Building a Cyber Risk Management Program
Evolving Security for the Digital Age
Brian Allen & Brandon Bapst with Terry Allan Hicks
SECURITY

“As a cyber practitioner who built and evolved the cyber risk program at the world’s largest fintech, I believe this book’s program framework and insights will benefit cyber risk leaders working in any industry, company, or program.”
—Greg Montana, Independent Board Member and former CRO, FIS Global

Building a Cyber Risk Management Program

Cyber risk management is one of the most urgent issues facing enterprises today. This book presents a detailed framework for designing, developing, and implementing a cyber risk management program that addresses your company’s specific needs. Ideal for corporate directors, senior executives, security risk practitioners, and auditors at many levels, this guide offers both the strategic insight and tactical guidance you’re looking for. You’ll learn how to define and establish a sustainable, defendable cyber risk management program and understand the benefits associated with proper implementation.

Cyber risk management experts Brian Allen and Brandon Bapst, working with writer Terry Allan Hicks, also provide advice that goes beyond risk management. You’ll discover ways to address your company’s oversight obligations as defined by international standards, case law, regulation, and board-level guidance.

This book helps you:
• Understand the transformational changes digitalization is introducing and the cyber risks that come with it
• Learn the key legal and regulatory drivers that make cyber risk management a mission-critical priority for enterprises
• Gain a complete understanding of the four components that make up a formal cyber risk management program
• Implement or provide guidance for a cyber risk management program within your enterprise

Brian Allen, senior VP of cybersecurity and technology risk management at the Bank Policy Institute, works with bank executives and advocates for the industry in front of regulators, legislators, law enforcement agencies, and intelligence communities.

Brandon Bapst is a consultant and risk adviser for EY’s cybersecurity practice. He works closely with executives, CSOs, and CISOs to develop strategic cyber risk programs.

Terry Allan Hicks has more than 30 years of experience as a business and technology writer, including 20-plus years with Gartner, focusing on financial services, information security, and regulatory compliance and corporate governance.

US $59.99 CAN $74.99
ISBN: 978-1-098-14779-2
Building a Cyber Risk Management Program
by Brian Allen, Brandon Bapst, and Terry Allan Hicks

Copyright © 2024 Security Risk Governance Group LLC, Brandon Bapst, and Terry Allan Hicks. All rights reserved.

Printed in the United States of America.

Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

Acquisitions Editor: Simina Calin
Development Editor: Sara Hunter
Production Editor: Katherine Tozer
Copyeditor: nSight, Inc.
Proofreader: Dwight Ramsey
Indexer: BIM Creatives, LLC
Interior Designer: David Futato
Cover Designer: Karen Montgomery
Illustrator: Kate Dullea

December 2023: First Release

Revision History for the First Release
2023-12-04: First Release

See http://oreilly.com/catalog/errata.csp?isbn=9781098147792 for release details.

The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Building a Cyber Risk Management Program, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.

The views expressed in this work are those of the author and do not represent the publisher’s views. While the publisher and the author have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the author disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk.

If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

ISBN: 978-1-098-14779-2
Table of Contents

Preface  vii

1. Cybersecurity in the Age of Digital Transformation  1
   The Fourth Industrial Revolution  3
   Cybersecurity Is Fundamentally a Risk Practice  6
   Cyber Risk Management Oversight and Accountability  8
   Digital Transformation and Maturing the Cyber Risk Management Program  9
   Cybersecurity Isn’t Just a “Security” Concern  9
   Cyber Risk Management Program: An Urgent Enterprise Concern  12
   This Book’s Roadmap  13
   The Bottom Line  13

