š”– Scriptorium
✦   LIBER   ✦

šŸ“

Understand, Manage, and Measure Cyber Risk: Practical Solutions for Creating a Sustainable Cyber Program

Scribed by Ryan Leirvik


Publisher: Apress
Year: 2021
Tongue: English
Leaves: 219
Category: Library


✦ Synopsis


user level

✦ Table of Contents


Table of Contents
About the Author
Acknowledgments
Foreword
Introduction
Part I: The Problem
Chapter 1: What Is the Problem?
Chapter 2: Why Is It Complicated?
Technology Is Everywhere
Technology Is Complex
Technology Was Built on Trust
Technology Is an Opportunity for Misuse
The Fundamental Risk Is Not Always Understood
... and Business Leaders Need to Know What to Do
Lack of a Common Cybersecurity Risk Language
Unclear Answers for Proper Oversight
Oh, and Umm... Distractors
Chapter 3: How to Address This Problem
Understand the Risk
Manage the Risk
Measure the Impact of Risk Management
Choose Risk-Informative Measures
Apply Appropriate Resources
Drive for Value
Be Clear on What to Measure
Avoid Chasing “Perfect” (It’s Not That Valuable)
Part II: The Solution
Chapter 4: Understanding the Problem
Rules to Follow
Be Clear About the Problem (Critical Assets Are at Risk)
Settle on a Definition of Risk
Settle on a Definition of Critical
Inventory and Categorize Critical Assets
Step 1. Acknowledge That Asset Management Is Hard
Step 2. Develop the Business Case
Step 3. Define Your Asset Classes
Step 4. Collect and Inventory in Each New Asset Class
Step 5. Identify the Most Critical Assets
Identify the Risks to These Critical Assets
Step 5a. Perform a Threat Analysis
Step 5b. Discover Vulnerabilities
Step 5c. Anticipate the Business Impact of an Event
Step 5e. Know the Applicable Laws and Regulations
Understanding the Problem: A Recap
Recent Examples
Example 1. Getting Started with a Program
Example 2. From Legacy “Perfection” to “Good Enough”
Example 3. Data Protection Strategy, Please
Example 4. What Risk?
Pitfalls to Avoid
Chapter 5: Manage the Problem
General Observations and Guidelines for Managing the Risk
Observations
Guidelines
Rules to Follow
Focus on One Framework
Structure the Program Approach
Step 1. Set the Structure
Step 2. Align the Risk Mitigating Activities
Step 3. Assign Roles and Responsibilities
Step 4. Identify Gaps and the Appropriate Activities to Fill Them
Step 5. Look Externally (Third-party Risk Management)
Step 5a. Split the Questionnaire into Logical Columns
Step 5b. Build Each Column upon the One Before
Step 5c. Directly Relate the Question to the Risk
Step 6. Pick the Right Tools and Avoid Distraction
Set a Program Review Frequency
Prepare to Respond and Recover
Managing the Problem, a Recap
Recent Examples
Example 1. Addressing Too Many Frameworks
Example 2. Many TPRM Tools
Example 3. From Controls Focus to a Risk Strategy
Example 4. Third-Party Without a Checklist
Pitfalls to Avoid
Chapter 6: Get Ready for Measures
Chapter 7: Measure the Problem
Rules to Follow
Choose Informative Measures That Provide Actionable Values
Step 1. Choose Actionable Measures
Step 2. Define Clear Addressable Activities
Step 3. Provide Actionable Reviews
Research What Others Have Done (Measures That Have Worked)
Metrics That Have Worked
Be Clear About the Math
Straight Math
Less-Than-Straight Math
Gain Buy-In from Stakeholders
Develop a Reporting Structure for Consistency
Allow Measures to Mature Over Time
Recent Examples
Example 1. Simple Measures Anyone?
Example 2. Too Much Data, Not Enough Information
Pitfalls to Avoid
Chapter 8: Report Upward
Rules to Follow
Choose a Consistent Report Structure
Provide Clear and Informative Measures
Use Straightforward Terms
Provide Recommendations for All Problems
Pitfalls to Avoid
Chapter 9: Questions Boards Should Ask
A Tear Sheet for Boards
Chapter 10: Conclusion
First, Understand the Risk
Next, Manage the Risk
Then, Measure the Risk
Go Forth and Prosper
Appendix
Illustration
Step 1. Set the Structure
Step 2. Align the Risk-Mitigating Activities
Step 3. Assign Roles and Responsibilities
Step 4. Identify Gaps (Including Third Parties) and the Appropriate Activities to Fill Them
Step 5. Set the Action Plan
Index


SIMILAR VOLUMES


Understand, Manage, and Measure Cyber Ri
Ryan Leirvik | Library | 2021 | Apress | English

When it comes to managing cybersecurity in an organization, most organizations tussle with basic foundational components. This practitioner’s guide lays down those foundational components, with real client examples and pitfalls to avoid. A plethora of cybersecurity management resources are

Understand, Manage, and Measure Cyber Ri
Ryan Leirvik | Library | 2023 | Apress | English

When it comes to managing cybersecurity in an organization, most organizations tussle with basic foundational components. This practitioner’s guide lays down those foundational components, with real client examples and pitfalls to avoid. A plethora of cybersecurity manage

Understand, Manage, and Measure Cyber Ri
Ryan Leirvik | Library | 2023 | Apress | English

When it comes to managing cybersecurity in an organization, most tussle with basic foundational components. This practitioner’s guide lays down those foundational components, with real client examples and pitfalls to avoid. A plethora of cybersecurity management resources