Description

Book Synopsis
Actionable guidance and expert perspective for real-world cybersecurity

The Cyber Risk Handbook is the practitioner's guide to implementing, measuring and improving the counter-cyber capabilities of the modern enterprise. The first resource of its kind, this book provides authoritative guidance for real-world situations, and cross-functional solutions for enterprise-wide improvement. Beginning with an overview of counter-cyber evolution, the discussion quickly turns practical with design and implementation guidance for the range of capabilities expected of a robust cyber risk management system that is integrated with the enterprise risk management (ERM) system. Expert contributors from around the globe weigh in on specialized topics with tools and techniques to help any type or size of organization create a robust system tailored to its needs. Chapter summaries of required capabilities are aggregated to provide a new cyber risk maturity model used to benchmark capabil

Table of Contents

Foreword by Ron Hale xxiii

About the Editor xxxi

List of Contributors xxxiii

Acknowledgments xxxv

CHAPTER 1 Introduction 1
Domenic Antonucci, Editor and Chief Risk Officer, Australia

The CEO under Pressure 1

Toward an Effectively Cyber Risk–Managed Organization 3

Handbook Structured for the Enterprise 4

Handbook Structure, Rationale, and Benefits 7

Which Chapters Are Written for Me? 8

CHAPTER 2 Board Cyber Risk Oversight 11
Tim J. Leech, Risk Oversight Solutions Inc., Canada
Lauren C. Hanlon, Risk Oversight Solutions Inc., Canada

What Are Boards Expected to Do Now? 11

What Barriers to Action Will Well-Intending Boards Face? 13

What Practical Steps Should Boards Take Now to Respond? 16

Cybersecurity—The Way Forward 20

About Risk Oversight Solutions Inc. 21

About Tim J. Leech, FCPA, CIA, CRMA, CFE 21

About Lauren C. Hanlon, CPA, CIA, CRMA, CFE 21

CHAPTER 3 Principles Behind Cyber Risk Management 23
RIMS, the risk management society™
Carol Fox, Vice President, Strategic Initiatives at RIMS, USA

Cyber Risk Management Principles Guide Actions 23

Meeting Stakeholder Needs 25

Covering the Enterprise End to End 26

Applying a Single, Integrated Framework 27

Enabling a Holistic Approach 28

Separating Governance from Management 31

Conclusion 31

About RIMS 32

About Carol Fox 32

CHAPTER 4 Cybersecurity Policies and Procedures 35
The Institute of Risk Management (IRM)
Elliot Bryan, IRM and Willis Towers Watson, UK
Alexander Larsen, IRM, and President of Baldwin Global Risk Services Ltd., UK

Social Media Risk Policy 35

Ransomware Risk Policies and Procedures 41

Cloud Computing and Third-Party Vendors 45

Big Data Analytics 50

The Internet of Things 53

Mobile or Bring Your Own Devices (BYOD) 55

Conclusion 60

About IRM 64

About Elliot Bryan, BA (Hons), ACII 65

About Alexander Larsen, FIRM, President of Baldwin Global Risk Services 65

CHAPTER 5 Cyber Strategic Performance Management 67
McKinsey & Company
James M. Kaplan, Partner, McKinsey & Company, New York, USA
Jim Boehm, Consultant, McKinsey & Company, Washington, USA

Pitfalls in Measuring Cybersecurity Performance 68

Cybersecurity Strategy Required to Measure Cybersecurity Performance 69

Creating an Effective Cybersecurity Performance Management System 72

Conclusion 77

About McKinsey & Company 78

About James Kaplan 78

About Jim Boehm 79

CHAPTER 6 Standards and Frameworks for Cybersecurity 81
Stefan A. Deutscher, Principal, Boston Consulting Group (BCG), Berlin Germany
William Yin, Senior Partner and Managing Director, Boston Consulting Group (BCG), Hong Kong

Putting Cybersecurity Standards and Frameworks in Context 81

Commonly Used Frameworks and Standards (a Selection) 84

Constraints on Standards and Frameworks 93

Good Practice Consistently Applied 93

Conclusion 94

About Boston Consulting Group (BCG) 95

About William Yin 96

About Dr. Stefan A. Deutscher 96

CHAPTER 7 Identifying, Analyzing, and Evaluating Cyber Risks 97
Information Security Forum (ISF)
Steve Durbin, Managing Director, Information Security Forum Ltd.

