Three Must-Haves in Enterprise Cyber Risk Management

In the 2019 Global Cyber Risk Perception Survey from Marsh and Microsoft:

“Overall, companies’ concern about cyber risk increased since 2017, but belief in their ability to manage cyber risk — their cyber confidence — declined.”

To maintain operational resilience during a disruption, an enterprise needs a well-organized cyber risk management program. Building one is not easy, because many questions are open at the start: which framework to adopt, what it will cost, what return to expect, and so on. The three must-haves introduced in this post are the foundation on which an enterprise cyber risk management program can be built.

  1. Governance Structure: Provides a trackable routine through which experts and decision-makers pass risk decisions down the organization. Risk management has to be driven from the top, so the structure must make clear who decides, who is informed, and how those decisions are recorded.
  2. Risk Appetite: Gives staff the confidence to apply strategies by stating how much risk the organization can tolerate and when an identified risk must be escalated. It also lets staff present risks in quantitative terms, so that the risks being accepted stay within the bounds of the organizational strategy.
  3. Policy and Procedure: Builds a basic awareness of risk into employees' daily work. From the first day of employment, employees should know how to raise concerns and what actions to take when a disruption occurs.

These three pillars help an organization accomplish its mission during a disruption when they are applied in the order shown above. Before applying them, however, it is necessary to find out how well the organization's current risk program actually runs. An organization that has no idea where to start is, by that fact alone, at a very low level of risk management maturity. The way to measure how well enterprise risk management runs is to assess the program against a capability maturity model and to check whether current practice adheres to any recognized cybersecurity framework.

According to IT Governance USA, the four cybersecurity frameworks adopted most frequently are PCI DSS (47%), ISO 27001/27002 (35%), CIS Critical Security Controls (32%), and the NIST Framework for Improving Critical Infrastructure Cybersecurity (29%). Beyond these four, COSO, the CERT Resilience Management Model (CERT-RMM), and other standard risk management frameworks are commonly used to develop a mature risk management program. Cybersecurity professionals often find it difficult to distill the core ideas of cybersecurity for someone outside the field; a framework gives the rest of the business a shared vocabulary in which to understand, discuss, and communicate cybersecurity.

Brett Tucker, the Technical Manager of Cybersecurity Risk at Carnegie Mellon University, suggests:

“Even if your enterprise navigates the turbulent storm of cyber threats by luck alone, preparing for disruption builds a culture of mission focus. To maintain that focus in the midst of bigger and more frequent cyber attacks, robust risk management and operational resilience are more important than ever.”


LIFARS is a highly technical, New York City based incident response and digital forensics firm specializing in proactive and reactive solutions that reduce your organization's cybersecurity exposure. LIFARS provides focused skill training and practical experience to address your organization's cyber workforce security needs in the following areas:

  • Incident Response Training
  • Technical Training
  • User Awareness Training
  • Executive Training


Contact LIFARS Today

For Risk Management Services