The Cyber Risk Handbook - Domenic Antonucci - E-Book

Domenic Antonucci

Description

Actionable guidance and expert perspective for real-world cybersecurity

The Cyber Risk Handbook is the practitioner's guide to implementing, measuring, and improving the counter-cyber capabilities of the modern enterprise. The first resource of its kind, this book provides authoritative guidance for real-world situations and cross-functional solutions for enterprise-wide improvement. Beginning with an overview of counter-cyber evolution, the discussion quickly turns practical with design and implementation guidance for the range of capabilities expected of a robust cyber risk management system that is integrated with the enterprise risk management (ERM) system. Expert contributors from around the globe weigh in on specialized topics with tools and techniques to help any type or size of organization create a robust system tailored to its needs. Chapter summaries of required capabilities are aggregated to provide a new cyber risk maturity model used to benchmark capabilities and to road-map gap improvement.

Cyber risk is a fast-growing enterprise risk, not just an IT risk. Yet seldom is guidance provided as to what this means. This book is the first to tackle in detail those enterprise-wide capabilities expected by the Board, the CEO, and Internal Audit of the diverse executive management functions that need to team up with the Information Security function in order to provide integrated solutions.

* Learn how cyber risk management can be integrated to better protect your enterprise
* Design and benchmark new and improved practical counter-cyber capabilities
* Examine planning and implementation approaches, models, methods, and more
* Adopt a new cyber risk maturity model tailored to your enterprise needs

The need to manage cyber risk across the enterprise, inclusive of IT operations, is a growing concern as massive data breaches make the news on an alarmingly frequent basis. With a cyber risk management system now a business-necessary requirement, practitioners need to assess the effectiveness of their current system and measure its gap improvement over time in response to a dynamic and fast-moving threat landscape. The Cyber Risk Handbook brings the world's best thinking to bear on aligning that system to the enterprise and vice versa. Every functional head of any organization must have a copy at hand to understand their role in achieving that alignment.


Page count: 635

Year of publication: 2017




Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Australia, and Asia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers' professional and personal knowledge and understanding.

The Wiley Finance series contains books written specifically for finance and investment professionals as well as sophisticated individual investors and their financial advisors. Book topics range from portfolio management to e-commerce, risk management, financial engineering, valuation and financial instrument analysis, as well as much more.

For a list of available titles, visit our web site at www.WileyFinance.com.

The Cyber Risk Handbook

Creating and Measuring Effective Cybersecurity Capabilities

DOMENIC ANTONUCCI

Cover image: (top) © Toria/Shutterstock; (bottom) © deepadesigns/Shutterstock

Cover design: Wiley

Copyright © 2017 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

ISBN 9781119308805 (Hardcover)

ISBN 9781119309727 (ePDF)

ISBN 9781119308959 (ePub)

This book is dedicated to my wife Jenni, my son Nathan, my daughter Megan, and to the rest of my family.

CONTENTS

Foreword The State of Cybersecurity

The Global Cyber Crisis

The Time for Change

Increasing Cyber Risk Management Maturity

About ISACA

About Ron Hale

About the Editor

List of Contributors

Acknowledgments

Chapter 1: Introduction

The CEO under Pressure

Toward an Effectively Cyber Risk–Managed Organization

Handbook Structured for the Enterprise

Handbook Structure, Rationale, and Benefits

Which Chapters Are Written for Me?

Chapter 2: Board Cyber Risk Oversight: What Needs to Change?

What Are Boards Expected to Do Now?

What Barriers to Action Will Well-Intending Boards Face?

What Practical Steps Should Boards Take Now to Respond?

Cybersecurity—The Way Forward

Notes

About Risk Oversight Solutions Inc.

About Tim J. Leech, FCPA, CIA, CRMA, CFE

About Lauren C. Hanlon, CPA, CIA, CRMA, CFE

Chapter 3: Principles Behind Cyber Risk Management

Cyber Risk Management Principles Guide Actions

Meeting Stakeholder Needs

Covering the Enterprise End to End

Applying a Single, Integrated Framework

Enabling a Holistic Approach

Separating Governance from Management

Conclusion

Notes

About RIMS

About Carol Fox

Chapter 4: Cybersecurity Policies and Procedures

Social Media Risk Policy

Ransomware Risk Policies and Procedures

Cloud Computing and Third-Party Vendors

Big Data Analytics

The Internet of Things

Mobile or Bring Your Own Devices (BYOD)

Conclusion

Notes

About IRM

About Elliot Bryan, BA (Hons), ACII

About Alexander Larsen, FIRM, President of Baldwin Global Risk Services

Chapter 5: Cyber Strategic Performance Management

Pitfalls in Measuring Cybersecurity Performance

Cybersecurity Strategy Required to Measure Cybersecurity Performance

Creating an Effective Cybersecurity Performance Management System

Conclusion

Note

About McKinsey Company

About James Kaplan

About Jim Boehm

Chapter 6: Standards and Frameworks for Cybersecurity

Putting Cybersecurity Standards and Frameworks in Context

Commonly Used Frameworks and Standards (a Selection)

Constraints on Standards and Frameworks

Conclusion

Notes

About Boston Consulting Group (BCG)

About William Yin

About Dr. Stefan A. Deutscher

Chapter 7: Identifying, Analyzing, and Evaluating Cyber Risks

The Landscape of Risk

The People Factor

A Structured Approach to Assessing and Managing Risk

Security Culture

Regulatory Compliance

Maturing Security

Prioritizing Protection

Conclusion

Notes

About the Information Security Forum (ISF)

About Steve Durbin

Chapter 8: Treating Cyber Risks

Introduction

Treating Cybersecurity Risk with the Proper Nuance in Line with an Organization’s Risk Profile

Determining the Cyber Risk Profile

Treating Cyber Risk

Alignment of Cyber Risk Treatment

Practicing Cyber Risk Treatment

Conclusion

About KPMG

About John Hermans

About Ton Diemont

Chapter 9: Treating Cyber Risks Using Process Capabilities

Cybersecurity Processes Are the Glue That Binds

No Intrinsic Motivation to Document

Leveraging ISACA COBIT 5 Processes

COBIT 5 Domains Support Complete Cybersecurity Life Cycle

Conclusion

About ISACA

About Todd Fitzgerald

Chapter 10: Treating Cyber Risks—Using Insurance and Finance

Tailoring a Quantified Cost-Benefit Model

Planning for Cyber Risk Insurance

The Risk Manager’s Perspective on Planning for Cyber Insurance

Cyber Insurance Market Constraints

Conclusion

Notes

About Aon

About Kevin Kalinich, Esq.

