Executive's Guide to Cyber Risk - Siegfried Moyo - E-Book

Description

A solid, non-technical foundation to help executives and board members understand cyber risk.

In the Executive's Guide to Cyber Risk: Securing the Future Today, distinguished information security and data privacy expert Siegfried Moyo delivers incisive and foundational guidance for executives tasked with making sound decisions regarding cyber risk management. The book offers non-technical, business-side executives the key information they need to understand the nature of cyber risk and its impact on organizations and their growth. In the book, readers will find:

* Strategies for leading with foresight (as opposed to hindsight) while maintaining the company's vision and objectives
* Focused, jargon-free explanations of cyber risk that liken it to any other business risk
* Comprehensive discussions of the fundamentals of cyber risk that enable executive leadership to make well-informed choices

Perfect for chief executives in any functional area, the Executive's Guide to Cyber Risk also belongs in the libraries of board members, directors, managers, and other business leaders seeking to mitigate the risks posed by malicious actors or by the failure of their information systems.


Page count: 303

Year of publication: 2022




Table of Contents

Cover

Title Page

Copyright

Dedication

Foreword

Preface

THE PURPOSE OF THIS BOOK

MY PERSPECTIVE

WHAT THIS BOOK IS AND WHAT IT'S NOT

HOW THE BOOK IS ORGANIZED

Acknowledgments

About the Author

CHAPTER ONE: Cyber Strategy

INTRODUCTION

CYBERSECURITY STRATEGY

THE VALUE PROPOSITION OF A CYBERSECURITY STRATEGY

THE EXECUTIVE'S ROLE IN CYBERSECURITY STRATEGY

EXECUTIVE'S GUIDE TO CYBERSECURITY STRATEGY

NEXT STEPS/REFLECTION

SUMMARY

NOTES

CHAPTER TWO: Cyber Value

INTRODUCTION

UNDERSTANDING CYBER VALUE

THE VALUE PROPOSITION OF CYBER VAR

CASE STUDY: THE COLONIAL PIPELINE CYBER-ATTACK

EXECUTIVE'S GUIDE TO CYBER RISK MANAGEMENT

EXECUTIVE'S GUIDE TO FAIR CYBER VALUE-AT-RISK

NEXT STEPS

SUMMARY

NOTES

CHAPTER THREE: Cyber Compliance

INTRODUCTION

CYBER COMPLIANCE

THE VALUE PROPOSITION OF CYBER COMPLIANCE

CASE STUDY

EXECUTIVE'S GUIDE TO CYBER COMPLIANCE

CYBER COMPLIANCE CLASSIFICATIONS

NEXT STEPS AND REFLECTION

SUMMARY

NOTES

CHAPTER FOUR: Cyber Culture

INTRODUCTION

WHAT IS CULTURE ANYWAY?

BUILDING A HUMAN-CENTRIC APPROACH TO RISK MANAGEMENT

CASE STUDIES: HUMAN ERROR INCIDENTS

EXECUTIVE'S GUIDE TO CREATING A RISK-AWARE CULTURE

NEXT STEPS

SUMMARY

NOTES

CHAPTER FIVE: Cyber Resilience

INTRODUCTION

THE VALUE PROPOSITION OF CYBER RESILIENCE

CASE STUDIES

THREAT ACTORS?

EXECUTIVE'S GUIDE TO CYBER RESILIENCE

NEXT STEPS/REFLECTION

SUMMARY

NOTES

Appendix A: Framework for Improving Critical Infrastructure Cybersecurity

EXECUTIVE SUMMARY

1.0 FRAMEWORK INTRODUCTION

1.1 OVERVIEW OF THE FRAMEWORK

1.2 RISK MANAGEMENT AND THE CYBERSECURITY FRAMEWORK

2.0 FRAMEWORK BASICS

2.1 FRAMEWORK CORE

2.2 FRAMEWORK IMPLEMENTATION TIERS

2.3 FRAMEWORK PROFILE

2.4 COORDINATION OF FRAMEWORK IMPLEMENTATION

3.0 HOW TO USE THE FRAMEWORK

3.1 BASIC REVIEW OF CYBERSECURITY PRACTICES

3.2 ESTABLISHING OR IMPROVING A CYBERSECURITY PROGRAM

NOTES

Appendix B: Risk Management: ISO 31000

WHO IS ISO 31000 FOR?

