Search “integrated risk management” on the internet and you’ll soon notice that it is where the cybersecurity industry is headed. Checklist compliance isn’t going to work for the modern and future CISO. With the escalation of cybersecurity to a board-level issue and the rise of myriad compliance standards for almost every industry, CISOs can no longer rely on check-box compliance to drive their strategy. Enter integrated risk management.
Integrated risk management, as the name implies, integrates the facets of an existing cybersecurity program with the models of a legacy GRC platform:
Digital Risk Management (DRM)
Vendor Risk Management (VRM)
Business Continuity Management (BCM)
Audit Management (AM)
Enterprise Legal Management (ELM)
Corporate Compliance & Oversight (CCO)
What changes between an integrated risk management solution and a GRC platform, though, is the way these attributes are combined. In a traditional GRC organization and platform, you will see a module-based, fragmented setup where each function operates with little to no knowledge of the others. For an organization with one singular mission (keeping the organization secure), this approach causes inefficiencies, overspending in unnecessary areas, and underspending in areas of critical risk.
An integrated approach, empowered by an integrated risk management solution, recombines these facets into a singular approach that is focused on business outcomes. Under the Gartner definition, integrated risk management has certain attributes:
Strategy: Enablement and implementation of a framework, including performance improvement through effective governance and risk ownership
Assessment: Identification, evaluation, and prioritization of risks
Response: Identification and implementation of mechanisms to mitigate risk
Communication and reporting: Provision of the best or most appropriate means to track and inform stakeholders of an enterprise’s risk response
Monitoring: Identification and implementation of processes that methodically track governance objectives, risk ownership/accountability, compliance with policies and decisions that are set through the governance process, risks to those objectives and the effectiveness of risk mitigation and controls
Technology: Design and implementation of an integrated risk management solution architecture
This guide will give you a brief overview of the critical functionalities to look for in an integrated risk management solution as you make the shift from checkbox compliance to a risk-based approach.
Digital risk management is the newest, potentially the biggest, and yet least defined aspect of an integrated risk management program. Driven by the integration of technology into the enterprise, newer technologies have opened new opportunities for cybercriminals and increased cyber risk for an organization. In many cases, business units will adopt a new technology without an understanding of its risk implications. We have already begun seeing this occur specifically with internet of things technology.
Emerging tech is the greatest case for a risk-based approach to cyber. The stringent standards that exist for established (and even antiquated) processes simply don’t exist for much of the digital world. As a CISO looking for an integrated risk management solution, you must be diligent in looking for a platform that can support both a bespoke framework developed internally to secure the emerging technologies in use in your specific organization and the rapid integration of new frameworks and standards as they are released.
The CyberStrong platform supports both of these approaches to digital risk management. Users can combine frameworks, standards, and custom controls to support a holistic DRM strategy unique to your organization. Furthermore, the CyberStrong platform also integrates the latest frameworks and versions into the platform - users today can begin supplementing their DRM strategy with the NIST Smart Grid Framework. With our strong relationship with NIST, the CyberSaint team is also closely watching the development of NIST’s new IoT framework.
When focusing on the VRM facet of an integrated risk management program, start with the end in mind. Defining where you and your team need to go as your vendor list expands creates a framework to assess the VRM functionality necessary to augment your team’s ability.
The ability to organize vendors, their services, and contracts into different tiers of risk. Ensure that the platform supports customization for detailed assessment of the risks associated with each vendor, their services, and the level of access they require. The platform must also be able to assess these impacts against your organization's compliance requirements and prioritize each vendor based on the level of risk they bring. Lastly, the VRM functionality should be able to map vendors and their risks to controls, owners, remediation actions, business entities, performance metrics, and more. With an integrated risk management solution with VRM capabilities like CyberStrong, risk tiering is shown through scoring and color coding representing levels of risk. CyberStrong provides environments to store a list of contracts and score risk and compliance for each contract.
In the case of primary contractors needing to assess their own subcontractor supply chain, the VRM functionality must support the assessment of the entire supply chain. As seen in the CyberStrong screenshot, users can distribute assessment questionnaires and manage those assessments through the platform.
CyberStrong also provides the flexibility to support any supply-chain oriented mandate (such as DFARS) as well as custom hybrid frameworks.
With every facet of integrated risk management, the platform must support collaboration within specific teams as well as across your security organization. Make sure that your solution allows your organization to communicate and share information about vendor risks and remediation. Capable integrated risk management platforms such as CyberStrong empower team collaboration with control assignment notifications, due dates/scheduling, assessment owners, and team access.
