Cybersecurity and Enterprise Risk Management (ERM) are two disciplines you’d think would be fully integrated at most organizations. After all, ERM is the process of managing risks and identifying threats to an organization as a whole — two tasks key to cybersecurity in general.
And breaches are obviously a big risk to organizations; not only does the average data breach cost $2.8 million, but its effects are likely to be felt for years. Ponemon’s Cost of a Data Breach Report found that one-third of data breach-related costs occur more than a year after the original breach.
Unfortunately, at many companies cybersecurity and ERM are not in sync. A study conducted at RSA 2019 found that half the respondents hadn’t fully integrated cybersecurity into the ERM function in their organizations. Why haven’t business leaders recognized cybersecurity as a risk that could damage the health of their enterprise? And why haven’t security leaders been able to communicate that risk more effectively to the business side of the organization?
To answer those questions, this post looks at what ERM is, what its key drivers are, and why business leaders and security leaders might not be communicating well when it comes to risk and threats.