Bob Chaput, NACD.DC

MA, CISSP, HCISPP, CRISC, CIPP/US, C|EH

NACD CERT Cyber Risk Oversight

Cyber Risk Illiteracy – 4 – ECRM Program vs. Cybersecurity Strategy

Cyber Risk Literacy – 4 – ECRM Program vs. Cybersecurity Strategy

By failing to prepare, you are preparing to fail.

—Benjamin Franklin[1]

First, in case you didn’t notice, I have changed the series title from “Cyber Risk Illiteracy” to “Cyber Risk Literacy.” After all, in Enterprise Cyber Risk Management as A Value Creator | Leverage Cybersecurity for Competitive Advantage, I’m trying to encourage everyone to, as the song goes, “…[A]ccentuate the positive, Eliminate the negative, Latch on to the affirmative, and Don’t mess with Mister In-Between.”

I Love the Questions… Keep ‘em Coming!

Last week, I responded to a university professor’s question about my definition of enterprise cyber risk management (ECRM) and how it fits into enterprise risk management (ERM). I responded in this post, Cyber Risk Illiteracy – 3 – ECRM? ERM?, and I shared my two previous Risk Illiteracy posts:

I Received Another Great Question

As a result of the post defining ECRM and where it fits in, I received this question:

What’s the difference between an ECRM Program and a Cybersecurity Strategy?

This excerpt from a recent WSJ Pro Cybersecurity article highlights the difference and begins to differentiate the two terms.

“When I was a CISO, I hated our risk team,” she [Sabrina Feng, group head of technology, cyber and resilience risk at the London Stock Exchange Group, and former CISO at Equiniti, a technology provider to financial firms] said. “I was thinking these guys know nothing about security and they come to me trying to give me advice,” she said.[2]

Cyber risk management, which is what your ECRM Program is all about, emphasizes the identification and evaluation of your unique cyber risks and opportunities related to your information assets. Cybersecurity describes your ability to safeguard, protect, and defend the confidentiality, integrity, and availability (CIA) of all your information assets once you have identified your risks. A problem about which I’ve written extensively is that too many organizations start implementing safeguards before they understand their risks.

In Enterprise Cyber Risk Management as A Value Creator, I use the expressions ECRM Program and Cybersecurity Strategy almost 200 times. I must confess there are cases in which I use them in a way that suggests they are the same. They are not!

Since the book focuses a great deal on both, I’ll only provide a simple summary here.

ECRM Program

Your ECRM Program should be established, implemented, and matured just like any other major transformational initiative in your business. Unlike a project, it does not have a start date and an end date. It requires that you develop five critical capabilities to be successful – governance, people, process, technology, and engagement. In both Enterprise Cyber Risk Management as A Value Creator and, to a great extent, in Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM), I discuss what it takes to develop these capabilities and how to do exactly that. Your ECRM Program must be documented to meet all your regulatory requirements, such as the SEC’s Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks.[3]

Your ECRM Program sets the stage for how your organization will identify and manage cyber risks and opportunities. It should be based on three foundational building blocks—your ECRM Framework, ECRM Process, and ECRM Maturity Model. It feeds into your ERM program and forms the basis of your organization’s Cybersecurity Strategy. Once your governance, people, process, technology, and engagement capabilities are established and implemented, you will likely refine and improve these capabilities as you mature your program.

Cybersecurity Strategy

I love to think about Cybersecurity Strategy in the context of one of my favorite definitions of strategy as “the means to create economic value by gaining competitive advantage through a unique value proposition”[4] because it connects value creation with competitive advantage. The cited definition of strategy aligns well with the main theme of Enterprise Cyber Risk Management as A Value Creator.

Your Cybersecurity Strategy must be produced under the auspices of your ECRM Program and your overall ERM Program. Any strategy must be aligned with your organization’s vision, mission, strategy, values, and services. Of course, your Cybersecurity Strategy must align as well.

Your ECRM Program specifies HOW you will conduct enterprise cyber risk management. Your Cybersecurity Strategy specifies the execution, including the WHAT, WHO, WHERE, and WHEN.

Your Board should oversee establishing your ECRM Program; execution of your Cybersecurity Strategy should be left to your C-suite and their teams.

Please keep your questions coming!

Endnotes

[1] BrainyQuote. “By failing to prepare, you are preparing to fail.” (n.d.) Accessed February 18, 2024. Available at https://www.brainyquote.com/quotes/benjamin_franklin_138217

[2] Stupp, Catherine. WSJ PRO. “Financial Firms Expect Big Changes from European Cyber Rules.” February 14, 2024. Accessed February 18, 2024. Available at https://www.wsj.com/articles/financial-firms-expect-big-changes-from-european-cyber-rules-a72bf791

[3] Chaput, Bob. Enabling Cyber Risk Oversight Blog. “Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks.” Nov. 21, 2022. Available at https://bobchaput.com/disclosure-of-a-registrants-risk-management-strategy-and-governance-regarding-cybersecurity-risks/

[4] Alsaady, Abdulhamid. “Pay attention to an overlooked cornerstone in strategy development.” July 23, 2022. Accessed February 18, 2024. Available at https://www.linkedin.com/pulse/pay-attention-overlooked-cornerstone-strategy-alsaady-nacd-cd/

If, after viewing the video clip, you would like to learn more, in Appendix D of Enterprise Cyber Risk Management as A Value Creator, I define 25 essential terms that will help you build your ECRM Glossary.

Questions Management and the Board Should Ask and Discuss

  1. Can your CISO and his/her team explain the difference between risks, threats, and vulnerabilities?
  2. Has your organization’s C-suite and board discussed and agreed upon a standard set of definitions related to cyber risk and cyber risk management?
  3. Have these definitions been documented in your organization’s ECRM strategy and framework documents and communicated via ECRM training?
  4. Do you believe your organization has already, or is currently, conducting ongoing, rigorous, comprehensive, enterprisewide risk analysis that would meet your regulatory requirements?
  5. At the most basic level, does your organization understand that risk exists when and only when there is an asset, a specific threat, and a particular vulnerability?
  6. Has your organization produced an enterprisewide risk register?
  7. As C-suite executives and board members, have you discussed, debated, and established your cyber risk appetite?

