NIST has released a draft document to help organizations align their cyber risk management operations with an enterprise risk management function. This new standard, NISTIR 8286 Integrating Cybersecurity and Enterprise Risk Management (ERM), aims to provide a guide for organizations trying to better understand how their security operations can be harmonized within the scope of an overall ERM program. The guidance also discusses problems that organizations face when attempting to build cyber risk management programs. Namely:
Asset inventories and shadow IT
Effectively, organizations don’t always know the extent of their technology surface area and the corresponding configurations. Having a CMDB (configuration management database) helps tremendously here, but absent that, one cannot assess the risk of what one doesn’t know exists.
The need for quantitative measures of IT risk
NIST notes that there have been decades of research into cyber risk measurement, which has been thwarted by the increasing complexity of digital infrastructure. Still, they say that “without quantitative measures...there is little basis for analyzing risk or expressing risk in comparable ways across digital assets.” This is a strong position: quantitative cyber risk measures are critical to evolving an organization’s risk management maturity.
Informal analysis methods
Since organizations lack good inventories and measures to apply to them, it makes sense that the analysis that is done, such as it is, tends to lack formality and rigor. This gives rise to different analysts and executives assigning different risk ratings based on personal experience and biases, instead of ratings that represent the organization’s risk posture and appetite.
Traditional cybersecurity risk analysis methods focus on the technological configurations without placing them in the context of the mission, goals, and objectives of the organization. Without formal repeatable processes, and a hardened model upon which to apply them, any risk analyses are unlikely to be useful to organizational decision making.
The standard clearly favors quantitative risk methodologies, although it leaves the door open for those currently using qualitative measures. It goes on to name FAIR™ specifically as an enabling methodology, one that by extension addresses many of the problems outlined above. FAIR provides quantitative measures of cyber risk, giving a basis for expressing risk in comparable ways regardless of how complex the digital infrastructure is. FAIR also provides a standard model for risk analytics, which helps analysts shed their biases and connect the technology layer to the business layer.
NIST is accepting comments on this draft document through 20 May 2020.