book

Building a Cyber Risk Management Program

by Brian Allen, Brandon Bapst, Terry Allan Hicks

December 2023

Intermediate to advanced

220 pages

7h 17m

English

O'Reilly Media, Inc.

Audiobook available

Read now

Unlock full access

Brian’s StoryBrandon’s StoryBringing It TogetherWho Should Read This BookFinal ThoughtsConventions Used in This BookO’Reilly Online LearningHow to Contact UsAcknowledgments
The Fourth Industrial RevolutionCybersecurity Is Fundamentally a Risk PracticeCyber Risk Management Oversight and AccountabilityDigital Transformation and Maturing the Cyber Risk Management ProgramCybersecurity Isn’t Just a “Security” ConcernCyber Risk Management Program: An Urgent Enterprise ConcernThis Book’s RoadmapThe Bottom Line
The SEC Speaks—and the World ListensIncident Disclosure (“Current Disclosures”)Risk Management, Strategy, and Governance Disclosures (“Periodic Disclosures”)The Cyber Risk Management Program FrameworkCyber Risk Management Program: Key DriversSatisfying Obligations and LiabilityWhen Risk Management Fails Completely: The Boeing 737 MAX DisastersRisk Management Program Applied to the Boeing Disasters“Essential and Mission Critical”: The Boeing CaseBenefits of a Security Risk ProgramBenefit 1: Strategic Recognition of the Security Risk FunctionBenefit 2: Ensuring the Cyber Risk Function Has an Effective BudgetBenefit 3: Protections for Risk Decision MakersCRMP: Systematic but Not Zero-RiskBoard Accountability and Legal LiabilityThe Boeing Ruling and Cyber Risk Oversight AccountabilityCISOs in the Line of Fire for LiabilityThe Bottom Line
The Uber Hack Cover-UpWhat Does Good Governance Look Like?Aligning with the Enterprise Governance StrategySeven Principles of Agile GovernancePrinciple 1: Establish Policies and ProcessesPrinciple 2: Establish Governance and Roles and Responsibilities Across the “Three Lines Model”Principle 3: Align Governance Practices with Existing Risk FrameworksPrinciple 4: Board of Directors and Senior Executives Define ScopePrinciple 5: Board of Directors and Senior Executives Provide OversightPrinciple 6: Audit Governance ProcessesPrinciple 7: Align Resources to the Defined Roles and ResponsibilitiesThe Bottom Line
Why Risk Information Matters—at the Highest LevelsRisk and Risk Information DefinedFive Principles of a Risk-Informed SystemPrinciple 1: Define a Risk Assessment Framework and MethodologyPrinciple 2: Establish a Methodology for Risk ThresholdsPrinciple 3: Establish Understanding of Risk-Informed NeedsPrinciple 4: Agree on a Risk Assessment IntervalPrinciple 5: Enable Reporting ProcessesThe Bottom Line
ChatGPT Shakes the Business WorldAI Risks: Two Tech Giants Choose Two PathsWall Street: Move Fast—or Be ReplacedThe Digital Game Changers Just Keep ComingDefining Risk-Based Strategy and ExecutionSix Principles of Risk-Based Strategy and ExecutionPrinciple 1: Define Acceptable Risk ThresholdsPrinciple 2: Align Strategy and Budget with Approved Risk ThresholdsPrinciple 3: Execute to Meet Approved Risk ThresholdsPrinciple 4: Monitor on an Ongoing BasisPrinciple 5: Audit Against Risk ThresholdsPrinciple 6: Include Third Parties in Risk Treatment PlanThe Bottom Line
The SEC and Risk DisclosureRegulatory Bodies Worldwide Require Risk DisclosureRisk EscalationCyber Risk ClassificationEscalation and Disclosure: Not Just Security IncidentsDisclosure: A Mandatory Concern for EnterprisesThe Equifax ScandalSEC Materiality ConsiderationsCyber Risk Management Program and ERM AlignmentFive Principles of Risk Escalation and DisclosurePrinciple 1: Establish Escalation ProcessesPrinciple 2: Establish Disclosure Processes—All EnterprisesPrinciple 3: Establish Disclosure Processes—Public CompaniesPrinciple 4: Test Escalation and Disclosure ProcessesPrinciple 5: Audit Escalation and Disclosure ProcessesThe Bottom Line
The Cyber Risk Management JourneyBeginning the Cyber Risk Management JourneyImplementing the Cyber Risk Management ProgramAgile GovernanceRisk-Informed SystemRisk-Based Strategy and ExecutionRisk Escalation and DisclosureSelling the ProgramThe Bottom Line
Enterprise Functions That Interact with and Contribute to Operational ResilienceA Malware Attack Shuts Down Maersk’s Systems WorldwideGuiding Operational Resilience Using the Four Core Cyber Risk Management Program ComponentsAgile GovernanceRisk-Informed SystemRisk-Based Strategy and ExecutionRisk Escalation and DisclosureThe Bottom Line
AI DefinedAI: A Whole New World of RiskAdversarial Machine Learning: NIST Taxonomy and TerminologyRisk Management Frameworks with AI ImplicationsKey AI Implementation Concepts and FrameworksBeyond AI: The Digital Frontier Never Stops MovingThe Bottom Line

Purpose and ContextStructure of the Cyber Risk Management Program FrameworkNote: Framework Disclosure

Content preview from Building a Cyber Risk Management Program

Chapter 8. The CRMP Applied to Operational Risk and Resilience

Throughout this book, we’ve stressed the fundamental changes—social, political, economic, cultural, and of course technological—that are reshaping the enterprise risk environment in fundamental ways. We’ve shown examples of the highly damaging, even catastrophic, impacts enterprises face when they fail to manage these emerging and accelerating risks in a formal, programmatic way. And we’ve detailed some of the many ways effective risk management, and especially cyber risk management, can help enterprises survive and thrive in this new and highly volatile environment, by balancing risk against reward in ways that drive better decision making.

In this chapter, we’re going to detail the mission-critical role of a cyber risk management program (CRMP) in operational resilience, and how it coordinates with other operational risk functions to focus on broader operational resilience efforts. Cyber risk management, like every other operational risk management function, has one ultimate objective: achieving operational resilience that balances risk and reward. Cyber risks are unquestionably critical, but they’re only one aspect of the risk environment that enterprises need to consider. Senior enterprise decision makers aren’t simply thinking about malware and identity theft and data breaches. They’re asking far broader questions, which essentially come down to “How resilient are we in the face of an ever-changing risk environment?” ...