WHAT ARE THE BENEFITS FOR MY BUSINESS?

WHY WAS IT REVISED?

WHAT ARE THE MAIN DIFFERENCES?

WHAT ABOUT CERTIFICATION?

HOW DO I GET STARTED?

ABOUT ISO

NOTES

Appendix C: Privacy by Design: The 7 Foundational Principles, Implementation and Mapping of Fair Information Practices

PURPOSE:

SCOPE:

CONTEXT:

1. PROACTIVE NOT REACTIVE; PREVENTATIVE NOT REMEDIAL

2. PRIVACY AS THE DEFAULT

3. PRIVACY EMBEDDED INTO DESIGN

4. FULL FUNCTIONALITY – POSITIVE-SUM, NOT ZERO-SUM

5. END-TO-END SECURITY – LIFECYCLE PROTECTION

6. VISIBILITY AND TRANSPARENCY

7. RESPECT FOR USER PRIVACY

NOTE

Appendix D: KnowBe4 – Free IT Security Tools

KNOWBE4—FREE IT SECURITY TOOLS

PHISHING TOOLS

SECURITY AWARENESS TRAINING TOOLS

PASSWORD TOOLS

EMAIL SECURITY TOOLS

MALWARE TOOLS

COMPLIANCE TOOLS

Appendix E: Cyber Resilience Framework by NIST

CHAPTER TWO

2.1 CYBER RESILIENCY ENGINEERING FRAMEWORK

2.2 CYBER RESILIENCY IN THE SYSTEM LIFE CYCLE

2.3 RISK MANAGEMENT AND CYBER RESILIENCY

CHAPTER THREE

3.1 SELECTING AND PRIORITIZING CYBER RESILIENCY CONSTRUCTS

3.2 ANALYTIC PRACTICES AND PROCESSES

REFERENCES

Index

End User License Agreement

List of Tables

Appendix E

TABLE 1 Cyber Resiliency Constructs

TABLE 2 Cyber Resiliency Goals

TABLE 3 Cyber Resiliency Objectives

TABLE 4 Cyber Resiliency in Life Cycle Stages

TABLE 5 Tailorable Process for Cyber Resiliency Analysis

List of Illustrations

Appendix A

FIGURE 1 Framework Core Structure

FIGURE 2 Notional Information and Decision Flows within an Organization

Appendix E

FIGURE 1 Cyber Resiliency Techniques and Implementation Approaches

FIGURE 2 Relationships Among Cyber Resiliency Constructs

FIGURE 3 System Life Cycle Processes and Life Cycle Stages


Executive's Guide to Cyber Risk

Securing the Future Today

SIEGFRIED MOYO

 

Copyright © 2022 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data

Names: Moyo, Siegfried, author.

Title: Executive’s guide to cyber risk : securing the future today / Siegfried Moyo.

Description: First edition. | Hoboken, New Jersey : Wiley, [2022] | Includes bibliographical references and index.

Identifiers: LCCN 2022013196 (print) | LCCN 2022013197 (ebook) | ISBN 9781119863113 (cloth) | ISBN 9781119863137 (adobe pdf) | ISBN 9781119863120 (epub)

Subjects: LCSH: Data protection. | Computer security. | Computer networks—Security measures. | Management information systems. | Computer crimes—Risk assessment.

