Cyber and Program Risk Management: Close Cousins…mostly
While not greatly different, there are some unique variations
The history of Risk Management (RM) can be traced to the period following World War II and is most associated with the insurance industry (Dionne, 2013). Insurers sought an appropriate cost model to ensure the long-term viability of a company in the insurance marketplace. The application of RM is now found widely throughout the US economy: it is just as prevalent in financial and banking analyses, health and medical diagnoses, and the gaming industry, which illustrates how pervasively it affects us daily.
RM has expanded to many fields of study where risk is an integral challenge, including Program Risk Management (PRM) and Cybersecurity Risk Management (CyRM). While they have similarities, they also have their own unique challenges. RM of any “flavor” is about the “[s]elf protection activities [that] have also become very important. This…activity affects the probabilities of losses or costs before they arise” (Dionne, 2013, p. 149). Both are focused on reducing loss of any kind to a company or organization.
A serious and common problem facing companies, whether in managing PRM or CyRM, is their disconnection from an understood RM process. “New research from North Carolina State University…finds most executives see risks increasing in both number and complexity – but those same executives say their organizations’ risk management efforts may not be staying abreast of those risks” (Branson & Hancock, 2017). The inability to keep pace with the complexity and challenges of risk, with no clear understanding of risk at the corporate leadership level, is not limited to these two categories of RM.
Another commonality is that both are about reducing threats. Within PRM it is about the threats affecting performance, cost, and schedule (Program Management Institute, 2013). These are the “threats” to programs, for example, that develop new software applications, systems, or devices. In CyRM it is about threats that can be simple nuisances, such as a Denial of Service (DoS) attack: a short-lived overwhelming of a company’s servers that brings informational and operational access to a crawl. They can also be graver attacks that inject malware and result in the loss or destruction of corporate data. Both must defend against events that may affect the operational readiness of the business.
Finally, both are concerned with an RM process that is implemented throughout the entire lifecycle. For PRM, it is about identifying, analyzing, and controlling risk from inception to delivery to the customer (Pana & Simionescu, 2011). For CyRM, it is tied to the identification of a vulnerability, such as a lack of two-factor authentication or the absence of an insider threat training policy. Both rely on the “systematic application of procedures” (Pana & Simionescu, 2011, p. 109) to identify and manage the risk until it is eliminated or is at least understood throughout the life of the system, software application, etc.
Contrast
One difference between PRM and CyRM is that when a program is completed and delivered into an operational state to the customer or business, the process of risk management shifts to “continual improvement” (Gallacher & Morris, 2012). Continual improvement is a core program management tenet found in PM approaches using Six Sigma or the Information Technology Infrastructure Library (ITIL) frameworks. These may include security improvements, but responsibility is typically shifted to a cybersecurity professional assigned to manage the security and privacy of the system after it is deployed operationally. CyRM is an enduring effort. The risks continue through an endless lifecycle until the system is retired; CyRM becomes embedded in system development, while PRM shifts to an operational and maintenance role that no longer requires formal PM leadership.
Another contrast is that while PRM can rely on historical data from other projects or programs, it is based predominantly on “known-unknowns.” In PM, the known-unknowns are predominantly couched around the categories of performance, cost, and schedule, and there is established data from other programs that can be leveraged. In contrast, CyRM deals with a significant challenge: the “unknown-unknowns,” the risks that are not even known by the experts (Silver, 2012). A major challenge is zero-day attacks; a zero-day attack exploits a vulnerability for which there is no current knowledge or expectation that an exploit even exists. These are vulnerabilities of which the cybersecurity specialists have no foreknowledge and which they cannot even anticipate. This contrast is one of the gravest disparities between the two types of RM.
Assessment
PRM and CyRM are both founded upon the same principles of risk identification and control (Pana & Simionescu, 2011) that are shared across all forms of RM. The commonalities and differences between the respective RM areas, while seemingly minor, still require an understanding of what is unique to each. Without such an understanding it is likely that private and public sector leadership will continue to be confused about, and further ambivalent toward, RM in general. The current track record appears wanting. Corporate boards can no longer avoid their responsibility and accountability in either of these aspects of RM.
The sad view continues “…that directors are not sufficiently prepared to deal with cybersecurity risk [and it] has raised alarm bells in boardrooms nationwide and globally.” Senior leadership must become more engaged with the plight and challenges of RM or continue their reactive roles with both PM and cybersecurity risk indefinitely.
References
Branson, B., & Hancock, B. (2017, March 16). Survey: Corporate risks rising – but risk management efforts not keeping pace. Retrieved from North Carolina State University: https://news.ncsu.edu/2017/03/erm-report-2017/
Dionne, G. (2013). Risk management: History, definition, and critique. Risk Management and Insurance Review, 16(2), 147-166. Retrieved from https://search.proquest.com/docview/1449840499?accountid=44888
Gallacher, L., & Morris, H. (2012). ITIL Foundation Exam Study Guide. West Sussex, UK: John Wiley & Sons.
Pana, N., & Simionescu, L. (2011). The importance of risk management process in ensuring successful implementation of projects entrusted. Land Forces Academy Review, 16(1), 108-114. Retrieved from https://search.proquest.com/docview/858247550?accountid=44888
Program Management Institute. (2013). A Guide to the Project Management Body of Knowledge (PMBOK® Guide)—Fifth Edition. Newtown Square, PA: Program Management Institute.
Radziwill, N., & Benton, M. (2017). Cybersecurity cost of quality: Managing the costs of cybersecurity risk management. Software Quality Professional, 19(4), 25-43. Retrieved from https://search.proquest.com/docview/1941238932?accountid=44888
Rose, K. H. (2013). A Guide to the Project Management Body of Knowledge (PMBOK® Guide)—Fifth Edition. Project Management Journal, 44(3), e1-e1.
Rothrock, R. A., Kaplan, J., & Van, D. O. (2018). The board’s role in managing cybersecurity risks. MIT Sloan Management Review, 59(2), 12-15. Retrieved from https://search.proquest.com/docview/1986317468?accountid=44888
Silver, N. (2012). The signal and the noise: Why so many predictions fail–but some don’t. New York: Penguin.
Dr. Russo is currently the Senior Data Scientist with Cybersenetinel AI in Washington, DC. He is a former Senior Information Security Engineer within the Department of Defense’s (DOD) F-35 Joint Strike Fighter program. He has an extensive background in cybersecurity and is an expert in the Risk Management Framework (RMF) and DOD Instruction 8510, which implements RMF throughout the DOD and the federal government. He holds a Certified Information Systems Security Professional (CISSP) certification and a CISSP concentration in information security architecture (ISSAP). He earned a 2017 Chief Information Security Officer (CISO) certification from the National Defense University, Washington, DC. Dr. Russo retired from the US Army Reserves in 2012 as a Senior Intelligence Officer.