Chapter 6. Effective Cyber Risk Management Requires Broad Collaboration

SUZANNE HARTIN AND MARIA S. THOMPSON

Why does cyber risk management deserve a chapter in this book? Isn't that what we've been doing all along? Managing our cyber risk? Well, yes and no.

Given the world we've lived in, our focus has been on the right things—patching, managing incidents, ensuring we have the right firewall rules, securing our data in the cloud, and so on. But in today's world, with the CISO required to be a strategist and business promoter, considerations and requirements have grown much more expansive and include questions like:

  • Are we managing our cyber risk to fall within our company's cyber risk appetite?
  • Are we sufficiently considering other risks interwoven with cybersecurity?
  • How do changes in the external environment, such as the plethora of new privacy regulations, impact our security programs?
  • Are we even sure we're considering all the risks we should?

Answering these questions accurately is vital since the success of the cybersecurity program is critical to achieving corporate objectives.

Understanding Your Organization's Risk Appetite

First, let's look at identifying the level of risk your organization is willing to take, its risk appetite. The ISO 31000 risk management standard defines risk appetite as “the amount and type of risk that an organization is prepared to pursue, retain, or take.”

We all have a personal risk appetite even though we may not explicitly acknowledge it. ...

Get Fight Fire with Fire now with the O’Reilly learning platform.