New guidance from the National Institute of Standards and Technology (NIST) aims to demystify a process with which many companies across all industries have long struggled: how to seamlessly integrate cyber-security risk into an overall enterprise risk management program.
The intent of the guidance—formally called NISTIR 8286, “Integrating Cybersecurity and Enterprise Risk Management (ERM)”—is “to help improve communications (including risk-information sharing) between and among cyber-security professionals, high-level executives, and corporate officers at multiple levels,” NIST said. It is a particularly helpful document for corporate officers—including chief information security officers, chief risk officers, chief compliance officers, and others—because it explains in significant detail what cyber-security data to collect, what analyses to perform, and how to usefully consolidate cyber-security risk information into an overall ERM program.