Chapter 9 Treating Cyber Risks Using Process Capabilities

ISACA Todd Fitzgerald, CISO and ISACA, USA

Tom stared at the center of the diagram he had penciled (see Figure 1.1). His chief risk officer, Nathan, looked across to their chief of information security, Maria, and invited her to explain the word process at the center. Maria obliged, “Process is located at the center of our business model for information security. We understand that cyber risk is an enterprise-wide risk requiring organization-wide solutions. I’ll define these processes for you to clarify how they collectively add clear value to our organization. Interrelationships between process and the people, technology, and other enterprise functions determine the effectiveness and efficiency of our cyber risk management system.”

Cybersecurity Processes Are the Glue That Binds

Maintaining effective cybersecurity processes is too critical to an organization to leave to chance, yet many organizations continue to rely on undocumented processes, tribal knowledge, and paying security professionals to manage routine operational security controls. Cybersecurity processes form the critical piece between those performing the security function and the technology.

Undocumented Processes Result in Tribal Knowledge Dependency

Processes are developed within an organization to include practices and activities to meet objectives through the creation of multiple outputs. Some organizations operate with processes that are either ...

Get The Cyber Risk Handbook now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.