US Government Guidance on Cyber Risk – and Why Risk Management

Before addressing new draft guidance from the Federal Government, 2nd Draft NISTIR 8286A Identifying and Estimating Cybersecurity Risk for Enterprise Risk Management (ERM), it is essential to go back to fundamentals.

Why, we should ask, do we need risk management?

The answer is not: “Because we are required by the regulators and others to have it. It’s a compliance activity”.

While that may be true, if compliance is the only purpose and there is no other value, we should comply using the least possible effort and resources.

The answer should also not be: “We need to create a list of the things that could go wrong and harm us, so we can avoid or at least mitigate that harm”.

While there is some value in a list, focusing on avoiding all harm is the path to failure. To succeed, you need to take the risk of harm – but do so judiciously where it is warranted on business grounds.

Risk practitioners should avoid being labeled, because of their blinkered approach to managing or mitigating risk, as people who get in the way of running the business.

The correct answer is, of course, that only by understanding what is happening and what might happen in the future can we set and then achieve enterprise objectives – and we do that through informed and intelligent tactical and strategic decisions that are made every day.


Business decisions can be complex and require the consideration of multiple factors.

For example, decisions are often needed in response to questions like these:

  • How much should we invest in cybersecurity, given our limited resources and the need to fund new systems, product development, and marketing initiatives?
  • Should we implement this new internet-enabled product on time, early (to gain market advantage), or delay it (to obtain greater assurance that it won’t be hacked)?

As you know, I cover this and much more first in Making Business Sense of Technology Risk (focused on the topic at hand today) and then in Risk Management for Success.


There are some good points in the draft NIST report (they haven’t called it a Standard yet).

But they are focused on developing a cyber risk register that can be added to an enterprise risk register, as if that is all that is required for effective risk management.

A risk register, or a risk profile, or a list of risks in another guise will not help management make the business decisions necessary for success.


Let’s review some of the good content, with comments where appropriate.

  • For federal agencies, the Office of Management and Budget (OMB) Circular A-11 defines risk as “the effect of uncertainty on objectives.” An organization’s mission and business objectives can be impacted by such effects and must be managed at various levels within the organization.

Comment: this is excellent, but the report does not ask those assessing risks (and they focus on harms rather than all the things that might happen) to do so in terms of the potential effect on objectives. It should be noted that in order to do that, it is necessary to specify which enterprise objectives might be affected and by how much. In my books, I recommend considering how they might affect the likelihood of achieving the objectives rather than a simplistic dollar figure.

  • ERM strategy and CSRM strategy are not divergent; CSRM strategy should be a subset of ERM strategy with particular objectives, processes, and reporting.

Comment: this is good, but care should be taken to ensure that any reporting is designed to address the need to enable informed and intelligent decisions. In other words, provide the specific information decision-makers need, when they need it – and that is rarely a list of risks.

  • CSRM, as an important component of ERM, helps assure that cybersecurity risks do not hinder established enterprise mission objectives. CSRM also helps ensure that exposure from cybersecurity risk remains within the limits assigned by enterprise leadership.

Comment: CSRM, or cybersecurity risk management, should be fully integrated with enterprise risk management so that all sources of risk (i.e., both the potential for harm and the potential for reward from things that might happen) are considered together. You need to intelligently aggregate risks from disparate sources, such as compliance and cyber, when making a decision.

  • Risk appetite regarding cybersecurity risks is declared at the Enterprise Level. Risk appetite provides a guidepost to the types and amount of risk, on a broad level, that senior leaders are willing to accept in pursuit of mission objectives and enterprise value. Risk appetite may be qualitative or quantitative. As leaders establish an organizational structure, business processes, and systems to accomplish enterprise mission objectives, the results define the structure and expectations for CSRM at all levels. Based on these expectations, cybersecurity risks are identified, managed, and reported through risk registers and relevant metrics. The register then directly supports the refinement of risk strategy considering mission objectives.

Comment: while I accept the need for limits, such as credit limits, the idea of an enterprise level risk appetite statement strikes me as having little logical or practical merit. I know many will disagree, but have yet to hear a persuasive argument in their support.

  • In a footnote, the report states: OMB Circular A-123 states, “Risk must be analyzed in relation to achievement of the strategic objectives established in the Agency strategic plan (see OMB Circular No. A-11, Section 230), as well as risk in relation to appropriate operational objectives. Specific objectives must be identified and documented to facilitate identification of risks to strategic, operations, reporting, and compliance.”

Comment: this footnote states a critical point that is missing from the body of the report.

  • Risk identification represents a critical activity for determining the uncertainty that can impact mission objectives. NISTIR 8286A primarily focuses on negative risks (i.e., threats and vulnerabilities that lead to harmful consequences), but positive risks represent a significant opportunity and should be documented and reviewed as well. Consideration and details regarding positive risks will be addressed in subsequent publications.
  • Practitioners will benefit from identifying and overcoming bias factors in enumerating potential threat sources and the events they might cause. Consideration of these factors will also help reconcile reactionary thinking with analytical reasoning. An intentional approach to enumerate threats without bias helps to avoid complacency before an incident and supports a proactive evaluation based on relevant data, trends, and current events.

Comment: I like the fact that the report includes a table listing a few types of bias.

  • Some industry specialists have indicated that a range of possible values is more helpful and likely more accurate than a single “point estimate.” Additionally, while this example uses the mean values of those ranges to identify the likelihood and potential impact, the ranges themselves are often recorded in the risk register. In this instance, given a possible impact of “between $1.7 million and $2.4 million,” the exposure may have been presented as “$1.02 million to $1.44 million.”

Comment: the report should add that each of the potential effects has a separate likelihood. I also like the inclusion of a discussion of “three-point estimation” and Monte Carlo simulation.
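As an added illustration, not from the NIST report or from this post, the following computes the exposure range above from a likelihood and an impact range, then extends it with a seeded Monte Carlo over three-point estimates in which each potential effect carries its own likelihood, as the comment asks. The 0.6 likelihood, the most-likely values and the second effect are constructed assumptions.

```python
# Added example (not from NISTIR 8286A or this post): exposure from a range
# estimate, then a Monte Carlo over three-point estimates where each potential
# effect carries its own likelihood. The 0.6 likelihood is an assumption chosen
# so the $1.7M-$2.4M impact reproduces the report's $1.02M-$1.44M exposure; the
# three-point values and the second effect below are constructed.
import random

def exposure_range(likelihood, low, high):
    """Exposure as a range: likelihood x each impact bound, as the report
    presents it instead of a single point estimate."""
    return (likelihood * low, likelihood * high)

def exposure_point(likelihood, low, high):
    """Single point estimate: likelihood x mean of the impact range."""
    return likelihood * (low + high) / 2

def simulate_effects(effects, trials=20000, seed=1):
    """Monte Carlo over effects given as (likelihood, low, most_likely, high).
    In each trial an effect occurs with its own likelihood and, if it does,
    its impact is drawn from a triangular distribution on the three-point
    estimate. Returns summary statistics of the total loss per trial."""
    rng = random.Random(seed)  # fixed seed so results are reproducible
    totals = []
    for _ in range(trials):
        total = 0.0
        for likelihood, low, likely, high in effects:
            if rng.random() < likelihood:
                total += rng.triangular(low, high, likely)
        totals.append(total)
    totals.sort()
    return {
        "mean": sum(totals) / trials,
        "p50": totals[trials // 2],
        "p90": totals[int(trials * 0.9)],
        "p_any_loss": sum(1 for t in totals if t > 0) / trials,
    }

# Constructed figures: the report's example effect plus a second, smaller
# effect with its own separate likelihood.
EFFECTS = [
    (0.6, 1_700_000, 2_000_000, 2_400_000),
    (0.2, 200_000, 300_000, 500_000),
]

if __name__ == "__main__":
    print(exposure_range(0.6, 1_700_000, 2_400_000))   # report's range
    print(exposure_point(0.6, 1_700_000, 2_400_000))   # single point estimate
    print(simulate_effects(EFFECTS))
```

The percentiles show what a single point estimate hides: most trials lose nothing, while the tail is far above the mean.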


I have not excerpted more from the NIST report because of its focus on developing a list of risks rather than enabling informed and intelligent strategic and tactical decisions.

I also disagree with the static idea of developing objectives and then setting a risk appetite. I do not believe that will be effective for many of the decisions that have to be made every day in running the business, where multiple sources of risk and reward need to be considered.


I welcome your thoughts.

PS: I have sent comments to NIST at nistir8286@nist.gov. I would send them a copy of Making Business Sense of Technology Risk, but they are not allowed to accept gifts.

  1. July 12, 2021 at 10:58 AM

    Just remember “Risk Management is How Adults Manage Projects” – Tim Lister

    • Norman Marks
      July 12, 2021 at 2:05 PM

      Disagree. While understanding what can go wrong is an important part of project management, so is understanding what can go better – such as adding a coder or taking advantage of sunny days.

  2. July 12, 2021 at 11:01 AM

    A-11 is the “framing document”; the NIST Risk Management Framework and FISMA, framed by FITARA, describe “how”.