Chapter 11: Monitoring and Review Using Key Risk Indicators (KRIs)

Definitions

KRI Design for Cyber Risk Management

Conclusion

Notes

About Wability

About Ann Rodriguez

Chapter 12: Cybersecurity Incident and Crisis Management

Cybersecurity Incident Management

Cybersecurity Crisis Management

Conclusion

About CLUSIF

About Gérôme Billois, CISA, CISSP and ISO27001 Certified

About Wavestone

Chapter 13: Business Continuity Management and Cybersecurity

Good International Practices for Cyber Risk Management and Business Continuity

Embedding Cybersecurity Requirements in BCMS

Developing and Implementing BCM Responses for Cyber Incidents

Conclusion

Appendix: Glossary of Key Terms

About Marsh

About Marsh Risk Consulting

About Sek Seong Lim, CBCP, PMC

Chapter 14: External Context and Supply Chain

External Context

Building Cybersecurity Management Capabilities from an External Perspective

Measuring Cybersecurity Management Capabilities from an External Perspective

Conclusion

About The SCRLC

About Nick Wildgoose, BA (Hons), FCA, FCIPS

Chapter 15: Internal Organization Context

The Internal Organization Context for Cybersecurity

Tailoring Cybersecurity to Enterprise Exposures

Conclusion

Note

About Domenic Antonucci

About Bassam Alwarith

Chapter 16: Culture and Human Factors

Organizations as Social Systems

Human Factors and Cybersecurity

Training

Frameworks and Standards

Technology Trends and Human Factors

Conclusion

Note

About Avinash Totade

About Sandeep Godbole

Chapter 17: Legal and Compliance

European Union and International Regulatory Schemes

U.S. Regulations

Counsel’s Advice and “Boom” Planning

Conclusion

Notes

About the Cybersecurity Legal Task Force

About Harvey Rishikof

About Conor Sullivan

Chapter 18: Assurance and Cyber Risk Management

What the Internal Auditor Expects from an Organization Managing Its Cyber Risks Effectively

How to Deal with Two Differing Assurance Maturity Scenarios

Combined Assurance Reporting by ERM Head

Conclusion

About Stig Sunde, CISA, CIA, CGAP, CRISC, IRM Cert.

Chapter 19: Information Asset Management for Cyber

The Invisible Attacker

A Troubling Trend

Thinking Like a General

The Immediate Need—Best Practices

Cybersecurity for the Future

Time to Act

Conclusion

About Booz Allen Hamilton

About Christopher Ling

Chapter 20: Physical Security

Tom Commits to a Plan

Get a Clear View on the Physical Security Risk Landscape and the Impact on Cybersecurity

Manage or Review the Cybersecurity Organization

Design or Review Integrated Security Measures

Reworking the Data Center Scenario

Calculate or Review Exposure to Adversary Attacks

Optimize Return on Security Investment

Conclusion

About Radar Risk Group

About Inge Vandijck

About Paul van Lerberghe

Chapter 21: Cybersecurity for Operations and Communications

Do You Know What You Do Not Know?

Threat Landscape—What Do You Know About Your Organization Risk and Who Is Targeting You?

Data and Its Integrity—Does Your Risk Analysis Produce Insight?

Digital Revolution—What Threats Will Emerge as Organizations Continue to Digitize?

Changes—How Will Your Organization or Operational Changes Affect Risk?

People—How Do You Know Whether an Insider or Outsider Presents a Risk?

What’s Hindering Your Cybersecurity Operations?

Challenges from Within

What to Do Now

Conclusion

About EY

About Chad Holmes

About James Phillippe

Chapter 22: Access Control

Taking a Fresh Look at Access Control

Organization Requirements for Access Control

User Access Management

User Responsibility

System and Application Access Control

Mobile Devices

Teleworking

Other Considerations

Conclusion

Notes

About Sidriaan de Villiers, PwC Partner South Africa

Chapter 23: Cybersecurity Systems: Acquisition, Development, and Maintenance

Build, Buy, or Update: Incorporating Cybersecurity Requirements and Establishing Sound Practices

Specific Considerations

Conclusion

Notes

About Deloitte Advisory Cyber Risk Services

About Michael Wyatt

Chapter 24: People Risk Management in the Digital Age

Rise of the Machines

Enterprise-Wide Risk Management

Tomorrow’s Talent

Crisis Management

Risk Culture

Conclusion

Notes

About Airmic

About Julia Graham

Chapter 25: Cyber Competencies and the Cybersecurity Officer

The Evolving Information Security Professional

The Duality of the CISO

Job Responsibilities and Tasks

Conclusion

Notes

About ISACA

About Ron Hale

Chapter 26: Human Resources Security

Needs of Lower-Maturity HR Functions

Needs of Mid-Maturity HR Functions

Needs of Higher-Maturity HR Functions

Conclusion

Notes

About Domenic Antonucci

Epilogue

Background

Becoming CyberSmart

Notes

About Domenic Antonucci

About Didier Verstichel

Glossary

Index

EULA

List of Tables

Chapter 1

Table 1.1

Chapter 3

Table 3.1

Chapter 9

Table 9.1

Chapter 11

Table 11.1

Chapter 12

Table 12.1

Chapter 14

Table 14.1

Chapter 15

Table 15.1

Table 15.2

Table 15.3

Table 15.4

Table 15.5

Table 15.6

Table 15.7

Table 15.8

Table 15.9

Table 15.10

Table 15.11

Table 15.12

Table 15.13

Table 15.14

Table 15.15

Table 15.16

Table 15.17

Table 15.18

Table 15.19

Table 15.20

Table 15.21

Table 15.22

Chapter 17

Table 17.1

Table 17.2

Chapter 18

Table 18.1

Chapter 25

Table 25.1

Epilogue

Table E.1

Table E.2

List of Illustrations

Chapter 1

Figure 1.1

Conceptualizing information security within the organization

Figure 1.2

How seven sets of capabilities work together

Chapter 2

Figure 2.1

Five lines of assurance

Figure 2.2

Risk status approach to assessment and treatment

Chapter 3

Figure 3.1

Risk management unifies processes

Chapter 5

Figure 5.1

Measuring progress against initiatives

Figure 5.2

DRA provides insight into cybersecurity capabilities

Figure 5.3

Measuring protection of most critical information Courtesy of John Greenwood of McKinsey & Co.

