Series Introduction - Overseeing the Development of Your ECRM Framework and Strategy

(This post originally appeared on January 30, 2023, in my Enabling Board Cyber Risk Oversight blog under the title Series Introduction - Overseeing the Development of Your ECRM Framework and Strategy)

Blog #1 of ~15 in ECRM Framework & Strategy Series

In my recent post, Getting Started with Enterprise Cyber Risk Management (ECRM) | Overseeing the Development of Your ECRM Framework and Strategy, I discussed two initial critical steps in the journey to establish, implement, and mature an enterprise cyber risk management (ECRM) program: 1) establishing governance; and, 2) developing and documenting your approach to ECRM; that is, building your ECRM Framework and Strategy.

As I discussed in Stop the Cyber Bleeding[1], creating an ECRM program requires the leadership of the C-suite executives and the board's oversight. ECRM is not an “IT problem”; it can become a business enabler if appropriately handled. To successfully leverage ECRM as a business enabler, the C-suite and board must engage.

The most critical decision the C-suite must make, and the board must oversee, is HOW your organization will undertake ECRM. An ECRM Framework and Strategy delivers on the HOW. This series dives deeper into overseeing the development of your ECRM Framework and Strategy.

Over a series of a dozen+ posts, I will explain what constitutes an ECRM Framework and Strategy, who should be involved in its development, what content should be included, why the document must be treated as a living, breathing, evolving document, and when it should be updated.

Why Start Here

In Governance, Risk Management, and Compliance, Richard Steinberg discusses ten potential pitfalls that directors must avoid, including two that are particularly relevant here:

  • 4. Presuming top management knows what the critical risks are.
  • 5. Thinking you're apprised of critical risks when you're really told about problems.[2]

Setting forth and agreeing upon HOW your organization will undertake ECRM will help avoid these two pitfalls.

The National Institute of Standards and Technology (NIST) Special Publication 800-39, Managing Information Security Risk, describes NIST’s recommended risk management process, i.e., risk framing, risk assessment, risk response, and risk monitoring.[3]

The first step in this process is Frame. Think of this process step as developing and documenting your organization’s ECRM Framework and Strategy. NIST states:

“The purpose of the risk framing component is to produce a risk management strategy that addresses how organizations intend to assess risk, respond to risk, and monitor risk—making explicit and transparent the risk perceptions that organizations routinely use in making both investment and operational decisions.”[4]

Without confusing an ECRM process with an ECRM framework (I will differentiate the two in an upcoming post), I want to point out that adopting the NIST Cybersecurity Framework[5] (which I recommend) begins with two initial steps that are fully aligned with risk framing as the first overall step. These two steps are:

Step 1: Prioritize and Scope. Identify business objectives and priorities to inform decision-making around cybersecurity implementation and scope.

Step 2: Orient. Identify systems and assets, regulatory requirements, and overall risk approach.

In other words, both the NIST process and NIST framework suggest starting out by creating the context within which ECRM will be conducted. ECRM is about identifying and managing your unique cyber risks in the context of your organization’s unique vision, mission, strategy, values, and services.

As NIST states, as its principal output, risk framing produces a risk management strategy that addresses how organizations intend to assess, respond to, and monitor risk. The risk management strategy clarifies the specific assumptions, constraints, risk tolerances, and priorities/trade-offs used within organizations to make investment and operational decisions.[6]

Without a well-articulated and agreed-upon ECRM Framework and Strategy, lines-of-business, functional, and process owners will likely have divergent, if not conflicting, views on what constitutes cyber risk and how the enterprise will manage it.

Content in Your ECRM Framework and Strategy

Let me start with a pro forma table of contents to provide a sense of what should be considered, decided upon, and documented:

Pro Forma ECRM Framework and Strategy

Table of Contents

  1. Document Management
  2. Table of Contents
  3. Executive Summary
  4. Introduction
  5. ECRM Guiding Principles
  6. Scope of the ECRM Strategy
  7. Business Strategic Objectives
  8. ECRM Strategic Objectives
  9. Responsibility for and Governance of the ECRM Strategy
  10. ECRM Framework
  11. ECRM Process
  12. ECRM Maturity Model
  13. Risk Appetite and Risk Tolerance
  14. Risk Framing Standards, Policies, and Procedures
  15. Risk Assessment Standards, Policies, and Procedures
  16. Risk Response Standards, Policies, and Procedures
  17. Risk Monitoring Standards, Policies, and Procedures
  18. ECRM Education and Training Plan
  19. ECRM Automation and Technology Tools
  20. Records and Reporting
  21. Summary of Roles and Responsibilities
  22. ECRM Budget/Philosophy
  23. APPENDICES

For some, certain items in the table of contents may look like technobabble. Worry not; I’ll discuss what should be covered in each section to enable you, as a C-suite executive or board member, to become an ECRM enabler, not necessarily an ECRM expert. On the other hand, what appears above is all about risk management, a principal responsibility of all boards.