The Landscape of Risk 97

The People Factor 98

A Structured Approach to Assessing and Managing Risk 100

Security Culture 101

Regulatory Compliance 102

Maturing Security 103

Prioritizing Protection 104

Conclusion 104

About the Information Security Forum (ISF) 106

About Steve Durbin 106

CHAPTER 8 Treating Cyber Risks 109
John Hermans, Cyber Lead Partner Europe, Middle East, and Africa at KPMG, The Netherlands
Ton Diemont, Senior Manager at KPMG, The Netherlands

Introduction 109

Treating Cybersecurity Risk with the Proper Nuance in Line with an Organization’s Risk Profile 110

Determining the Cyber Risk Profile 111

Treating Cyber Risk 112

Alignment of Cyber Risk Treatment 114

Practicing Cyber Risk Treatment 115

Conclusion 119

About KPMG 120

About John Hermans 121

About Ton Diemont 121

CHAPTER 9 Treating Cyber Risks Using Process Capabilities 123
ISACA
Todd Fitzgerald, CISO and ISACA, USA

Cybersecurity Processes Are the Glue That Binds 123

No Intrinsic Motivation to Document 124

Leveraging ISACA COBIT 5 Processes 125

COBIT 5 Domains Support Complete Cybersecurity Life Cycle 137

Conclusion 139

About ISACA 140

About Todd Fitzgerald 141

CHAPTER 10 Treating Cyber Risks—Using Insurance and Finance 143
Aon Global Cyber Solutions
Kevin Kalinich, Esq., Aon Risk Solutions Global Cyber Insurance Practice Leader, USA

Tailoring a Quantified Cost-Benefit Model 143

Planning for Cyber Risk Insurance 149

The Risk Manager’s Perspective on Planning for Cyber Insurance 150

Cyber Insurance Market Constraints 152

Conclusion 154

About Aon 157

About Kevin Kalinich, Esq. 158

CHAPTER 11 Monitoring and Review Using Key Risk Indicators (KRIs) 159
Ann Rodriguez, Managing Partner, Wability, Inc., USA

Definitions 160

KRI Design for Cyber Risk Management 160

Conclusion 169

About Wability 169

About Ann Rodriguez 170

CHAPTER 12 Cybersecurity Incident and Crisis Management 171
CLUSIF, Club de la Sécurité de l'Information Français
Gérôme Billois, CLUSIF Administrator and Board Member, Cybersecurity at Wavestone Consultancy, France

Cybersecurity Incident Management 171

Cybersecurity Crisis Management 174

Conclusion 182

About CLUSIF 183

About Gérôme Billois, CISA, CISSP and ISO 27001 Certified 183

About Wavestone 183

CHAPTER 13 Business Continuity Management and Cybersecurity 185
Marsh
Sek Seong Lim, Marsh Risk Consulting Business Continuity Leader for Asia, Singapore

Good International Practices for Cyber Risk Management and Business Continuity 186

Embedding Cybersecurity Requirements in BCMS 188

Developing and Implementing BCM Responses for Cyber Incidents 189

Conclusion 190

Appendix: Glossary of Key Terms 191

About Marsh 191

About Marsh Risk Consulting 192

About Sek Seong Lim, CBCP, PMC 192

CHAPTER 14 External Context and Supply Chain 193
Supply Chain Risk Leadership Council (SCRLC)
Nick Wildgoose, Board Member and ex-Chairperson of SCRLC, and Zurich Insurance Group, UK

External Context 194

Building Cybersecurity Management Capabilities from an External Perspective 200

Measuring Cybersecurity Management Capabilities from an External Perspective 204

Conclusion 204

About the SCRLC 205

About Nick Wildgoose, BA (Hons), FCA, FCIPS 205

CHAPTER 15 Internal Organization Context 207
Domenic Antonucci, Editor and Chief Risk Officer, Australia
Bassam Alwarith, Head of the National Digitization Program, Ministry of Economy and Planning, Saudi Arabia

The Internal Organization Context for Cybersecurity 207

Tailoring Cybersecurity to Enterprise Exposures 209

Conclusion 240

About Domenic Antonucci 241

About Bassam Alwarith 241

CHAPTER 16 Culture and Human Factors 243
Avinash Totade, ISACA Past President UAE Chapter and Management Consultant, UAE
Sandeep Godbole, ISACA Past President Pune Chapter, India

Organizations as Social Systems 243

Human Factors and Cybersecurity 246

Training 248

Frameworks and Standards 249

Technology Trends and Human Factors 250

Conclusion 252

About ISACA 253

About Avinash Totade 253

About Sandeep Godbole 254

CHAPTER 17 Legal and Compliance 255
American Bar Association Cybersecurity Legal Task Force
Harvey Rishikof, Chair, Advisory Committee to the Standing Committee on Law and National Security, USA
Conor Sullivan, Law Clerk for the Standing Committee on National Security, USA

European Union and International Regulatory Schemes 255

U.S. Regulations 258

Counsel’s Advice and “Boom” Planning 261

Conclusion 266

About the Cybersecurity Legal Task Force 269

About Harvey Rishikof 269

About Conor Sullivan 270

CHAPTER 18 Assurance and Cyber Risk Management 271
Stig J. Sunde, Senior Internal Auditor (ICT), Emirates Nuclear Energy Corporation (ENEC), UAE

Cyber Risk Is Ever Present 271

What the Internal Auditor Expects from an Organization Managing Its Cyber Risks Effectively 272