Classification: LCC HF5548.37 .M68 2022 (print) | LCC HF5548.37 (ebook) | DDC 658.4/78—dc23/eng/20220525

LC record available at https://lccn.loc.gov/2022013196

LC ebook record available at https://lccn.loc.gov/2022013197

Cover Design: Wiley

Cover Image: © ismagilov/Getty Images

To everyone around the globe—no matter where they are—who is tirelessly working toward creating a cyber-secure future starting today.

Foreword

CYBERSECURITY IS, IN MY mind, one of the most serious issues facing the sustainability of the global economy, institutions, and society at large. Everyone, and increasingly everything, is connected through information technology. Our everyday life activities are dependent upon technology. Working from home and on the move has exacerbated the vulnerability of our platforms and poses significant challenges to CISOs that technology alone cannot solve.

Today, our digital technology systems are under attack from rogue hackers, cybercriminal gangs, and nation-sponsored cyber terrorists. No one is immune. Banks, hospitals, schools, and city governments are hacked; emails are compromised; and even the CIA has been hacked. And cybersecurity is critical to our ability to successfully tackle climate change, food scarcity, poverty, and global stability.

Most cybersecurity detection and prevention efforts concentrate on technology solutions as the primary line of defense. While information technology professionals are constantly upgrading their knowledge and cyber defense skills, many business executives, managers, and employees have a rudimentary understanding of what constitutes effective cybersecurity. This book aims to change that.

Siegfried Moyo is a hands-on cybersecurity professional deeply concerned about the lack of cybersecurity awareness and skills in today's global businesses. Like myself, he believes that every employee, and especially board directors and executives, needs to step up and take active accountability for protecting themselves and their organization. But accountability requires awareness, not just of the technical issues involved, but the organizational, infrastructure, and cultural issues that are the backbone of a cyber-safe organization.

This book is written especially for board directors and executives to help improve their understanding, awareness, and ability to effectively manage cybersecurity risks. After a short introduction to cybersecurity, chapters focus on understanding cyber risk, the importance of a well-crafted and communicated cybersecurity strategy, and the cultural and business factors that enable enterprise-wide cybersecurity.

Irrespective of your level of understanding of cybersecurity, this book will give you a holistic view of cyber risk management from a business perspective.

—Christiane Wuillamie, OBE, CEO, PYXIS Culture Technologies, Ltd.

Preface

THE PURPOSE OF THIS BOOK

In this book, I describe what I believe to be the five fundamental cyber risk management precepts that are critical for any business executive to understand in order to achieve their business goals and objectives. We are in an era of increasingly successful cyber-attacks that allow cybercriminals or hackers to steal, manipulate, or destroy critical data, or disrupt business operations by compromising critical infrastructure in businesses. To fight successfully against malicious intent, it's imperative that executives understand the fundamental principles at a high level so they can prioritize cyber risk like any other business risk.

The goal of this book is to explain these five foundational precepts in non-technical terms so that the members of the Board of Directors (BOD) and C-Level executives (C-LEs) can continue to help their businesses prosper despite this era of ongoing cyber-attacks.

As I reflect on the past decade, every organization of any size, or industry of any magnitude, be it public or private, has been exposed to fear characterized by uncertainty and a possibly bleak future. Economic challenges are driven by immediate market forces and by cyber risks that expose the organization to sudden cyber-attacks that exploit it.

The world of cyber-attackers is not sitting still. Daily, organizations face a whole new set of cyber-attacks, some of which may not even exist yet. Currently, organizations often lack focus because the BOD, the shareholders, and the executives whose support they rely on may not adequately comprehend the basic precepts of cyber risk management, even though they have a direct impact on the organization's vision, objectives, and goals.

In a world of faster technology cycles and instant digitalization, board members and executives need to be more agile, collaborative, and forward-looking in regard to cyber risk management. Leaders of organizations should be able to articulate the basic and intrinsic knowledge of cyber risk management within the business realm or in their purviews.