Your integrated risk management solution must support the creation and maintenance of contracts and services associated with a vendor, and the ability to assess the controls and risks associated with each. Ensure that your solution can provide a central location to access these - CyberStrong offers evidence attachment to allow your team easy access.
Control Assessment And Monitoring
The solution needs to provide the ability to assess the effectiveness of controls and carry out ongoing monitoring of vendor risks. At a minimum, an integrated risk management platform must support the workflow for the application's other functions, such as exception management and reporting. The CyberStrong integrated risk management solution provides a comprehensive dashboard to show the effectiveness of the controls you put in place as well as the compliance status of each. As you go about implementing the VRM practices of your integrated risk management program, ensure that your integrated risk management platform can task out actions with notes and automated reporting to streamline your supply-chain team (SSP, POAM, and RA one-click reports; Executive Risk Report; Trend Report; GDPR Report; Overview Report).
The ability to manage vendor risk exceptions in relation to control requirements, the compensating controls to mitigate risks, and periodic reviews of whether exceptions are still required. In the CyberStrong platform, you can use the N/A feature to exclude controls for specific vendors.
The ability to see the IT VRM status of an earlier time, such as a past quarter or year. Make sure you establish early on in a vendor relationship when they will snapshot their status in your solution and that they have the capabilities to do so.
The ability to provide roles for personalized access to an IT VRM application, and to assign relationships between job roles and individuals, and between risks and controls. An integrated risk management solution with strong VRM abilities such as CyberStrong will allow you to build teams with Admin, Manager, and Collaborator access levels and permissions.
The recording of action plans to identify control failures and other VRM deficiencies and to track those plans to fulfillment. The CyberStrong platform uses a spider graph to visualize the current state of a vendor's profile against the desired scores. This 'always on' remediation plan increases transparency between both parties and is an easily accessible visualization they can report against.
The ability to collect performance data and assess it against expected service levels and deliverables. For example, the CyberStrong platform allows you to benchmark your current control set against a ‘Magic Cookie’ target. This also lets you know whether vendors are improving and ensures that a plan of action is always in place to remediate.
This includes news feeds, ownership structures, lines, safety violations, financial performance, risk-related alerts, and risk ratings. Foundationally, ensure that your solution allows you to attach documentation as a central storage location for your team.
The ability to import vendor and related contract (engagement) data from other systems, or to input it manually; the ability to collect and organize intelligence about vendors; the ability to manage vendor documentation and other content; and vendor self-service capabilities that enable vendors to maintain and update information themselves. The solution should allow vendors to access and manage their own profiles to an extent.
For any large enterprise, business continuity is a critical function. As such, a strong integrated risk management solution will be able to support the tracking of BCM activities and progress.
An integrated risk management solution that supports BCM should support the process end-to-end, starting with a risk assessment grounded in a comprehensive, standard framework. The CyberStrong platform uses the NIST 800-30 methodology for its risk assessments.
A strong integrated risk management platform will also be able to act as a single-pane-of-glass for a team, both centralized and distributed. In BCM, collaboration is key. The CyberStrong platform supports teams of any size and empowers managers to automate where possible through deadline reminders and control assignments.
Potentially the most critical within BCM is the testing of the processes in place in the event of an incident. Through control notes in the CyberStrong platform, BCM teams can provide detailed information for a given control and the necessary steps for risk remediation.
Internal auditors act as the third line of defense against threats to the organization. However, with the increase in geographic and industry-based compliance requirements, auditors using spreadsheets and a checklist-based approach to compliance are increasingly experiencing audit fatigue. As an auditor, you need to ensure that you’re using a solution that empowers your team and delivers the functionality to augment their ability.
As the foundational aspect of an internal audit management program, your solution must be able to support the development of the audit scope and the maintenance of that scope through execution.
Ensure that your solution allows you to set a baseline for where your organization is and where it needs to go. This is critical for audit and project planning to remediate any inherent or residual risk within the organization. The CyberStrong platform supports an in-depth risk assessment throughout the solution. The risk assessment functionality rolls up into a spider graph that can be shown to both non-technical and technical stakeholders to show where your organization is weak and where to direct resources to reduce risk.
