The National Institute of Standards and Technology (NIST) is part of the US Department of Commerce. It has provided guidance on the assessment of cyber-related risk that is followed by many information security and cyber professionals.
In March, it published a draft, Integrating Cybersecurity and Enterprise Risk Management (ERM).
One of the problems, a serious constraint on NIST, is that it operates in an environment that has required the traditional practice of ERM, where the final product is a risk register (or a risk profile, which is simply a prioritized risk register). Federal (US) agencies[1] have published authoritative guidance that mandates this approach.
Most leading practitioners and thought leaders have recognized that risk registers and risk heat maps are without significant value. They might enable leaders of the organization to manage individual risks, but they neither help see the big picture nor run the organization for success.
As I have said before, such as in Time to Wake Up to Risk Reality, leaders of organizations around the world have consistently said that traditional risk management is not helping them set and then execute on enterprise objectives.
Traditional risk management is not helping leaders make the decisions necessary for success.
Avoiding failure is not the…