2. The Cyber Risk Management Program  15
   The SEC Speaks—and the World Listens  15
   Incident Disclosure (“Current Disclosures”)  16
   Risk Management, Strategy, and Governance Disclosures (“Periodic Disclosures”)  17
   The Cyber Risk Management Program Framework  18
   Cyber Risk Management Program: Key Drivers  19
   Satisfying Obligations and Liability  22
   When Risk Management Fails Completely: The Boeing 737 MAX Disasters  23
   Risk Management Program Applied to the Boeing Disasters  25
   “Essential and Mission Critical”: The Boeing Case  27
   Benefits of a Security Risk Program  28
   Benefit 1: Strategic Recognition of the Security Risk Function  30
   Benefit 2: Ensuring the Cyber Risk Function Has an Effective Budget  31
   Benefit 3: Protections for Risk Decision Makers  32
   CRMP: Systematic but Not Zero-Risk  32
   Board Accountability and Legal Liability  34
   The Boeing Ruling and Cyber Risk Oversight Accountability  36
   CISOs in the Line of Fire for Liability  38
   The Bottom Line  39

3. Agile Governance  41
   The Uber Hack Cover-Up  43
   What Does Good Governance Look Like?  44
   Aligning with the Enterprise Governance Strategy  46
   Seven Principles of Agile Governance  49
   Principle 1: Establish Policies and Processes  49
   Principle 2: Establish Governance and Roles and Responsibilities Across the “Three Lines Model”  50
   Principle 3: Align Governance Practices with Existing Risk Frameworks  53
   Principle 4: Board of Directors and Senior Executives Define Scope  54
   Principle 5: Board of Directors and Senior Executives Provide Oversight  55
   Principle 6: Audit Governance Processes  57
   Principle 7: Align Resources to the Defined Roles and Responsibilities  58
   The Bottom Line  59

4. Risk-Informed System  61
   Why Risk Information Matters—at the Highest Levels  63
   Risk and Risk Information Defined  64
   Five Principles of a Risk-Informed System  66
   Principle 1: Define a Risk Assessment Framework and Methodology  67
   Principle 2: Establish a Methodology for Risk Thresholds  69
   Principle 3: Establish Understanding of Risk-Informed Needs  71
   Principle 4: Agree on a Risk Assessment Interval  73
   Principle 5: Enable Reporting Processes  75
   The Bottom Line  77

5. Risk-Based Strategy and Execution  79
   ChatGPT Shakes the Business World  82
   AI Risks: Two Tech Giants Choose Two Paths  83
   Wall Street: Move Fast—or Be Replaced  85
   The Digital Game Changers Just Keep Coming  86
   Defining Risk-Based Strategy and Execution  87
   Six Principles of Risk-Based Strategy and Execution  88
   Principle 1: Define Acceptable Risk Thresholds  89
   Principle 2: Align Strategy and Budget with Approved Risk Thresholds  90
   Principle 3: Execute to Meet Approved Risk Thresholds  93
   Principle 4: Monitor on an Ongoing Basis  95
   Principle 5: Audit Against Risk Thresholds  96
   Principle 6: Include Third Parties in Risk Treatment Plan  96
   The Bottom Line  98

6. Risk Escalation and Disclosure  99
   The SEC and Risk Disclosure  101
   Regulatory Bodies Worldwide Require Risk Disclosure  101
   Risk Escalation  103
   Cyber Risk Classification  105
   Escalation and Disclosure: Not Just Security Incidents  107
   Disclosure: A Mandatory Concern for Enterprises  108
   The Equifax Scandal  109
   SEC Materiality Considerations  112
   Cyber Risk Management Program and ERM Alignment  113
   Five Principles of Risk Escalation and Disclosure  114
   Principle 1: Establish Escalation Processes  115
   Principle 2: Establish Disclosure Processes—All Enterprises  117
   Principle 3: Establish Disclosure Processes—Public Companies  119
   Principle 4: Test Escalation and Disclosure Processes  122
   Principle 5: Audit Escalation and Disclosure Processes  123
   The Bottom Line  124

7. Implementing the Cyber Risk Management Program  125
   The Cyber Risk Management Journey  126
   Beginning the Cyber Risk Management Journey  128
   Implementing the Cyber Risk Management Program  130
   Agile Governance  130
   Risk-Informed System  134
   Risk-Based Strategy and Execution  143
   Risk Escalation and Disclosure  146
   Selling the Program  149
   The Bottom Line  153

