Is it a good practice to embed cybersecurity risks in the enterprise risk register? Keep in mind that ERM and cybersecurity follow different risk assessment methodologies.

Director of Legal, 8 months ago

Yes, it's generally considered a best practice to embed cybersecurity risks within the enterprise risk register. While ERM and cybersecurity may use different methodologies, integrating them offers significant advantages. However, it requires careful consideration and a structured approach to bridge the methodological differences. This approach shall help in holistic risk management, alignment with business objectives, improved communication and collaboration, enhanced risk visibility, reporting and better resource allocation.

CISO | Legal & Regulatory APAC lead in Media, 8 months ago

Integrating cybersecurity risks into the enterprise risk register is indeed a good practice. This approach offers several advantages:

1. Comprehensive Risk Perspective: It enables organizations to maintain a holistic view of all risks, including cybersecurity, which is essential given the rising frequency and impact of cyber threats.

2. Enhanced Communication: Including cybersecurity risks in the enterprise risk register improves communication between cybersecurity teams and senior management, ensuring these risks are understood and prioritized at the highest levels.

3. Effective Resource Allocation: It aids in prioritizing risks and allocating resources more efficiently. By understanding the potential impact of cybersecurity risks within the broader context of enterprise risks, organizations can make more informed decisions about where to invest in risk mitigation.

4. Consistency in Risk Management: Despite the different methodologies used in ERM and cybersecurity, integrating them ensures consistent risk management practices across the organization.

5. Regulatory Compliance: Many regulatory frameworks and standards now require organizations to demonstrate that they are managing cybersecurity risks as part of their overall risk management processes.

While the methodologies may differ, the key is to align the risk assessment processes and ensure clear communication and understanding between the teams responsible for ERM and cybersecurity. This alignment can be achieved through regular meetings, shared risk registers, and integrated risk reporting.

COO in Finance (non-banking), 8 months ago

We cross-reference from our cyber risk framework into the ERM, but there's a recognition that the cyber risk framework is authoritative and contains more detail regarding risk appetite, controls maturity, roadmap etc.
