Enterprise Risk Management (ERM) and Business Decisions that Organizations Must Make
5 hours 19 minutes
thanks for sticking with me through module one. And now we're going into module to and this one will talk about identifying organizational assets and risks, and this just shows us where we're at. So we've done Module one preparing an organization for a cyber incident and now module to again identifying organizational assets and risk.
We'll start with Lesson 2.1 enterprise risk management, or CRM, and business decisions that organizations must make.
In this lesson, the objectives will be one identifying how a cert can impact on organizations, risk tolerance and be part of an enterprise
number to understand the importance of the CEO or CIS. So involvement in E. R. M. And why they should have a seat at the table
and number three. Learn how ir aligns with disaster recovery, continuity of operations and recovery objectives within an organization.
So let's talk about risk for a moment. How much risk is acceptable,
and this is a great question that you should be asking your organizational leadership. How much risk are we willing to take? What is the risk versus benefit tradeoff that we're looking at? And what's the appetite of risk within the organization
when we look at like I have on the screen here. There's a few things to think about.
If you have a less complex mission or business, perhaps you're less of a target.
So if you sell things that adversaries may not be interested in or you're a nonprofit organization that don't have a lot of enemies or people that might be after your data, then perhaps you can spend a little bit less on cybersecurity, and you don't feel you're as much of a target.
Perhaps you're a growing business. Maybe you're a startup. You've got a lot of money infused. You have the attention of people. It's more complex as you grow your introducing new applications and systems that also will equate to a larger spend and security.
And then finally, maybe you're a large and complex organization, and you're certainly a target because of your industry, your knowledge, your competitors. If you are, for example, in the government, you might have adversaries just because of the organization that you're with.
I mentioned before in my background that was part of the nuclear weapons complex within the Department of Energy, certainly a large target. A lot of people from both inside the United States. And, as you can imagine, foreign countries wanted to know what information we had on all sorts of weapons programs and science and research.
So we had a lot of targeted attacks,
because of that, we had to invest a lot in cybersecurity.
And oftentimes we see a lower complexity organization have less of a cybersecurity spend.
But they're also higher risk potentially because they don't have much cyber security personnel, sometimes none at all.
And you might lower your risk because you have a higher cost of cybersecurity.
But the one thing I want to get clear here on this slide is particularly if you're talking to executives about cybersecurity. You never want to equate
budget with the level of protection, and there is no perfect protection available to organizations. If you are talking about the fact that you spend a $1,000,000 on cybersecurity and you have firewalls in place and intrusion detection and two full time analysts, you're having the wrong discussion with leadership.
It's not a dollar sign equals protection type of discussion.
Well, it certainly can help. You could pay a lot of money. Look at all these major organizations and businesses that literally pay millions and millions of dollars a year in cybersecurity. Yet they still get preached.
If you are solely focused on dollars, equal security, those are the cybersecurity leaders that we see getting fired after some sort of a breach.
You want to really talk about risk, and it's not a decision that is taken lightly. And it's one that you need executive sponsorship to make and make sure everybody's on the same page.
So when we look at enterprise risk management, a lot of times organizations have some sort of an e r M program or board with a charter on. They look at things like, How old are our facilities, or how quickly can we fill key positions in the organization?
How old is our fire station or things? Things like that that they're talking about infrastructure. Usually
a lot of times, though we don't see I t or cybersecurity in those discussions. But Cee Io's and Sissoko's really need to have a seat at that table because if you've done your job and you've identified risks in your organization,
you want to make sure that other people know it, and it's not just a secret known only by I T or Cyber Security. If you know that you have sands that are beyond end of life. If you know you have a single point of failure in your phone system, that if that one thing goes out, that's already 20 years old as it is,
the entire phone systems going to go out.
Those are risks that need to be identified at a level like this, the Enterprise Risk Management Board.
