Enterprise Risk Management is Foundational to Cybersecurity
- cameron4638
- Sep 21, 2022
- 2 min read

By: Humza Agha
Cybersecurity threats are becoming more common and organizations need to be aware of the danger these threats pose in order to help mitigate them.
Across all industries, data breaches cost companies $3.86 million per breach on average, or $1.49 per record (Fierce Healthcare White Paper).
According to IBM's 2020 Cost of a Data Breach Report, 80% of these incidents resulted in the exposure of customers' personally identifiable information (PII). Of all the types of data exposed in these breaches, customer PII was also the costliest to organizations, in both financial and reputational terms.
Organizations, both public and private, can use the tools of enterprise risk management (ERM) to identify, mitigate and monitor their threats and plan accordingly. By taking a holistic approach to risk management, organizations can more effectively identify, assess, and mitigate risks that could impact their objectives.
1. Identify cyber threats and vulnerabilities: The first step in managing cybersecurity risk is to identify potential threats and vulnerabilities that could impact the organization. This can be done through a variety of means, including conducting risk assessments, analyzing threat intelligence, and reviewing security metrics.
2. Assess the impact of cyber threats and vulnerabilities: Once potential threats and vulnerabilities have been identified, it is important to assess the potential impact they could have on the organization. This includes considering the likelihood of an event occurring as well as the potential consequences if it did occur.
3. Develop and implement mitigation strategies: Once the potential impact of cyber threats and vulnerabilities has been assessed, organizations can develop and implement mitigation strategies to reduce the likelihood or impact of an event occurring. This might include implementing security controls, increasing awareness and training, or establishing Incident Response plans.
4. Monitor and adjust mitigation strategies as needed: It is important for organizations to continually monitor the efficacy of their mitigation strategies and make adjustments as needed. This might include changes in the security controls that are implemented or the way in which they are used. Additionally, new threats and vulnerabilities can emerge over time, so it is important to periodically reassess risks and update mitigation strategies accordingly.
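The four steps above can be made concrete as a small risk register: each entry records a threat against an asset with a likelihood and an impact rating (step 1), an inherent score is computed from those ratings (step 2), mitigating controls lower the likelihood or the impact to give a residual score (step 3), and anything still above the organization's risk appetite is surfaced for review (step 4). This is an added example, not code from the original post or from any named framework; the 1 to 5 scales, the rating thresholds, the controls' reduction values and the three sample risks are all constructed assumptions.

```python
"""Minimal ERM-style cyber risk register (added example, constructed data)."""
from dataclasses import dataclass, field

# Qualitative 1..5 scales (constructed assumption; real programmes calibrate these)
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """A mitigation and how many scale steps it removes from likelihood / impact."""
    name: str
    reduces_likelihood: int = 0
    reduces_impact: int = 0


@dataclass
class Risk:
    """One register entry: a threat against an asset, plus the controls applied."""
    risk_id: str
    threat: str
    asset: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Step 2: likelihood x impact before any mitigation."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Step 3: likelihood x impact after controls, floored at the lowest rating."""
        lik = LIKELIHOOD[self.likelihood] - sum(c.reduces_likelihood for c in self.controls)
        imp = IMPACT[self.impact] - sum(c.reduces_impact for c in self.controls)
        return max(lik, 1) * max(imp, 1)


def rating(score: int) -> str:
    """Map a numeric score onto a qualitative band (thresholds are an assumption)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritise(register: list, appetite: int = 8) -> list:
    """Step 4 input: risks whose residual score still meets or exceeds the appetite,
    worst first, so they are reassessed or given additional controls."""
    above = [r for r in register if r.residual_score() >= appetite]
    return sorted(above, key=lambda r: r.residual_score(), reverse=True)


def build_sample_register() -> list:
    """Three constructed risks with plausible controls (not real assessment data)."""
    mfa = Control("Multi-factor authentication", reduces_likelihood=2)
    training = Control("Phishing awareness training", reduces_likelihood=1)
    patching = Control("Monthly patch cycle", reduces_likelihood=1)
    fde = Control("Full-disk encryption", reduces_impact=2)
    return [
        Risk("R1", "Phishing leads to credential theft", "Customer PII database",
             "likely", "severe", [mfa, training]),
        Risk("R2", "Exploitation of unpatched web server", "Public web application",
             "possible", "major", [patching]),
        Risk("R3", "Lost or stolen laptop", "Staff endpoints",
             "likely", "moderate", [fde]),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    print(f"{'ID':<4}{'Inherent':<14}{'Residual':<14}Threat")
    for r in register:
        inh, res = r.inherent_score(), r.residual_score()
        print(f"{r.risk_id:<4}{inh:>2} {rating(inh):<10} {res:>2} {rating(res):<10} {r.threat}")
    print("Above appetite:", [r.risk_id for r in prioritise(register)])
```

In the constructed data, MFA and training take the phishing risk from critical to medium, disk encryption takes the lost-laptop risk from high to medium, but the patching control alone leaves the web server at the appetite threshold, so it is the one entry the monitoring step hands back for further treatment. Re-running the register after a control changes or a new threat is added is exactly the periodic reassessment step 4 calls for.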
One useful framework that can be used is the Cyber Security Risk Management Framework (CSRMF). CSRMF provides a structured approach for identifying, assessing, and managing cyber security risks at the enterprise level. It is based on ISO 27001, the international standard for Information Security Management Systems (ISMS), and includes input from leading experts in the field of cyber security.
While the CSRMF is designed to be used by organizations of all sizes and in all industries, it can be adapted to the specific needs of each enterprise, and it is flexible enough to accommodate new risks as they emerge.
In the public sector, one such framework is the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), which organizations can use to manage information security and privacy risk in compliance with the Federal Information Security Modernization Act (FISMA).
For more information, visit: https://csrc.nist.gov/Projects/risk-management
How is your organization thinking about managing cyber security risk, and is this a part of your enterprise-wide strategy?
Please reach out with your questions and requests: comms@iblock.co.