Q&A: NIST’s new ‘Enterprise Risk Management’ guidelines push cyber risks to board level

By Byron V. Acohido

Enterprise risk management (ERM) is a comparatively new corporate discipline. The basic notion is that in today’s complex operating environment, it is important for businesses to proactively identify operational hazards and have a plan in place to account for them.

Related: Poll shows senior execs get cybersecurity

A hazard is anything that can interfere with a company meeting its objectives; it could be something physical, such as a fire, a theft or a natural disaster; or it could  be an abstract risk, such as a lawsuit or a regulatory fine.

As part of its role promoting cybersecurity best practices, the National Institute of Standards and Technology (NIST) has stepped forward to make sure complex and expanding cybersecurity exposures become part and parcel of evolving ERM frameworks.

NIST has been getting positive feedback to draft guidelines it issued in late March which essentially serves as a roadmap for enterprises to account for complex cybersecurity exposures when implementing ERM strategies. The guidelines — NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM) – are specifically aimed at fostering the integration of cybersecurity risk management best practices and ERM frameworks.

The Internet Security Alliance (ISA) is a trade association and think tank whose members include prominent corporations in a wide cross section of industries. In February, ISA, in partnership with the National Association of Corporate Directors (NACD), published the 2020 edition of their Cyber-Risk Oversight Handbook for Corporate Boards.

ISA President Larry Clinton noted how well the trade groups’ handbook meshes with NIST’s new guidelines. “The NIST filing does an excellent job linking many of the principles directors have articulated as necessary for effective cybersecurity,” he says. “The NISTIR, like the NACD-ISA handbook, urges enterprises to utilize the modern models that are being developed to help organizations appropriately balance economic growth and cyber risk.”

I had the chance to drill down on this with Clinton. We had a most lively discussion. Here are excerpts, edited for clarity and length.

LW: How is it that we’ve come this far in the digital age with such a lack of clarity about the economic context of cyber risks?

Clinton: It’s a good question. I think the whole digital age came upon us so quickly, so easily, so pleasantly and so profitably that we simply missed the security downside at first. Most people thought since operating the system was so easy, securing the system must be simple too. Surely  firewall would stop attacks; or if there were any gaps, a “patch” would fix it. Who knew it was complicated?

People became aware of the cyber problem largely through publicity around major breaches like Target and Sony. The knee jerk response was that cyber breaches were new versions of corporate malfeasance – like Enron or Volkswagen —  and the fault lay with those money-grubbing corporations who didn’t care about protecting consumer data. If we just threatened the executives with jail time, that would be sufficient.

But money-grubbing executives, bad as they are,  are not the core problem. At a macro level, the founders (of the Internet) were just trying to build a system to transfer data among the early supercomputers and really didn’t think much about security – it was a very different era.  So the foundation was built as an open system and that created a market totally favoring the attack community.

The core problem with cybersecurity is that we have an inherently vulnerable system, one that’s getting more vulnerable all the time, protecting extremely valuable data. The economic incentive to attack, combined with readily available technical means – and lack of law enforcement –make cyber-attacks all but inevitable

At a micro level, because everything seemed so fun and easy, we hid the economics and turned them upside down. We disassociated cyber risk, like using weak passwords and visiting sketchy websites, from the harm of that risk. Consumers chose to value convenience over security.  So the economic incentive for the IT industry was not to build secure products, but to build quickly on top of the existing insecure system and get the product to market fast, then fix it later with updates and patches. Since there was little market for secure products, universities didn’t emphasize secure coding. Essentially consumers tilted the market toward insecurity.

LW: Why haven’t ERM tactics been applied more uniformly and effectively to securing enterprise IT assets to this point?


Clinton: This gets back to people mostly not realizing there is a cybersecurity problem and then misunderstanding it as a purely technical problem. Assuming cyber insecurity was the result of some sort of technical glitch being exploited by fat kids in basements — a theory then candidate Trump offered in a 2016 Presidential debate – they naturally turned to the technicians to solve it. To a hammer everything looks like a nail, and so the technicians have run out an endless stream of patches and updates to plug the holes in the system.

But the technology is just how the attacks occur. To actually solve the problem we need to address, not just the how, but also the why. That then calls for more advanced and comprehensive thinking that goes beyond just the system’s technology. The human, economic and legal ramifications need to be addressed, which eventually leads to ERM-type solutions.

LW: These guidelines attempt to address cyber exposures which can be pretty abstract and fluid. What’s an example of how they might come into play?

Clinton: Take for example, restrictions many companies have on the websites employees are permitted to access from their office computers. This white list of acceptable websites  may be in place for a wide variety of reasons.

Let’s say a firm wants to build a reputation as an innovator, so the decision is made to remove those restrictions for developers working in the R&D lab; they’re given greater access to, perhaps, risky sites, because the company doesn’t want to  curtail their out-of-box thinking, nor do they want to detract from their reputation as an innovative company. In this case the company would accept the larger risk for the developers versus, say, the production people. And they might look into getting insurance to transfer at least some of this risk.

LW: How ready is the insurance industry to supply policies to cover cyber risks enterprises may increasingly look to transfer – as they integrate cyber risk into ERM planning?

