I have been researching and thinking about risk and cybersecurity management concepts for the last year or so, and I wanted to share with you some initial conclusions I’ve reached about them.
I will call them “myths”, though some may not entirely agree. Of course, there is always a bit of truth even in myths– why else were they first perceived as true?
We frequently use the terms “risk and cybersecurity” together, and sometimes even as synonyms. But that can lead to the first myth:
Myth 1- RISK MANAGEMENT AND CYBERSECURITY MANAGEMENT ARE THE SAME THING.
Reality: I myself am guilty of grouping these two concepts together as if they were one and the same, and you will find much of our research output about cybersecurity and/or risk management lists them together often. But that means that they are connected and related– not that they are the same thing. Risk management is focused on managing the risks your organization faces, and uses a complete ecosystem of process, organization and technologies to perform that. Yes, some of those processes, organizations and technologies overlap, is dependent on, and contributes to cybersecurity, but again– not the same thing. Risk management is its own profession, has many categories and types and is more business-oriented than cybersecurity. I often think of risk management as “the power of negative thinking for positive outcomes”, because that is in a sentence its mission. It allows key decision makers and owners of key assets and processes throughout the organization to come to terms with “what can go wrong” with them– whether natural disaster, human error, mechanical failure– or deliberate actions. Cybersecurity management is devoted to the latter, particularly as it relates to information and the systems that support its collection, dissemination, analysis, access and management. In a sense, the primary purpose of cybersecurity is FIRST to inform “negative thinkers” about what could go wrong when deliberate acts occur involving data, software, networks, computers and support services, THEN to protect those systems as prescribed by the outcome of all of that negative thinking. But that’s not the entire story. Now, let’s proceed to Myth 2.
Myth 2- RISK MANAGEMENT AND CYBERSECURITY MANAGEMENT ARE MANAGED GENERALLY BY THE SAME PEOPLE AND REPORT TO THE SAME PEOPLE.
Reality: No. Risk and cybersecurity management are managed by the same people when those people have no choice and there are little or no resources available to have teams for each. This is the typical “multiple-hat” theory, found often in smaller organizations. They can report to the same person, but just as often not do so because of the mission as outlined in Myth 1. They are distinctive disciplines with related but different missions. More mature organizations find ways to have risk management “closer” to business decision-makers, non-technical types that make risk-related decisions based upon business outcomes– not only compliance outcomes, and not cybersecurity outcomes. But this is where it gets complicated.
When I referred earlier to different types of risk, it can be confusing when your people discuss “cyber risk management” or “IT risk management” at the same time they may discuss something known as “enterprise risk management”. I’ll write more about the latter in a moment. IF risk and cybersecurity management are done by the same people and if they report to the same people, it is often because they are responsible for specifically managing IT and/or cyber risks. It doesn’t mean they are directly responsible for managing things like credit risk, or operational risk (at least entirely), or legal risk. They certainly contribute to doing so with their collected information, but cybersecurity folks may sometimes think they are responsible for more than they really are when it comes to risk management. I don’t mean that in a disparaging way, but you have to admit we sometimes can get confused in a board meeting when they ask you pointed questions about corporate or agency performance that you cannot answer. There’s a reason for that.
MYTH 3- CYBER AND/OR IT RISK MANAGEMENT IS ENTERPRISE RISK MANAGEMENT.
Reality: No. That is what I was describing in the reality check for Myth 2. Enterprise risks are those that board-level executives and key senior leaders in your organization are held accountable for and must address. They can USE your information (and do frequently) to account for them, but remember, there are other ways to collect, analyze and deliver information for making risk decisions in the organization besides IT or cyber infrastructure. Now it IS true that every year that passes IT and cyber systems become so pervasive throughout the organization that it is getting more difficult to NOT find technology involved in that information collection, analysis and delivery, but don’t confuse protecting THAT for “delivering” accountability for enterprise risk in the organization. They aren’t the same thing. Cybersecurity management helps in many things, but you aren’t accountable normally for credit risk (exception alert: if your livelihood is involved in credit management, maybe more involved).
It may be easier to conceptualize a four-layer cake when thinking about this, though that of course is a generalization and makes you hungry at the same time.
Bottom layer: Operational risk management, where you’re concerned about day-to-day negative thinking of what could go wrong in operations.
Second layer: IT and/or cyber risk management, negative thinking about the technological “skin” for processes in operations, business and other functions.
Third layer: integrated or business risk management, that incorporates operational and IT/cyber risks with different business-related risks (like vendor, corporate oversight, legal, audit, etc. risks).
Fourth layer: enterprise risk management, which deals with organization wide strategic risks like reputational risk, financial risk, credit risk and other executive concerns.
Between these layers are intricate relationships, bi-directional information and decision flows. THAT is the risk management ecosystem.
MYTH 4- IF YOU’RE IN COMPLIANCE, YOU HAVE ALMOST ALL OF THE SECURITY AND RISK MANAGEMENT YOU NEED.
Reality: wrong, wrong, wrong. Gartner has written about this repeatedly but it’s worth mentioning yet one more time. Compliance is not risk management, though it is part of it. Compliance is not cybersecurity management, though it is part of it. Think of compliance and associated standards, frameworks and guidance as a “baseline” of controls to manage negative thinking for positive outcomes. It is the basic direction provided by government, industry or consortia to at least manage those risks that have been commonly identified. Much like a technical standard, it attempts to make the most of what has been learned through harsh experience and potential threat to create a common approach. That can be made into a regulation or provided as a framework, standards or ‘guidance’, and often companies take up any of those to start a risk management process.
If you notice for example the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework is listed as a risk management framework, though it is used in cybersecurity management practice to help create a plan as well. There’s a reason for that, and it’s to attempt to link together the disciplines of risk management and cybersecurity management so that everyone is pulling in the same direction for the same reasons. Again, let’s generalize for a moment.
Think of cybersecurity planning as needed at least three major inputs in any organization to be successful–
(1) the nature of the threat, which we get with our security technologies to monitor and detect threats, to detect vulnerabilities, to detect intrusions and more;
(2) regulatory compliance mandates, which directs us toward what our industry or focus area has learned that it is “just the right thing to do”, and;
(3) risk management leadership input, as indicated through governance and decision-making bodies and through that formal risk management profession I mentioned from Myth 1. Of course there are other inputs, but think of it again in a simple way for starters.
Much of what I’ve written today may already be known by most of you, but if I’ve helped anyone to better understand the big picture around risk and cybersecurity management, I’ve done my job. I welcome any and all feedback as to this discussion today, including those of you who think my version of this universe is wrong. Debate is always healthy. Try not to spend too much time however in the “negative thinking” mindset, or else you’ll begin to think you have to be tested genetically for pessimism to become a risk manager– another myth.