Following the risk assessment, your solution needs to be capable of supporting remediation efforts by tracking activities and assigning tasks based on the determined approach. The solution should be able to assign resources (people, time, controls) to specific tasks and activities. In the CyberStrong platform, audit managers can manage teams across multiple assessments and tag specific controls to a given assessment. This single-pane-of-glass approach provides managers with a central source and a deep level of insight.
To streamline the management process, the solution should also be able to automate the follow-up process to ensure that assignees are staying on track. Within CyberStrong, managers assign the assessment of specific controls to their team members with due dates. By automating the assignment and follow-up process, audit teams can focus on what's important.
The ability to track and report on time and expenses for individual projects. An integrated risk management platform with strong audit management capabilities like CyberStrong will allow you to track details such as time and expenses in the notes and comments within an assessment.
Your solution must be able to act as a single source of truth for supporting documentation including evidence attachments for individual control tests. CyberStrong allows you to attach evidence to a given control in your audit assessment.
At a basic level, your solution must be able to consolidate the findings in order to generate a report for the audit committee. However, a stronger audit management solution will provide downloadable reports and visualizations that can be delivered to the board and audit committee to reflect your findings and remediation efforts.
CyberStrong automatically generates the three main reports usually expected of a cybersecurity team: Plan of Action and Mitigations (POAM), System Security Plan (SSP), Risk Assessment (RA). It also generates executive-level reports previously unseen in the industry: Executive Risk Report, Trend Report, GDPR Report, Overview Report.
The solution must also act as a single pane of glass for the audit process, defining and tracking audit departments and auditors’ KPIs.
Compliance sits at the intersection of legal and cybersecurity for many large enterprises. In many ways, enterprise legal management is the representation of this relationship between security and legal leaders within an organization. A strong integrated risk management solution will act as a bridge for those two teams to empower communication and increase transparency.
While an integrated risk management tool will primarily be used by technical teams within a security organization, a superior program management solution will be able to not only convey information to technical stakeholders but non-technical stakeholders as well.
The CyberStrong platform bridges this gap between non-technical and technical users throughout the platform. A portfolio of automated, board-ready reports helps technical leaders articulate their progress and milestones to non-technical team members without sacrificing precious time. The graphic representation throughout the platform delivers a mid-level, comprehensive view of progress to date. Finally, core compliance frameworks (including DFARS) are available in natural language, allowing non-technical team members to collaborate on an even more granular level.
Corporate compliance and oversight (CCO) is one of the main pillars to a strong integrated risk management program and solution. Today, compliance leaders are faced with a rapidly changing landscape of new compliance requirements from regulatory bodies, partners, and vendors. When iterating your CCO program, ensure that the solution that supports your compliance team has the core requirements necessary to empower your team and augment their efforts.
Policy Development And Management
Compliance policies are one of the primary forces that shape internal security requirements. As a result, your integrated risk management solution must be able to support the development and management of those policies, specifically the ability to directly map your policies and controls to compliance requirements to ensure your organization meets the given security requirements. These requirements can come from industry governing bodies (HIPAA, DFARS, PCI) or through a partner (DFARS in this case, if you are a part of a DoD supply chain). Alongside these external requirements, your solution should also support the management of internal policies such as ethics and behavior. A strong integrated risk management platform will be able to support the end-to-end creation and maintenance of your policies, including creation and version control as well as an approval workflow.
Any enterprise organization faces a complex world of regulatory requirements, and compliance officers face the challenge of fatigue. A powerful integrated risk management platform such as CyberStrong allows you to aggregate your compliance requirements from multiple sources and, with features like control tagging, know which controls help you meet which compliance requirements. This combination of compliance requirements serves as a facet of a strong risk-based security program.
Integrated risk management platforms with CCO capabilities such as CyberStrong support the compliance process end-to-end. This means that alongside the aggregation of compliance requirements, CyberStrong supports the assessment and monitoring of the controls necessary to meet your compliance requirements. The features necessary to accomplish this are collaborative functions (assignments) to support your compliance team, a control catalog and reporting, and compliance metrics. The CyberStrong integrated risk management solution supports all of these functions through control tagging, our collaborative functionality, and our data visualization capabilities, which give a real-time view of your progress toward compliance.
Agility is a critical trait of a successful compliance leader. With the release and update of compliance requirements from myriad sources, your solution must be able to support an ever-evolving workflow and process. Your integrated risk management solution must be able to provide the flexibility for continuous refinement and development while also helping to support current efforts. CyberStrong allows you to integrate new frameworks and customize frameworks, all built on the gold standard of the NIST CSF. It also supports program management at a more granular level with control assignments and tagging to keep your team accountable and organized.
