The Calculus of Cyber in the Context of Enterprise Risk

Seema Sewell, Director of Cyber Assurance and Architecture, Maricopa County Lester Godsey, CISO, Maricopa County

There is a common fallacy around the concept of risk, that risk is completely bad and should be avoided at all costs. What many organizations, especially those more established fail to realize is that without risk, there is no reward. Another way of looking at this idea is that if a company’s primary focus is on reducing as much risk as possible, the greatest risk they may find is that of obsolescence. The real objective should be to reduce enterprise risk to a level that allows the organization to be successful and grow.

Unfortunately, not all risk is created equal, some risks are well worth taking while others may lead to catastrophic ruin. In order to determine which risks fall into which category, they must be identified, quantified, documented, analyzed, weighed, and managed through a measured approach known as Enterprise Risk Management (ERM). Through the application of an ERM framework, risks such as knowledge drain, acts of nature, availability of capital, and product failure are evaluated and prioritized through the lens of organizational mission, vision, values and goals, allowing decision-makers the opportunity to take leaps of faith when the risk warrants it.

So why are we talking about ERM here? The risk landscape has drastically changed, and few risks affect organizations with the impact and pervasiveness than that of cyber. In an internet-connected and technology-dependent world, organizations are unable to escape exposure to this ever-morphing risk and its enterprise impact. Worse, few organizations have the ability to calculate the value of cyber risk mitigation strategies or have a mature plan for cyber risk mitigation. It's not that organizations are ignoring it, in fact it's likely that regulatory or reputational requirements necessitate implementation of cyber risk management (CRM) strategies. It's that cyber risks uniquely differ from the more static, well-defined, and somewhat predictable organizational risks to which actuaries are accustomed. Organizational risk is like packing for a trip to a city you used to live in. Alternately, cyber risk can feel like packing for a trip to a foreign country and you won't know where you're going until you get in the air. You may have packed for Australia but wound up in the Arctic.

The risk landscape has drastically changed, and few risks affect organizations with the impact and pervasiveness than that of cyber

Integrating ERM frameworks like the RIMS risk maturity model (RMM) with CRM frameworks like the NIST risk management framework (RMF) adds cyber as a risk category in the organization's operational risk profile. Metrics such as dwell time; mean times to mitigate, remediate, respond and contain; number of intrusion attempts, and number of identified misconfigured assets can be evaluated and used to predict risk and resiliency. Sounds easy right? Not so fast. Non-cyber risk calculations have been honed over decades where as calculating cyber risk is at best, as much art as it is science. When presenting cyber risk to a Board or CEO, qualitative risk profiles can be seen as vague and subjective. These conversations are difficult and frustrating for both sides. In contrast, quantitative risk assessments allow for decision makers to weigh actual costs and benefits. A $10mil control must be looked at in the light of what is being protected. A $50mil asset is worth the spend but what about a $5mil asset?

This is where ERM makes all the difference. By leveraging the valuations and predictive logic used to calculate organizational risk, CSOs can translate cyber risk to business risk. CSOs, CTOs and CEOs can come together to identify and quantify risk values for both the impact and likelihood of cybersecurity events. These values can then be used to track general risk postures and provide clarity in the decision-making process. This collaborative endeavor also ensures that leadership from the top down is engaged and involved, permeating the organizational culture with the mindset that cyber risk is constant and enduring but can be managed.

While cyber risk has been front and center in the news, cyber does not equal enterprise risk. It is a part, arguably the most volatile, of enterprise risk but still a part none the less. Instead of throwing away past processes of calculating enterprise risk, let’s recognize the ubiquitous nature of cyber risk and apply past disciplines and processes, where it makes sense to new or existing ERM systems within all our organizations.