How IT Security Fits into Your Enterprise Risk Management Framework

Have you ever tried to represent cyber security’s place in enterprise risk management graphically? If so, then it has likely been done as a pie chart. The slices of the pie chart contain various components such as your customer’s supply chain, operational risks, fraud and so on. Then for almost all businesses today, one of the slices in that pie becomes cyber security.

However, this pie-based view is a little misleading when it comes to cyber security. So how does cyber security risk affect other components of your client’s business, and what does this mean for your organization?

The Right View of Cyber Security Risk

Cyber risk management is more accurately seen as a Venn diagram in which the pie slices overlap rather than sit apart.

Instead of a pie chart, imagine the various assets in your client’s business stacked on top of each other to form a cylinder. The various slices of that cylinder will be factors such as third-party risks, supply chains and data assets. At the center, running through this stack of slices are your client’s core business processes.

Business methods today are almost always aided by digital technology and online communications. This means that rather than being another slice isolated from the others, cyber risk management must be a core function within your client’s business. It is the core of this “risk tower,” supporting their business processes and running through every other sector of the company.

How Cyber Security Affects Enterprise Risk Management

As the metaphor above implies, cyber security has become a business imperative for every other part of enterprise risk management. For example, when you talk about supply chain risk management, consider what happens if your client’s SCM portal goes offline or the delay in bringing on a new supplier who can’t meet cyber security requirements.

As the client’s MSSP, you need to think about cyber security risk not as its own independent entity, but as part of the many portions of the enterprise risk model. This “Venn diagram” perspective allows you to bring the various portions together to see the effectiveness of your security program on all aspects of your client’s business.

Key Considerations for Cyber Security Risks

In general, there are three key elements of cyber security risks that you should evaluate when considering other components of enterprise risk management. All three must be in balance to help your cyber security program stand successfully.

  • Operation: Your client’s systems need to do what they are supposed to do for the business to run effectively.
  • Compliance: Whether it is FFIEC, HIPAA or other industry-specific buzzwords, your client’s systems need to operate in accordance with all applicable regulations.
  • Security: Your client’s systems need to operate in a safe and secure manner to protect internal and user data.

To use another metaphor, these considerations are like brakes on a car. We need our brakes because we want to drive, not stay parked in the garage, and we know that when we drive, we will eventually have to slow down or make a turn. Those brakes provide us security when driving the car, just as road signs guide us with compliance on the road ahead.

Similarly, balanced regulations and security controls allow businesses to drive ahead. Having these guardrails and keeping them in balance is critical in order to move the business at the pace that your customers need.

Final Thought

Cyber security is not just a slice of enterprise risk management, as it is often represented. Instead, it is a core component of all the elements in the enterprise risk management model. Understanding this fact is key to operating your business and having a successful risk management plan.