There is an urgent need for the leaders of every organization to understand the key aspects of cyber risk management. Such knowledge is critical to an organization's future and ongoing success. Every organization needs forward-thinking precepts in order to achieve its vision and ease its decision-making in relation to cyber risk management. This is where Executive's Guide to Cyber Risk: Securing the Future Today comes into play. This book aims to explain the cyber risk management principles that organizations need to achieve business goals.

The book provides important fundamental cyber risk management precepts for board members, business executives, founders of start-ups, and owners of small- to medium-sized businesses. The key is identifying the gap between your current level of comprehension and what else you need to comprehend for better alignment on cyber risk management. This book helps to elucidate that gap.

Despite the existence of increasingly complex and sophisticated cyber-attacks, I have full confidence that board members, business executives, founders of start-ups, and business owners can achieve sustainable business growth when they understand the five foundational cyber risk management precepts.

MY PERSPECTIVE

As an executive, it's important that you approach potential cyber risks with foresight and a forward-looking mindset. Otherwise, cyber risks will continue to incapacitate or harm your organization. This can go so far as to harm the global economy, public health, and overall safety. There are five fundamental cyber risk management precepts and strategies that I consider essential and relevant to board members, business executives, and business managers. They allow executives to get better aligned on cyber risk management within the organization. The precepts empower people with mindset-changing principles to mitigate potentially crippling cyber risk issues.

The change in mindset is from hindsight to foresight.

Hindsight: Dealing with and understanding a problem only after it has happened.

Foresight: The ability to judge correctly what is going to happen in the future and plan your actions based on this knowledge.

I am determined to help organizations develop foresight when it comes to cyber risks. Raising awareness is necessary and will bring about change, making the world more cyber-secure. I do not hesitate to share my points of view throughout this book. I think this increases the authenticity and value that I can give. I recognize that for some, the precepts may call into question my credibility. I'm afraid I must disagree, but I appreciate that this will be easier to read for those already committed to securing the future. I hope others will find it stimulating and valuable as well. My perspective on these fundamental five precepts has developed over many years, and it is my opinion that adopting these precepts will help build a cyber-secure future.

WHAT THIS BOOK IS AND WHAT IT'S NOT

This book is not meant to substitute for or discredit any information security and cybersecurity standards or best practices, laws, or regulations. It's not intended to replace or undermine the great work being done by CISOs and cybersecurity professionals across the world, working to secure the organizations they have been entrusted to help. If you are reading this book with the intention of acquiring the skills to be certified in cybersecurity or information security, I am sorry to let you know you are in the wrong place. The book is not a training reference for any certification.

This book outlines five cybersecurity precepts or strategies for board members and executives, so they can develop foresight into cyber risk management. The book is for:

Executives, so they can go forward better aligned with their cybersecurity executives.

BOD members and executives, as a single reference guide that is a starting point to be able to identify and articulate the gaps in executive support.

Founders of start-ups and owners and executives of small- to medium-sized organizations that don't have a clue where to start on cyber risk management.

Anyone who wants to understand cyber risk better and wants to be part of shared social responsibility to make the future more cyber-secure.

This book should complement the work of the CISOs and cybersecurity professionals. They allow for business growth by incorporating diverse cyber risk management frameworks, and they work relentlessly with executives to help them comprehend cyber risk management in non-technical jargon to improve decision-making.

I recognize the limits of my perspective, but its validity as well. I do not claim any particular relevance because of my experience, and, despite my best efforts, I know that I likely have exhibited some biases along the way. But I believe that likelihood does not stop me from sharing my insights and knowledge to help move us toward a more cyber-secure world. If I were to allow this to keep me from sharing my perspectives, I would succumb to the neutrality trap. I hope readers will be open to what I have to say and keep my perspective in mind.

HOW THE BOOK IS ORGANIZED

I organized this book into five chapters:

Chapter 1, “Cyber Strategy,” takes a strategy-centric approach to discussing cyber risk.

Chapter 2, “Cyber Value,” takes a value-centric approach to discussing cyber risk.

