Bob Chaput, NACD.DC

MA, CISSP, HCISPP, CRISC, CIPP/US, C|EH

NACD CERT Cyber Risk Oversight

Blog Post

Cyber Risk Illiteracy – 3 – ECRM? ERM?

A definition is the enclosing a wilderness of idea within a wall of words.

—Samuel Butler[1]

Oh, man! Do we ever need to enclose the wilderness of enterprise cyber risk management and cybersecurity ideas within a wall of words?!?

Great Question

Last week, I exchanged emails with a university professor and head of the school’s NSA/CAE program. He posed a great question that deserves coverage:

“Was reading your latest book (Enterprise Cyber Risk Management as A Value Creator | Leverage Cybersecurity for Competitive Advantage); looks interesting. Have you given a definition of enterprise cyber risk management (ECRM) in any of your writings? This field is so, so subject to poor understanding of terminology. Just wanted to understand your definition.”

Of course, I shared my two previous Risk Illiteracy posts with him, which are linked here in case you missed them:

In the first one, I wrote about the ongoing misunderstanding of basic risk terminology such as assets, threats, vulnerabilities, cybersecurity frameworks, processes, and maturity models. The list goes on. In the second one, I cited and did a video on the Bald Tire white paper written by @Jack Jones several years ago. I further illustrated how most people cannot differentiate risk from risk components such as assets, threats, and vulnerabilities.

As you may recall, I set the stage for a couple of posts on risk illiteracy because it comprises, along with the lack of board/C-suite engagement, two of the most significant root causes of our general cybersecurity failures worldwide in all industries. Do you agree? If not, how do you account for the vicious downward spiral in which we find ourselves?

Back to the Professor’s Great Question

So, what is my definition of ECRM? It is part of an organization’s enterprise risk management (ERM).

Let’s start with @Rick Steinberg’s definition of ERM:

Enterprise risk management (ERM) is a company’s holistic process of identifying, assessing, and managing risks that could interfere with achieving its corporate objectives. It is a systematic approach to dealing with all risks with a reasonable likelihood of significantly affecting a business.[2]


I then define enterprise cyber risk management (ECRM) as follows:

ECRM is (or should be) incorporated into your enterprise risk management program. ECRM deals specifically with the cyber risks and opportunities that can affect your organization. ECRM has multiple components, including developing a risk and opportunity register from your risk and opportunity assessment that serves as the basis for informed decision-making related to cyber risks and opportunities. The countermeasures or controls implemented to treat risks at or above your organization’s risk appetite (see the following definition) and the investments to leverage your cybersecurity strengths form the basis of your organization’s cybersecurity strategy.[3]

The philosopher Ludwig Wittgenstein said, “The limits of my language means the limits of my world.”[4] Language is vital in establishing, implementing, and maturing an ECRM and cybersecurity program. Stomp out risk illiteracy. Define your terms. Create your ECRM Glossary.

If you want to learn more, Appendix D of Enterprise Cyber Risk Management as A Value Creator defines 25 essential terms for an ECRM Glossary that will help you build your own.

Questions Management and the Board Should Ask and Discuss

  1. Can your CISO and his/her team explain the difference between risks, threats, and vulnerabilities?
  2. Have your organization’s C-suite and board discussed and agreed upon a standard set of definitions related to cyber risk and cyber risk management?
  3. Have these definitions been documented in your organization’s ECRM strategy and framework documents and communicated via ECRM training?
  4. Do you believe your organization has already conducted ongoing, rigorous, comprehensive, enterprisewide risk analysis that would meet your regulatory requirements?
  5. At the most basic level, does your organization understand that risk exists when and only when there is an asset, a specific threat, and a particular vulnerability?
  6. Have you discussed, debated, and established your cyber risk appetite as C-suite executives and board members?
  7. Equally essential but too often ignored, have you discussed, debated, and established your cyber opportunity threshold as C-suite executives and board members?

Endnotes

[1] Samuel Butler Quotes. GoodReads. (n.d.) Accessed February 15, 2024. Available at https://www.goodreads.com/quotes/836117-a-definition-is-the-enclosing-a-wilderness-of-idea-within

[2] Steinberg, Richard M. Governance, Risk Management, and Compliance. Wiley. July 2011. Available at https://tinyurl.com/5n7vzf6y

[3] Chaput, Bob. Enterprise Cyber Risk Management as A Value Creator. Apress. January 24, 2024. Available on Amazon at https://amzn.to/3NYdafQ

[4] Ludwig Wittgenstein Quotes. GoodReads. (n.d.) Accessed April 17, 2023. Available at https://www.goodreads.com/quotes/12577-the-limits-of-my-language-means-the-limits-of-my
