Last Updated on January 16, 2024
If your company doesn’t do business with the US federal government, the US National Institute of Standards and Technology (NIST) might not be on your radar (yet). Originally named the National Bureau of Standards, NIST develops standards and guidelines that are mandatory for US federal agencies and widely adopted on a voluntary basis by US private sector companies. Beyond that, NIST guidance is respected and leveraged worldwide by standards bodies and other organizations.
As you might expect, some pretty smart people work at NIST.
One of the smartest is Dr. Ron Ross, a NIST Fellow who leads the development of NIST’s cybersecurity and privacy standards. As our special guest on a recent episode of The Virtual CISO Podcast, Dr. Ross addressed one of the most pervasive problems with cybersecurity and risk management in organizations across the board: “silos of risk”—and shared how NIST is tackling it.

“It’s not an easy problem, obviously, and we’re really trying to address that,” Dr. Ross notes. “We have one of our NISTIR [NIST Interagency/Internal Report] folks, Nahla Ivy, working on ERM [Enterprise Risk Management] for a long, long time, trying to take more at NIST and some of the other international standards and really solve the problem that you just described.”

“Because you have these different silos of risk management going on,” Dr. Ross continues. “And within those silos, we think we know what risk means, but even that’s tough sometimes. When you start trying to combine those different outputs from the different silos, and you try to start to put all those risk factors together across the different areas and come up with some macro risk management decision, it’s pretty difficult to do that.”
Host John Verry, Pivot Point Security’s CISO and Managing Partner, knows this issue all too well. John observes, “One of the problems with information security, and with risk management as a whole, is that too many organizations have these silos of risk, right? You’ve got information security risk; that’s managed by the CISO. You’ve got the supply chain/third-party risk, which is managed by a different group. You’ve got enterprise risk management, and all of us are talking in terms of different impact criteria. And if we can’t talk the same impact criteria, we can’t have conversations together… A risk that’s high over here isn’t a risk that’s high over here.”
“This is not going to be an exact science,” Dr. Ross asserts. “There’s always going to be some degree of subjectivity and value judgements. That’s what human beings bring to this problem space. And that’s not a bad thing. But I think we can help those senior leaders understand more about where those risk feeds are coming from, and help them understand how to maybe assemble those in a way that they can make some meaningful decisions. We’re not there yet, but we’ve got some good people working on that problem.”
One way that NIST is addressing risk management silos is to make its foundational Risk Management Framework (RMF), NIST SP 800-37 Rev. 2, multipurpose.
“It’s not just a framework that can manage cybersecurity risks; it can also manage privacy risk and supply chain risk as well,” explains Dr. Ross. “The power of having a single framework that can deal with cybersecurity issues, privacy issues, supply chain issues… You’re starting to see a framework that looks a little bit more like an enterprise-wide risk management [ERM] framework.”
In fact, NIST is working on finalizing its Draft NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM). This interagency report “… promotes greater understanding of the relationship between cybersecurity risk management and ERM, and the benefits of integrating those approaches.” The goal of the report is to help individual teams within an enterprise “… improve the cybersecurity risk information they provide as inputs to their enterprise’s ERM processes.” This helps frame cyber risk appropriately in the context of the broader enterprise mission and business objectives.
NISTIR 8286 is just one of a number of risk management projects underway at NIST in the areas of information security, privacy and supply chain risk.
If silos of risk are a fact of life in your organization, put this podcast episode with Dr. Ron Ross at the top of your must-listen queue.
To hear this episode in its entirety, and wrap your ears around our treasure trove of information security podcasts, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can access all our episodes here.