book

Building a Cyber Risk Management Program

by Brian Allen, Brandon Bapst, Terry Allan Hicks

December 2023

Intermediate to advanced

220 pages

7h 17m

English

O'Reilly Media, Inc.

Audiobook available

Read now

Unlock full access

Preface
Brian’s StoryBrandon’s StoryBringing It TogetherWho Should Read This BookFinal ThoughtsConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgments
1. Cybersecurity in the Age of Digital Transformation
The Fourth Industrial RevolutionCybersecurity Is Fundamentally a Risk PracticeCyber Risk Management Oversight and AccountabilityDigital Transformation and Maturing the Cyber Risk Management ProgramCybersecurity Isn’t Just a “Security” ConcernCyber Risk Management Program: An Urgent Enterprise ConcernThis Book’s RoadmapThe Bottom Line
2. The Cyber Risk Management Program
The SEC Speaks—and the World ListensIncident Disclosure (“Current Disclosures”)Risk Management, Strategy, and Governance Disclosures (“Periodic Disclosures”)The Cyber Risk Management Program FrameworkCyber Risk Management Program: Key DriversSatisfying Obligations and LiabilityWhen Risk Management Fails Completely: The Boeing 737 MAX DisastersRisk Management Program Applied to the Boeing Disasters“Essential and Mission Critical”: The Boeing CaseBenefits of a Security Risk ProgramBenefit 1: Strategic Recognition of the Security Risk FunctionBenefit 2: Ensuring the Cyber Risk Function Has an Effective BudgetBenefit 3: Protections for Risk Decision MakersCRMP: Systematic but Not Zero-RiskBoard Accountability and Legal LiabilityThe Boeing Ruling and Cyber Risk Oversight AccountabilityCISOs in the Line of Fire for LiabilityThe Bottom Line
3. Agile Governance
The Uber Hack Cover-UpWhat Does Good Governance Look Like?Aligning with the Enterprise Governance StrategySeven Principles of Agile GovernancePrinciple 1: Establish Policies and ProcessesPrinciple 2: Establish Governance and Roles and Responsibilities Across the “Three Lines Model”Principle 3: Align Governance Practices with Existing Risk FrameworksPrinciple 4: Board of Directors and Senior Executives Define ScopePrinciple 5: Board of Directors and Senior Executives Provide OversightPrinciple 6: Audit Governance ProcessesPrinciple 7: Align Resources to the Defined Roles and ResponsibilitiesThe Bottom Line
4. Risk-Informed System
Why Risk Information Matters—at the Highest LevelsRisk and Risk Information DefinedFive Principles of a Risk-Informed SystemPrinciple 1: Define a Risk Assessment Framework and MethodologyPrinciple 2: Establish a Methodology for Risk ThresholdsPrinciple 3: Establish Understanding of Risk-Informed NeedsPrinciple 4: Agree on a Risk Assessment IntervalPrinciple 5: Enable Reporting ProcessesThe Bottom Line
5. Risk-Based Strategy and Execution
ChatGPT Shakes the Business WorldAI Risks: Two Tech Giants Choose Two PathsWall Street: Move Fast—or Be ReplacedThe Digital Game Changers Just Keep ComingDefining Risk-Based Strategy and ExecutionSix Principles of Risk-Based Strategy and ExecutionPrinciple 1: Define Acceptable Risk ThresholdsPrinciple 2: Align Strategy and Budget with Approved Risk ThresholdsPrinciple 3: Execute to Meet Approved Risk ThresholdsPrinciple 4: Monitor on an Ongoing BasisPrinciple 5: Audit Against Risk ThresholdsPrinciple 6: Include Third Parties in Risk Treatment PlanThe Bottom Line
6. Risk Escalation and Disclosure
The SEC and Risk DisclosureRegulatory Bodies Worldwide Require Risk DisclosureRisk EscalationCyber Risk ClassificationEscalation and Disclosure: Not Just Security IncidentsDisclosure: A Mandatory Concern for EnterprisesThe Equifax ScandalSEC Materiality ConsiderationsCyber Risk Management Program and ERM AlignmentFive Principles of Risk Escalation and DisclosurePrinciple 1: Establish Escalation ProcessesPrinciple 2: Establish Disclosure Processes—All EnterprisesPrinciple 3: Establish Disclosure Processes—Public CompaniesPrinciple 4: Test Escalation and Disclosure ProcessesPrinciple 5: Audit Escalation and Disclosure ProcessesThe Bottom Line
7. Implementing the Cyber Risk Management Program
The Cyber Risk Management JourneyBeginning the Cyber Risk Management JourneyImplementing the Cyber Risk Management ProgramAgile GovernanceRisk-Informed SystemRisk-Based Strategy and ExecutionRisk Escalation and DisclosureSelling the ProgramThe Bottom Line
8. The CRMP Applied to Operational Risk and Resilience
Enterprise Functions That Interact with and Contribute to Operational ResilienceA Malware Attack Shuts Down Maersk’s Systems WorldwideGuiding Operational Resilience Using the Four Core Cyber Risk Management Program ComponentsAgile GovernanceRisk-Informed SystemRisk-Based Strategy and ExecutionRisk Escalation and DisclosureThe Bottom Line
9. AI and Beyond—the Future of Risk Management in a Digitalized World
AI DefinedAI: A Whole New World of RiskAdversarial Machine Learning: NIST Taxonomy and TerminologyRisk Management Frameworks with AI ImplicationsKey AI Implementation Concepts and FrameworksBeyond AI: The Digital Frontier Never Stops MovingThe Bottom Line

Appendix. The Cyber Risk Management Program Framework v1.0
Purpose and ContextStructure of the Cyber Risk Management Program FrameworkNote: Framework Disclosure
Index
About the Authors

Overview

Cyber risk management is one of the most urgent issues facing enterprises today. This book presents a detailed framework for designing, developing, and implementing a cyber risk management program that addresses your company's specific needs. Ideal for corporate directors, senior executives, security risk practitioners, and auditors at many levels, this guide offers both the strategic insight and tactical guidance you're looking for.

You'll learn how to define and establish a sustainable, defendable, cyber risk management program, and the benefits associated with proper implementation. Cyber risk management experts Brian Allen and Brandon Bapst, working with writer Terry Allan Hicks, also provide advice that goes beyond risk management. You'll discover ways to address your company's oversight obligations as defined by international standards, case law, regulation, and board-level guidance.

This book helps you:

Understand the transformational changes digitalization is introducing, and new cyber risks that come with it
Learn the key legal and regulatory drivers that make cyber risk management a mission-critical priority for enterprises
Gain a complete understanding of four components that make up a formal cyber risk management program
Implement or provide guidance for a cyber risk management program within your enterprise

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781098147785Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills