Setting ECRM Guiding Principles, Aligning Business and ECRM Strategic Objectives, and Clarifying Governance

(This article was originally posted on February 13, 2023 on my Enabling Board Cyber Oversight blog series at Setting ECRM Guiding Principles, Aligning Business and ECRM Strategic Objectives, and Clarifying Governance .)

Blog #3 of ~15 in ECRM Framework & Strategy Series

If you are diving into this ECRM Framework & Strategy Series for the first time, with Blog #3, you may wish to review:

In each post in the series, I will cover one or more aspects of developing your ECRM Framework and Strategy and associated sections of the Table of Contents of an ECRM Framework and Strategy document.

This series’ goal is to explain what content is needed in each area and give you a good start on developing and documenting your ECRM Framework and Strategy.

Topics and sections of the ECRM Framework and Strategy and related documentation covered in this post are:

5. ECRM Guiding Principles

6. Scope of the ECRM Strategy

7. Business Strategic Objectives

8. ECRM Strategic Objectives

9. Responsibility for and Governance of the ECRM Strategy

Again, please refer to Introduction - Overseeing the Development of Your ECRM Framework and Strategy for the complete Table of Contents.

5. ECRM Guiding Principles

Setting forth guiding principles by which the organization will undertake ECRM is the most critical job of the board of directors. Principles provide guardrails and, importantly, set the tone at the top.

Here are some examples of principles to consider as you develop your ECRM Guiding Principles:

The NACD publication Cyber-Risk Oversight 2020: Key Principles and Practical Guidance for Corporate Boards suggested five core principles.[1]

  1. Cybersecurity as a Strategic Risk - Directors need to understand and approach cybersecurity as a strategic enterprise risk—not just as an IT risk.
  2. Legal and Disclosure Implications - Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
  3. Board Oversight Structure and Access to Expertise - Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
  4. An Enterprise Framework for Managing Cyber Risk - Directors should set the expectation that management will establish an enterprise-wide, cyber-risk management framework with adequate staffing and budget.
  5. Cybersecurity Measurement and Reporting - Board-management discussions about cyber risk should include identifying and quantifying financial exposure to cyber risks and which risks to accept, mitigate, or transfer, such as through insurance, and specific plans associated with each approach.

In a March 2021 update, NACD, in collaboration with the Internet Security Alliance, PwC, and the World Economic Forum, published “Principles for Board Governance of Cyber Risk" and included these six globally applicable principles to aid board directors in governing cyber risk.[2]

  1. Cybersecurity is a strategic business enabler - Cybersecurity is more than just an IT issue.
  2. Understand the economic drivers and impact of cyber risk - Enterprise decision-making requires analysis of the economics of cyber risk.
  3. Align cyber-risk management with business needs - Boards should understand and assess how to effectively manage cyber risks in the pursuit of business objectives.
  4. Ensure organizational design supports cybersecurity - Organizational structure should integrate and support security and strategic goals.
  5. Incorporate cybersecurity expertise into board governance - Boards need diverse sources of cybersecurity expertise.
  6. Encourage systemic resilience and collaboration - Effective cyber-risk strategy includes improving the cyber resilience of industries and sectors.

Take the time to discuss these and other principles, and use them as the foundation of your principles-based approach to ECRM.

6. Scope of the ECRM Strategy

Defining the scope of your ECRM program means setting boundaries around what will be included in and excluded from the program. To get started, a realistic and reasonably sized scope is essential: it lets your team put some early wins on the table.

The first question in setting scope is: in which organizational entities will you undertake ECRM at the outset? Will your scope initially include the entire enterprise? Will you limit it to business units within a specific geography? Will you limit it to specific business functions and their underlying processes (e.g., HR, Finance, or Manufacturing)? Will you focus on business units or activities with a history of intrinsic risk?

Once the organizational scope is set, a finer scope should be selected based on mission essential functions (MEFs) within that organization. MEFs may be derived by completing a business impact analysis (BIA). A BIA facilitates prioritizing those business functions and processes most critical to the ongoing execution of your mission. Clearwater’s white paper Business Impact Analysis (BIA): Key to Organizational Resiliency[3] covers the importance and practical use of a BIA in detail.

Some organizations, perhaps motivated by a recent security incident, may set their scope based on critical information assets or so-called “crown jewels.” This asset-centric approach has merit and may be most appropriate for some organizations.

Others may take a threat-centric, controls-centric, or even people-centric approach to setting the scope of their ECRM program. I am less favorably disposed to these approaches because each starts from a single component and does not account for all the components of risk: an asset, a threat, a vulnerability, controls, likelihood, and impact.

