Blog #12 of ~15 in ECRM Framework & Strategy Series
ECRM Automation and Technology Tools Standards, Policies, and Procedures
If you are starting this ECRM Framework & Strategy Series here, with Blog #12, you may wish to review some previous posts:
- #1, Introduction – Overseeing the Development of Your ECRM Framework and Strategy
- #2, Getting Started with the Development of Your ECRM Framework and Strategy
- #3, Setting ECRM Guiding Principles, Aligning Business and ECRM Strategic Objectives, and Clarifying Governance
- #4, Basic Cyber Risk Management Terminology
- #5, Selecting and Adopting an ECRM Framework, Process, and Maturity Model
- #6, Risk Rating and Risk Appetite
(For the complete list of all posts in this ECRM Framework & Strategy Series, please see Introduction – Overseeing the Development of Your ECRM Framework and Strategy.)
In each post in the series, I cover one or more aspects of developing your Enterprise Cyber Risk Management (ECRM) Framework and Strategy and associated sections of the Table of Contents of an ECRM Framework and Strategy document.
This series aims to explain what content is needed in each area and provide a good head start on developing and documenting your ECRM Framework and Strategy.
Introduction
The topic of the ECRM Framework and Strategy and related documentation covered in this post is:
- ECRM Automation and Technology Tools Standards, Policies, and Procedures
(For the complete Table of Contents of an ECRM Framework and Strategy Document, please see Introduction – Overseeing the Development of Your ECRM Framework and Strategy.)
Pick your favorite business publication, magazine, research resource, top consultancy, or local butcher or baker. Over the last two decades, the data, systems, and devices that create, receive, maintain, or transmit sensitive information have exploded across all industries and their supply chains. And they are under attack: cyber attacks are accelerating in velocity, frequency, and severity. And by the way, it’s not just adversarial threat sources that may compromise the confidentiality, integrity, and availability of these sensitive data, systems, and devices. Accidental, structural, and environmental threat sources are also increasing their activity. For example, in the environmental threat source category, consider the frequency and severity of all types of storms we’re experiencing.
Speaking of storms, executives and boards must deal with a perfect cyber storm, a confluence of forces.
- The world economy is wrestling with higher interest rates and a potential recession, putting pressure on all organizations to cut costs, including cybersecurity.
- Geopolitical tensions with Russia, China, North Korea, and Iran will likely increase the number of cyber-attacks.
- Cyber liability insurance lines have been hardening—Mario Greco, chief executive at insurer Zurich, recently told the Financial Times that cyber-attacks are set to become uninsurable.[1]
Combined with the SEC’s proposed Disclosure Regarding the Board of Directors’ Cybersecurity Expertise, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), and a new push for additional mandatory cybersecurity regulations[2], protecting organizations’ vital digital assets is more complicated than ever.
The good news is that C-suites and boards are engaging in cybersecurity discussions and oversight. Ostensibly more good news: last June, Gartner forecasted that “spending for the information security and risk management market will grow to $172.5 billion (current U.S. dollars) in 2022, with a constant currency growth of 12.2%. The market will reach $267.3 billion in 2026, with a constant currency CAGR of 11.0% (2022 to 2026).”[3]
The bad news is that suboptimal and fundamentally flawed decisions continue to be made about how and where to spend limited cybersecurity budgets. Something is not working: spending is up, and breaches of the confidentiality, integrity, and availability of data, systems, and devices are up even more!
In a survey conducted at the 2022 RSA Conference, 73.48% of organizations surveyed felt they had wasted most of their cybersecurity budget on failing to remediate threats, despite having an over-abundance of security tools at their disposal.[4] Only 13.81% of those surveyed indicated they wasted no money.[5]
In this post, I explore the importance of standards, policies, and procedures in ensuring that expenditures are well spent rather than squandered on shiny new tools that too often end up in the cybersecurity tools boneyard.
The Need for Tools and Automation
In Selecting and Adopting an ECRM Framework, Process, and Maturity Model, I discussed five critical core capabilities (governance, people, processes, technology, and engagement) that organizations must develop to ensure their ECRM transformation is successful. Adopting the appropriate technology tools and solutions is critical to success.
Across all four steps in the ECRM process (Frame Risk, Assess Risk, Respond to Risk, and Monitor Risk),[6] we can use tools and automation judiciously.
