CHAPTER 6
Cybersecurity: A Concern of the Business, Not Just IT
Knowledge will forever govern ignorance; and a people who mean to be their own governors must arm themselves with the power which knowledge gives.
– James Madison
Opportunity
In Part I, we gave you tools to bolster your foundational knowledge of how businesses operate and make decisions. We wrapped up Part I by providing you with different business case methods and templates you can use to put your foundational knowledge together and formulate business cases to secure funding for components of your cybersecurity program. In Part II, we will build upon Part I and introduce additional tools that transform common topics regarding cyber risk into enterprise risk dialogue.
Let's just come out and say it, and you already know it: organizations must treat cybersecurity as an enterprise risk rather than relegating it to an IT issue that “those tech guys” will handle. Following high-profile cybersecurity incidents such as those affecting Home Depot, Target, and Equifax, the Securities and Exchange Commission (SEC) established a cyber unit within its Enforcement Division. In the last few years, the SEC has also published numerous documents offering guidance to board directors. This newer guidance covers disclosure obligations relating to cybersecurity risks and cyber incidents, as well as the Cybersecurity and Resiliency Observations issued by the SEC's Office of Compliance Inspections and Examinations (OCIE).
More recently, domestic ...
Excerpt from The CISO Evolution, available on the O’Reilly learning platform.