Integration of cybersecurity into an organization’s risk management framework is “still in the hunter-gatherer state,” said Yo Delmar, VP, Governance Risk & Compliance (GRC) at MetricStream. She was the second of two presenters at the December 16, 2014, webinar on cybersecurity organized by the Global Association of Risk Professionals.

Cyber risks are currently incorporated into existing risk management and governance processes in an ad hoc fashion that is “unorganized and fragmented,” Delmar said. “There is quite a bit of work to do to get to a rationalized state” that would permit management of such risks. “Most companies have the vision of an optimized state, but… are somewhere between [the states of] ad hoc and managed.”

To reach the optimized state, Delmar described the five core capabilities in cyber risk management and governance that an organization needs.

Culture. Foremost, an organization must have a “culture of risk awareness.” The appetite for, and tolerance of, cyber risks must be defined, and “the dialogue must be supported with metrics and analytics,” she noted.

Behaviour. An organization “must link cyber risks to actual business impact, and link these to performance goals,” she said. It is necessary to “streamline policies, procedures, and roles.”


Language. “We must get better at interpreting the new normal,” she said, referring to frequent cyber attacks. “Translate this into risks confronted by your organization.” It’s important to have a common nomenclature for terms such as “risk,” “controls,” “models,” and so on so that there would be “apples-to-apples” comparison within a risk framework. For example, “kill chain” is a term unique to cyber risk that needs to be linked to the rest of the operational risk world.

Issues. An organization must “create a rapid complete issue resolution process” that has a consolidated view of risk, and will determine the root cause in different businesses. There is a need to “right-size the remediation investment,” Delmar said.

Orchestration. “Harmonize across peer organizations within the firm,” she said. “Develop internal capabilities, especially if fragmented, around the globe.” Part of good orchestration is to continuously innovate, improve, and share success stories.

Through developing the five core capabilities, managing cyber risk will become an organization’s competency.

Delmar believes that incorporating cyber risk into the enterprise risk framework will mean changes to the organization. “As the ‘new normal’ takes hold, people must change their perspective,” she said.

Organizations “are seeing the need for a chief scientist—someone who understands the difference between metrics and analytics.”

“An automated, federated GRC framework … will allow you to reach cyber confidence … with reasonable costs and effort,” she concluded.ª

Click here to view the webinar presentation on cybersecurity. Yo Delmar spoke in two sections, covering slides 15 to 24, and slides 32 to 38.

Click here to view a report of the first presentation, Christophe LeSieur.

Disclaimer: TextMedic completes occasional contract work for MetricStream.