing and communicating ECRM governance are classic “set the tone at the top” moves that Boards must undertake. What form might governance take?

In my experience working with organizations to establish, implement, and mature ECRM programs, I have found that a three-tiered ECRM governance model is most effective. However, the model will vary by the size and resources of each organization. The three tiers in this governance model include:

  • Tier 1: The entire board or designated board committee (e.g., Audit Committee, Risk Committee, or a specific ECRM Oversight Committee) sets direction, articulates principles, and provides oversight.
  • Tier 2: An ECRM Executive Steering Committee (including the CEO and their entire team) ensures the execution of the ECRM program.
  • Tier 3: An ECRM Cross-Functional Working Group (depending on your organization, may include representatives from legal, risk management, finance, HR, audit, compliance, privacy, IT, clinical engineering, security, quality, and others as appropriate) executes the steps to establish, implement, and mature the ECRM program.

Each of the three tiers should have a formal, written charter that delineates the group’s decision-making authority, structure, scope of responsibilities, work processes to be followed, etc. The NACD publication “Principles for Board Governance of Cyber Risk” is an excellent resource for those participating in Tier 1 board-level governance.[iv]

ECRM Framework and Strategy

Once you have an appropriate governance structure with proper cross-functional engagement from across the organization, the next critical step is to develop your organization’s ECRM Framework and Strategy document.

The ECRM Cross-Functional Working Group would be responsible for drafting the ECRM Framework and Strategy document, covering:

  • ECRM Principles
  • ECRM Strategic Objectives
  • Scope of the ECRM Strategy
  • Responsibility for and Governance of the ECRM Strategy
  • ECRM Glossary of Terms
  • ECRM Framework
  • ECRM Process
  • ECRM Maturity Model
  • Risk Appetite
  • ECRM Framing Guidance
  • ECRM Constraints
  • ECRM Risk-Assessment Guidance
  • ECRM Risk-Response Guidance
  • ECRM Risk-Monitoring Guidance
  • ECRM Automation Tools
  • Records, Reporting, and Documentation
  • Summary of ECRM Roles and Responsibilities
  • ECRM Budget by Line-of-Business

The Executive Steering Committee would review and revise the document as needed and ultimately recommend it to the Board Committee for approval.

No doubt, the elements of a well-designed ECRM Framework and Strategy are comprehensive and extensive. At the same time, agreeing on an approach before launching your ECRM program is essential. Realistically, I expect all organizations to have some cybersecurity activity underway; I hope so! Even if it turns out that you are retrofitting an ECRM Framework and Strategy into existing activities, it is still a fundamentally vital step to take.

The National Institute of Standards and Technology (NIST) Special Publication 800-39, Managing Information Security Risk, describes NIST’s recommended risk management process.[v] The first step in this process is Frame. Think of this process step as creating your organization’s ECRM Framework and Strategy document. NIST states, “The purpose of the risk framing component is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk—making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions.”[vi] In addition, documenting your risk management strategy in your ECRM Framework and Strategy document provides your organization with a shared vocabulary to discuss risk.

Voltaire is attributed with saying, “If you wish to converse with me, define your terms,”[vii] which I wrote about in a recent post, Voltaire and Cyber Risk Management.

The post underscores the importance of shared understanding. I’ve been using that Voltaire quote for 12+ years because of the constant miscommunication in the inconsistent practice of cyber risk management. If your organization cannot come to a mutual understanding of basic cyber risk management terms and terminology, you are unlikely ever to be effective at cyber risk management.

I encourage you to develop an ECRM Framework and Strategy document that includes as one of its very first sections a glossary of terms. Circulate and socialize this glossary and agree on critical cyber risk management terms and concepts. One of the best references on the subject—and my primary go-to resource—is the glossary compiled by the Computer Security Resource Center (CSRC) at NIST.[viii]

Finally, you may wish to use the short video clips on my YouTube channel, “Stop the Cyber Bleeding Putting Enterprise Cyber Risk Management (ECRM) Into Action,” which can be accessed at https://www.youtube.com/@stopthecyberbleeding/videos to guide the development of your ECRM Framework and Strategy.

Questions Management and Board Should Ask and Discuss

  1. What team of executives should be assembled to examine the new SEC requirements, monitor the rule change process, and report to the board?
  2. What standing board or ad hoc committee will oversee the work of this executive team reviewing the new SEC requirements? Or will it be the whole board?
  3. What clarifications need to be made regarding the role of management vis-à-vis the role of the board regarding these potential SEC changes?
  4. What is your ability today to meet these future SEC requirements? What is the level of cybersecurity expertise on your board today? Is anyone on the board capable of understanding enterprise cyber risk management (ECRM) issues?
  5. Does your organization have a good governance structure in place, one that clearly articulates who makes what ECRM decisions and how and when using what data and facts?
  6. Is the board setting clear expectations of management regarding their roles and responsibilities in ECRM with the current level of cybersecurity expertise on your board?
  7. Would a multi-tier governance structure like the one described in this post benefit your organization?
  8. What board committee has responsibility for ECRM? Does language in this committee’s charter cover ECRM?
  9. Are your organization’s line-of-business, process, and functional leaders fully engaged in managing your cyber risks?
  10. What ECRM framework, if any, has your organization adopted? How is it being used?
  11. What ECRM process, if any, has your organization adopted? Is it an industry-standard approach, such as that advanced by NIST?

Endnotes

[i] MIT Sloan Executive Education. "3 Questions: Why cybersecurity is on the agenda for corporate boards of directors." November 30, 2022. Available at https://news.mit.edu/2022/cybersecurity-corporate-boards-directors-1130

[ii] Chaput, Bob. “Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).” 2021. Clearwater. Available at https://amzn.to/33qr17n

[iii] Chaput, Bob. “CEO-to-CEO: Top 5 questions CEOs should ask themselves & board about risk management.” IT Toolbox Blog. (n.d.). Accessed November 11, 2019. https://it.toolbox.com/blogs/bobchaput/ceo-to-ceo-top-5-questions-ceos-should-ask-themselves-board-about-risk-management-111914

[iv] NACD. “Principles for Board Governance of Cyber Risk.” March 2021. Available at https://www.nacdonline.org/applications/secure/?FileID=319863

[v] Managing Information Security Risk. NIST Special Publication 800-39. National Institute of Standards and Technology (NIST). March 2011. Accessed December 17, 2019. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf

[vi] Managing Information Security Risk. NIST Special Publication 800-39. National Institute of Standards and Technology (NIST). March 2011. Accessed December 17, 2019. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf

[vii] Quotable quotes. Goodreads. “If you wish to converse with me, define your terms.” Accessed December 21, 2022. Available at https://www.goodreads.com/quotes/7799868-if-you-wish-to-converse-with-me-define-your-terms

[viii] Glossary. Computer Security Resource Center (CSRC). National Institute of Standards and Technology (NIST). Accessed December 21, 2022. Available at https://csrc.nist.gov/glossary/

Madalene Greco, Demand Generation Manager (1 yr):

Thanks for sharing, Bob!
