Enterprise Risk Management encompasses a wide array of tools and processes. By understanding the core elements of Enterprise Risk Management, firms can choose the tools that best fit their unique circumstances.
Although it’s easy to assume that cyberwar exists only between nation states, the reality is that companies must wage their own cyber battles against hackers daily. In sports, as in war, we often say that the best offense is a good defense. To defend your data, however, you need to know the risks and threats to your systems, networks, and software so that you can create controls to effectively manage threats to your environment. Enterprise risk management tools allow you to calculate risks more strategically so that you can establish a stronger “defensive” offense.
The technical definition of enterprise risk management (ERM) is the process of planning, organizing, leading, and controlling your organization’s activities to minimize the impact risks have on your financial security. Enterprise risk management includes financial, strategic and operational risks, in addition to risks associated with accidental losses.
This short definition doesn’t do justice to the complexity of the process. Imagine that you’re a general leading an army into war. You need to think about group and individual resources. You need to think about how to aggregate the best soldiers. You need to think about who you put in charge. You need to find ways to defend against the attacking army’s resources, soldiers, and strategic locations.
Cybersecurity works the same way. As the leader of your organization, you need to focus on your strengths and understand your weaknesses to stymie hackers attempting to lay siege to your data.
While it might sound a bit extreme to suggest hackers lay siege to data, the reality is that organizations often don’t notice that a breach has occurred right away. According to the 2018 Data Breach Study by the Ponemon Institute:
Even more frightening is that in the United States, the report noted that the MTTI (mean time to identify a breach) is 201 days. Fortunately, once a breach is identified, US companies have a lower than average MTTC (mean time to contain it) of 52 days.
More often than not, malicious actors infiltrate your systems and then continue to siphon data until you find them. In the same way that an army waits out its opposition’s resources, so do hackers. Thus, hackers sitting in the background continuously attacking your system, whether through cross-site scripting, SQL injection, or malware, act as a siege upon your data environment.
If you’re already taking a security-first approach to cybersecurity, then you’ve probably already gone through the ERM process. In fact, it’s safe to say that as more standards and regulations take a risk-based approach to compliance, any compliance requirements to which you want to align your controls will force you to engage in ERM.
Before you start creating controls, you need to look at where you are, where you started, and where you want to go. For example, if you started out with a payment processing tool for retail, you may realize that it also works well for doctors’ offices. If you’re planning to expand your business into new industries, you need to think about what service you started with, what you’re providing now, and where else you can leverage that tool. Beginning with your strategic business operations goals allows you to decide what software, networks, and systems you need and what to plan for in the future.
Your risk assessment drives the rest of your plans. To create a useful risk assessment, you need to list all the types of data you collect and devices that store, transmit, and collect it. This must include Internet of Things (IoT) and employee devices. Assign each of the sources, devices, locations, and data types a level of potential risk (high, medium, or low). Then look at the impact the breach would have on your business.
You can choose to accept, reject, reduce, or share risks. However, you need to detail the decision and reasoning behind it.
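As an added example (not part of the original article or of Zeguro’s product), here is a small risk register in Python that records the assessment described above: each data type and the device or system that stores, transmits, or collects it, a high/medium/low likelihood and impact rating, a computed score, and the treatment decision (accept, reject, reduce, or share) together with its written rationale. The sample inventory, the field names, and the likelihood × impact scoring are assumptions chosen for illustration.

```python
"""Minimal risk register for an ERM-style assessment (illustrative example)."""
from dataclasses import dataclass
from typing import List

# Ordinal values for the high/medium/low ratings (assumed scale).
LEVELS = {"low": 1, "medium": 2, "high": 3}

# The four treatment decisions named in the text.
TREATMENTS = {"accept", "reject", "reduce", "share"}


@dataclass
class RiskEntry:
    asset: str        # type of data collected (e.g. cardholder data)
    location: str     # device or system that stores/transmits/collects it
    likelihood: str   # high / medium / low
    impact: str       # high / medium / low business impact if breached
    treatment: str    # accept / reject / reduce / share
    rationale: str    # the reasoning behind the decision, as the text requires

    def __post_init__(self) -> None:
        # Reject ratings or decisions outside the agreed vocabulary so the
        # register stays consistent across teams.
        for name in ("likelihood", "impact"):
            if getattr(self, name) not in LEVELS:
                raise ValueError(f"{name} must be one of {sorted(LEVELS)}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"treatment must be one of {sorted(TREATMENTS)}")
        if not self.rationale.strip():
            raise ValueError("every treatment decision must record its rationale")

    @property
    def score(self) -> int:
        """Risk score: likelihood x impact on the 1..3 ordinal scale (1..9)."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def rank(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Highest-risk entries first, so remediation effort goes where it matters."""
    return sorted(entries, key=lambda e: e.score, reverse=True)


def accepted_high_risks(entries: List[RiskEntry], threshold: int = 6) -> List[RiskEntry]:
    """Entries at or above the threshold that were simply accepted.

    These deserve a second look: accepting a high-scoring risk is allowed,
    but it should be a deliberate, documented choice rather than an oversight.
    """
    return [e for e in entries if e.score >= threshold and e.treatment == "accept"]


def build_sample_register() -> List[RiskEntry]:
    """Constructed sample inventory (not real data), including an IoT device
    and an employee laptop as the text recommends."""
    return [
        RiskEntry("cardholder data", "retail payment terminal", "high", "high",
                  "reduce", "segment terminals and enforce encryption in transit"),
        RiskEntry("employee HR records", "HR SaaS platform", "medium", "high",
                  "share", "contractual security obligations plus cyber insurance"),
        RiskEntry("marketing contact list", "marketing manager laptop", "medium", "medium",
                  "accept", "low-sensitivity data; full-disk encryption already in place"),
        RiskEntry("building temperature telemetry", "IoT thermostat", "high", "low",
                  "accept", "no sensitive data; device isolated on guest network"),
    ]


if __name__ == "__main__":
    for entry in rank(build_sample_register()):
        print(f"{entry.score}  {entry.asset:32} {entry.location:28} {entry.treatment}")
```

Running the block prints the register from highest to lowest score; `accepted_high_risks` is the review check you would run before signing off, so that any high-scoring risk marked "accept" is a conscious, justified decision.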
Even though you can’t control attackers’ actions, you can control your defensive strategies to keep hackers out of your data environment. Establishing policies, procedures, and security controls makes response implementation easier.
You also need to make sure that your employees understand the importance of cyber hygiene and train them appropriately. Training, quizzes, reminders, and rewards should be a part of the cultural integration of risk to your employees’ routines.
Things happen that can change your approach to your ERM program. Whether it’s bringing in a new Software-as-a-Service (SaaS) platform to enable operations, news of a new malware attack, or a vendor data breach, you need to identify events that can change your risk strategy.
Regular communication is key to maintaining a secure environment. You need to make sure that you’re sending out the needed, role-based information to keep everyone cyber aware. Not only do you need to discuss risks and protections with your front-line staff, you need to make sure that everyone at the executive level understands your analysis, including any Board of Directors.
Malicious actors don’t wait for your annual formal risk review. Creating a good defense means continuously monitoring your controls and ensuring that they protect your data.
ERM requires you to continuously look at the different security and risk events specific to your organization.
In the healthcare industry for example, a family practitioner handles less information than a large hospital. The same is true for large law firms and multi-store retail businesses versus their smaller siblings. As you drill down further, restaurants and clothing stores have different needs and risks as well. Similarly, civil and criminal litigation firms may have different information and data risks based on the evidence they store as part of their practice.
ERM lets you focus specifically on what can impact your organization’s specific needs rather than looking at the global needs for the industry as a whole.
Solving this problem is different for every business, primarily because enterprise risk differs from company to company.
The good news is that you have more ERM software options today. The bad news is that the proliferation of ERM software makes the decision more difficult. The following steps can help you make decisions about ERM tools to find the one that’s right for you.
You’re looking for the best bang for your buck. Free risk assessment software might seem like a great idea at first. Unfortunately, if you don’t have the IT staff to appropriately complete the risk assessment, then you might not appropriately analyze your risk in the first place. Additionally, free tools often take a long time to complete. Thus, you risk spending valuable time on something that might leave a gap in your protections. Weigh the cost in man-hours spent against the potential cost of a data breach when considering the cost effectiveness of a tool.
Only you know what standards and regulations apply to you. Before choosing an ERM tool, you need to determine your compliance requirements in the current moment as well as for future business sectors you want to enter. You need to make sure any risk management tool you choose can grow with you. Otherwise, you’ll need to start again from the beginning.
The wide array of cybersecurity solutions available seems overwhelming. However, some may provide more services than you need, costing more. Others may not meet future needs, but cost less. In some cases, you might just need a platform that offers you storage for your documentation. In other cases, you might need to bolster your employee training options.
Depending on your organization’s maturity and industry, you may already have some of what you need and just need to add on capabilities as the issue arises. Before you research services, try making a “wish list” of what your organization needs to maintain a robust cybersecurity program. Some services may have more than you need, while others may not meet your core requirements. Don’t get caught up in the “oooh shiny!” on websites, which can make narrowing down the process more difficult. Come to any meetings with a list of your core requirements and ask vendors what they can do to meet those needs.
Regardless of size, no one enjoys a difficult technology deployment. Moreover, if you’re in a bind and need to mature your cybersecurity and compliance stance rapidly, you need something that enables rapid deployment and offers a user-friendly interface. If technology isn’t your
Hackers are waiting for you to make a mistake. If you’re looking for ERM software, then you want something that helps you find weaknesses, and fast. Data breach costs rise significantly the longer it takes to find and contain them.
Whether you’re just getting started or fully compliant, you want to know you can ask questions and have someone knowledgeable to answer them. Judging the level of expertise behind each platform is difficult if you’re not confident in your own IT knowledge. Look for staff with experience in the field; professional certifications can also give you insight as to whether the staff really know what they’re doing.
As Sun Tzu said, “many calculations lead to victory.” Visible and hidden risks that lead to data breaches require you to calculate across internal and external stakeholders. You need to be able to see into your infrastructure to protect it. To us, transparency means:
For more information about how we can help you, check out our risk management platform or contact us at Zeguro to learn more.