The National Institute of Standards and Technology (NIST) recently released Integrating Cybersecurity and Enterprise Risk Management (NISTIR 8286), with explicit guidance on bringing cyber into the ERM fold to be effectively managed alongside the other risks that government agencies and private enterprises face. NIST called out Factor Analysis of Information Risk (FAIR™), the international standard for cyber risk quantification, as a recommended tool to “better prioritize risks or prepare more accurate risk exposure forecasts” in a risk register.
RiskLens offers the only enterprise and government scale SaaS platform built on FAIR and can help you achieve many of the best practices recommended in NISTIR 8286, including risk prioritization, risk scenario modeling, Monte Carlo simulations, and, of course, quantification of cyber risk in financial terms. Many organizations use RiskLens to maximize the value of their large investments in GRC/IRM/risk register applications.
Ted Stettinius is Federal Practice Leader for RiskLens
Here’s a quick guide to implementing NISTIR 8286 with FAIR and the RiskLens platform, with special attention to the requirements for federal government – where compliance with NIST standards is a mandate. The document recommends:
The Risk Register Should Play a Critical Role in ERM
“The risk register provides a formal communication vehicle for sharing and coordinating cybersecurity risk activities as an input to ERM decision makers,” NISTIR 8286 says.
“However, most enterprises do not communicate their cybersecurity risk guidance or risk responses in consistent, repeatable ways. Methods such as quantifying cybersecurity risk in dollars and aggregating cybersecurity risks are largely ad hoc and are sometimes not performed with the same rigor as methods for quantifying other types of risk within the enterprise.”
>>RiskLens and FAIR Can Help Turn a Risk Register into a “Useful Input” for ERM
Cybersecurity risk registers can become dumping grounds for all kinds of concerns -- compliance issues, policy exceptions, general topics like “the cloud” – that don’t adhere to a consistent definition of risk that supports quantification. One of the first benefits of a FAIR program is focusing the organization on a standard definition of risk as a loss event with a clear threat acting on an asset protected by controls and resulting in a quantifiable impact – any risk register item that doesn’t meet that criteria can be eliminated as an incomplete, and therefore unquantifiable, statement of risk.
Cyber Risks Should Be Prioritized to Integrate to ERM
OMB Circular No. A-123, Management's Responsibility for Enterprise Risk Management and Internal Control, makes a point that applies equally to government or private enterprise risk management: Cybersecurity risk managers need to provide ERM with “a prioritized inventory of the most significant risks identified and assessed through the risk assessment process versus a complete inventory of risks,” a “risk profile”, as OMB calls it.
>>RiskLens Rapid Risk Assessment and Top Risks Assessment Can Help with Prioritization
With the Rapid Risk Assessment capability of the RiskLens platform, risk analysts can, in hours, produce a list of 20-40 properly defined risks (or loss events), prioritized based on probable financial loss and sorted for the needs of ERM, for instance by most severe events, top risks in annualized terms or most likely to exceed a risk tolerance level in dollars. The platform uses Monte Carlo simulation to generate a range of probable outcomes, a technique recommended by NISTIR 8286.
With a prioritized list in hand, analysts can perform detailed Top Risk Assessments on the RiskLens platform to take a deeper dive into a subset of top loss events, with a more intense process of data collection and scenario analysis, for reporting up to ERM.
Note: RiskLens services experts can guide your team through both Rapid Risk Assessments and Top Risk Assessments, in hands-on workshops.
Mitigation Should Be Cost-Effective
“The goal of effective risk management, including cybersecurity risks, is to identify ways to keep risk aligned with the risk appetite or tolerance in as cost-effective a way as possible,” NISTIR 8286 states. “The practitioner will determine whether the exposure associated with each risk in the register is within acceptable levels, based on the potential consequences. If not, that practitioner can identify and select cost-effective risk response options to achieve cybersecurity objectives.” NIST’s emphasis on “cost-effective” is significant – too often, mitigation in cybersecurity is looked at as a technical, not a business proposition.
>>RiskLens Risk Treatment Analysis Can Help with Identifying the Most Cost-Effective Mitigations
With a thorough understanding of the top risks, cyber risk teams are now in a position to consider controls or process changes to drive down, in FAIR terms, the frequency of occurrence or magnitude of impact of loss events. RiskLens Risk Treatment Analysis compares the probable effect on risk reduction (in dollar terms) of two or three risk treatments under consideration. The platform generates reports in terms that are easy to grasp for business decision makers – no technical discussion of cybersecurity required.