The 21st Century Approach to Managing Cyber Risk

by | Feb 13, 2017

Cyber Risk Governance recently emerged as a distinct discipline. How can we take a 21st century approach to implementing controls that enable boards to actively engage in overseeing cyber risk?

A rash of highly publicized fraud in the late 1990s revealed how poor financial reporting can create massive risk to shareholders. Before that, corporations had reported on their financial condition to boards of directors, but it became evident that more rigorous standardized reporting might prevent similar events from occurring.  The Sarbanes-Oxley Act was passed in 2002 to mandate change, and a thriving multi-billion dollar market in financial control systems and services has evolved since then.

In a recent post, we observed that the analagous discipline of cyber risk governance (CRG) has emerged within the past two years, driven by realizations that:

  1. cybersecurity is not just a technical problem; it’s a governance problem that needs attention across the entire enterprise;
  2. corporate directors face increasing risk from cyberattacks, including personal liability for breaches; and
  3. data about internal defenses is critical in organizing efforts to combat cyberterrorism and cybercrime.

If cyber risk governance is a 21st century discipline, then meeting best practice standards for cybergovernance requires a 21st century approach. Yet today, most organizations are using more expensive, less effective, and less comprehensive 20th century solutions. Consultants, spreadsheets, and limited monitoring tools lack the advantages that an automated cyber risk governance platform can provide.

To meet their statutory “duty of care” in mitigating all forms of risk, corporate directors need information. Managing cyber risk effectively requires constantly monitoring progress, updating action plans, evaluating improvements in resilience, and summarizing it all for the board. An initial risk assessment is only the beginning; a full-blown internal control system is needed. Just as financial control systems help organizations manage financial risk, an internal control system for cyber risk governance enables the board and management to actively engage in risk mitigation.

Implementing cyber risk governance begins with assessing an organization’s cyber maturity. Leading standards provide the basis for assessment, and the Cyber Security Framework (CSF) from NIST is widely accepted as the de facto standard. Using CSF as the foundation, an internal control system delivers a comprehensive solution to managing enterprise-wide cyber risk.

The table below contrasts three methods currently used to assess and manage cyber risk:

 Manual AssessmentOnline SurveysCyber Risk Control System
MethodMultiple spreadsheetsLinks to key individuals who answer online surveyIndividual questions assigned to and managed by owners
ParticipantsInternal/external consultants interview many employeesInitially distributed, then redistributed as needed based on responsesQuestions pass electronically until most knowledgeable respondent reached
WorkflowSingle or multiple interviewer(s) fan out across the organizationSurvey manually reassigned to additional respondents to fill gapsOwners of domains forward questions to the most qualified respondent (unlimited handoffs)
Effort and AccuracyMultiple spreadsheets must be reconciledMultiple surveys must be reconciledEach question answered once by most knowledgeable respondent
Tracking and ReportingManual tracking; manual reportingManual tracking; manual reportingEach answer immediately updates board level dashboard
Ongoing ProgressRepeat the processRepeat the processAutomated guidance prioritizes next actions based on standard
CollaborationManualManualWorkgroups automatically defined to address related actions
Distributed ManagementMultiple sets of interviewersSurvey links to multiple distributed groupsAutomated rollup of multiple instances
Adding a FrameworkCreate customized spreadsheetsCreate customized online surveyMap to existing controls; create new dashboard


Of course, implementing any form of cyber risk assessment is essential, but only capturing cyber status at one point in time falls short of motivating better cyber hygiene. Embedded cyber risk control systems are superior. They enhance operational excellence by continually monitoring critical systems and providing ongoing guidance based on national standards. In contrast to more manual methods, an internal control system for managing cyber risk is a platform for shared communication and collaborating to implement needed controls that reduce risk and build cyber resilience into the enterprise.

Be notified of new Journal entries in your email box or Follow us on Twitter.