8. The CRMP Applied to Operational Risk and Resilience  155
   Enterprise Functions That Interact with and Contribute to Operational Resilience  158
   A Malware Attack Shuts Down Maersk’s Systems Worldwide  160
   Guiding Operational Resilience Using the Four Core Cyber Risk Management Program Components  162
   Agile Governance  163
   Risk-Informed System  164
   Risk-Based Strategy and Execution  164
   Risk Escalation and Disclosure  165
   The Bottom Line  165

9. AI and Beyond—the Future of Risk Management in a Digitalized World  167
   AI Defined  168
   AI: A Whole New World of Risk  170
   Adversarial Machine Learning: NIST Taxonomy and Terminology  172
   Risk Management Frameworks with AI Implications  174
   Key AI Implementation Concepts and Frameworks  177
   Beyond AI: The Digital Frontier Never Stops Moving  180
   The Bottom Line  182

Appendix: The Cyber Risk Management Program Framework v1.0  185

Index  193
Preface

In our professional journeys, we encounter pivotal moments—be it a change of job, a new career path, or the adoption of an innovative perspective—that significantly alter our course. For us, a keen and focused curiosity sparked numerous enlightening discussions. These discussions laid the groundwork for an essential framework and a proactive, value-centric approach to managing security risks. This evolution of ideas and strategies culminated in the creation of a structured and comprehensive cyber risk management program.

Brian’s Story

A few years ago, on a flight to California with my wife as we headed off for vacation, I found myself asking a simple question that turned out to be a eureka moment (for me anyway). “What is a cyber risk management program?” It seemed simple at the time. But with a slow internet at 30K feet, I did some searching and couldn’t find an authoritative answer. What had raised the question was the document I was reading: the 2018 Securities and Exchange Commission (SEC) guidance to boards and corporate officers on cybersecurity oversight matters. In that guidance, the SEC stated that boards of directors and corporate officers must have oversight of a cyber risk management program. A satisfying answer to the question wasn’t in the guidance, nor any other material I could find. With the SEC’s expectation that companies had these answers, and with accountability hanging in the balance, it was an important question not to have an answer to.

Let me back up and explain why I was reading SEC guidance on my vacation. For more than a decade, I was the chief security officer (CSO) for Time Warner Cable, a Fortune 130 provider of critical infrastructure (telephone and internet services). Building on my experience, I’d written an earlier book, Enterprise Security Risk Management: Concepts and Applications, with my longtime associate Rachelle Loyear. The concept of enterprise security risk management is based on the fundamental premise that, at its core, security is a risk function, and every task a security practitioner executes could and should be viewed through the lens of five core risk concepts that apply to any risk paradigm:

1) What is your asset?
2) What are the risks?
3) How could you mitigate these risks?
4) How could you respond to incidents?
5) What consistent continued learning can you pursue about your environment?

It doesn’t matter if you practice cybersecurity, physical security, business continuity, fraud management, or any related security discipline. Every tactic, in every discipline, fits into one of those five core principles.

I went to the consulting firm EY to build out in practice the concepts of that book and to work with boards and executives. It was during that part of my career that I was curious about the executive’s security risk management role. Though the SEC document might sound boring, it produced a career-changing revelation. Curiosity got me again.

During the next few years, Brandon and I researched the heck out of that question and had a ton of conversations with colleagues, which led to even more questions. We both developed significant experience assessing and building cyber risk management programs at large institutions. After I left EY, we spent time mapping out a broad array of risk-related standards. We evaluated the guidance that boards were receiving, looked at the case law that establishes executive-level accountability, and generally considered the value and role of security as a strategic function—beyond its tactical necessity. Here are some of the findings of all that research:

• Security is a risk function (we knew that).
• Risk management is a mature practice (the risk practice in the security field is not that mature).
• Most security organizations and practitioners take an ad hoc approach (the law, regulators, and the changing economy are demanding a changed expectation of enterprise security practices, all pointing to the maturing of the risk function as the path forward).
• A cyber risk management program can be clearly defined as a standalone program, which is frankly not optional at this point.

There is true value in building a cyber risk management program, but it needs structure and a commitment to executing risk management as a formal program.