Chapter 7

Figure 7.1

Three types of insider threat identified by the Information Security Forum (ISF)

Figure 7.2

The six phases of the ISF IRAM2

Chapter 8

Figure 8.1

An organizational cyber risk profile

Figure 8.2

Selecting the right set of treatment measures

Figure 8.3

An integrated approach to cyber risk management

Figure 8.4

An overarching perspective over cyber risks requiring treatment

Chapter 10

Figure 10.1

Financial statement impact

Figure 10.2

Cyber risk impacts all quadrants

Figure 10.3

Asset value comparison: Property, plant and equipment (PP&E) versus information assets

Figure 10.4

Probable maximum loss (PML) value for PP&E versus information assets

Figure 10.5

Impact of business interruption

Figure 10.6

Information assets covered by insurance compared to PP&E

Figure 10.7

Optimal cyber insurance components

Figure 10.8

Cyber insurance placement minimum timings and steps

Chapter 11

Figure 11.1

Risk taxonomy for KRIs

Figure 11.2

KRI sample of dashboards and reports

Chapter 12

Figure 12.1

Cyber crisis management steps

Chapter 13

Figure 13.1

Conceptual overview of main cyber response components

Chapter 14

Figure 14.1

Top three causes of supply chain disruption

Figure 14.2

Origins of supply chain disruption

Chapter 16

Figure 16.1

The ISACA business model for information security (BMIS)

Figure 16.2

HIMIS methodology to reduce cyber risks that occur due to human mistakes.

Chapter 18

Figure 18.1

Combined assurance approach

Chapter 20

Figure 20.1

Tom’s plan to build a state-of-the-art physical security risk management system

Figure 20.2

How to identify physical security risk scenarios using seven key elements

Figure 20.3

Risk assessment stepped approach

Figure 20.4

Risk landscape heat map example

Figure 20.5

Tom’s RASCI plan for the physical security organization

Figure 20.6

“Typical” physical security design in three steps

Figure 20.7

Security zone model example

Figure 20.8

Typical security design example

Figure 20.9

Key objectives for security measures

Figure 20.10

Adversary path analyzer in four steps

Figure 20.11

The three points in time to mitigate an adversary attack

Figure 20.12

Adversary Sequence Diagram

Figure 20.13

Probability (p) factors for interrupting an adversary’s attack

Figure 20.14

Optimizing return on investment

Chapter 21

Figure 21.1

The big picture: How your organization can integrate and expand your cybersecurity protocol

Figure 21.2

Checklist of do’s and don’ts for getting started

Chapter 22

Figure 22.1

“The Global State of Information Security Survey 2016”

Chapter 23

Figure 23.1

Application life cycle and typical controls


Foreword The State of Cybersecurity

Ron Hale, ISACA, USA

If cybercrime were compared to other global criminal enterprises, it would rank fourth out of five high-impact crimes in terms of the cost as a percentage of the global gross domestic product (GDP). Only transnational crime (1.2 percent), narcotics (0.9 percent), and counterfeiting/piracy (0.89 percent) rank higher in terms of financial impact. Cybercrime, however, is pushing toward the top, representing 0.8 percent of the global GDP, according to a 2014 study conducted by the Center for Strategic and International Studies. While many may not be aware of the worldwide cost of cybercrime, enterprises everywhere are certainly feeling the consequences of intrusions and compromise. It is hitting the bottom line in corporate financial statements.

Cybercrime is also gaining the attention of legislators, regulators, and boards as reports of intrusions and their consequences are released on a daily basis. Everyone is becoming alarmingly aware of cybercrime, as it is constantly in the news. Cybercrime is also very personal, because each of us has probably had the experience of receiving notifications that our financial and other personal information may have been compromised in an attack. The incidence of cybercrime is eroding public trust as well.

The Global Cyber Crisis

We are in what can best be described as a global cyber crisis, and the future does not look promising. The June 2014 Center for Strategic and International Studies report estimated that the global impact of cybercrime was between $375 and $575 billion. As cyber incidents are frequently undetected and infrequently reported, it is difficult to arrive at a more accurate understanding of the extent of cybercrime. The Center’s best estimate is $445 billion, given that the four largest economies, the United States, China, Japan, and Germany collectively account for at least $200 billion of this amount.

Despite the lack of details on the extent of cybercrime, we know that it is having a significant negative impact on business and that, instead of slowing, cyber attacks are escalating at what could be considered an alarming rate. Even without verified and complete numbers, we calculate that the Internet economy generates between $3 trillion and $5 trillion globally and that cybercrime extracts between 15 percent and 20 percent of this value. The Center for Strategic and International Studies commented that cybercrime is a rapidly growing industry because of the high potential rate of return on investment and the low risk of detection and prosecution. Many legitimate enterprises would love to have the same economic opportunity that cybercriminals currently enjoy.

The April 2016 Internet Security Threat Report produced by Symantec highlights the extent of the cyber crisis. According to their analysis, 430 million new and unique pieces of malware were discovered in 2015. This represents an increase of 36 percent from the prior year. While this is a huge number, we know that malware does not go out of style in the underground cybercrime community. Attack tools and malicious code that were produced over the past several years are still commonly used and remain very effective. It is impossible to know the full extent of the library of malicious code that is either currently in use or available to hackers. The result, however, is that one-half billion personal records were either lost or stolen in 2015. This comes as the result of the known 1 million attacks that were launched against individuals each and every day in 2015. The state of cybersecurity can best be described as “hackers gone wild.” There seems to be no system that cannot be compromised and no information that is safe.

While the daily impact of cybercrime is alarming, the most significant impact cybercriminals can have is on emerging technologies and business activities. The history of cybercrime demonstrates that as technology advances, so, too, do attacks against systems and the resulting damage that attacks bring. We are in an early stage of global transformation where the combined impact of cloud computing, mobile technologies, big data, analytics, robotics, and the interconnected world of smart devices has the potential to change everything. We have seen demonstrations where self-driving cars can be compromised and hackers can access avionics systems in flight. We know that devices such as insulin pumps and pacemakers are vulnerable.