Chapter 3, “Cyber Compliance,” takes a compliance-centric approach to discussing cyber risk.

Chapter 4, “Cyber Culture,” takes a human-centric approach to discussing cyber risk.

Chapter 5, “Cyber Resilience,” takes a technology-centric approach to discussing cyber risk.

I expect that between today and the book's publication, new cyber risks will impact organizations, and they will shed new perspectives on the cyber risk management precepts I share in this book. I want this book to be part of a dynamic, ongoing discussion, and I hope it joins board members, executives, founders, and owners of organizations into a dialogue that I believe is critical to securing the future today.

Acknowledgments

THIS BOOK DRAWS ON two different streams of my life experiences—the spiritual and professional.

Spiritually: Thank you to the Lord Jesus Christ, my cornerstone, my strength, my fortress, for the gift of life, every second on earth up to this day, which has let me write the book and get to this stage of giving back through my profession.

Professionally: Thank you to all my professional colleagues, who challenged my mental models and thought processes, making me constantly strive to be a better person than I was the days or hours before. Both the positive and negative insights and feedback were essential to my growth and understanding.

I especially want to thank the contributors who worked with me over the months, providing objective feedback, challenging my mental models and thought processes, and supporting me as a first-time author. These include:

Christiane Wuillamie, OBE and CEO of PYXIS Culture

John Childress, chairman, PYXIS Culture Technologies Ltd

Anna Collard, SVP content strategy and evangelist at KnowBe4 Africa

Jack Jones, award-winning CISO, author of the FAIR standard, and the chairman of the FAIR Institute

Kevin L. Jackson, 2X USA Today and WSJ best-selling author; CEO, GC GlobalNet; COO, SourceConnecte; SVP, TNS; Adjunct Professor, Tulane University

I was blessed to be in capable hands throughout the development of my work on this book. Kezia Endsley, the editor from Wiley, provided consistently helpful, supportive, and timely feedback on the various versions of each part of this book. Lori Martinsek and Warren Hapke, the copy editing team, provided invaluable commentary, editing, and citation checking and were always tactful but direct in pointing out some of my blind spots. I also want to thank the Wiley team who grasped the value of this project and have been supportive (and flexible!) throughout—especially Sheck Cho, Susan Cerra, Samantha Wu, and Manikandan Kuppan.

Finally, I want to thank my family for their unstinting support throughout, especially my son, who always pushes me to be a better man whom he can look up to. Thank you to my father for his push and invaluable support. And my most special thanks to colleagues who were constantly willing to listen, support, distract, and entertain when necessary.

About the Author

Siegfried Moyo has grown within the information security industry from a junior security engineer to a leader of information security teams in organizations with a global footprint. He has experience working across different industries (including banking, manufacturing, technology, the public sector, and logistics and supply chain). He is a cybersecurity professional with over fifteen years of experience in information security. He has hands-on technical experience with diverse information security technologies.

He works toward increasing stakeholder value by providing cyber assurance and managing cyber risk across organizations and creating a robust and sustainable cybersecurity strategy that is resilient against multiple cyber threats. He is a trusted cybersecurity advisor on determining and establishing the right cybersecurity governance and security practices for organizations and helps business executives at the C-Suite level understand cyber risks.

He has practical experience in the following cybersecurity domains: cybersecurity resilience, cybersecurity governance, cybersecurity risk management framework, cybersecurity engineering, cybersecurity operations, cybersecurity strategy development/deployment, and cybersecurity enterprise architecture to align with business/enterprise objectives and goals.

He received a bachelor of science in cybersecurity and a master of science in cybersecurity from EC-Council University. He is currently pursuing a doctor of philosophy (PhD) in Cybersecurity Leadership at Capitol Technology University.

While writing this book, Siegfried lived in Madrid, Spain, with his family.

CHAPTER ONE: Cyber Strategy: The Strategy-Centric Approach

Cybersecurity is the mission-focused and risk-optimized management of information which maximizes confidentiality, integrity, and availability using a balanced mix of people, policy, and technology while perennially improving over time.