The journey with Brandon has been amazing, and it continues. We have reciprocal respect and continually challenge each other…a necessary step to move from what security was in our minds to something that it needs to be. I learn from him every time we speak. I appreciate Brandon as a colleague and close friend.
Brandon’s Story

As a consultant in EY’s Cybersecurity practice, I’ve had the privilege of partnering with top executives, CSOs, CISOs, and security practitioners from some of the world’s largest and most recognized brands across a broad range of industries. This journey, which involved guiding companies in their shift from tactical security practices to holistic security risk management programs, has been a fulfilling venture into addressing their most intricate challenges.

My progress on this path has been shaped by invaluable experiences, and especially by the influence of several key individuals. My entry into the world of cybersecurity began 15 years ago, thanks to an introduction by my uncle, Jim Mazotas, a serial entrepreneur and founder of multiple cybersecurity companies. What followed was an academic foundation at Malone University and subsequent certifications. My journey has been further enriched by the mentorships of several leaders and colleagues through my time at EY.

I’ve learned through my time serving clients how every company’s cybersecurity journey is unique. Some are at the early stages of change, grappling with fundamental challenges and working with varying degrees of support from leadership. Others, especially in sectors like financial services and healthcare, have more mature cybersecurity risk practices. But a common thread has been evident throughout: the rapid digitalization of business operations and increasing regulatory pressures mean an enterprise’s approach to security must continue to evolve.

This book is a distillation of insights, experiences, and best practices Brian and I gathered over the years. It extends beyond theory to offer security practitioners—and many others with a role in risk management—a blueprint for professional growth, enhanced job security, and greater personal and professional satisfaction in their roles. And it presents a guide for a fast-changing world, because while technology and threats are constantly evolving, the principles of sound risk management we’ve outlined remain timeless.

Teaming up with Brian, whom I hold in high regard as a mentor, has been an illuminating experience. Writing this book, I’ve found further clarity about the “why” of our professional convictions. Our combined expertise—my hands-on consulting exposure and Brian’s invaluable experience as a CSO and consultant—ensures that this book presents a holistic view on building a cyber risk management program.
Bringing It Together

We (Brian and Brandon) have been on a multiyear mission to better define a cyber risk management program. This journey has been driven by curiosity and an intentional effort to challenge existing notions. We hope this book will also inspire you to embark on a new or continued journey, hopefully one that stirs your own curiosity and thoughtful approach to maturing your practice, but also your department, or your personal career.

This book not only defines risk management but describes how to build your own cyber risk management program. Ideally, this program would be supported by existing standards, laws, and authoritative guidance. It should stand on its own as a true foundation for the strategic elements of a security practice. It also has expected outputs and is defendable. Lastly, it can support security’s practice through the unknowns of digitalization, and it can drive strategic decisions, protect against budding liability, and communicate security’s value as a strategic partner.

As we started breaking down the SEC’s guidance to support our definition of a cyber risk management program, a bigger picture emerged. Not only was the SEC formalizing an obligation, but the courts were beginning to close in on corporate-officer-level liability, including the CISO. In addition, every industry experienced digital risks, with new threats and breaches appearing constantly. Security organizations struggled to communicate the value of their efforts, and tried to avoid finger-pointing should something happen. These organizations were continuously fighting the perception that everything is protected because budgets have been approved.

Today, all of these challenges are increasing, in degree and complexity. Every enterprise is digitalized, increasing the surface area of risks exponentially, with increasing speed and without the necessary or appropriate conversation of risk balance. All the while, business leaders are starting to get budget fatigue, putting even more pressure on the security organizations as they look over their shoulders at even bigger threats—competition and even more serious consequences if they don’t move fast enough in this new economy.

Our journey has led us to map a variety of authorities that helped clearly define a cyber risk management program. It turns out, there’s a lot to pull from. It just hasn’t been organized. We mapped the SEC guidance, international risk standards, regulatory approaches, case law, and guidance from the National Association of Corporate Directors (NACD) into a cyber risk management program (CRMP) framework. The framework covers four core components that make up a formal program along with supporting principles that provide more detailed guidance for implementation. This framework supports the concepts in this book and can be found at CRMP.info. When implemented, it should result in a standalone formal program—a needed program that answers the question that stirred this all up.
Our collective vision for this book is clear: to empower you with a structured and authoritatively defined cyber risk management program, with built-in concepts and guidance to assist with your individual approach of implementation.