How can we expect advanced technology applications to be safe when technologies that we have relied on and that are business critical are not secure? The Symantec 2016 Internet Security Threat Report found that 78 percent of scanned web sites were vulnerable and that 15 percent had critical security flaws. The report also identified that zero-day vulnerabilities increased by 125 percent between 2014 and 2015. If a technology with which we have long-term experience, such as web site deployment, is so ill protected from even traditional attack mechanisms, how prepared can we expect to be against zero-day attacks and the even more insidious advanced persistent threats?

ISACA research recognizes that enterprises are more aware of the risk of advanced persistent threats (APTs) and are taking action to better manage this risk. Sixty-seven percent of respondents to the 2015 Advanced Persistent Threat Awareness survey were familiar or very familiar with APTs. Unfortunately, many organizations are relying on traditional defense and detection mechanisms, which may only be minimally effective against persistent threats. While Web intrusions resulting from configuration or other security lapses are possible and APTs are likely, there is a growing trend to attack mobile devices. The Symantec Threat Report indicated a 214 percent increase in mobile vulnerabilities in 2015.

While we see greater recognition of the cyber problem and its impact on business, this recognition does not by itself translate into better cyber defense. What is needed is a rethinking of how information and cybersecurity are governed, managed, and implemented: a more holistic, business-focused approach to cybersecurity, and recognition that cybersecurity is a business issue and not just a technical problem.

The Time for Change

The need to innovate, the accelerated integration of business and technology, the drive for better performance, and the exploitation of new technologies for business benefit can realistically happen only if cybersecurity is how business is done, instead of being addressed as an afterthought. While many organizations continue to see cybersecurity as a technical problem, we are beginning to see changes that will only enhance the effectiveness of cyber risk management.

The State of Cybersecurity: Implications for 2016, a joint research activity by the RSA Conference and ISACA, shows that cybersecurity is increasingly being seen as a business enabler. As organizations strive to become fully digital, and as they exploit benefits derived from emerging technology solutions, security must become a core organization capability involving all departments and not just information technology (IT). We see from the ISACA research that most boards of directors (82 percent) are concerned or very concerned about cybersecurity. Board concern should translate into action. A possible consequence of board attention is that most organizations have developed and are enforcing their cyber policies (66 percent) and are providing what security leaders believe is appropriate funding (63 percent). More importantly, perhaps, 75 percent of those responding to the survey indicated that their cyber strategy is now aligned with enterprise objectives.

Connecting cyber activities to business goals and aspirations is perhaps the most important element in becoming a cyber risk–managed organization. While many security leaders felt that they were adequately funded, board and executive leader attention is resulting in budget increases for 61 percent of the organizations participating in the study. Investments are necessary to do more than keep up with cyber threats. As cyber becomes integral to how new products, services, and capabilities are developed, additional funding is required. Participants in the ISACA/RSA survey reported that this additional funding will provide increased compensation for skilled cyber specialists, enhanced training, broader awareness activities, and more effective response and recovery planning.

Increasing Cyber Risk Management Maturity

Best-performing organizations, with more mature cyber risk management capabilities, share several common characteristics. They commonly:

Recognize the importance of cybersecurity and address it as a board issue and value enhancer.

Ensure that executive management is engaged in leading cyber efforts and support cybersecurity as a business issue.

Manage cyber risks within an enterprise risk management approach providing the necessary human and capital support for programs and initiatives.

Follow established cybersecurity standards or frameworks in building, managing, and monitoring the enterprise cyber program.

Continuously evaluate cybersecurity performance against business goals and objectives.

Track and report cybersecurity performance against the international standards and frameworks used to design and implement their program.

Fine-tune cybersecurity priorities and activities as enterprise needs and threats change.

What sets best-performing organizations apart from the crowd is that they address cybersecurity as an essential part of how products and services are designed and delivered. These organizations look at cybersecurity as an integral part of business that involves everyone from the board to computer users throughout the organization.

For those who recognize that cybersecurity is a business issue and that cyber risks need to be considered within the context of an enterprise risk management program, the consequences are significant. Best-performing organizations typically experience fewer incidents, the impact of incidents is less severe, and recovery times are quicker. More mature organizations, in summary, better manage cyber risk and are more resilient. Reaching this level of cyber preparedness and defense has been a challenge, however, since business leaders, who need to understand their role, did not have business-oriented guidance available to them. Information and cybersecurity have appeared as a technical issue and not a core part of how things are done and how the business operates. Value has been seen as coming from new products or the adoption of new technologies without connecting the need for protection with value enhancing business strategies.

The Cyber Risk Handbook changes this. It is written from the perspective of, and in a language that will resonate with, both technology and business unit leaders. It captures the elements of organization theory and design that have been shown to be essential in creating mature organizations that experience exceptional performance.

A major advancement in thinking that business executives will appreciate is found in the concept of the business model for information security, as presented in Figure 1.1 in our Introduction. This drawing demonstrates the essential elements found in every organization and the interconnectedness of these elements. Every organization can be described in terms of the organization structure, the people, the technology they leverage, and the processes that bind organization, people, and technology together to achieve business goals. What is less often considered is the importance of the culture connecting people within the organization, the human factors that need to be considered in making technology useful for both customers and staff, and the effectiveness of the technology design or architecture in supporting the business. Often missed in reference guides for cybersecurity practitioners and business leaders is the enabling power of governance in connecting organization design to processes, how technology needs to foster more effective processes, and how processes support business enablement through technology. The mature organization understands how these elements come together and how intrinsic they are to creating superior risk management capabilities.

Understanding cybersecurity as part of a system will lead boards and management to a better understanding of cyber defense within the organization and the components of the business that need to be energized to create the culture, structures, and programs required for an effective risk management system. While this understanding is essential, concepts need to be connected with concrete guidance. This is achieved in The Cyber Risk Handbook by leveraging COBIT 5: A Business Framework for the Governance and Management of Enterprise IT and COBIT 5 for Information Security. Of particular importance is the presentation of the seven COBIT 5 enablers, shown in Figure 1.2, and the use of these enablers as the guiding structure for The Cyber Risk Handbook. While cybersecurity leverages security technology, what separates mature organizations from others is the ability to effectively exploit the interconnectedness of security principles, processes, and frameworks with enterprise-wide processes, structures, culture and behavior, and services and infrastructures and to effectively integrate information as part of the enterprise risk management program.