—Mansur Hasib, speaker, educator, career coach

INTRODUCTION

What exactly is a cyber strategy? Let's start by defining strategy. The word “strategy” is derived from the Greek word strategos, which is a combination of two words—stratia (meaning army) and ago (meaning to lead or move). Merriam-Webster defines “strategy” as “a careful plan or method for achieving a particular goal, usually over a long period,” or “the skill of making or carrying out plans to achieve a goal.”1

A strategy is a course of action taken by management to achieve one or more of the organization's objectives. We may alternatively define strategy as “a broad direction established for the organization and its many components to reach a desired condition in the future.”

A comprehensive strategic planning process yields a strategy. A strategy is all about integrating organizational operations and using and distributing corporate resources to fulfill current objectives. We do not build a plan in a vacuum; let's keep this in mind. Any action conducted by an organization is likely to elicit a response from those affected, whether they are competitors, customers, workers, or suppliers. We may also characterize strategy as knowing what we want to achieve, being aware of the unpredictability of events, and considering possible or actual actions. An organization's strategy explains its business, the economic and human organization it aims to be, and the impact it intends to make on its shareholders, customers, and society. So strategy is preparing a long-term plan that will guide an organization in achieving its objectives.

In “Strategic Planning for Public and Nonprofit Organizations,” an article on the Insentra website, John M. Bryson defines strategic planning as:

A disciplined effort to produce fundamental decisions and actions which shape and guide what an organization is, what it does and why it does it—all with a focus on the future.2

CYBERSECURITY STRATEGY

The European Union Agency for Cybersecurity (ENISA) defines cybersecurity strategy as:

A national cybersecurity strategy (NCSS) is a plan of actions designed to improve the security and resilience of national infrastructures and services. It is a high-level top-down approach to cybersecurity that establishes a range of national objectives and priorities that should be achieved in a specific timeframe.3

In essence, a cybersecurity strategy is an organization's plan to reduce business risk from cyber-attacks by maintaining confidentiality, integrity, and availability in all the organization's information systems and data.

The primary request of any organization or institution's Board of Directors (BOD) and C-level executives (C-LE) is for a robust, scalable, and agile cybersecurity strategy that enables business agility and sustainability. A robust cybersecurity strategy is critical for business operations as it protects against cyber risks and mitigates potential data breaches and other cyber threats to critical infrastructure and critical data. For a BOD member or a C-LE to fathom the value proposition of the organization's cybersecurity strategy, there must be invested accountability for how the business is aligned to the organization-level approach to cyber value, cyber compliance, cyber culture, and cyber resilience; all of this starts from the strategy. These are the precepts covered in the following chapters of the book.

THE VALUE PROPOSITION OF A CYBERSECURITY STRATEGY

Most executives' first thought is determining what the return on investment (ROI) is on investing in a cybersecurity strategy. The ROI is the total value of the cost of cyber breaches averted minus the cost of mitigating cyber risks. After reading the next chapter, you'll understand why this is often difficult to measure and learn how to calculate it better.

Beyond the ROI or net value, the absence or misalignment of a cybersecurity strategy prevents the board of directors or C-level executives from taking the subsequent strategic business risks that facilitate business growth and success in the foreseeable future. A cybersecurity strategy allows the organization to capture more value from its business model.

For example, suppose an organization's strategy is to grow through mergers and acquisitions (M&As). The cybersecurity strategy should mitigate any cyber risks that emerge with each new M&A while not losing focus on the current cyber risks. The organization's expansion and growth depend on the trust of existing and new consumers. The cybersecurity strategy should be in line with building the trust of its customers after the M&A, so that critical infrastructure and data are secure. A strategy in line with the business's objectives is the only assurance that enables the board of directors and C-level executives to take the business to the next level or the next innovative idea or concept. With that in place, executives can confidently answer the questions posed later in this chapter.