7. Business Strategic Objectives

In the NIST Cybersecurity Framework, the recommended first step in adopting the framework includes the important scoping discussed above and setting forth business objectives:

Step 1: Prioritize and Scope. The organization identifies its business/mission objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process.[4]

Your unique vision, mission, strategy, values, and services are achieved year after year by setting strategic, tactical, and operational objectives. These objectives, especially strategic objectives, must be clearly articulated and become the basis of your ECRM strategic objectives.

Covering strategy development is well beyond the scope of this article, but it is vital to start your ECRM journey based on your current strategic objectives.

8. ECRM Strategic Objectives

In chapter 6 of Stop the Cyber Bleeding[5], I presented a model for aligning your ECRM strategic objectives with business objectives. The flow in that model illustrates that your strategic objectives inform organizational maxims, which help derive your cyber risk appetite, which in turn drives your ECRM program.

The CEO of a large national ambulatory surgery center (ASC) organization once told me, “Taking care of our patients’ information is just as important as taking care of our patients.” That statement, an organizational maxim, served as a touchstone for his organization as it built its ECRM program. Using this company as an example, an ECRM objective of performing a comprehensive risk analysis of its electronic health records system, to understand all the ways in which the confidentiality, integrity, or availability of patient information could be compromised, would probably take priority over an objective of implementing security auditing and logging of the payroll system.

9. Responsibility for and Governance of the ECRM Strategy

Your ECRM Framework and Strategy should clarify roles and responsibilities for how your ECRM work will be completed, approved by the C-suite, and overseen by the board.

In Getting Started with Enterprise Cyber Risk Management (ECRM) | Overseeing the Development of Your ECRM Framework and Strategy , I discussed a three-tiered ECRM governance model that I found compelling. As I discussed in that post, the model will vary by the size and resources of each organization. The three tiers in this governance model include:

Tier 1: The entire board or designated board committee (e.g., Audit Committee, Risk Committee, or a specific ECRM Oversight Committee) sets direction, articulates principles, and provides oversight.

Tier 2: An ECRM Executive Steering Committee (including the CEO and their entire team) ensures the execution of the ECRM program and approves program priorities and work products.

Tier 3: An ECRM Cross-Functional Working Group (depending on your organization, may include representatives from legal, risk management, finance, HR, audit, compliance, privacy, IT, clinical engineering, security, quality, and others as appropriate) executes the steps to establish, implement, and mature the ECRM program.

Each of the three tiers should have a formal, written charter that delineates the group’s decision-making authority, structure, scope of responsibilities, work processes to be followed, and so on.

Summary

Sticking with the theme that C-suite executives and board members must become ECRM enablers, not necessarily ECRM experts: overseeing the completion of the parts of your ECRM Framework and Strategy detailed in this post, namely setting ECRM guiding principles, aligning business and ECRM strategic objectives, and clarifying governance, is essential board-level oversight work.

You may wish to view the short video clip on my YouTube channel, “Episode 23: Principles for C-Suite & Board to Adopt | Putting ECRM Into Action,” which discusses adopting guiding principles. Other videos in the Stop the Cyber Bleeding | Putting ECRM Into Action channel may further drive the development of your ECRM Framework and Strategy. They can be accessed and subscribed to at https://www.youtube.com/@stopthecyberbleeding/videos.

I will discuss Basic Cyber Risk Management Terminology in the next post in this ECRM Framework & Strategy Series.

Questions Management and Board Should Ask and Discuss

  1. Considering the sections of the ECRM Framework and Strategy covered in this post, to what degree has this content of your ECRM Framework and Strategy been created?
  2. Do the sample guiding principles align with your views on how ECRM should be overseen? What others are you considering?
  3. Can you provide an ECRM Working Group with a clear articulation of strategic business objectives to serve as the basis for creating the scope of your ECRM program?
  4. Do you have the internal resources with the appropriate skills, knowledge, and experience to undertake this work?
  5. Can you currently meet the future documentation requirements of the SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Proposed Rule Changes today?
  6. Would your organization benefit from a session reviewing these and related ECRM Framework and Strategy sections with competent outside counsel and cyber risk management experts?

Endnotes


[1] Larry Clinton, Josh Higgins, and Friso van der Oord. Cyber-Risk Oversight 2020: Key Principles and Practical Guidance for Corporate Boards. National Association of Corporate Directors (NACD). February 2022. https://nacdonline.org/insights/publications.cfm?ItemNumber=67298

[2] NACD. "Principles for Board Governance of Cyber Risk." March 2021. Available at https://www.nacdonline.org/applications/secure/?FileID=319863

[3] Clearwater. WHITE PAPER. "Business Impact Analysis (BIA): Key to Organizational Resiliency." Accessed January 27, 2023. Available at https://clearwatercompliance.com/bia-key-to-organizational-resiliency/

[4] Cybersecurity Framework. NIST. April 16, 2018. Available at https://www.nist.gov/cyberframework

[5] Chaput, Bob. “Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).” 2021. Clearwater. Available at https://amzn.to/33qr17n