In planning and executing attacks against organizations, hackers and adversaries often take a holistic approach. Hackers and adversaries are attackers that consider how best to overcome the significant defenses that organizations have constructed to protect their sensitive business and personal information as well as their critical resources. Attackers consider where there are avenues of weakness, understanding that the organization’s culture and behavior, as well as its services and applications, can become easy access paths for compromise instead of competent defenses. Creating convincing e-mail messages to entice users to open an attachment or visit an infected web site, or to disclose security credentials in response to a contrived message from the support desk, are frequent attack mechanisms that prove very successful. A mature risk-managed organization creates awareness that seemingly legitimate messages should not be trusted when they run counter to established processes, and its culture supports the idea that it is acceptable to question the legitimacy of a request.

The Cyber Risk Handbook provides a perspective of cybersecurity that breaks the barriers between those whose job is technology provisioning and administration and those who are responsible for business innovation, program development, and front-line customer support. It provides cybersecurity guidance that is understandable since it builds on common experience, demonstrating how cybersecurity can build on this experience to create a different outcome. The Cyber Risk Handbook will be an invaluable tool in helping organizations reach the level of cyber protection required to support their goals and objectives.

About ISACA

As an independent, nonprofit, global association, ISACA engages in the development, adoption, and use of globally accepted, industry-leading knowledge and practices for information systems. Previously known as the Information Systems Audit and Control Association, ISACA now goes by its acronym only, to reflect the broad range of IT governance professionals it serves. Incorporated in 1969, ISACA today serves 140,000 professionals in 180 countries. ISACA provides practical guidance, benchmarks, and other effective tools for all enterprises that use information systems. Through its comprehensive guidance and services, ISACA defines the roles of information systems governance, security, audit, and assurance professionals worldwide. The COBIT framework and the CISA, CISM, CGEIT, and CRISC certifications are ISACA brands respected and used by these professionals for the benefit of their enterprises.

About Ron Hale

Ron Hale, PhD, CISM is the chief knowledge officer at ISACA. He brings wide professional experience gained from serving as a forensic investigator, information security manager, security consultant, and researcher. In his current position he represents the professional and career needs of ISACA’s constituents across the professional areas of specialization ISACA represents. Ron was admitted to the Directorship 100 by the National Association of Corporate Directors (NACD) for his contributions to corporate governance. He has a master’s degree in criminal justice from the University of Illinois (United States) and a doctorate in Public Policy from Walden University (United States).

About the Editor

Domenic Antonucci is a practicing international chief risk officer overseeing cybersecurity and a former counterterrorist intelligence officer. An Australian expatriate based in Dubai UAE, Domenic specializes in bringing capabilities within organization risk management systems “up the maturity curve” for enterprise and program and for specialized risks such as cybersecurity. Formerly with Marsh, Shell and Red Cross, he enjoys over 35 years’ experience in risk, strategic planning, and business management consulting across many sectors in Europe, Africa, Middle East, Asia, and Australia-Pacific. A Specialist with IRM (SIRM), he is a certified ISO 31000 ERM lead trainer and BCMS business continuity lead implementer as well as a former RMP-PMI risk management professional and PMP project management professional. A regular international conference presenter and author, he is the content author for risk maturity model software called Benchmarker™ and the author of the book Risk Maturity Models: Assessing Risk Management Effectiveness.

List of Contributors

Mete Bireciki

June Chambers

Andrew Cox

Nicola Crawford

Paul Dwyer

Baris Ekdi

Jennifer Friedberg

Mary E. Galligan

Ron Hale

Nicole Hockin

Waqas M. Hussain

Scott Krugman

Ian Livesy

Malcolm Marshall

Asha Nair

Pam Randall

Victoria Robinson

George M. Shaw

Nagesh Suryanarayana

Bob Sydow

Clive Thompson

Marcus Turner

Carolyn Williams

Caroline Woolley

Acknowledgments

A big thanks to Stig Sunde, a senior audit professional who never tired of my endless questions. My bigger thanks go to my wife Jenni for her forbearance and support, as well as to my editors, Tula, Christina, and Vincent, for their trust and enthusiasm.

All my contributor-authors deserve applause for “volunteering” to contribute to this handbook, especially as they were all so pressed for time and came from all parts of the globe. We did not want to just throw together a loose collection of white papers but to strive toward a cogent enterprise-wide handbook with a story and solutions. I know that for some authors, their initial cynicism grew into trust and support, while for a few, the task turned into hard and disciplined work as I pushed back for revision after revision.

Some of those contributor-authors deserve my special mention for going “above and beyond” in assisting me as editor. These include Ron Hale in the United States, Didier Verstichel in Belgium, and Bassam Alwarith in Saudi Arabia. To all, I tip my hat.

Chapter 1 Introduction

Domenic Antonucci, Editor and Chief Risk Officer, Australia

The CEO under Pressure

Tom is sitting at his chief executive officer’s desk staring into his early-morning coffee cup. His chairperson, Tara, has just reminded him that he has only one day before he must personally present to the board regarding his organization’s cyber risk management capabilities. “Also, include an assessment of how effective our cyber risk management is across all our enterprise-wide operations—not just IT,” she added.

Tom has never presented on cyber before. He had delegated such matters in the past to his chief information officer (CIO). Tom struggled to remember his last internal briefing on the matter. He was aware that they had recently hired a chief information security officer (CISO) with a focus on cybersecurity, who reported to him directly. Tom started to protest, “Tara, my CISO or CIO can present …” but was interrupted: “No, you own cybersecurity, we oversee it alongside the board. By ‘system,’ I don’t mean our IT approach, I mean our whole-of-organization capabilities to manage cyber threats.”

Noting the dazed look on Tom’s face, Tara gave Tom a tip. “Tom, cyber risk is not just an IT risk, it is an enterprise, strategic, commercial, and organization-wide risk. We at the top are accountable. You’ve introduced our first enterprise-wide risk management (ERM) system together with a risk maturity strategy and risk maturity model to assess and measure how we are improving the ERM system over time. Fine. But cyber risk is now an urgent priority and the specific capabilities required are a subset of the enterprise risk management system. You need to integrate the two. I suggest you dedicate your whole day today to having your team define the right set of capabilities in cyber risk management that our organization needs and how we can measure them. The board expects to see your road map first thing tomorrow.”

