Integrated risk management (IRM) marks a shift in how organizations approach cybersecurity, privacy, and risk. It is a commitment to forgoing the siloed practices that defined the governance, risk, and compliance (GRC) era and pave a new way to support secure business growth and enable business leaders with knowledge of cyber risk.
While IRM marks a shift in approach, frameworks still play an integral role in developing a risk-aware culture and integrated view of cybersecurity, risk, and privacy that define integrated risk management.
Integrated Risk Management Frameworks
The goal of integrated risk management is to embrace shifts towards a risk-aware culture and enabling technologies that improve decision-making around cybersecurity, risk, and privacy as a means to enhance business strategy and growth. As a result, the frameworks that support this mission are unique from the checkbox compliance lists that some organizations are used to. Rather, the frameworks that support an integrated risk management approach are outcomes-based rather than a specific control and take a holistic view of cybersecurity, risk, and privacy.
Because IRM puts risk first for a cybersecurity program, the frameworks organizations employ to build an integrated risk management program must be flexible enough to encompass the risks specific to the organization. In the age of digitization, with so many technical options available, there is no cookie-cutter answer. Rather, information security teams must be able to build programs around the specific configuration of technologies that their organization uses.
Given that it is outcomes-based over a list of controls, the NIST Cybersecurity Framework delivers the most flexible option to those looking for a framework to help implement an integrated risk management approach. Since the NIST CSF is a voluntary framework and is based on guidelines and best practices, it offers more flexibility in application than other frameworks.
One of the great strengths of an integrated risk management approach over legacy GRC is the scalability that it offers practitioners. As it is risk-based, IRM scales up and down based on the sizes and volume of risk that an organization has or is willing to tolerate. The result is the need for a framework that can scale up and down in that same fashion.
Given its voluntary nature and its proven track record of supporting organizations of all sizes, we recommend looking into the NIST CSF again. We have seen organizations from small businesses to Fortune 500 organizations adopt facets of the NIST CSF to augment an existing cyber program and build a program from scratch. In both cases, the NIST CSF served as a strong foundation that supported organization growth for the long term as well as security operating in the present.
The value that checkbox compliance brought in the early days of IT was predicated on all organizations using the same or similar solutions. While organizations still need to adhere to compliance standards today, information security is not as easy as checking boxes. With the wide variety of solutions available, the attack surface of one organization versus another varies significantly. As a result of this variance, organizations must take a risk-based approach to information security that encompasses both the industry compliance standards and the risks specific to their organization.
For an integrated risk management framework to be successful, it must be versatile to support the specific risks facing your organization. This unique configuration of technologies across the enterprise is what is driving information security leaders to integrate risk management solutions and practices. Cybersecurity leaders must also ensure that the frameworks they use to guide their strategy have the same versatility.
Returning to the NIST CSF, as we’ve seen with organizations with an existing cybersecurity program, it can supplement and augment a preexisting program. In the same way, the NIST CSF can support the expansion of new digital risks using its practices-based approach rather than focusing on specific controls that are confined to specific controls instead of outcomes.
In the current business climate, with more technologically literate consumer bases and breaches that capture headlines seemingly every week, Boards and CEOs are expecting more from their cybersecurity organizations. The business-centric approach to decision-making and performance through an integrated risk management framework is critical to an IRM program’s success.
The set of practices and processes supported through the NIST CSF enables organizations to discuss cyber through a business lens, that ability being baked in when the Framework was being developed.
The NIST CSF Is The Integrated Risk Management Framework
The shift to integrated risk management can be challenging. Yet, a strategy supported by a risk-centric approach is worth it - it enables a more flexible, scalable, and nimble approach to cybersecurity in a way that can put cybersecurity in a business context. As a leader, ensuring that you are selecting the platforms and tools that support those goals is the best way to ensure integrated risk management success. The guiding framework you select is a necessary step to shore up your existing program and support the shift to integrated risk management.