A well-documented process, including developing and documenting an ECRM Framework and Strategy and supporting policies and practices, is key to the success of your ECRM program.

It is critically important that this work be completed by a cross-functional working group, under the supervision of the C-suite, with oversight by the Board. Do not delegate this foundational work to a single person or role in your organization, not the Chief Risk Officer, Chief Information Officer, or Chief Information Security Officer.

Responsibility for Your ECRM Framework and Strategy

In Getting Started with Enterprise Cyber Risk Management (ECRM) | Overseeing the Development of Your ECRM Framework and Strategy, I made the point that good governance is the starting point for any transformational program. For most organizations, establishing, implementing, and maturing an ECRM program must be as transformational as their digitization or ESG programs. In my experience working with organizations to establish, implement, and mature ECRM programs, I have found that a three-tiered ECRM governance model is most effective. See Getting Started with Enterprise Cyber Risk Management (ECRM) | Overseeing the Development of Your ECRM Framework and Strategy, in which I explained the roles of an ECRM Cross-Functional Working Group, Executive Steering Committee, and Board Committee, for more information.

The ECRM Cross-Functional Working Group would draft the ECRM Framework and Strategy document. The Executive Steering Committee would review and revise the document as needed and ultimately recommend it to the Board Committee for approval.

Summary

No doubt, the elements of a well-designed ECRM Framework and Strategy are comprehensive and extensive. At the same time, agreeing on an approach before launching your ECRM program is essential. Realistically, I expect all organizations to have some cybersecurity activity underway; I hope so! Even if it turns out that you are retrofitting an ECRM Framework and Strategy into existing activities, it is still a fundamentally vital step to take.

In the upcoming posts in this ECRM Framework & Strategy Series, I will cover one or more sections of the Table of Contents of your ECRM Framework and Strategy document with the ultimate goal of providing you with a good head start on developing and documenting your ECRM Framework and Strategy.

Finally, you may wish to use the short video clips on my YouTube channel, “Stop the Cyber Bleeding | Putting Enterprise Cyber Risk Management (ECRM) Into Action,” which can be accessed at https://www.youtube.com/@stopthecyberbleeding/videos to guide the development of your ECRM Framework and Strategy.

Questions Management and Board Should Ask and Discuss

  1. Considering the table of contents above, to what degree has your ECRM Framework and Strategy been created?
  2. Have you established a governance structure to develop your ECRM Framework and Strategy? Would the entire board or a board committee oversee this work?
  3. Do you have the internal resources with the appropriate skills, knowledge, and experience to undertake this work?
  4. How can you meet the future documentation requirements of the SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Proposed Rule Changes today?
  5. What are your current risk management policies, procedures, and practices? At first blush, how do they stand up to the proposed disclosure requirements?
  6. Do you have appropriate enterprise risk management and cybersecurity expertise on your board?

#cyberriskmanagement #boardsofdirectors #boardcyberoversight #enterpriseriskmanagement

Endnotes
[1] Chaput, Bob. “Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).” 2021. Clearwater. Available at https://amzn.to/33qr17n

[2] Steinberg, Richard M. “Governance, Risk Management, and Compliance.” Wiley. July 2011. Available at https://tinyurl.com/5n7vzf6y

[3] Managing Information Security Risk. NIST Special Publication 800-39. National Institute of Standards and Technology (NIST). March 2011. Accessed December 17, 2019. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf

[4] Managing Information Security Risk. NIST Special Publication 800-39. National Institute of Standards and Technology (NIST). March 2011. Accessed December 17, 2019. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf

[5] Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. National Institute of Standards and Technology (NIST). April 16, 2018. Accessed December 16, 2019. https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

[6] Managing Information Security Risk. NIST Special Publication 800-39. National Institute of Standards and Technology (NIST). March 2011. Accessed December 17, 2019. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-39.pdf