The Need for a Cyber Risk Handbook

“But what is the board worrying about, Tara?” Tom quizzed. Tara paused, “Cyber threats, social media, mobile devices, massive data storage, artificially intelligent products, the Internet of Things (IoT), privacy requirements, and continuity of our business-as-usual—and more. These require heavy information security measures and organization capabilities. Tom, I’m going to leave you with a couple of recent survey results and you’ll understand what our board is worrying about. Read the highlights.”

Tom picked up the two reports and read the highlights.

Eighty-eight percent of companies don’t believe their information security fully meets their organization’s needs … Sixty-nine percent of businesses recognize that they should be spending more on cybersecurity than they currently do, and learning about making the most of that essential investment is critical.

—EY’s Global Information Security Survey 2015: “Creating Trust in the Digital World,” www.ey.com/giss

In November and December 2015, the ISACA and RSA Conference conducted a global survey of 461 cybersecurity managers and practitioners. Survey participants confirmed that the number of breaches targeting organizational and individual data continues to go unchecked and the sophistication of attack methodologies is evolving. The current state of global cybersecurity remains chaotic, the attacks are not expected to slow down, and almost 75 percent of respondents expect to fall prey to a cyber attack in 2016. Cybercriminals are the most prevalent attackers and continue to employ social engineering as their primary initial attack vector. … Eighty-two percent of security executives and practitioners participating reported that boards are concerned or very concerned about cybersecurity.

—Text from ISACA Report, March 2016. Source: State of Cybersecurity: Implications for 2016 ©2016 ISACA. All rights reserved. Used by permission.

“So, how do you suggest I start?” queried a concerned Tom. As she left the room, Tara looked back and said simply, “Get the perspectives of all your organization functions as they are all stakeholders for cyber risk, and not just your information security guys. Pull together an enterprise playbook to cover what they need to create and measure effective cybersecurity capabilities. Call it your cyber risk handbook.”

Toward an Effectively Cyber Risk–Managed Organization

Cyber risk is not new. It has been around since the start of the digital age, but cyber threats to organizations are now growing in scale and sophistication at an unprecedented rate due to advancing technologies, criminal and state-level avarice, and changing work practices (such as big data, remote access, cloud computing, social media, and mobile technology). There is increasing media and insurance industry attention. This is spotlighting high-profile and highly disruptive and damaging security breaches. These threaten financial, physical, and reputation damage across critical organization (and state) infrastructures.

Cyber risk is now widely regarded as a top risk for organizations, and the top risk for many. Organization vulnerability across all sectors is increasing. The do-nothing option is increasingly becoming unrealistic. This is due to legislative, corporate, national security, and regulatory requirements to demonstrate that organizations are protecting sensitive information and digital assets (i.e., any equipment which contains a microprocessor) as well as managing their internal cyber risk management system effectively.

There is no internal or external consensus among cybersecurity agents (the “Goodies”) on which set of clear and specific organization capabilities represent an “effectively cyber risk–managed organization”—one that is sustainably resilient against cybersecurity threat agents (the “Baddies”). This calls for clarity regarding specific internal enterprise-wide capabilities in cybersecurity.

Effectiveness Is All About Doing the Right Things

Tom is our handbook’s fictional protagonist, but he is representative of an organizational leader. Tom returns at the start of each chapter and elsewhere to help pull together our developing journey and to emphasize the need for an enterprise-wide and integrated approach to cyber risk management maturity and effectiveness for the modern organization. Today, nothing should be stopping an organization moving up the cyber risk maturity curve—a curve that is dynamically changing all the time as cyber threats increase and transform themselves. Our epilogue explains our maturity approach in greater detail.

While efficiency is about “doing things right,” effectiveness is all about “doing the right things.” That means the modern challenge for any organization is keeping up with the right capabilities to protect the digital enterprise against faster-paced threat agents.

This handbook sets about normalizing cyber risk as enterprise risk and its risk management system as a subset of the ERM system. It represents a call to arms from the functional perspectives of the CEO and all organization managers—not just the IT department—to understand how they must work together as a team, and how they must together play their part in building and measuring a constantly improving right set of capabilities needed to deliver ongoing and fast cyber risk management effectiveness.

This handbook arms the CEOs, functional managers, and front and support lines of a modern organization with a reference guide devoted to the specific subject of integrating a cyber risk management system and cyber risk maturity at the digital enterprise level.

Handbook Structured for the Enterprise

Conceptualizing Cybersecurity for Organization-Wide Solutions

Tom is realizing that information security and organizations are inextricably interwoven today. Cyber attacks and data breaches are not just IT risks. They are enterprise-wide risks requiring joint solutions across nearly all organizational functions. To help unify his approach with his team members, Tom penciled a diagram. This conceptualized how cybersecurity did not just sit in one corner under technology but was part of an interrelated triangle with the organization at the top. See Figure 1.1.

Figure 1.1 Conceptualizing information security within the organization

Source: The Business Model for Information Security ©2010 ISACA. All rights reserved. Used with permission.

Theming the Right Set of Capabilities

Tom was well aware of his existing organization chart and how his team worked by function under him. He regarded his functional heads as the strategic drivers working as a team to build the combined right set of capabilities needed to protect the digital enterprise.

Drivers in turn need enablers. Tom did not want to reinvent any wheels. So on the advice of his CISO and CIO, Tom adapted the COBIT 5 enablers to the information security process as a way to theme and modularize the right set of cyber risk management capabilities he wanted to define and measure. COBIT 5 is an information security management system (ISMS) backed by ISACA, an international professional association serving a broad range of IT governance professionals, and is a framework accepted by many assurance and governance professionals.

Tom now had seven parts for his handbook, representing the seven sets of capabilities he wanted to build and measure. As adapted from COBIT 5 Framework (ISACA®, Cobit 5® An ISACA® Framework: A Business Framework for the Governance and Management of Enterprise IT, USA, 2012), Figure 1.2 visualizes how the seven capability sets work together in a sequential way that Tom could take to his managers (rather than the holistic way of Figure 1.1).