Who Should Read This Book

We’ve designed this book to deliver real-world value to the broadest possible range of readers, while at the same time making it clear at every stage which readers will be most impacted by which content. The key roles we see benefiting from the book are:

Security practitioners at every level
    Risk management is a highly mature practice, one that’s been developed, practiced, and refined for decades, but not usually as a comprehensive, formalized program for security. Developing a program will help to drive the maturity, intent, and purpose of the practice.

Security practitioners in every function
    As much as this book is focused on cybersecurity, if you take the word “cyber” out, you have the fundamental elements that could be applied to programmatically managing risks in physical security, fraud management, business continuity management, and operational resilience.

Boards of directors
    This book is designed to provide directors with a comprehensive understanding of their vital role and responsibilities in overseeing a cyber risk management program. It offers insights into the expectations for management’s role in the program’s establishment. The underlying principles highlight the importance of viewing cybersecurity as a business risk, providing a perspective that empowers directors to ask more relevant questions and provide better guidance to management. By moving the focus from the technical details of cybersecurity tactics and operations to a wider strategic risk oversight role, directors can improve their cyber risk management program’s effectiveness while strengthening defenses against increasing legal and regulatory liabilities.

CxOs and line-of-business leaders
    These high-level decision makers will gain a clear understanding of the need for security to mature as a risk practice; this will help them understand and protect themselves against increased liability. These decision makers will also learn how to set security expectations, so they can make appropriate and informed security risk decisions that align with their overall strategies.
Regulators
    Regulatory bodies can use the guidance in this book to help develop well-defined regulations based on reasonable, consistent, and repeatable expectations. A common taxonomy and shared expectations will make their efforts more efficient, effective, and synergistic.

Auditors
    Audit professionals typically focus on best practices, evaluating the effectiveness of an enterprise’s or an organization’s security controls and processes against established policies, standards, frameworks, and regulations. This book provides a comprehensive structure for auditors to use in evaluating a cybersecurity risk management program, because it focuses on security execution in relation to the business’s expected risk appetite and tolerance.

Business leaders and professionals whose work may be impacted by the risks introduced by digitalization
    The impacts of digital transformation are far-reaching, complex, and unpredictable. As a result, professionals in many different disciplines—most business leaders and decision makers across most enterprise functions—will find real value in learning about how to identify digitalization’s risks and make informed decisions about balancing risk and reward.

Final Thoughts

This is a journey. There’s no quick fix, and there is endless learning and nuance to this conversation—but it’s worth the ride. What it will take is challenging our notions with what’s currently in place, how we’ve practiced in the past, and an eagerness to be curious. As much as this book is written specifically for a cyber practice, remove the word “cyber” and the concepts of the cyber risk management program can be applied to any security risk practice. We’re confident that the insights you’ll gain will empower you in your professional journey. For feedback, questions, or to join the conversation, visit us at CRMP.info.

Conventions Used in This Book

The following typographical conventions are used in this book:

Italic
    Indicates new terms, URLs, email addresses, filenames, and file extensions.
Note
    This element signifies a general note.

O’Reilly Online Learning

For more than 40 years, O’Reilly Media has provided technology and business training, knowledge, and insight to help companies succeed. Our unique network of experts and innovators share their knowledge and expertise through books, articles, and our online learning platform. O’Reilly’s online learning platform gives you on-demand access to live training courses, in-depth learning paths, interactive coding environments, and a vast collection of text and video from O’Reilly and 200+ other publishers. For more information, visit https://oreilly.com.

How to Contact Us

Please address comments and questions concerning this book to the publisher:

O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
800-889-8969 (in the United States or Canada)
707-829-7019 (international or local)
707-829-0104 (fax)
support@oreilly.com
https://www.oreilly.com/about/contact.html

We have a web page for this book with errata, examples, and additional information. You can access this page at https://oreil.ly/building-a-cyber-risk-management-program.