No organization is 100% secure and as a result, compliance officers must be prepared to manage violations. Your solution must be able to support this effort with compliance incident management and analysis. The solution must be able to also support the transparency that a risk-based compliance program necessitates. This includes relaying efforts and needs to non-technical stakeholders. CyberStrong effectively and easily conveys critical information to both technical and non-technical departments and leaders.
Unlike the module approach of GRC, integrated risk management uses the six facets in combination to map onto business outcomes. Gartner’s four integrated risk management use cases draw from the outcomes of the six facets to easily convey the status of a cybersecurity program to technical and non-technical stakeholders alike - in the same fashion that a CFO or CMO would.
The Performance use case of integrated risk management combines the innovative thinking of digital risk management (DRM) and the forward-thinking recognition that the future of the enterprise is an ecosystem, not an island, of vendor risk management (VRM).
In a reporting context, Performance use cases are of interest as both VRM and DRM empower business growth. Think of Performance as the ‘scout’ use case that is out ahead, making sure that as the enterprise grows it is staying as secure as possible.
Combining the risk-awareness of external facing teams (supply chain/vendor risk) and internal facing teams (business continuity), the Resilience use case for an integrated risk management solution enables teams to convey how prepared they are for worst case scenarios.
For a Resilience use case, an integrated risk management solution must be able to deliver quantified risk analyses grounded in a reputable risk framework. The CyberStrong platform uses the gold-standard NIST 800-30 framework for control risk assessment.
One of the most important use cases for board- and CEO-level reporting, the Assurance integrated risk management use case relies on a single-pane-of-glass view that audit management and corporate compliance and oversight delivers. In short, the Assurance use case is the response when a senior level exec asks “are we secure?”.
Any large enterprise has been or will be affected in the near future by information security and privacy compliance requirements. The most “GRC” of the integrated risk management use cases, Compliance combines the efforts of the CCO and legal teams to deliver the evidence necessary to show that the organization is compliant.
With the National Cyber Strategy and the rise of regulations like the CCPA and GDPR, the future for a compliance-based CISO is a patchwork of cross-border regulations that will result in further fractionation of an already siloed cybersecurity organization. Without a common thread or foundation to build a cyber strategy upon and tie all these regulations together, cybersecurity teams will continually be faced with redundant regulations that vary only slightly and have an immense amount of overlap. A compliance-based CISO is bound to an endless list of checkboxes for each new assessment, regardless of its similarity to others. Compliance is a set of bare-minimum, broad-spectrum controls that are meant to secure an entire industry or a critical aspect of a country. Compliance-focused organizations will end up overspending in areas they don't have to and underspending in areas they do. A compliance mindset ignores the fundamental principle that every organization is different and, as a result, it does not make sense to adhere to the same rigid security requirements alone.
The transition from a compliance-based organization to a risk-based one calls for a shift in the technology that empowers your organization as well. GRC solutions are designed specifically to help a compliance-based CISO hit the checkboxes on the new mandates they have to meet. A risk-focused CISO, on the other hand, has different priorities. They are less concerned with checking boxes than with unifying the risks of their organization in a single pane of glass that can be seen throughout the organization.
While many GRC platforms have begun to adopt integrated risk management language, don’t be fooled by the use of special terminology. Integrated risk management and GRC are at odds because they approach the problem of risk mitigation differently: while a GRC solution may offer the integrated risk management facets as modules, a GRC-based solution cannot empower a security team to make the shift to a risk-focused mindset. What a true integrated risk management solution is, and what a risk-based strategy demands, is a unified platform that allows for transparency across all six facets of integrated risk management as well as the ability to effectively communicate that information to non-technical stakeholders.
In choosing a solution, do not mistake complexity for value. The solution you choose for your organization must lend the flexibility necessary to navigate the rapidly changing regulatory and compliance landscape. Ensure that your solution adheres to strong best practices and supports the development and maintenance of a risk-based approach.
The shift from a compliance-based mindset to a risk-based strategy is an iterative process. It doesn’t happen overnight. As more business processes move to digital and secondary competencies are outsourced to the supply chain, compliance is no longer sufficient. With security becoming a board-level concern, not just from an internal perspective but from a buying perspective, a risk-based strategy is imperative to future business success.