How to Deal with Two Differing Assurance Maturity Scenarios 277

Combined Assurance Reporting by ERM Head 278

Conclusion 278

About Stig Sunde, CISA, CIA, CGAP, CRISC, IRM Cert. 280

CHAPTER 19 Information Asset Management for Cyber 281
Booz Allen Hamilton
Christopher Ling, Executive Vice President, Booz Allen Hamilton, USA

The Invisible Attacker 281

A Troubling Trend 282

Thinking Like a General 283

The Immediate Need—Best Practices 283

Cybersecurity for the Future 284

Time to Act 286

Conclusion 286

About Booz Allen Hamilton 287

About Christopher Ling 287

CHAPTER 20 Physical Security 289
Radar Risk Group
Inge Vandijck, CEO, Radar Risk Group, Belgium
Paul Van Lerberghe, CTO, Radar Risk Group, Belgium

Tom Commits to a Plan 290

Get a Clear View on the Physical Security Risk Landscape and the Impact on Cybersecurity 291

Manage or Review the Cybersecurity Organization 294

Design or Review Integrated Security Measures 295

Reworking the Data Center Scenario 299

Calculate or Review Exposure to Adversary Attacks 302

Optimize Return on Security Investment 305

Conclusion 306

About Radar Risk Group 307

About Inge Vandijck 307

About Paul Van Lerberghe 307

CHAPTER 21 Cybersecurity for Operations and Communications 309
EY
Chad Holmes, Principal, Cybersecurity, Ernst & Young LLP (EY US)
James Phillippe, Principal, Cybersecurity, Ernst & Young LLP (EY US)

Do You Know What You Do Not Know? 309

Threat Landscape—What Do You Know About Your Organization Risk and Who Is Targeting You? 310

Data and Its Integrity—Does Your Risk Analysis Produce Insight? 310

Digital Revolution—What Threats Will Emerge as Organizations Continue to Digitize? 311

Changes—How Will Your Organization or Operational Changes Affect Risk? 312

People—How Do You Know Whether an Insider or Outsider Presents a Risk? 312

What’s Hindering Your Cybersecurity Operations? 312

Challenges from Within 313

What to Do Now 313

Conclusion 318

About EY 319

About Chad Holmes 319

About James Phillippe 319

CHAPTER 22 Access Control 321
PwC
Sidriaan de Villiers, Partner—Africa Cybersecurity Practice, PwC South Africa

Taking a Fresh Look at Access Control 321

Organization Requirements for Access Control 322

User Access Management 323

User Responsibility 327

System and Application Access Control 327

Mobile Devices 329

Teleworking 331

Other Considerations 332

Conclusion 333

About PwC 334

About Sidriaan de Villiers, PwC Partner South Africa 334

CHAPTER 23 Cybersecurity Systems: Acquisition, Development, and Maintenance 335
Deloitte
Michael Wyatt, Managing Director, Cyber Risk Services, Deloitte Advisory, USA

Build, Buy, or Update: Incorporating Cybersecurity Requirements and Establishing Sound Practices 336

Specific Considerations 342

Conclusion 344

About Deloitte Advisory Cyber Risk Services 346

About Michael Wyatt 346

CHAPTER 24 People Risk Management in the Digital Age 347
Airmic
Julia Graham, Deputy CEO and Technical Director at Airmic, UK

Rise of the Machines 347

Enterprise-Wide Risk Management 348

Tomorrow’s Talent 350

Crisis Management 354

Risk Culture 355

Conclusion 356

About Airmic 358

About Julia Graham 358

CHAPTER 25 Cyber Competencies and the Cybersecurity Officer 359
Ron Hale, PhD, CISM, ISACA, USA

The Evolving Information Security Professional 359

The Duality of the CISO 360

Job Responsibilities and Tasks 363

Conclusion 366

About ISACA 368

About Ron Hale 368

CHAPTER 26 Human Resources Security 369
Domenic Antonucci, Editor and Chief Risk Officer, Australia

Needs of Lower-Maturity HR Functions 369

Needs of Mid-Maturity HR Functions 370

Needs of Higher-Maturity HR Functions 372

Conclusion 373

About Domenic Antonucci 374

Epilogue 375
Becoming CyberSmart™: A Risk Maturity Road Map for Measuring Capability Gap-Improvement
Domenic Antonucci, Editor and Chief Risk Officer (CRO), Australia
Didier Verstichel, Chief Information Security Officer (CISO) and Chief Risk Officer (CRO), Belgium

Background 375

Becoming CyberSmart™ 376

About Domenic Antonucci 392

About Didier Verstichel 392

Glossary 393

Index 399

The Cyber Risk Handbook

Price: £58.50

RRP: £65.00

Format: Hardback, by Domenic Antonucci


Publisher: John Wiley & Sons Inc
Publication Date: 20/06/2017
ISBN-13: 978-1119308805
ISBN-10: 1119308801