For example, as I discussed in Risk Assessment Standards, Policies, and Procedures, comprehensive, enterprisewide risk analysis, a foundational step in developing a sound cybersecurity and cyber risk management strategy, cannot be conducted, documented, or maintained in a simple Excel spreadsheet once your assets, threats, vulnerabilities, and controls begin to evolve. Risk analysis, as a part of ECRM, is a complicated enough task that it is worth considering specialized software to facilitate and document your ECRM program. Software development is not a core competency of most organizations. Just as most organizations would not consider writing their own enterprise resource planning (ERP) software, ECRM is an instance where specialized software can make cyber risk framing, assessment, response, and monitoring easier to conduct, document, implement, and maintain. In Appendix B: Enterprise Cyber Risk Management Software [ECRMS] of Stop the Cyber Bleeding, I provide more detail about the value of using specialized software.[7]
Ultimately, the technology and automation tools you use to support your ECRM program will range from strategic-level solutions (such as an ECRMS solution) to operational-level solutions (such as a security information and event management (SIEM) system). Additional examples include:
- Asset Management, Change Management, Patch Management, Problem Management, and Configuration Management.
- Identity management and authentication.
- Incident response and reporting.
- Malware detection and eradication.
- Tools for risk monitoring (e.g., SIEM, IDS/IPS).
- An automation solution or service provider for technical testing such as penetration testing, vulnerability scans, social engineering testing, etc.
The technology with the most significant relevance to the C-suite and board is the ECRMS solution. The ECRMS solution provides the foundation for the ECRM program. It should include appropriate C-suite and board-level dashboards and reports that give the C-suite and board the information they need to execute their ECRM leadership and oversight responsibilities.
ECRM Automation and Technology Tools Policy
Your ECRM Automation and Technology Tools policy statement should indicate what you plan to do, why you plan to do so, the values of your organization, and what is expected of members of your workforce when it comes to automation and tools. To emphasize what I’ve stated before, policies are higher-level aspirational statements emphasizing “what” and “why.” That is, what your course of action will be and why you’ve chosen this course of action. Your policy statement establishes your good faith intent.
In the case of cyber risk management automation and tools, it is essential to convey that automation and tools are critical to your success. At the same time, communicate that their selection and use must be closely managed to ensure your organization derives a return on investment.
Following is an example of an ECRM Automation and Technology Tools policy statement:
[YOUR COMPANY NAME HERE] is committed to establishing, implementing, and maturing an enterprise cyber risk management (ECRM) program that safeguards all sensitive stakeholder data, systems, and devices against compromises of confidentiality, integrity, and availability. International, Federal, state, and local laws and regulations have established standards by which acceptable ECRM, privacy, security, and compliance will be achieved.
Just as we employ technology tools and automation to streamline other management, administrative, and operational processes in our organization, we will judiciously employ ECRM automation and tools to make ECRM workflows more effective and efficient. To facilitate the adoption, deployment, and use of ECRM automation technology and tools, we will utilize a systems development life cycle approach that includes standard steps such as planning, analysis, design, development, testing, implementation, maintenance, and retirement. [YOUR COMPANY NAME HERE] will formally reassess the use of our ECRM automation technology and tools at least annually.
The Importance of ECRM Automation and Technology Tools Standards
As the frequency and sophistication of cyberattacks continue to increase, organizations are increasingly turning to cyber risk management automation and tools to protect their systems and data. However, the effectiveness of these tools and their ability to work together depend on the existence of cyber risk management automation and tools standards. These standards are critical in ensuring that cyber risk management solutions are interoperable, consistent, and reliable.
One of the primary benefits of cyber risk management automation and tools standards is that they promote interoperability between different tools and solutions. Standards such as the Common Vulnerability Scoring System (CVSS) enable organizations to assess and prioritize vulnerabilities consistently across different tools and platforms.[8] This promotes better collaboration and coordination between different teams, helping to improve the effectiveness of cybersecurity solutions.
Standards such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework provide a comprehensive framework for organizations to manage and improve their cybersecurity posture.[9] Using the NIST Cybersecurity Framework as a tool enables your organization to follow standardized practices and processes and to minimize the risk of errors and inconsistencies in its cybersecurity solutions. In this way, cybersecurity automation and tools standards help to ensure that solutions are consistent and reliable.
Finally, cyber risk management automation and tools standards help to reduce the cost and complexity of implementing cybersecurity solutions. As the International Electrotechnical Commission (IEC) and other standards bodies underscore, organizations can leverage economies of scale and reduce duplication of effort by adopting standardized approaches and technologies.[10] This can lead to cost savings and improved efficiencies across industries and within your organization while ensuring that cyber risk management solutions meet industry best practices and quality standards.
The importance of cyber risk management automation and tools standards cannot be overstated. They provide a framework for designing, implementing, and managing cyber risk management solutions and promote interoperability, consistency, and reliability. By adopting these standards, organizations can improve the effectiveness of their cybersecurity solutions, reduce costs, and enhance their ability to respond to the evolving threat landscape.
Content of ECRM Automation and Technology Tools Procedures
All procedures are designed to bring policies to life by providing the necessary actions to deliver on your policy. If policies are higher-level statements addressing “what” and “why,” then procedures provide the much-needed detail as to “how,” “by whom,” “when,” “where,” “using what,” etc., the policy will be implemented.