Clinton: The insurance industry is large, complex and diversified. The industry is quite well-positioned to manage some residual risks.  For example standard “breach” insurance is quite well established and can offset financial risks associated with identifiable costs an enterprise can incur, such as consumer notification, legal filings, help desk expenses, etc., resulting from a breach that might happen, despite the entity using a variety of controls. The key here is that the costs of such events are fairly easily identifiable and thus costs and probabilities can be reasonably assessed —  and rates can be charged competitively.

However residual risk from potentially catastrophic cyber events, e.g. the electric grid goes down for an extended period causing massive downstream loss, or truly systemic risks that could bring down the entire Internet — these are risks that probably outstrip the insurance industry’s ability to properly cover it.

Then there are areas of the insurance industry that still need development. For instance, at what stage does a nation-state attack qualify as an act of war — and hence gets covered by the war exception? And how can we properly value intellectual property theft – which is generally not real theft, but copying? To deal with these unclear areas and massive events we need to evolve a more collaborative approach between government and industry.

LW: Why is it important to have senior level buy-in to these principles?

Clinton: Cyber security is not a discrete, appendage issue that can be tacked on to 15 minutes at the end of a board meeting – even though that is usually how it is addressed.  In the 21st century cybersecurity is an integral part of virtually all important board decisions.  Mergers, acquisitions, new product development, strategic partnership development, supply chain decisions, etc., all have major cybersecurity components.

Boards need to be discussing cyber issues throughout the business operation and development processes. Boards have a responsibility to define risk appetite, approve strategy, calibrate appropriate levels of investment and oversee management’s implementation of these strategies. Fortunately, analytical tools have been developed in the past few years that enable management to assess cyber risk in an empirical way and on an economic basis. This information can be brought to the board allowing them to become fuller partners in cybersecurity.

One of the major reasons we are losing the fight to secure cyberspace – and we are losing it by a massive score — is that we have mostly misunderstood and underestimated the importance of cybersecurity.  Enterprises need to operate from an organizational culture and a security culture that comes from the board down, not from IT operations up.

LW: Can you summarize how NISTIR 8286 dovetails with ISA’s view on how enterprises should conduct cyber-risk oversight?

Clinton: Over the past several years the ISA, in partnership with the National Association of Corporate Directors, has developed a set of five principles that can guide board-level participation in cyber risk oversight. These principles have been endorsed by NACD equivalents in Europe, Latin America India and Japan. They have also been endorsed by government agencies including DHS, DOJ the Organizational American States and the German Federation Office of Information Security.

The principles have been independently assessed by PwC, as part of their Annual Global Information Security Survey, which found use of the principles generated improved budgets, better risk management and closer alignment of cybersecurity with business goals, while also  helping create a culture of security. NISTIR 8286 addresses virtually all of the concepts outlined in the ISA-NACD documents and places them in the framework established under ERM, at the management level.

These twin documents for the first time allow boards and management to focus on the same principles. The principles get elevated to an enterprise-wide risk management function. The previous paradigm was a version of the compliance model, illustrated by unending check lists of largely disembodied technical requirements that were largely divorced from the organization’s business model.

LW: What is the essence of ISA’s “Cybersecurity Social Contract” model, and how does it apply here?

Clinton: The social contract is a model that defines the government’s relationship with the private citizen or sector.  Originally articulated by philosophers like Locke and Rousseau, it redefined the citizens’ relationship with the state as being based, not on some divine right, but as an economic exchange between the state and the private individual. In a social contract the government provided services, like security or roads, in return for the individuals’ allegiance and support.

The model was adapted in the US in the early 20th century to stimulate the construction of our critical infrastructure. In the early 1900s telephones and electricity were being provided where they made economic sense – high density and affluent areas. In that social contract, the private phone and electric companies agreed to provide universal electric/phone service in return for the government essentially guaranteeing their rate of return. That social contract helped lead to rapid expansion and industrialization of the US, turning it from a minor regional player at the dawn of the 20th century into a major world player by WWI in the 1920s, and a superpower by the end of WWII in 1945.

We need a similar social contract for cybersecurity. The private sector and the public sector are interconnected through the same internet. Moreover, the private sector,  including utilities, hospitals, manufacturing and IT, etc., is essentially on the front lines of national cyber defense. The private companies that own these entities provide security at a commercial-level based on their economics.  However commercial-level security is far more risk-tolerant than national level security.

As we’ve discussed, digital economics are convoluted and largely favor the attack community, including aggressive nation states. This economic imbalance is one of the major reasons we have not made much perceptible progress toward securing cyberspace. We need to rebalance digital economics to create collective security in our collective self-interest. In the 21st century cyber defense must be understood as an element of national defense and not just in terms of the military.

We also need national defense of our intellectual property, and protection from the massive cybercriminal empire. This will require much more than awareness programs and operational information sharing. We will need a program of economic incentives to augment the commercial level security that private firms generally provide.

Ironically, virtually every bipartisan commission that has studied cybersecurity for the past decade has come to this same conclusion. The House GOP Task Force on Cyber Security and President Obama’s Executive Order 13636 both call for the development of an economic incentive program, and the recently concluded Bipartisan Solarium Commission literally called for a new social contract for cybersecurity. Unfortunately, both parties in Congress and successive Administrations have failed to follow their own advice. But a new Cyber Social Contract will be needed if we are to make real progress in creating a sustainably secure cyberspace.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone