Your ERM Is At Risk Without Cybersecurity & 6 Steps To Fix It

Senior leaders often have fiduciary and reporting responsibilities that other organizational stakeholders do not, so they have a unique responsibility to holistically manage the combined set of risks, including cybersecurity risk.

The increasing frequency, creativity, and severity of cybersecurity attacks mean that all enterprises should ensure that cybersecurity risk is receiving appropriate attention within their enterprise risk management (ERM) programs.

What is NIST 8286

NIST 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM), published by the National Institute of Standards and Technology (NIST), provides guidelines on how organizations should manage their cybersecurity risks.

The NIST 8286 series enables risk practitioners to integrate Cyber Security Risk Management (CSRM) activities more fully into the broader enterprise risk processes.

It focuses on understanding the threats to your organization’s data, systems, and networks; assessing the likelihood of these threats; determining how to respond; and monitoring progress.

Because information and technology comprise some of the enterprise’s most valuable resources, it is vital that directors and senior leaders have a clear understanding of cybersecurity risk posture at all times.

It is similarly vital that those identifying, assessing, and treating cybersecurity risk understand enterprise strategic objectives when making risk decisions.

What is the Focus of 8286

The report is intended to help organizations improve their cybersecurity risk information, which they provide as inputs to their enterprise’s ERM processes through communications and risk information sharing. By doing so, enterprises and their component organizations can better identify, assess, and manage their cybersecurity risks in the context of their broader mission and business objectives.

Focusing on the use of risk registers to set out cybersecurity risk, this guide explains the value of rolling up measures of risk usually addressed at lower system and organization levels to the broader enterprise level.

Cybersecurity risk is an important type of risk for any enterprise. Traditionally, risks addressed by ERM have included, but are not limited to, financial, legal, legislative, operational, privacy, reputational, safety, strategic, and supply chain risks.

In today’s digital age, cybersecurity is no longer just an IT issue; it has been elevated to an enterprise risk. As organizations strive to protect their data and systems from breaches and malicious attacks, they must also work to ensure that their ERM now includes cyber risk.

Understanding this Framework and what it means for your organization can help you assess what your current IT, cyber security, and GRC staff are doing toward risk mitigation and prepare for any professional development or training your staff needs in 2023.

6 Stages of 8286

The 8286 report emphasizes a holistic approach and includes a 6-stage process for managing cyber risks.

  1. Identify the context. Context is the environment in which the enterprise works and is influenced by the risks involved.
  2. Identify the risks. This means identifying the comprehensive set of positive and negative risks—determining which events could enhance or impede objectives, including the risks of failing to pursue an opportunity.
  3. Analyze the risks. This involves estimating the likelihood that each identified risk event will occur, and the potential impact of the consequences described.
  4. Prioritize the risks. Exposure is calculated for each risk based on its likelihood and potential impact, and the risks are then prioritized by their exposure.
  5. Plan and execute risk response strategies. The appropriate response is determined for each risk, with the decisions informed by risk guidance from leadership.
  6. Monitor, evaluate, and adjust. Continual monitoring ensures that enterprise risk conditions remain within the defined risk appetite levels as cybersecurity risks change.
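As an added example (not from the report or this article), a minimal risk register in Python that walks stages 4 and 6 above: it scores exposure, prioritizes entries, rolls system-level registers up to the enterprise level as the report describes, and flags entries outside risk appetite that still lack a response. The 1-5 scales, the likelihood-times-impact formula, the appetite threshold and the sample entries are assumptions and constructed data; NIST 8286 leaves the scoring scheme to the enterprise.

```python
from dataclasses import dataclass

# Assumptions (not from the report): 1-5 ordinal scales for likelihood and impact,
# exposure = likelihood * impact, and a constructed enterprise appetite threshold.
RISK_APPETITE = 12   # exposures above this need a planned response (scale max is 25)

@dataclass
class RiskEntry:
    risk_id: str
    description: str
    category: str        # e.g. "Access control", "Supply chain"
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    response: str = ""   # accept / avoid / mitigate / transfer, chosen in stage 5
    priority: int = 0    # assigned by prioritize() in stage 4

    def exposure(self) -> int:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1-5")
        return self.likelihood * self.impact

def prioritize(register: list) -> list:
    """Stage 4: rank by exposure, highest first; ties broken by impact, then by ID."""
    ordered = sorted(register, key=lambda r: (-r.exposure(), -r.impact, r.risk_id))
    for rank, entry in enumerate(ordered, start=1):
        entry.priority = rank
    return ordered

def roll_up(system_registers: dict) -> dict:
    """Roll system-level registers up to the enterprise level: the highest
    exposure seen in each risk category across all systems."""
    worst = {}
    for entries in system_registers.values():
        for e in entries:
            worst[e.category] = max(worst.get(e.category, 0), e.exposure())
    return worst

def outside_appetite(register: list, appetite: int = RISK_APPETITE) -> list:
    """Stage 6 check: risk IDs above appetite that still have no response recorded."""
    return [r.risk_id for r in register if r.exposure() > appetite and not r.response]

# Constructed sample registers from two hypothetical systems, not real data.
SYSTEM_REGISTERS = {
    "payroll": [RiskEntry("PR-01", "Stale privileged accounts", "Access control", 4, 4),
                RiskEntry("PR-02", "Unpatched web front end", "Vuln mgmt", 3, 5, "mitigate")],
    "crm": [RiskEntry("CRM-01", "Plugin with no SBOM", "Supply chain", 2, 3),
            RiskEntry("CRM-02", "No MFA on admin console", "Access control", 3, 5)],
}
ENTERPRISE_REGISTER = prioritize([e for reg in SYSTEM_REGISTERS.values() for e in reg])
```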

How to Implement the 6 Phases

Stages 1, 2, and 3 can be addressed with a Security and Risk Assessment performed to establish a baseline and surface the unknowns in your cyber risks.

Stages 4 and 5 can be achieved by implementing appropriate security layers, following a defense-in-depth approach, to protect the organization from cyber threats.

Stage 6 is critical to ensuring that cyber risks are known and mitigated promptly. Including trend analysis can help identify areas of cyber risk and will move you from reactive to proactive, data-driven decision-making.

The Benefits of 8286

The benefits of integrating cybersecurity into your ERM program:

  1. Establishes an organizational understanding of cyber risks.
  2. Enables the understanding of changes in cyber risks.
  3. Improves decision-making around resource allocation.
  4. Increases transparency into how cyber risk is managed.


As organizations navigate this ever-changing landscape of cyber security threats, it is important that they understand the NIST 8286 Framework and how it applies to their risk management strategies.

By developing a comprehensive cybersecurity program that aligns with the core principles outlined in the Framework, organizations can better protect themselves against cyber risks while remaining compliant with legal obligations regarding data privacy. Additionally, regular reviews and assessments will enable organizations to constantly improve their cybersecurity posture over time.

Recommended Resources

Suggestions to learn about the latest in cyber risk and governance:

  • Read about Netswitch’s Security and Risk Assessment (SARA). We help you in less than a week.
  • Join us in an upcoming LinkedIn Live Event where they will discuss how you can change the narrative around GRC in your organization. Watch Previous Events HERE
  • Request to join other risk professionals in our Cyber Risk Governance LinkedIn Group – The largest LinkedIn Group about Cyber Risk and Governance. JOIN