The primary concern of any executive in this realm should be a successful cyber-attack or security breach. Cyber-attacks have caused significant damage to businesses, affecting the bottom line, their business standing, and customer and consumer trust.

THE EXECUTIVE'S ROLE IN CYBERSECURITY STRATEGY

You may wonder why a cybersecurity strategy should be the first foundational precept for the BOD and C-LEs, as prescribed in this book. Most organizations' executives are not treating cybersecurity like any other strategic business decision. For a cybersecurity strategy to enable the business effectively and successfully, it has to be driven by the organization's leadership. A cybersecurity strategy that has the support of executive leadership invites an actionable strategy-centric approach and governance model that gives the right priority to cyber risk management. Members of the BOD and C-LEs need to start asking the right questions about cybersecurity strategy to make sure sufficient investments are made to minimize business disruptions from cyber risks. A cybersecurity strategy that is well articulated by the executive leadership will automatically align business strategy objectives and the organization's risk appetite. Some of the implications of ignoring cybersecurity strategy are listed below:

BOD and C-LE insecurities emerge from the lack of a cybersecurity strategy or plan, tailored to the organization's objectives and risk profile, to reduce cyber risks.

BOD and C-LE insecurities emerge from the absence or misalignment of the cybersecurity strategy relative to the business strategy. That absence or misalignment cripples the business's ability to be more innovative and remain sustainable for the foreseeable future while operating in an era of increasing cyber-attacks.

If you are a member of the BOD or a C-LE of an organization, you need to be able to articulate answers to these questions:

Does your organization have a cybersecurity strategy that's specific to the organization's core business?

Is the organization's cybersecurity strategy aligned to the business goals?

Does the cybersecurity strategy have adequate resources to mitigate risk within the organization's risk appetite and risk tolerance?

Does the cybersecurity strategy have adequate financial support to manage cyber risks against the critical assets?

Is the organization cyber-compliant with all laws and regulatory or industry-specific requirements?

How does the organization's cybersecurity strategy ensure that it can avoid, respond to, and recover from constantly changing cyber threats?

Has the organization integrated people, processes, and technology into its cybersecurity strategy?

The failure to clearly articulate a response to these and other questions invites business risk that would result in lost shareholder value, less consumer and customer trust, limited business growth, and more. No single strategy-centric approach to cybersecurity strategy is ideal for all business models; the cybersecurity strategy has to be one that suits your business. Given the rising prevalence of technology, software vulnerabilities, ransomware, and other vectors of cyber-attacks, it is imperative for cybersecurity strategy to be at the top of every executive's agenda. We live in a world of constant volatility, and if you take a vested interest in, and support, how your organization's cybersecurity strategy will cope with the continual change of cyber-attacks in both scale and complexity, you will enable your organization to achieve its business goals while managing cyber risk within the organization's risk appetite. Cybersecurity strategy enables BOD members and C-LEs to recognize and gain a high-level understanding of the potential impacts of, and losses due to, cyber risks, which have already affected operations, reputations, and revenues.

Potential Loss Due to Cyber Risks

Cyber-attacks can result in economic, reputational, and legal losses and problems. Let's look at each of these areas in more detail.

Economic Losses

Cyber-attacks often result in substantial financial losses arising from:

Theft of corporate information

Theft of financial information (e.g., bank details or payment card details)

Theft of money

A halt in business operations (e.g., inability to carry out transactions online)

Loss of business or contracts

Damage to a Corporation's Reputation

Trust is an essential element of the customer relationship. Cyber-attacks can damage a business's reputation and erode the trust of consumers and customers. This might lead to:

Loss of customers

Decrease in sales

Decrease in net revenue

Reputational damage can also affect suppliers and relationships with partners, investors, and other third parties vested in the business.

Legal Ramifications

Data protection and privacy rules require that executives oversee the security of any personal data handled or stored, whether on internal or external systems. If this data is compromised (inadvertently or on purpose) and the company has not implemented adequate cybersecurity controls, it may face regulatory penalties.

