book

Building a Cyber Risk Management Program

by Brian Allen, Brandon Bapst, Terry Allan Hicks

December 2023

Intermediate to advanced

220 pages

7h 17m

English

O'Reilly Media, Inc.

Audiobook available

Read now

Unlock full access

Brian’s StoryBrandon’s StoryBringing It TogetherWho Should Read This BookFinal ThoughtsConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgments
The Fourth Industrial RevolutionCybersecurity Is Fundamentally a Risk PracticeCyber Risk Management Oversight and AccountabilityDigital Transformation and Maturing the Cyber Risk Management ProgramCybersecurity Isn’t Just a “Security” ConcernCyber Risk Management Program: An Urgent Enterprise ConcernThis Book’s RoadmapThe Bottom Line
The SEC Speaks—and the World ListensIncident Disclosure (“Current Disclosures”)Risk Management, Strategy, and Governance Disclosures (“Periodic Disclosures”)The Cyber Risk Management Program FrameworkCyber Risk Management Program: Key DriversSatisfying Obligations and LiabilityWhen Risk Management Fails Completely: The Boeing 737 MAX DisastersRisk Management Program Applied to the Boeing Disasters“Essential and Mission Critical”: The Boeing CaseBenefits of a Security Risk ProgramBenefit 1: Strategic Recognition of the Security Risk FunctionBenefit 2: Ensuring the Cyber Risk Function Has an Effective BudgetBenefit 3: Protections for Risk Decision MakersCRMP: Systematic but Not Zero-RiskBoard Accountability and Legal LiabilityThe Boeing Ruling and Cyber Risk Oversight AccountabilityCISOs in the Line of Fire for LiabilityThe Bottom Line
The Uber Hack Cover-UpWhat Does Good Governance Look Like?Aligning with the Enterprise Governance StrategySeven Principles of Agile GovernancePrinciple 1: Establish Policies and ProcessesPrinciple 2: Establish Governance and Roles and Responsibilities Across the “Three Lines Model”Principle 3: Align Governance Practices with Existing Risk FrameworksPrinciple 4: Board of Directors and Senior Executives Define ScopePrinciple 5: Board of Directors and Senior Executives Provide OversightPrinciple 6: Audit Governance ProcessesPrinciple 7: Align Resources to the Defined Roles and ResponsibilitiesThe Bottom Line
Why Risk Information Matters—at the Highest LevelsRisk and Risk Information DefinedFive Principles of a Risk-Informed SystemPrinciple 1: Define a Risk Assessment Framework and MethodologyPrinciple 2: Establish a Methodology for Risk ThresholdsPrinciple 3: Establish Understanding of Risk-Informed NeedsPrinciple 4: Agree on a Risk Assessment IntervalPrinciple 5: Enable Reporting ProcessesThe Bottom Line
ChatGPT Shakes the Business WorldAI Risks: Two Tech Giants Choose Two PathsWall Street: Move Fast—or Be ReplacedThe Digital Game Changers Just Keep ComingDefining Risk-Based Strategy and ExecutionSix Principles of Risk-Based Strategy and ExecutionPrinciple 1: Define Acceptable Risk ThresholdsPrinciple 2: Align Strategy and Budget with Approved Risk ThresholdsPrinciple 3: Execute to Meet Approved Risk ThresholdsPrinciple 4: Monitor on an Ongoing BasisPrinciple 5: Audit Against Risk ThresholdsPrinciple 6: Include Third Parties in Risk Treatment PlanThe Bottom Line
The SEC and Risk DisclosureRegulatory Bodies Worldwide Require Risk DisclosureRisk EscalationCyber Risk ClassificationEscalation and Disclosure: Not Just Security IncidentsDisclosure: A Mandatory Concern for EnterprisesThe Equifax ScandalSEC Materiality ConsiderationsCyber Risk Management Program and ERM AlignmentFive Principles of Risk Escalation and DisclosurePrinciple 1: Establish Escalation ProcessesPrinciple 2: Establish Disclosure Processes—All EnterprisesPrinciple 3: Establish Disclosure Processes—Public CompaniesPrinciple 4: Test Escalation and Disclosure ProcessesPrinciple 5: Audit Escalation and Disclosure ProcessesThe Bottom Line
The Cyber Risk Management JourneyBeginning the Cyber Risk Management JourneyImplementing the Cyber Risk Management ProgramAgile GovernanceRisk-Informed SystemRisk-Based Strategy and ExecutionRisk Escalation and DisclosureSelling the ProgramThe Bottom Line
Enterprise Functions That Interact with and Contribute to Operational ResilienceA Malware Attack Shuts Down Maersk’s Systems WorldwideGuiding Operational Resilience Using the Four Core Cyber Risk Management Program ComponentsAgile GovernanceRisk-Informed SystemRisk-Based Strategy and ExecutionRisk Escalation and DisclosureThe Bottom Line
AI DefinedAI: A Whole New World of RiskAdversarial Machine Learning: NIST Taxonomy and TerminologyRisk Management Frameworks with AI ImplicationsKey AI Implementation Concepts and FrameworksBeyond AI: The Digital Frontier Never Stops MovingThe Bottom Line

Purpose and ContextStructure of the Cyber Risk Management Program FrameworkNote: Framework Disclosure

Content preview from Building a Cyber Risk Management Program

Chapter 3. Agile Governance

In the preceding chapter, we discussed the urgent and growing need for a comprehensive, enterprise-wide cyber risk management program (CRMP), focusing on the social, political, economic, and cultural changes that are driving this need. And we outlined the four core components of a program. Now we’re going to go into detail about the first of those components—Agile governance—and the key principles we defined as a part of the CRMP framework aligned with authoritative guidance. But first, let’s take a look at some real-world examples of what can happen when adequate risk governance practices, including cyber risk governance practices, are not in place. (For more information on the comprehensive framework itself, see the Appendix. For more information on specific Agile governance implementation considerations, see Chapter 7.)

A worldwide ride-sharing service tries to cover up an enormous data breach by paying off the hackers responsible. The company then repeatedly lies about it, gets caught, and ends up paying nearly $150 million in fines and other penalties, while its CSO faces federal criminal charges. A social networking service descends into chaos when its new management abruptly changes its moderation policies and its advertisers leave the platform en masse because their brands are repeatedly compromised by fake accounts.

These two ultrahigh-profile enterprises—Uber and Twitter—are very different. A fast-growing ride-sharing service is working in ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 9781098147785Errata Page

Building a Cyber Risk Management Program

by Brian Allen, Brandon Bapst, Terry Allan Hicks

Chapter 3. Agile Governance

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Cybersecurity Risk Management

IT Security Risk Control Management: An Audit Preparation Plan

The Cybersecurity Guide to Governance, Risk, and Compliance

NIST Cybersecurity and Risk Management Frameworks

Publisher Resources

Chapter 3. Agile Governance

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Cybersecurity Risk Management

IT Security Risk Control Management: An Audit Preparation Plan

The Cybersecurity Guide to Governance, Risk, and Compliance

NIST Cybersecurity and Risk Management Frameworks

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.