Your ECRM Automation and Technology Tools Procedures should specify how you plan, analyze, design, develop, test, implement, maintain, and retire your ECRM automation solutions and tools. You should expand and elaborate on these elements and steps such that those responsible for managing your ECRM automation and technology tools life cycle will be successful if they follow all your process steps in your documented procedures.
As you develop and document your ECRM Automation and Technology Tools Standards, Policies, and Procedures, the following are several fundamentals to consider:
- Formalize governance.
- Develop a short game and a long game.
- Prioritize expenditures by leveraging comprehensive enterprise risk analysis.
- Converge/reduce the number of tools being used.
- Call on cyber risk management and regulatory compliance experts.
Summary
It is essential to include a section in your ECRM Framework and Strategy document that covers ECRM Automation and Technology Tools Standards, Policies, and Procedures and how you will manage your automation and tools.
The chief output of the work discussed in this post is your organization’s ECRM Automation and Technology Tools Standards, Policies, and Procedures.
In Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks, I discuss the SEC proposed rulemaking requiring registrants to provide more consistent and informative disclosure regarding their cybersecurity risk management and strategy. Your ECRM Automation and Technology Tools Standards, Policies, and Procedures will help meet this disclosure requirement.
You can visit my YouTube channel, Stop the Cyber Bleeding | Putting ECRM Into Action, which includes brief video clips covering many of the topics in this series. It may help guide the development of your ECRM Framework and Strategy and can be accessed and subscribed to at https://www.youtube.com/@stopthecyberbleeding/videos.
In the next post in this ECRM Framework & Strategy Series, I will discuss ECRM Recordkeeping and Reporting Standards, Policies and Procedures, an essential input into making informed risk treatment decisions.
Questions Management and Board Should Ask and Discuss
- Has your organization agreed upon and documented an ECRM Automation and Technology Tool policy?
- Has your organization agreed upon and documented ECRM Automation and Technology Tools procedures?
- Has your organization agreed upon and documented ECRM Automation and Technology Tools standards?
- Does your organization have a good governance structure in place, one that clearly articulates who makes what ECRM spending decisions and how and when using what data and facts?
- Does your organization treat the enterprise cyber risk management (ECRM) program as a transformational endeavor?
- Do you have the internal resources with the appropriate skills, knowledge, and experience to facilitate the development of your ECRM Automation and Technology Tools Standards, Policies, and Procedures?
- Would engaging an experienced, reputable ECRM partner be valuable to establishing, implementing, and maturing your organization’s ECRM Automation and Technology Tools Standards, Policies, and Procedures?
- Do your ECRM Automation and Technology Tools Standards, Policies, and Procedures meet the future requirements of SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Proposed Rule Changes today?
Endnotes
[1] Smith, Ian. Financial Times. “Cyber attacks set to become ‘uninsurable,’ says Zurich chief.” December 26, 2022. Available at https://www.ft.com/content/63ea94fa-c6fc-449f-b2b8-ea29cc83637d
[2] The White House. “National Cybersecurity Strategy.” March 2023. Available at https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf
[3] Gartner Research. “Forecast: Information Security and Risk Management, Worldwide, 2020-2026, 2Q22 Update.” June 30, 2022. Available at https://www.gartner.com/en/documents/4016190
[4] Smythe, Zoe Deighton. Security on Screen | Security Industry Group (SOS|SIG). “70% of organisations feel they’ve wasted cybersecurity budget on failing to remediate threats, says Gurucul.” July 19, 2022. Available at https://securityonscreen.com/70-of-organisations-feel-theyve-wasted-cybersecurity-budget-on-failing-to-remediate-threats-says-gurucul/
[5] Gurucul Research Report. “2022 Security Operations Efficiency Survey.” July 15, 2022. Available at https://gurucul.com/resources/whitepapers/security-operations-efficiency-survey
[6] Chaput, Bob. “Selecting and Adopting an ECRM Framework, Process, and Maturity Model.” Feb. 7, 2023. Available at https://bobchaput.com/selecting-and-adopting-an-ecrm-framework-process-and-maturity-model/
[7] Chaput, Bob. “Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).” 2021. Clearwater. Available at https://amzn.to/33qr17n
[8] Forum of Incident Response and Security Teams, Inc. “What is CVSS?” Common Vulnerability Scoring System. (2021). Available at https://www.first.org/cvss/
[9] NIST. “Cybersecurity Framework.” (n.d.). Accessed January 28, 2023. Available at https://www.nist.gov/cyberframework
[10] International Electrotechnical Commission (IEC). Benefits of using IEC standards. (2023). Available at https://www.iec.ch/standards-development/benefits-using-iec-standards