Building a Cyber Risk Management Program
Evolving Security for the Digital Age
Paperback, English, 2023, 1st edition, ISBN 9781098147792
Summary
Cyber risk management is one of the most urgent issues facing enterprises today. This book presents a detailed framework for designing, developing, and implementing a cyber risk management program that addresses your company's specific needs. Ideal for corporate directors, senior executives, security risk practitioners, and auditors at many levels, this guide offers both the strategic insight and tactical guidance you're looking for.
You'll learn how to define and establish a sustainable, defendable cyber risk management program, and the benefits associated with proper implementation. Cyber risk management experts Brian Allen and Brandon Bapst, working with writer Terry Allan Hicks, also provide advice that goes beyond risk management. You'll discover ways to address your company's oversight obligations as defined by international standards, case law, regulation, and board-level guidance.
This book helps you:
- Understand the transformational changes digitalization is introducing, and new cyber risks that come with it
- Learn the key legal and regulatory drivers that make cyber risk management a mission-critical priority for enterprises
- Gain a complete understanding of four components that make up a formal cyber risk management program
- Implement or provide guidance for a cyber risk management program within your enterprise
Table of Contents
Brian’s Story
Brandon’s Story
Bringing It Together
Who Should Read This Book
Final Thoughts
Conventions Used in This Book
O’Reilly Online Learning
How to Contact Us
Acknowledgments
1. Cybersecurity in the Age of Digital Transformation
The Fourth Industrial Revolution
Cybersecurity Is Fundamentally a Risk Practice
Cyber Risk Management Oversight and Accountability
Digital Transformation and Maturing the Cyber Risk Management Program
Cybersecurity Isn’t Just a “Security” Concern
Cyber Risk Management Program: An Urgent Enterprise Concern
This Book’s Roadmap
The Bottom Line
2. The Cyber Risk Management Program
The SEC Speaks—and the World Listens
Incident Disclosure (“Current Disclosures”)
Risk Management, Strategy, and Governance Disclosures (“Periodic Disclosures”)
The Cyber Risk Management Program Framework
Cyber Risk Management Program: Key Drivers
Satisfying Obligations and Liability
When Risk Management Fails Completely: The Boeing 737 MAX Disasters
Risk Management Program Applied to the Boeing Disasters
“Essential and Mission Critical”: The Boeing Case
Benefits of a Security Risk Program
Benefit 1: Strategic Recognition of the Security Risk Function
Benefit 2: Ensuring the Cyber Risk Function Has an Effective Budget
Benefit 3: Protections for Risk Decision Makers
CRMP: Systematic but Not Zero-Risk
Board Accountability and Legal Liability
The Boeing Ruling and Cyber Risk Oversight Accountability
CISOs in the Line of Fire for Liability
The Bottom Line
3. Agile Governance
The Uber Hack Cover-Up
What Does Good Governance Look Like?
Aligning with the Enterprise Governance Strategy
Seven Principles of Agile Governance
Principle 1: Establish Policies and Processes
Principle 2: Establish Governance and Roles and Responsibilities Across the “Three Lines Model”
Principle 3: Align Governance Practices with Existing Risk Frameworks
Principle 4: Board of Directors and Senior Executives Define Scope
Principle 5: Board of Directors and Senior Executives Provide Oversight
Principle 6: Audit Governance Processes
Principle 7: Align Resources to the Defined Roles and Responsibilities
The Bottom Line
4. Risk-Informed System
Why Risk Information Matters—at the Highest Levels
Risk and Risk Information Defined
Five Principles of a Risk-Informed System
Principle 1: Define a Risk Assessment Framework and Methodology
Principle 2: Establish a Methodology for Risk Thresholds
Principle 3: Establish Understanding of Risk-Informed Needs
Principle 4: Agree on a Risk Assessment Interval
Principle 5: Enable Reporting Processes
The Bottom Line
5. Risk-Based Strategy and Execution
ChatGPT Shakes the Business World
AI Risks: Two Tech Giants Choose Two Paths
Wall Street: Move Fast—or Be Replaced
The Digital Game Changers Just Keep Coming
Defining Risk-Based Strategy and Execution
Six Principles of Risk-Based Strategy and Execution
Principle 1: Define Acceptable Risk Thresholds
Principle 2: Align Strategy and Budget with Approved Risk Thresholds
Principle 3: Execute to Meet Approved Risk Thresholds
Principle 4: Monitor on an Ongoing Basis
Principle 5: Audit Against Risk Thresholds
Principle 6: Include Third Parties in Risk Treatment Plan
The Bottom Line
6. Risk Escalation and Disclosure
The SEC and Risk Disclosure
Regulatory Bodies Worldwide Require Risk Disclosure
Risk Escalation
Cyber Risk Classification
Escalation and Disclosure: Not Just Security Incidents
Disclosure: A Mandatory Concern for Enterprises
The Equifax Scandal
SEC Materiality Considerations
Cyber Risk Management Program and ERM Alignment
Five Principles of Risk Escalation and Disclosure
Principle 1: Establish Escalation Processes
Principle 2: Establish Disclosure Processes—All Enterprises
Principle 3: Establish Disclosure Processes—Public Companies
Principle 4: Test Escalation and Disclosure Processes
Principle 5: Audit Escalation and Disclosure Processes
The Bottom Line
7. Implementing the Cyber Risk Management Program
The Cyber Risk Management Journey
Beginning the Cyber Risk Management Journey
Implementing the Cyber Risk Management Program
Agile Governance
Risk-Informed System
Risk-Based Strategy and Execution
Risk Escalation and Disclosure
Selling the Program
The Bottom Line
8. The CRMP Applied to Operational Risk and Resilience
Enterprise Functions That Interact with and Contribute to Operational Resilience
A Malware Attack Shuts Down Maersk’s Systems Worldwide
Guiding Operational Resilience Using the Four Core Cyber Risk Management Program Components
Agile Governance
Risk-Informed System
Risk-Based Strategy and Execution
Risk Escalation and Disclosure
The Bottom Line
9. AI and Beyond—the Future of Risk Management in a Digitalized World
AI Defined
AI: A Whole New World of Risk
Adversarial Machine Learning: NIST Taxonomy and Terminology
Risk Management Frameworks with AI Implications
Key AI Implementation Concepts and Frameworks
Beyond AI: The Digital Frontier Never Stops Moving
The Bottom Line
Appendix. The Cyber Risk Management Program Framework v1.0
Purpose and Context
Structure of the Cyber Risk Management Program Framework
Note: Framework Disclosure
Index
About the Authors