Is IT Risk Management Compatible With ERM?
Every month or so, news events (attacks on government sites, massive privacy breaches, etc.) provide a ‘wake-up call’… a proof point used by vendors and practitioners alike that protecting our national and corporate information assets has never been more critical. On occasion we even see these incidents yield promises of action, for example the anticipated appointment of a US Cybersecurity Czar, which my colleague Khalid Kark discusses here.
But in spite of these warnings, my conversations with enterprise risk and IT risk professionals still reveal many disconnects, including that IT risks are not measured consistently with other enterprise risks. In addition, many IT risk professionals do not see their biggest risks showing up on the corporate risk register.
One problem is that traditional enterprise risk management (ERM) metrics such as likelihood and impact, do not fit neatly with common IT risk metrics such as system criticality and vulnerability. Even at the Federal level, the Office of Management and Budget recommends moving from compliance-based metrics to security- and vulnerability-based metrics. This will be progress if implemented, but it’s still a long way from measuring actual risk exposure.
I have seen more progress by IT professionals using ERM methodologies in the private sector, and I’ll be highlighting some of the best examples at our Security Forum in September. Although most organizations are a long way from a fully integrated enterprise risk management program, the ability to paint a big picture of risk exposure has clear benefits. I think measuring IT risks in the same way as financial, legal, or environmental risks is ultimately the best way to demonstrate how serious they are, and is an important step in earning due consideration at the enterprise level.