Figure 1.1 begins with principles, policies, and frameworks as mechanisms acting as hand-rails guiding desired behavior for day-to-day management (see handbook chapters 1 to 6 and our epilogue). Processes describe an organized set of practices and activities to achieve certain objectives and produce a set of outputs in support of achieving cybersecurity objectives aligned to enterprise objectives (see chapters 7 to 13). Organizational structures are the key decision-making entities in an enterprise (see chapters 14 to 15). Culture, ethics, and behavior of individuals and of the enterprise are a key success factor in governance and management activities (see chapters 16 to 18). Information is organization pervasive and includes all information produced and used by the enterprise. Information is not only required to keep the organization running and well governed, but is often the key product of the operational enterprise (see chapter 19). Services, infrastructure, and applications include the infrastructure, technology, and applications that provide the enterprise with information technology processing and services (see chapters 20 to 23). People, skills, and competencies are linked to people and are required for successful completion of all activities and for making correct decisions and taking corrective actions (see chapters 24 to 26).

Figure 1.2 How seven sets of capabilities work together

Source: COBIT 5 ©2012 ISACA. All rights reserved. Used by permission.

Enterprise Functions Together Drive the Right Set of Capabilities

Over that long day collating contributions from all his team, Tom’s handbook was able to make sense and unify his team’s contributions into chapters under these seven parts. It enabled him to matrix out not only who in the future should be responsible for which capability, but who should be accountable, supported, consulted, and informed as well. Tom’s RASCI Matrix can be found in Chapter 15, “Internal Organization Context.”

Cyber Risk Maturity Model Measures Improvements in Capabilities

Tom’s handbook ended up with 26 chapters and an epilogue. Each chapter concluded with a capability statement succinctly describing the set of capabilities required. In this way, the organization could understand what cybersecurity meant—not just the IT or cyber technical specialists.

By collating each capability title into a cyber risk maturity model, Tom was able to assess an overall index score (see epilogue). This then could be integrated into the chief risk officer’s ERM-level risk maturity model, which held one entry for an overall cyber risk management capability. Tom was now ready to present to his board how he was going to build and measure effective cybersecurity capabilities.

Handbook Structure, Rationale, and Benefits

I am a practicing chief risk officer with cyber and enterprise risk management experience stewarding the needs of organizations sitting anywhere along the risk maturity curve. My emphasis in this handbook is less on which idealistic capabilities are required at the top of the cyber risk maturity curve and more on what it takes to move up this ever-moving curve for nontechnical managers. These are addressed by interrelated chapters each written by a different subject matter expert. These capabilities are then collated in an epilogue to form a new cyber risk maturity model for adaptation and ongoing measurement by any organization.

The overall handbook structure is designed to offer several advantages and unifying approaches for enterprise leaders and managers.

Balance and Objectivity

First, it is an edited book based on robust chapter contributions by many types of subject matter experts from around the world. This imparts more overall balance and objectivity from an enterprise perspective to the cybersecurity domain than a single or technical author work may provide.

It is focused on threats to organizations. While the target audience for this handbook is not state-sponsored or military-sponsored cyber agencies, this is not to say that organizations should not factor these agencies as their own sources of risk (and perhaps opportunity?). It is focused on the nontechnical approach to cyber threats directed against organizations of any type, be they for-profits, not-for-profits, or nongovernmental organizations (NGOs)—not just large corporations. It is focused on the globalization of cyber risk, bringing together varying perspectives from an array of subject-matter chapter contributors originating from not just the United States but many countries, including (in alphabetical order): Australia, Belgium, Canada, France, Germany, Hong Kong, India, Italy, Norway, Saudi Arabia, Singapore, South Africa, the Netherlands, United Arab Emirates, and United Kingdom. Chapter contributors also represent not just IT/cybersecurity backgrounds but a wide variety of functional backgrounds in risk management, insurance, finance/accounting, supply chain, and internal audit. Moreover, they represent the varying perspectives of the major consulting firms, professional institutes, and associations. The “About” sections at the end of each chapter attest to the diverse experience the chapter contributors bring to bear.

Enterprise-wide Comprehensiveness

Second, the seven parts guiding the chapters take an enterprise-wide approach to cyber risk content. This helps non-IT managers to understand cybersecurity but also helps IT managers understand how all enterprise managers need to work together. It treats the cyber risk management system as a subset to the modern enterprise risk management system (ERM) in nontechnical language more familiar to non-IT managers. ISO 31000:2009, Risk management—Principles and guidelines is the leading risk management global standard and the standard that is becoming central to, or the “umbrella” for, all ISO standards. This includes those relevant to cyber and information security. Those familiar with ISO 31000 can easily “cross-walk” from our chapter structure to the standard (see Chapter 3, “Principles behind Cyber Risk Management”).

Moving Up the Risk Maturity Curve

Third, enterprise risk managers are familiar with risk maturity strategy (ISO 31000 annex A) and risk maturity models, just as IT professionals are with the capability maturity models that have been around since the late 1980s. So collating the handbook’s contents into one cyber risk maturity model in our epilogue is a proven methodology to road-map and measure gap-capability improvement over time.

Which Chapters Are Written for Me?

Fourth, the handbook structure aggregates a growing accumulation of organization cybersecurity capabilities, chapter by chapter. This is handy for a reader with a particular functional or other perspective who may scan the handbook content more easily for the pertinent part they want to find at the time. It also lends itself to broader management uptake and on-boarding from a handbook than purely a process focus or an IT focus or technical focus, or a loose collection of best practices or case studies.

Managers in modern organizations complain they are time poor. To help readers from different organization functions zero in on key chapters and content that are likely to be of immediate interest to them, we offer Table 1.1, an alternative to the table of contents. Readers who self-identify by a function—whether as a CEO or in operations—may use the key in Table 1.1 to go directly to the chapters of likely interest to them, if not written for them.