For news and information about our books and courses, visit https://oreilly.com.
Find us on LinkedIn: https://linkedin.com/company/oreilly-media.
Follow us on Twitter: https://twitter.com/oreillymedia.
Watch us on YouTube: https://youtube.com/oreillymedia.
Acknowledgments

We have so many to thank for guiding and supporting us on this journey, in both our careers and in writing this book. A special thanks to our supportive families, especially our respective loving wives, Maria and Sarah, and our encouraging parents who throughout our lives have built a foundation for us to be respectfully curious. Our gratitude also extends to our friend, writer, and thought-provoker, Terry Allan Hicks; to Sara Hunter at O’Reilly, who provided wisdom throughout this process; our copyeditor Adam Lawrence and his meticulous attention to detail; and the thoughtful reviewers, all of whom artfully helped shape this book.
CHAPTER 1
Cybersecurity in the Age of Digital Transformation

A worldwide pandemic brings manufacturing plants in China to a standstill, causing supply shortages and slowdowns at factories from Detroit to Yokohama. An Ethiopian airliner mysteriously nosedives minutes after takeoff, killing everyone on board; and less than six months later, on the other side of the world, the same make and model of aircraft crashes in almost exactly the same way. An unknown person tampers with the control systems at a water plant in Florida, increasing by more than 100 times the amount of a chemical that’s ordinarily safe to use in water treatment but lethal at higher levels. An extortionist uses artificial intelligence (AI) to convincingly re-create an individual’s voice to fake a kidnapping, and election officials worldwide worry that the same “deepfake” techniques—which can also manipulate images—will be used to undermine democratic elections. A Russian cyberattack on a satellite navigation system used by the Ukrainian military brings wind turbines hundreds of miles away in Germany to a standstill. And a lone attacker holds a major pipeline system for ransom, creating massive fuel shortages up and down the US East Coast.

These events are dramatic examples of how very fragile our daily lives, and the systems and processes they rely on, are today. This complex, intricate set of interconnections is created by the world’s overwhelming reliance on digital technologies for communication and collaboration, and the unprecedented risks they’ve introduced—and continue to introduce—at a radically accelerating pace. Enterprises everywhere now face threats that would have been unimaginable just a few short years ago. The threats can be acutely damaging to financial interests and, in some cases, even drive companies out of business—and not just because of failures dealing with cyber threats, but because of competition: the ability of one company to take risks and move faster than its competitor, both of whom are digitalizing at a competitive pace.
Security organizations are struggling to keep pace with the significant challenges those threats and vulnerabilities represent, often falling short.

This book presents a way forward in this radically different and threatening new business and technology landscape. The approach, which draws on the authors’ decades of experience in the field, is based on the premise that the way for an enterprise to protect itself today and tomorrow is to develop a comprehensive, enterprise-wide cyber risk management program. The book speaks to a broad range of enterprise stakeholders—not just security practitioners—to guide strategic decisions and execution parameters throughout the enterprise. The key is defining, developing, and implementing a cyber risk management program.

Regulators worldwide are focusing more intensely on how enterprises are managing their cyber risks, how they establish their risk tolerance, whether they’re executing to that tolerance, and whether there is proper oversight of this programmatic approach. Courts are narrowing their focus on the personal liability of boards of directors, CEOs, and other corporate officers, including chief information security officers (CISOs), as it relates to their oversight of cyber risk management. The lack of a program, and the outputs of a program by themselves, can each be the basis of that liability.

Many readers, especially experienced security professionals, will recognize some or all of the components of a cyber risk management program as we present it, and they’ll likely be practicing some of them already, at least in part. Security practitioners are by definition risk practitioners (that’s an important concept that we’ll be returning to again and again). Their experience in risk management will prove invaluable in designing and implementing a cyber risk management program. What sets our approach apart is that it brings together all these components and more in a comprehensive, formal program designed to protect the entire enterprise and many of its stakeholders against the entire range of risks in the present and in the future.

In this book, we’ll be taking a deep dive into defining a formal cyber risk management program through a variety of authoritative sources, aligning global standards, regulations, court cases, and influential sources with a framework to support the foundational elements of the defined program. Though the book will not be a how-to approach to risk management tactics, it will nevertheless reference many risk practices and provide examples that could be implemented in the program.

