book

Building a Cyber Risk Management Program

by Brian Allen, Brandon Bapst, Terry Allan Hicks

December 2023

Intermediate to advanced

220 pages

7h 17m

English

O'Reilly Media, Inc.

Audiobook available

Read now

Unlock full access

Brian’s StoryBrandon’s StoryBringing It TogetherWho Should Read This BookFinal ThoughtsConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgments
The Fourth Industrial RevolutionCybersecurity Is Fundamentally a Risk PracticeCyber Risk Management Oversight and AccountabilityDigital Transformation and Maturing the Cyber Risk Management ProgramCybersecurity Isn’t Just a “Security” ConcernCyber Risk Management Program: An Urgent Enterprise ConcernThis Book’s RoadmapThe Bottom Line
The SEC Speaks—and the World ListensIncident Disclosure (“Current Disclosures”)Risk Management, Strategy, and Governance Disclosures (“Periodic Disclosures”)The Cyber Risk Management Program FrameworkCyber Risk Management Program: Key DriversSatisfying Obligations and LiabilityWhen Risk Management Fails Completely: The Boeing 737 MAX DisastersRisk Management Program Applied to the Boeing Disasters“Essential and Mission Critical”: The Boeing CaseBenefits of a Security Risk ProgramBenefit 1: Strategic Recognition of the Security Risk FunctionBenefit 2: Ensuring the Cyber Risk Function Has an Effective BudgetBenefit 3: Protections for Risk Decision MakersCRMP: Systematic but Not Zero-RiskBoard Accountability and Legal LiabilityThe Boeing Ruling and Cyber Risk Oversight AccountabilityCISOs in the Line of Fire for LiabilityThe Bottom Line
The Uber Hack Cover-UpWhat Does Good Governance Look Like?Aligning with the Enterprise Governance StrategySeven Principles of Agile GovernancePrinciple 1: Establish Policies and ProcessesPrinciple 2: Establish Governance and Roles and Responsibilities Across the “Three Lines Model”Principle 3: Align Governance Practices with Existing Risk FrameworksPrinciple 4: Board of Directors and Senior Executives Define ScopePrinciple 5: Board of Directors and Senior Executives Provide OversightPrinciple 6: Audit Governance ProcessesPrinciple 7: Align Resources to the Defined Roles and ResponsibilitiesThe Bottom Line
Why Risk Information Matters—at the Highest LevelsRisk and Risk Information DefinedFive Principles of a Risk-Informed SystemPrinciple 1: Define a Risk Assessment Framework and MethodologyPrinciple 2: Establish a Methodology for Risk ThresholdsPrinciple 3: Establish Understanding of Risk-Informed NeedsPrinciple 4: Agree on a Risk Assessment IntervalPrinciple 5: Enable Reporting ProcessesThe Bottom Line
ChatGPT Shakes the Business WorldAI Risks: Two Tech Giants Choose Two PathsWall Street: Move Fast—or Be ReplacedThe Digital Game Changers Just Keep ComingDefining Risk-Based Strategy and ExecutionSix Principles of Risk-Based Strategy and ExecutionPrinciple 1: Define Acceptable Risk ThresholdsPrinciple 2: Align Strategy and Budget with Approved Risk ThresholdsPrinciple 3: Execute to Meet Approved Risk ThresholdsPrinciple 4: Monitor on an Ongoing BasisPrinciple 5: Audit Against Risk ThresholdsPrinciple 6: Include Third Parties in Risk Treatment PlanThe Bottom Line
The SEC and Risk DisclosureRegulatory Bodies Worldwide Require Risk DisclosureRisk EscalationCyber Risk ClassificationEscalation and Disclosure: Not Just Security IncidentsDisclosure: A Mandatory Concern for EnterprisesThe Equifax ScandalSEC Materiality ConsiderationsCyber Risk Management Program and ERM AlignmentFive Principles of Risk Escalation and DisclosurePrinciple 1: Establish Escalation ProcessesPrinciple 2: Establish Disclosure Processes—All EnterprisesPrinciple 3: Establish Disclosure Processes—Public CompaniesPrinciple 4: Test Escalation and Disclosure ProcessesPrinciple 5: Audit Escalation and Disclosure ProcessesThe Bottom Line
The Cyber Risk Management JourneyBeginning the Cyber Risk Management JourneyImplementing the Cyber Risk Management ProgramAgile GovernanceRisk-Informed SystemRisk-Based Strategy and ExecutionRisk Escalation and DisclosureSelling the ProgramThe Bottom Line
Enterprise Functions That Interact with and Contribute to Operational ResilienceA Malware Attack Shuts Down Maersk’s Systems WorldwideGuiding Operational Resilience Using the Four Core Cyber Risk Management Program ComponentsAgile GovernanceRisk-Informed SystemRisk-Based Strategy and ExecutionRisk Escalation and DisclosureThe Bottom Line
AI DefinedAI: A Whole New World of RiskAdversarial Machine Learning: NIST Taxonomy and TerminologyRisk Management Frameworks with AI ImplicationsKey AI Implementation Concepts and FrameworksBeyond AI: The Digital Frontier Never Stops MovingThe Bottom Line

Purpose and ContextStructure of the Cyber Risk Management Program FrameworkNote: Framework Disclosure

Content preview from Building a Cyber Risk Management Program

Chapter 5. Risk-Based Strategy and Execution

Throughout this book, we’ve stressed the need for a cyber risk management program (CRMP) that brings together risk owners, security professionals, and other stakeholders in a formal, systematic set of processes that replace ad hoc, incident-based approaches. It’s the only way to ensure the enterprise as a whole addresses the challenges of a fast-moving risk environment and helps protect itself from liability. But developing and implementing a program that meets an enterprise’s specific needs is no simple undertaking. It requires a clearly defined strategy and consistent execution against that strategy—and that’s the focus of this chapter. We’ll detail six key principles of risk-based strategy and execution, and lay out the regulatory frameworks and industry protocols influencing them. We’ll identify the roles of key stakeholders—especially the CISO and the rest of the security organization, as well as internal and external auditors—in this highly collaborative process of continuous improvement. And we’ll look at it all through the lens of a spectacular recent example of how radically and how rapidly the enterprise risk environment, and its strategic risk management needs, can change: the sudden public introduction of generative artificial intelligence (AI).

Cyber risk management—the art of balancing risk and reward in a digital world—is more challenging than ever. The stakes are high and getting higher all the time, and both the business ...