Enterprise Risk Management in Cybersecurity

The way of doing business has dramatically changed over the years: most organizations have shifted into globalization of technology adoption, and this shift has spread wide into seemingly small and large areas of infrastructure.

Take for an instance, a local coffee shop which now has the ability to accept more than one form of payment - pay by card, or a contactless method. We can now take a picture of a check with our bank app, and deposit into our account without the need to drive to a traditional banking center.

If equipped in a car, one can use an app to precondition the interior cabin for a suitable temperature. These are all possible because of the advances made with IoT devices. This change is generational, it will only get bigger from hence forth.

Government entities, organizations and corporations have all embraced the ease that technology brings. However, it is not without a cost, because with each innovation, there are risks associated with it.

Risk management becomes a vital part if an organization is aiming for long term sustainability. Enterprise Risk Management (ERM), is a type of strategic plan that a business or entity develops to help prepare for accidents, identify potential for disasters, and define what is an acceptable loss. A loss can either be physical or logical, but it has to be one that has the potential to disrupt the operation of a business.

Organizations in the past would shift risk management on to insurance companies, and expect to just "buy" their way out. But with strict government regulations, this may no longer be the case. Creating an ERM plan with information security in mind not only helps businesses become resilient; it can enable an organization to forecast its risk appetite.

An article by Will Kenton summarized: "Modern businesses, however, face a much more diverse collection of obstacles and potential dangers. How companies manage the risks that defy easy measurements or a framework for management also falls under the ERM umbrella.”

Organizations must now look past financial loss, as there is the damage of reputation loss should a business fail to identify risk factors. To create an effective ERM, businesses and organizations need to include ERM in annual budgeting. It can no longer be a fly-by task for an IT director. Project managers also need to be involved in the process of identifying, creating, and managing risk.

When creating ERM, here some of the things to consider (this is not an exhaustive list):

  1. Scope of ERM implementation: Define the scope of the ERM, make sure that all components are considered. If specifically drawing up a framework for cybersecurity, make certain that risks are identified and assessed. Create a structure that breaks down risk factors and its triggers.
  2. Use clear language: Understand that you may not be dealing with technology-savvy executives, therefore, your language needs to be plain and straight-forward as much as possible. The success of implementing an ERM is somewhat dependent on effective communication.
  3. Use Frameworks: Depending on the industry your organization is in, use of preexisting framework is recommended, there is no need to reinvent the wheel.
  4. Assign Owners: ERM is only as good as the owners of the program managers. It may not be possible to achieve ERM goals if there is no clear owner of each category. This is where expectations will be set.
  5. Key Performance Indicators: How do you tell if an ERM is successful? it is by measuring it. KPI's are important factor when implementing ERM in an organization. KPI will make you ask questions including the following:

  • What do you hope to achieve in ERM?
  • Who is responsible for the framework and implementation?
  • How will the organization track the success?

In summary, ERM is a continuous endeavor. It should not be a setup-and-leave-it program. Progress reports should be part of quarterly reports, this will help an organization understand where it stands on risk management.

Implementing ERM for cybersecurity is similar to any other ERM strategy, except in cybersecurity, where government regulations and industry specific methods need to be followed. For the information security program in an organization to be successful, ERM is a must, and not something that is left for the "IT" guy/department. 


Michael has been involved in information technology for more than seven years, and is currently a PhD candidate at University of the Cumberlands where he is focusing more deeply in systems security. One of his many passions is to cater to small businesses and help protect their assets through a cybersecurity medium. His experience includes: Healthcare, Banking, Entertainment and most recently Telecommunications. He is employed and heads his cyber division.


What’s Hot on Infosecurity Magazine?