Table 1.1 Chapters Listed by Interest to Functional Type in Alphabetical Order

Functional type | Go to chapters … | Also see …
Audit Committee | 01 Introduction; 02 Board cyber risk oversight; 18 Assurance | Epilogue & Ch 15 RASCI Tables 15.3 to 15.7
Board | 01 Introduction; 02 Board cyber risk oversight; 17 Legal and compliance; 18 Assurance; all chapter introductions | Epilogue & Ch 15 RASCI Tables 15.3 to 15.7
Business Continuity | 13 Business continuity management | Epilogue & Ch 15 RASCI Tables 15.3 & 15.15
CEO | 01 Introduction; 05 Cyber strategic performance; 02 Board cyber risk oversight; 11 Monitoring & review - KRIs; 17 Legal and compliance; 18 Assurance; all chapter introductions | Epilogue & Ch 15 RASCI Tables, all tables
Compliance | 17 Legal and compliance; 18 Assurance | Epilogue & Ch 15 RASCI Tables 15.3 & 15.17
Corp. Comms. | 12 Cybersecurity incident and crisis management | Epilogue & Ch 15 RASCI Tables 15.3 & 15.22
Finance | 10 Treating cyber risks using insurance and finance | Epilogue & Ch 15 RASCI Tables 15.3, 15.13 & 15.16
Human Resources | 15 Internal context; 16 Culture and human factors; chapters 22, 24, 25 & 26 | Epilogue & Ch 15 RASCI Tables, all tables
Info. Security | All | Epilogue & Ch 15 RASCI Tables, all tables
Info. Technology | 15 Internal organization context; chapters 19 to 23 | Epilogue & Ch 15 RASCI Tables 15.3 & 15.8
Insurance | 10 Treating cyber risks using insurance and finance | Epilogue & Ch 15 RASCI Tables 15.3 & 15.13
Internal Audit | 02 Board cyber risk oversight; 15 Internal context; 18 Assurance | Epilogue & Ch 15 RASCI Tables 15.3 to 15.6
Legal | 17 Legal and compliance | Epilogue & Ch 15 RASCI Tables 15.3 & 15.17
Operations | 14 External context and supply chain | Epilogue & Ch 15 RASCI Tables 15.3, 15.15, 15.19 & 15.20
Risk | All | Epilogue & Ch 15 RASCI Tables, all tables
Security | 20 Physical security | Epilogue & Ch 15 RASCI Tables 15.3 & 15.14
Strategy | 05 Strategic performance; 11 Monitoring and review—KRIs | Epilogue & Ch 15 RASCI Tables 15.3 & 15.18
Supply Chain | 14 External context and supply chain | Epilogue & Ch 15 RASCI Tables 15.3, 15.15, 15.19 & 15.20

Chapter 2 Board Cyber Risk Oversight: What Needs to Change?

Tim J. Leech, Risk Oversight Solutions Inc., Canada; Lauren C. Hanlon, Risk Oversight Solutions Inc., Canada

The introduction to this book opens with a succinct statement from Tara to Tom, the CEO who has attempted to delegate accountability for responding to the board’s request for a cybersecurity road map to his chief information security officer. Tara told Tom: “No, you own cybersecurity; we oversee it alongside the board . . . I don’t mean our IT approach, I mean our whole-of-organization capability to manage cyber threats.” This type of clarity and direction to CEOs is relatively new, but one that is gaining traction globally.

From a pragmatic perspective, the key question well-intending boards need to be asking is “what specifically do we and the organization’s CEO need to do differently to meet these new cybersecurity expectations?” The problem they will immediately confront is a veritable ocean of advice on how to do this. This chapter focuses on the following three questions: (1) what are boards expected to do now?; (2) what barriers to action will well-intending boards face?; and (3) what practical steps should boards and organizations take now to respond? Be warned, however; the steps proposed in this paper are a radical departure from status quo thinking.

What Are Boards Expected to Do Now?

The first short answer is the frustrating and quite common “It depends.” It depends on what country your organization is in, the focus and approach of regulators in that country, the business sector the organization is in, the evolution of legal duty of care, the frequency of major governance crises linked to cybersecurity breaches, the culture of the organization, and more.

For busy directors, new expectations and calls for change are often best received and embraced when the communication comes from other board members. In 2014 the National Association of Corporate Directors (NACD) in the United States recognized the emerging need for director guidance following a flurry of major scandals involving breaches of information technology (IT) security. The NACD produced a well-researched, readable, and succinct “Cyber Risk Oversight” guide. This report is available without charge by registering at https://www.nacdonline.org/cyber.

The NACD guidance distilled what the authors believe directors should do to five core principles:

Directors need to understand and approach cybersecurity as an enterprise risk management (ERM) issue, not just an IT issue. (Authors’ note: This is the key principle.)

Directors should understand the legal implications of cyber risks as they relate to their organization’s specific circumstances.

Boards should have adequate access to cybersecurity expertise, and discussions about cyber risk management should be given regular and adequate time on the board meeting agenda.

Directors should set the expectation that management will establish an enterprise-wide cyber risk management framework with adequate staffing and budget.

Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.


The board should define the risk appetite for the organization and approve the likelihood and impact scale at the enterprise level. The board may be involved in the insurance aspect, depending on the contract value and possibly the choice of the insurer. Then it is up to management to address the risks that are above the threshold.

For those directors willing to invest more time skilling up on cybersecurity, the U.S. government has produced the widely acclaimed “Framework for Improving Critical Infrastructure Cybersecurity” version 1.0. It is important to note that the U.S. National Institute of Standards and Technology (NIST) IT security framework does not emphasize the key role of the board of directors. Unlike some other more silo-leaning IT security guides, the NIST framework does promote the need to see cybersecurity as a subset of ERM. It proposes a cybersecurity maturity framework linked to risk management and what NIST calls an “integrated risk management program.” Unfortunately, the NIST guidance doesn’t give much practical advice on how to transition IT security assessments from what is often a silo-based approach to one that is fully integrated with an effective enterprise risk management framework.

The Short Answer

A quick scan of global developments confirms that, although the specific answer to the question will evolve over time on a country-by-country and sector basis, the answer can be summarized simply as “a lot more.” However, the central message in this chapter is that it should not be “a lot more of the same,” referring to the siloed, specialist-driven approach in use in a large percentage of organizations today. Cyber risk management and assurance needs to be reengineered globally.

What Barriers to Action Will Well-Intending Boards Face?

Most boards will face difficulty as they attempt to address cyber risk management. The five main categories of barriers to action can be identified as follows:

Lack of senior management ownership of IT security.

Failure to link cybersecurity assessments to key organization objectives.

Omission of cybersecurity from entity-level objectives and strategic plans.

Too much focus on internal controls.

Lack of reliable information on residual risk status.

These barriers are discussed in further detail in the following sections.