book

Building a Cyber Risk Management Program

by Brian Allen, Brandon Bapst, Terry Allan Hicks

December 2023

Intermediate to advanced

220 pages

7h 17m

English

O'Reilly Media, Inc.

Audiobook available

Read now

Unlock full access

Brian’s StoryBrandon’s StoryBringing It TogetherWho Should Read This BookFinal ThoughtsConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgments
The Fourth Industrial RevolutionCybersecurity Is Fundamentally a Risk PracticeCyber Risk Management Oversight and AccountabilityDigital Transformation and Maturing the Cyber Risk Management ProgramCybersecurity Isn’t Just a “Security” ConcernCyber Risk Management Program: An Urgent Enterprise ConcernThis Book’s RoadmapThe Bottom Line
The SEC Speaks—and the World ListensIncident Disclosure (“Current Disclosures”)Risk Management, Strategy, and Governance Disclosures (“Periodic Disclosures”)The Cyber Risk Management Program FrameworkCyber Risk Management Program: Key DriversSatisfying Obligations and LiabilityWhen Risk Management Fails Completely: The Boeing 737 MAX DisastersRisk Management Program Applied to the Boeing Disasters“Essential and Mission Critical”: The Boeing CaseBenefits of a Security Risk ProgramBenefit 1: Strategic Recognition of the Security Risk FunctionBenefit 2: Ensuring the Cyber Risk Function Has an Effective BudgetBenefit 3: Protections for Risk Decision MakersCRMP: Systematic but Not Zero-RiskBoard Accountability and Legal LiabilityThe Boeing Ruling and Cyber Risk Oversight AccountabilityCISOs in the Line of Fire for LiabilityThe Bottom Line
The Uber Hack Cover-UpWhat Does Good Governance Look Like?Aligning with the Enterprise Governance StrategySeven Principles of Agile GovernancePrinciple 1: Establish Policies and ProcessesPrinciple 2: Establish Governance and Roles and Responsibilities Across the “Three Lines Model”Principle 3: Align Governance Practices with Existing Risk FrameworksPrinciple 4: Board of Directors and Senior Executives Define ScopePrinciple 5: Board of Directors and Senior Executives Provide OversightPrinciple 6: Audit Governance ProcessesPrinciple 7: Align Resources to the Defined Roles and ResponsibilitiesThe Bottom Line
Why Risk Information Matters—at the Highest LevelsRisk and Risk Information DefinedFive Principles of a Risk-Informed SystemPrinciple 1: Define a Risk Assessment Framework and MethodologyPrinciple 2: Establish a Methodology for Risk ThresholdsPrinciple 3: Establish Understanding of Risk-Informed NeedsPrinciple 4: Agree on a Risk Assessment IntervalPrinciple 5: Enable Reporting ProcessesThe Bottom Line
ChatGPT Shakes the Business WorldAI Risks: Two Tech Giants Choose Two PathsWall Street: Move Fast—or Be ReplacedThe Digital Game Changers Just Keep ComingDefining Risk-Based Strategy and ExecutionSix Principles of Risk-Based Strategy and ExecutionPrinciple 1: Define Acceptable Risk ThresholdsPrinciple 2: Align Strategy and Budget with Approved Risk ThresholdsPrinciple 3: Execute to Meet Approved Risk ThresholdsPrinciple 4: Monitor on an Ongoing BasisPrinciple 5: Audit Against Risk ThresholdsPrinciple 6: Include Third Parties in Risk Treatment PlanThe Bottom Line
The SEC and Risk DisclosureRegulatory Bodies Worldwide Require Risk DisclosureRisk EscalationCyber Risk ClassificationEscalation and Disclosure: Not Just Security IncidentsDisclosure: A Mandatory Concern for EnterprisesThe Equifax ScandalSEC Materiality ConsiderationsCyber Risk Management Program and ERM AlignmentFive Principles of Risk Escalation and DisclosurePrinciple 1: Establish Escalation ProcessesPrinciple 2: Establish Disclosure Processes—All EnterprisesPrinciple 3: Establish Disclosure Processes—Public CompaniesPrinciple 4: Test Escalation and Disclosure ProcessesPrinciple 5: Audit Escalation and Disclosure ProcessesThe Bottom Line
The Cyber Risk Management JourneyBeginning the Cyber Risk Management JourneyImplementing the Cyber Risk Management ProgramAgile GovernanceRisk-Informed SystemRisk-Based Strategy and ExecutionRisk Escalation and DisclosureSelling the ProgramThe Bottom Line
Enterprise Functions That Interact with and Contribute to Operational ResilienceA Malware Attack Shuts Down Maersk’s Systems WorldwideGuiding Operational Resilience Using the Four Core Cyber Risk Management Program ComponentsAgile GovernanceRisk-Informed SystemRisk-Based Strategy and ExecutionRisk Escalation and DisclosureThe Bottom Line
AI DefinedAI: A Whole New World of RiskAdversarial Machine Learning: NIST Taxonomy and TerminologyRisk Management Frameworks with AI ImplicationsKey AI Implementation Concepts and FrameworksBeyond AI: The Digital Frontier Never Stops MovingThe Bottom Line

Purpose and ContextStructure of the Cyber Risk Management Program FrameworkNote: Framework Disclosure

Content preview from Building a Cyber Risk Management Program

Chapter 6. Risk Escalation and Disclosure

In the preceding chapters, we’ve been laying out the foundational building blocks of a cyber risk management program (CRMP) with the capabilities needed to protect the enterprise and its stakeholders against the broad array of known and unknown risks that digitalization introduces. We established the necessity of Agile governance, with the right people making and being held accountable for risk decisions. We showed the importance of having a risk-informed system in place to ensure that appropriate, actionable risk information is delivered to the appropriate parties, including risk owners and the governance body. And we laid out the basis for risk strategy and execution: the process of making risk decisions and acting on them. Now it’s time to look at the last core component of a CRMP—risk escalation and disclosure—and the reasons it’s so critical to the program’s success.

Risk escalation and disclosure—ensuring that the right people and entities are informed of risk issues at the right time and in the right way—can help to prevent a problem from becoming a disaster, and can retain or restore the trust of the public and regulators.

The need for cyber risk escalation and disclosure is driven by the reality that an enterprise’s risk environment will inevitably be especially rapid and unpredictable. Those changes, if not addressed formally and proactively, can cause serious, sometimes even irreparable, harm to the enterprise and its most ...