“The secret to winning is constant, consistent management.” Tom Landry, Dallas Cowboys
In cybersecurity, constant, consistent risk management is the secret to beating hackers at their own game. In sports, coaches make sure to have a variety of defensive moves in their playbooks to stop the opposing team. As your company’s cybersecurity coach, you need to do the same. Understanding the differences and overlaps between enterprise risk management and integrated risk management, therefore, allows you to align your risk strategies effectively and purposefully.
Enterprise risk management (ERM) focuses on the process of planning, organizing, leading, and controlling the activities within your organization. ERM works as an organizational review. You look at your strategic business goals and then review the information technology (IT) risks associated with them.
For example, if you’re a database company that currently sells a product tuned to the needs of retail marketers, you might realize that your data management system is also relevant to financial institutions and want to enter that market. However, the retail and financial industries have different cybersecurity requirements with which you need to comply. Therefore, part of ERM is determining how to align your controls to scale your business.
Gartner defines integrated risk management (IRM) as “a set of practices and processes supported by a risk-aware culture and enabling technologies that improves decision making and performance through an integrated view of how well an organization manages its unique set of risks.” In less technical terms, IRM focuses on how you make risk-based decisions about adding technology to streamline your critical business processes.
For example, in restaurants, you may have noticed that servers use tablets or smartphones for taking customer orders rather than pens and paper. This shift to digital information collection, storage, and transmission makes front-of-house and back-of-house communications more efficient. But there are implications to having digital devices, possibly connected to other systems, in the hands of wait staff as they interact with customers.
ERM focuses on reviewing strategic business decisions and the risks your technology poses to them. For example, a retail business may have a website that provides information about its products but focuses sales in its brick-and-mortar store. However, if it’s looking to expand its reach and scale, it will want to begin selling its products online as well. ERM means looking at the new risks to the business that arise out of the change, including choosing a vendor, managing the vendor, and new information technology compliance requirements.
IRM focuses specifically on analyzing the risks inherent in your business technologies. In the above example, IRM means reviewing the specific technologies, like ecommerce systems or tag management systems, that the retailer connects to its website for customer tracking and payment purposes, and the ways that this new technology impacts other technologies it already uses. In this scenario, the website payment application might connect to an inventory application on a smartphone in a warehouse, bringing in Internet of Things (IoT) security issues. This integration between the technologies is part of IRM.
Although the two started out differently, they’re rapidly moving closer together. The use of Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) means that the choices you make for your business ultimately require new technologies.
Returning to the small retailer example: if the company chooses to use an Amazon Web Services integration for its online store, it’s using an IaaS platform to support its business strategies. Thus, while the two are distinct, they’re also inherently intertwined.
An integrated risk management framework is the formal policy that creates a systematic approach to governing risk. Although it incorporates many elements of ERM, it also tends to be more holistic.
The industry standards that help establish cybersecurity control best practices often discuss IRM frameworks. For example, one of the most popular cybersecurity frameworks, the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity was updated in April 2018.
The NIST framework sets out five Core Functions that guide companies through the process of integrating technology risk throughout their organization.
The NIST Cybersecurity Framework (NIST CSF) focuses on five primary elements for governing IT and cybersecurity risk. Each of the primary elements is then broken down into subcategories, which are further broken down into sub-subcategories that define your evaluation activities.
Identify. The subcategories are: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy, and Supply Chain Risk Management.
Protect. The subcategories are: Identity Management, Authentication and Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.
Detect. The subcategories are: Anomalies and Events, Security Continuous Monitoring, and Detection Processes.
Respond. The subcategories are: Response Planning, Communications, Analysis, Mitigation, and Improvements.
Recover. The subcategories are: Recovery Planning, Improvements, and Communications.
While ERM offers only a general set of steps, the NIST CSF requirements specify the activities and controls necessary for IRM across your business technologies. Additionally, the NIST CSF incorporates response and recovery requirements.
At Zeguro, we recognize that IRM incorporates technical language that can feel overwhelming. We also know that you want to secure your information so you can protect yourself and your customers. To us, transparency in the IRM process means:
For more information about how we can help you, check out our risk management platform or contact us at Zeguro to learn more.