Building a Cyber Risk Management Program

Author: Brian Allen
Publisher: O'Reilly Media
Year: 2023
Language: English
Pages: 220


✦ Synopsis


Cyber risk management is one of the most urgent issues facing enterprises today. This book presents a detailed framework for designing, developing, and implementing a cyber risk management program that addresses your company's specific needs. Ideal for corporate directors, senior executives, security risk practitioners, and auditors at many levels, this guide offers both the strategic insight and tactical guidance you're looking for.

You'll learn how to define and establish a sustainable, defendable cyber risk management program, and the benefits associated with proper implementation. Cyber risk management experts Brian Allen and Brandon Bapst, working with writer Terry Allan Hicks, also provide advice that goes beyond risk management. You'll discover ways to address your company's oversight obligations as defined by international standards, case law, regulation, and board-level guidance.

This book helps you:

  • Understand the transformational changes...

✦ Table of Contents


    Preface
    Brian’s Story
    Brandon’s Story
    Bringing It Together
    Who Should Read This Book
    Final Thoughts
    Conventions Used in This Book
    O’Reilly Online Learning
    How to Contact Us
    Acknowledgments
    1. Cybersecurity in the Age of Digital Transformation
    The Fourth Industrial Revolution
    Cybersecurity Is Fundamentally a Risk Practice
    Cyber Risk Management Oversight and Accountability
    Digital Transformation and Maturing the Cyber Risk Management Program
    Cybersecurity Isn’t Just a “Security” Concern
    Cyber Risk Management Program: An Urgent Enterprise Concern
    This Book’s Roadmap
    The Bottom Line
    2. The Cyber Risk Management Program
    The SEC Speaks—and the World Listens
    Incident Disclosure (“Current Disclosures”)
    Risk Management, Strategy, and Governance Disclosures (“Periodic Disclosures”)
    The Cyber Risk Management Program Framework
    Cyber Risk Management Program: Key Drivers
    Satisfying Obligations and Liability
    When Risk Management Fails Completely: The Boeing 737 MAX Disasters
    Risk Management Program Applied to the Boeing Disasters
    “Essential and Mission Critical”: The Boeing Case
    Benefits of a Security Risk Program
    Benefit 1: Strategic Recognition of the Security Risk Function
    Benefit 2: Ensuring the Cyber Risk Function Has an Effective Budget
    Benefit 3: Protections for Risk Decision Makers
    CRMP: Systematic but Not Zero-Risk
    Board Accountability and Legal Liability
    The Boeing Ruling and Cyber Risk Oversight Accountability
    CISOs in the Line of Fire for Liability
    The Bottom Line
    3. Agile Governance
    The Uber Hack Cover-Up
    What Does Good Governance Look Like?
    Aligning with the Enterprise Governance Strategy
    Seven Principles of Agile Governance
    Principle 1: Establish Policies and Processes
    Principle 2: Establish Governance and Roles and Responsibilities Across the “Three Lines Model”
    Principle 3: Align Governance Practices with Existing Risk Frameworks
    Principle 4: Board of Directors and Senior Executives Define Scope
    Principle 5: Board of Directors and Senior Executives Provide Oversight
    Principle 6: Audit Governance Processes
    Principle 7: Align Resources to the Defined Roles and Responsibilities
    The Bottom Line
    4. Risk-Informed System
    Why Risk Information Matters—at the Highest Levels
    Risk and Risk Information Defined
    Five Principles of a Risk-Informed System
    Principle 1: Define a Risk Assessment Framework and Methodology
    Principle 2: Establish a Methodology for Risk Thresholds
    Principle 3: Establish Understanding of Risk-Informed Needs
    Principle 4: Agree on a Risk Assessment Interval
    Principle 5: Enable Reporting Processes
    The Bottom Line
    5. Risk-Based Strategy and Execution
    ChatGPT Shakes the Business World
    AI Risks: Two Tech Giants Choose Two Paths
    Wall Street: Move Fast—or Be Replaced
    The Digital Game Changers Just Keep Coming
    Defining Risk-Based Strategy and Execution
    Six Principles of Risk-Based Strategy and Execution
    Principle 1: Define Acceptable Risk Thresholds
    Principle 2: Align Strategy and Budget with Approved Risk Thresholds
    Principle 3: Execute to Meet Approved Risk Thresholds
    Principle 4: Monitor on an Ongoing Basis
    Principle 5: Audit Against Risk Thresholds
    Principle 6: Include Third Parties in Risk Treatment Plan
    The Bottom Line
    6. Risk Escalation and Disclosure
    The SEC and Risk Disclosure
    Regulatory Bodies Worldwide Require Risk Disclosure
    Risk Escalation
    Cyber Risk Classification
    Escalation and Disclosure: Not Just Security Incidents
    Disclosure: A Mandatory Concern for Enterprises
    The Equifax Scandal
    SEC Materiality Considerations
    Cyber Risk Management Program and ERM Alignment
    Five Principles of Risk Escalation and Disclosure
    Principle 1: Establish Escalation Processes
    Principle 2: Establish Disclosure Processes—All Enterprises
    Principle 3: Establish Disclosure Processes—Public Companies
    Material incident reporting
    Risk management and strategy
    Governance
    Principle 4: Test Escalation and Disclosure Processes
    Principle 5: Audit Escalation and Disclosure Processes
    The Bottom Line
    7. Implementing the Cyber Risk Management Program
    The Cyber Risk Management Journey
    Beginning the Cyber Risk Management Journey
    Implementing the Cyber Risk Management Program
    Agile Governance
    Common challenges with Agile governance
    Establish a starting point
    Gain senior-level commitment
    Obtain necessary budget and other resource limitations
    Adapt to the specific enterprise’s environment
    Risk-Informed System
    Common challenges with a risk-informed system
    Dealing with too much data—or the wrong kind of data
    Communicating information in terms specific stakeholders will understand and accept
    Getting the right information to the right people at the right time
    Additional considerations
    Maturity modeling
    Metric reporting
    Risk assessments (qualitative and quantitative)
    Risk-Based Strategy and Execution
    Common challenges with risk-based strategy and execution
    Inadequate budget and other resources
    Compliance-driven strategy
    Risk Escalation and Disclosure
    Common challenges with risk escalation and disclosure
    A view of escalation that’s largely limited to reacting to an incident
    The failure to identify and focus on enterprise-specific obligations
    Generic, isolated, or excessively broad materiality considerations
    Selling the Program
    The Bottom Line
    8. The CRMP Applied to Operational Risk and Resilience
    Enterprise Functions That Interact with and Contribute to Operational Resilience
    A Malware Attack Shuts Down Maersk’s Systems Worldwide
    Guiding Operational Resilience Using the Four Core Cyber Risk Management Program Components
    Agile Governance
    Risk-Informed System
    Risk-Based Strategy and Execution
    Risk Escalation and Disclosure
    The Bottom Line
    9. AI and Beyond—the Future of Risk Management in a Digitalized World
    AI Defined
    AI: A Whole New World of Risk
    Adversarial Machine Learning: NIST Taxonomy and Terminology
    Risk Management Frameworks with AI Implications
    NIST AI Risk Management Framework
    Model risk management (MRM) and the Federal Reserve Board’s guidance
    Key AI Implementation Concepts and Frameworks
    Fairness and the risk of bias
    Soundness
    Robustness
    Explainability
    Beyond AI: The Digital Frontier Never Stops Moving
    The Bottom Line
    A. The Cyber Risk Management Program Framework v1.0
    Purpose and Context
    Structure of the Cyber Risk Management Program Framework
    Note: Framework Disclosure
    Index