And it's usually because of poor communication between cybersecurity and I T and executive leadership. At least in my experience, that's what I see. So having the ability to communicate risk in a way that leadership cares about is critically important.
How do you link business continuity with CERT? Well, here's a few ideas. Sirte and Business Continuity Planning, or BCP. You also see disaster recovery. Diar has to be interconnected. There's just no other way around it.
D R and B. C P plans should include recovery from large cyberattack, so you often see
de our plans and BCP plans talk about things like floods, earthquakes,
data corruption. But it doesn't always include large scale cyber attacks and it absolutely should. What happens if Ransomware shows up at the organization and you're completely locked out of all your files? That should be part of D R and B C P.
You also need to know recovery time objectives and recovery point objectives for the organization. Insert needs to be aware of this. So if you have application A that the business tells you we can Onley lose two hours worth of data and it has to be recovered within one hour of being down versus
this application is really not that critical. We could lose a couple of days, maybe even a week's worth of data. It's not a big deal and get it up when you can get it up.
If you don't know that information, how do you know what order to recover the assets in after an attack? And how do you know how to stack and rank applications from a response and triage perspective? So security has to be these air well known I t questions,
but security has to be in the loop on this and understand them as well.
I mentioned having a good handle of risks. This is an example of an I T risk register that should be made in court cooperation with I t and cybersecurity. But it talks about risks that are known to the organization, and a good way to do it is a risk number. What's the description on the slide here? You see, for example,
the sand for the Simmons beyond end of life. Okay, well,
who cares about that? Why should I care? That's if I'm an executive.
What's the So what? And that's why you do the If, then, if the sand fails because it's beyond end of life, then the Sirte will not have visibility in the critical events. OK, you've got my attention now. If you can't see what's going on in the network, how are you going to protect it?
What's the likelihood of this happening? What's the consequence of it? You give it a score and then you have a strategy. In this one, it's replaced san.
Sometimes risks can be fixed with money. Sometimes risks have to be re architected reengineered. You need people. That's not just a money problem. There's another risk. Carrie, you can read for yourself on bench strength, but again, this is something you wanna have a mature organization will have this for both i T and cybersecurity.
There's a lot of sources of data for risk management. Here you see things like poems, which will talk about later. Plan of Action of milestones. You're known vulnerabilities, unmitigated risk. All of this information should funnel down into that E R M or that enterprise risk management view so everyone knows what's going on in the organization
and where you get your information from.
All right, time for a quick quiz question. Why is a risk register a good idea?
A. Because it is recommended in this course.
Be it is a great job for an intern to complete. See, it provides a way to communicate risk in a manner that senior leaders will understand and appreciate.
De. It may help secure additional funding for security
or E. Both C and D are correct.
E is true. Both cnd are correct. It does allow you to talk in a way that executives will care about. And also it may help in fact, secure extra funding. One year when I put together a risk register when I was a C i o, I got over $7 million of incremental funding just to go attack some of those risks.
And the reason I got that extra money was because I was able to articulate it in a way
that all the business leadership and my peers understood that this isn't just a nightie problem. If these things happen, then it affects you. It affects you, it affects you, and this is how it would affect you. And once people understood that there was no problem, getting the funding that I needed to go fix some of those things so it can certainly lead to funding
are another question. Who decides what an appropriate level of risk is for an organization? A. The C i o b. The CIS. So
see the c r o or D, the Executive leadership team
and board of directors.
De is certainly the correct answer here.
This is not a 90 decision. It's not a cybersecurity decision. The risk, tolerance and risk appetite of an organization is absolutely the senior leaderships
decision to make, and you don't want to be making these decisions by yourself. That's a quick way. Teoh be looking for a new job for sure.
So in summary, In this lesson, we looked at how certain can impact in organizations, risk tolerance and be part of the E. R M. We talked about how IR can align to disaster recovery and continuity of operations,
and also the importance of the CIO and CSO involvement in E. R. M and why they should have a seat at the table.