EXECUTIVE'S GUIDE TO CYBERSECURITY STRATEGY

There is no strategy without accountability and there is no accountability without leadership.

—John R. Childress, Chairman, PYXIS Culture Technologies Ltd.

The “Executive's Guide” sections in this book, like this one, provide details and foundational knowledge for executives so they can make informed, cost- and resource-effective investment decisions with their most senior cybersecurity executives, such as chief information security officers (CISOs), to limit the organization's cyber risk within the organization's risk appetite. Cybersecurity strategy is critical in enabling any organization to adopt a proactive approach to cyber risk management, as opposed to reacting to every new cyber-attack in hindsight, which can be costly and time-consuming. Whether an organization has an outdated cybersecurity strategy in place or is establishing its first one, executives can use these guide sections to understand why it is vital to support an effective and strategic cybersecurity plan.

Cybersecurity and Information Security

Cybersecurity is a popular topic these days, but what exactly does it mean? Cybersecurity refers to the collection of tools, policies, guidelines, risk-management techniques, activities, best practices, assurances, and technologies that companies use to secure the availability, integrity, and confidentiality of assets in linked infrastructures in government, private businesses, and individual settings.

These assets include connected computing devices, employees, infrastructure, applications, digital service providers, and citizens. The concept of cybersecurity is not as broadly accepted as that of information security. Some individuals believe the concepts are interchangeable, or that cybersecurity is either a subset or a superset of information security. Many believe that cybersecurity is simply a newer and perhaps more sophisticated version of traditional computer security, which NIST defines as:

The ability to protect or defend the use of cyberspace from cyber-attacks. —National Institute of Standards and Technology (NIST)4

This specific definition from NIST does not mention cyber risk or the need to deal with it. Cyber risk management is an essential aspect of prioritizing where an organization deploys its limited resources for its cybersecurity strategy.

A more straightforward and more helpful definition of a cybersecurity strategy is: “the actions, direct and indirect, an organization takes to reduce the risks of being connected to the Internet to a level acceptable to that organization.”

According to NIST, “Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide integrity, confidentiality, and availability.” By protecting information from cyber threats, you achieve three goals:

Confidentiality: You keep your secrets under control.

Integrity: Data is not corrupted.

Availability: You can see and use information whenever necessary.

Cybersecurity and Trust

One of cybersecurity's most popular terms is “zero trust.” The use of the word trust in cybersecurity can be confusing. Here is one way to think about this concept, according to Palo Alto Networks:5

Zero trust is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of digital interaction. Rooted in the principle of “never trust, always verify,” zero trust is designed to protect modern environments and enable digital transformation.

Cyber Risk Management

To clear any confusion on how the cybersecurity strategy and cyber risk management are related, the NIST6 outlines that “risk management is a fundamental principle of cybersecurity. It is the basis of the NIST Framework for Improving Critical Infrastructure Cybersecurity. Agencies of the US Government certify the operational security of their information systems against the requirements of the FISMA Risk Management Framework (RMF). The alternative to risk management would presumably be a quest for total security—both unaffordable and unachievable.”

There are various definitions of risk management across the cybersecurity industry's standards and publications. In this book, for the purpose of alignment with the next chapter, we focus on the FAIR definition:

Risk management is the process of achieving and maintaining an acceptable level of exposure to loss, within the context of an organization's objectives and constraints. —Jack Jones, Cofounder and Chairman of FAIR

Managing risks is a critical component of any business's cybersecurity strategy. Organizational systems, people, networks, and devices are all vulnerable. The business's services and operations, and even its customers, may be at risk. The more the business relies on a web presence, the more critical it is to identify and control the cyber risks that have the potential to impact the organization. Cyber threats—ranging from human errors to malicious attacks by hackers—can disrupt critical business operations or expose critical information. Cyber risk assessment involves identifying, analyzing, and