Why a cyber risk management program now? Digital transformation has introduced a cyber element into every aspect of security and has made cybersecurity one of the most urgent concerns for enterprises worldwide in recent years—and not only for the security professionals, but for every leader as well.
The Fourth Industrial Revolution

The term Fourth Industrial Revolution—sometimes called Industry 4.0[1]—was popularized in the 2010s by the economist Klaus Schwab, founder of the World Economic Forum (WEF). The concept is commonly defined as rapid, and rapidly accelerating, change in systems and processes driven by the increasing interconnectivity and automation of technologies in ways that blur the distinctions between the physical and digital worlds. These technologies include artificial intelligence (AI), advanced robotics, machine-to-machine (M2M) communication, the networks of autonomous devices that make up the Internet of Things (IoT), and many more that are on the horizon. And as these technologies interact in new, unexpected, and unpredictable ways, they are driving social, political, economic, and cultural changes at a velocity never before seen in human history.

A 2016 WEF report on the Fourth Industrial Revolution says, “The speed of current breakthroughs has no historical precedent. When compared with previous industrial revolutions, the fourth is evolving at an exponential rather than a linear pace. Moreover, it is disrupting almost every industry in every country. And the breadth and depth of these changes herald the transformation of entire systems of production, management, and governance.”[2]

[1] This German terminology reflects the country’s importance in manufacturing and other industries.
[2] Klaus Schwab, “The Fourth Industrial Revolution: What It Means, How to Respond,” World Economic Forum, January 14, 2016.

To understand the dramatic changes we’re experiencing now, let’s take a step back to look at how we got here, specifically at the historical changes that preceded them:

• The First Industrial Revolution used water—rivers turning millwheels and coal-fired boilers feeding steam boilers—to drive manufacturing production (steel mills and textile mills) and transportation (trains and ships).

• The Second Industrial Revolution electrified these processes, making true mass production possible.

• The Third Industrial Revolution was—and is, because it’s still going on—based on electronics, using automation and information exchange to drive improvements in operational efficiency.

• The Fourth Industrial Revolution delivers operational efficiency and innovation at a velocity that was unimaginable a few years ago. It’s driven, above all, by the digitalization of existing systems, applications, devices, and processes, and—crucially—by the continuous, ongoing, rapid creation of new digital technologies.

In the future, the world will likely look back on the Fourth Industrial Revolution as a more radical, dramatic, and fundamental change than all three of its predecessors taken together. It builds on all of them, especially the Third, with previously unimaginable speed, scope, and impact. It’s as if all the major technology developments that had come before—the electric light bulb, the automobile, radio and television, everything—were occurring at the same time.

There are five key trends impacting enterprises and the risks they face:

Industry convergence
Every industry is changing, and the cycle of change is constantly accelerating. New ecosystems, business models, and consumer behaviors are blurring industry lines across every market segment. And enterprises collaborating with third parties in industry ecosystems—sometimes even with direct competitors—face previously unknown risks, because they inevitably give up some degree of control to the other parties.

Globalization
When the people and organizations involved in the value chain—manufacturers, suppliers, partners, customers—are spread across the entire world, enterprises have to recognize that the risks they face are different, highly unpredictable, and on a scale they’ve never before had to deal with.

Expectations of oversight
Enterprises are being watched more closely than ever by legislators, regulators, industry and consumer organizations, and a broad range of other interested parties. And all those parties expect—and in many cases demand—greater oversight of enterprise business practices.

Legal action challenges
Often enterprise actions—and failures to act, as in the case of cybersecurity events like data breaches—result in damaging lawsuits.

A changing regulatory landscape
Regulatory requirements are becoming ever more complex and more rigorous—and often more contradictory. This increases both the risks of noncompliance and the difficulty and expense of managing those risks.

All these trends are characterized by two radically disruptive factors: velocity and volatility. Everything is happening at a dramatically accelerated pace, and the acceleration itself is constantly accelerating—markets, politics, consumer behaviors—making everything more complex, unstable, hard to predict, and harder to manage. The