
The Calculus of Cyber in the Context of Enterprise Risk


Seema Sewell, Director of Cyber Assurance and Architecture, Maricopa County; Lester Godsey, CISO, Maricopa County
There is a common fallacy around the concept of risk: that risk is wholly bad and should be avoided at all costs. What many organizations, especially the more established ones, fail to realize is that without risk there is no reward. Put another way, if a company's primary focus is on reducing as much risk as possible, the greatest risk it may face is obsolescence. The real objective should be to reduce enterprise risk to a level that allows the organization to be successful and grow.
Unfortunately, not all risk is created equal: some risks are well worth taking, while others may lead to catastrophic ruin. To determine which risks fall into which category, they must be identified, quantified, documented, analyzed, weighed, and managed through a measured approach known as Enterprise Risk Management (ERM). Through the application of an ERM framework, risks such as knowledge drain, acts of nature, availability of capital, and product failure are evaluated and prioritized through the lens of the organization's mission, vision, values, and goals, giving decision-makers the opportunity to take leaps of faith when the risk warrants it.
So why are we talking about ERM here? The risk landscape has changed drastically, and few risks affect organizations with the impact and pervasiveness of cyber. In an internet-connected and technology-dependent world, organizations cannot escape exposure to this ever-morphing risk and its enterprise impact. Worse, few organizations have the ability to calculate the value of cyber risk mitigation strategies or have a mature plan for cyber risk mitigation. It's not that organizations are ignoring it; in fact, regulatory or reputational requirements likely necessitate the implementation of cyber risk management (CRM) strategies. It's that cyber risks differ uniquely from the more static, well-defined, and somewhat predictable organizational risks to which actuaries are accustomed. Organizational risk is like packing for a trip to a city you used to live in. Cyber risk, by contrast, can feel like packing for a trip to a foreign country where you won't know your destination until you're in the air: you may have packed for Australia but wound up in the Arctic.


Integrating ERM frameworks like the RIMS Risk Maturity Model (RMM) with CRM frameworks like the NIST Risk Management Framework (RMF) adds cyber as a risk category in the organization's operational risk profile. Metrics such as dwell time; mean times to mitigate, remediate, respond, and contain; number of intrusion attempts; and number of identified misconfigured assets can be evaluated and used to predict risk and resiliency. Sounds easy, right? Not so fast. Non-cyber risk calculations have been honed over decades, whereas calculating cyber risk is, at best, as much art as science. When presenting cyber risk to a Board or CEO, qualitative risk profiles can come across as vague and subjective. These conversations are difficult and frustrating for both sides. In contrast, quantitative risk assessments allow decision-makers to weigh actual costs and benefits. A $10mil control must be looked at in the light of what is being protected: a $50mil asset is worth the spend, but what about a $5mil asset?
This is where ERM makes all the difference. By leveraging the valuations and predictive logic used to calculate organizational risk, CSOs can translate cyber risk into business risk. CSOs, CTOs, and CEOs can come together to identify and quantify risk values for both the impact and likelihood of cybersecurity events. These values can then be used to track the overall risk posture and bring clarity to the decision-making process. This collaborative endeavor also ensures that leadership is engaged and involved from the top down, permeating the organizational culture with the mindset that cyber risk is constant and enduring but can be managed.
While cyber risk has been front and center in the news, cyber does not equal enterprise risk. It is a part of enterprise risk, arguably the most volatile part, but a part nonetheless. Instead of throwing away past processes for calculating enterprise risk, let's recognize the ubiquitous nature of cyber risk and apply those established disciplines and processes, where it makes sense, to new or existing ERM systems within all our organizations.
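As an added worked illustration of the cost-versus-benefit comparison above (example code, not from the article or from Maricopa County), the following uses a standard annualized loss expectancy and return-on-security-investment model to weigh the $10mil control against the $50mil and $5mil assets the article mentions. The likelihood, impact fraction, control effectiveness and planning horizon are constructed, assumed figures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CyberRisk:
    """A cyber risk in the ERM vocabulary the article uses: a valued asset,
    the annual likelihood of a loss event, and the impact when it occurs.
    All figures below are constructed for illustration."""
    name: str
    asset_value: float        # dollars at stake
    annual_likelihood: float  # probability of the event in a given year
    impact_fraction: float    # share of asset value lost per event

    def single_loss_expectancy(self) -> float:
        return self.asset_value * self.impact_fraction

    def annual_loss_expectancy(self) -> float:
        # ALE = single loss expectancy x annual rate of occurrence
        return self.single_loss_expectancy() * self.annual_likelihood


def evaluate_control(risk: CyberRisk, control_cost: float,
                     effectiveness: float, horizon_years: int) -> dict:
    """Weigh a one-time control spend against the loss it is expected to
    avoid over the planning horizon. `effectiveness` is the assumed share of
    expected loss the control removes. Returns the figures a CSO would put
    in front of the CEO, including return on security investment (ROSI)."""
    if not (0.0 <= effectiveness <= 1.0) or horizon_years <= 0:
        raise ValueError("effectiveness must be in [0, 1] and horizon positive")
    expected_loss = risk.annual_loss_expectancy() * horizon_years
    loss_avoided = expected_loss * effectiveness
    net_benefit = loss_avoided - control_cost
    return {
        "asset": risk.name,
        "expected_loss": expected_loss,
        "loss_avoided": loss_avoided,
        "net_benefit": net_benefit,
        "rosi": net_benefit / control_cost,
        "justified": net_benefit > 0,
    }


# Constructed scenarios mirroring the article's $50M and $5M assets, both
# facing the same $10M control with identical (assumed) likelihood, impact
# and control effectiveness.
CONTROL_COST = 10_000_000
SCENARIOS = [
    CyberRisk("customer data platform", 50_000_000, 0.2, 0.5),
    CyberRisk("internal wiki", 5_000_000, 0.2, 0.5),
]

if __name__ == "__main__":
    for risk in SCENARIOS:
        r = evaluate_control(risk, CONTROL_COST, effectiveness=0.8, horizon_years=5)
        print(f"{r['asset']}: ROSI {r['rosi']:+.0%}, justified={r['justified']}")
```

With these assumptions the same control pays back twice over on the $50mil asset and loses most of its cost on the $5mil one, which is the kind of number that turns a qualitative argument into a budget decision.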

