
Executive’s Guide to Cyber Risk

Securing the Future Today

Siegfried Moyo

Copyright © 2022 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permission.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data

Names: Moyo, Siegfried, author.

Title: Executive’s guide to cyber risk : securing the future today / Siegfried Moyo.

Description: First edition. | Hoboken, New Jersey : Wiley, [2022] | Includes bibliographical references and index.

Identifiers: LCCN 2022013196 (print) | LCCN 2022013197 (ebook) | ISBN 9781119863113 (cloth) | ISBN 9781119863137 (adobe pdf) | ISBN 9781119863120 (epub)

Subjects: LCSH: Data protection. | Computer security. | Computer networks—Security measures. | Management information systems. | Computer crimes—Risk assessment.

Classification: LCC HF5548.37 .M68 2022 (print) | LCC HF5548.37 (ebook) | DDC 658.4/78—dc23/eng/20220525

LC record available at https://lccn.loc.gov/2022013196

LC ebook record available at https://lccn.loc.gov/2022013197

Cover Design: Wiley

Cover Image: © ismagilov/Getty Images

To everyone around the globe—no matter where they are—who is tirelessly working toward creating a cyber-secure future starting today.

Contents

Foreword ix

Preface xi

Acknowledgments xv

About the Author xvii

Chapter 1: Cyber Strategy: The Strategy-Centric Approach 1

Chapter 2: Cyber Value: The Value-Centric Approach 17

Chapter 3: Cyber Compliance: The Compliance-Centric Approach 31

Chapter 4: Cyber Culture: The Human-Centric Approach 41

Chapter 5: Cyber Resilience: The Technology-Centric Approach 57

Appendix A 73

Appendix B 95

Appendix C 99

Appendix D 107

Appendix E 109

Index 177

Foreword

CYBERSECURITY IS, IN MY mind, one of the most serious issues facing the sustainability of the global economy, institutions, and society at large. Everyone, and increasingly everything, is connected through information technology. Our everyday life activities are dependent upon technology. Working from home and on the move has exacerbated the vulnerability of our platforms and poses significant challenges to CISOs that technology alone cannot solve.

Today, our digital technology systems are under attack from rogue hackers, cybercriminal gangs, and nation-sponsored cyber terrorists. No one is immune. Banks, hospitals, schools, and city governments are hacked; emails are compromised; and even the CIA has been hacked. And cybersecurity is critical to our ability to successfully tackle climate change, food scarcity, poverty, and global stability.

Most cybersecurity detection and prevention efforts concentrate on technology solutions as the primary line of defense. While information technology professionals are constantly upgrading their knowledge and cyber defense skills, many business executives, managers, and employees have a rudimentary understanding of what constitutes effective cybersecurity. This book aims to change that.

Siegfried Moyo is a hands-on cybersecurity professional deeply concerned about the lack of cybersecurity awareness and skills in today’s global businesses. Like myself, he believes that every employee, and especially board directors and executives, needs to step up and take active accountability for protecting themselves and their organization. But accountability requires awareness, not just of the technical issues involved, but the organizational, infrastructure, and cultural issues that are the backbone of a cyber-safe organization.

This book is written especially for board directors and executives to help improve their understanding, awareness, and ability to effectively manage cybersecurity risks. After a short introduction to cybersecurity, chapters focus on understanding cyber risk, the importance of a well-crafted and communicated cybersecurity strategy, and the cultural and business factors that enable enterprise-wide cybersecurity.

Irrespective of your level of understanding of cybersecurity, this book will give you a holistic view of cyber risk management from a business perspective.

Preface

THE PURPOSE OF THIS BOOK

In this book, I describe what I believe to be the five fundamental cyber risk management precepts that are critical for any organization business executive to understand to achieve their business goals and objectives. We are in an era of increasingly successful cyber-attacks that allow cybercriminals or hackers to steal, manipulate, or destroy critical data, or disrupt business operations by compromising critical infrastructure in businesses. To fight successfully against malicious intent, it’s imperative that executives understand fundamental principles at a high level so they can prioritize cyber risk like any other business risk.

The goal of this book is to explain these five foundational precepts in non-technical terms so that the members of the Board of Directors (BOD) and C-Level executives (C-LEs) can continue to help their businesses prosper despite this era of ongoing cyber-attacks.

As I reflect on the past decade, every organization of any size, and every industry of any magnitude, public or private, has been exposed to a fear characterized by uncertainty and a possibly bleak future. Economic challenges are driven by the proximity of market forces and by cyber risks that expose the organization to sudden, unforeseen cyber-attacks.

The world of cyber-attackers is not sitting still. Daily, organizations face a whole new set of cyber-attacks, some of which may not even exist yet. Currently, organizations often lack focus because the BOD, the shareholders, and the executives, whose support they rely on, may not adequately comprehend the basic precepts of cyber risk management, even though they have a direct impact on the organization’s vision, objectives, and goals.

In a world of faster technology cycles and instant digitalization, board members and executives need to be more agile, collaborative, and forward-looking in regard to cyber risk management. Leaders of organizations should be able to articulate the basic and intrinsic knowledge of cyber risk management within the business realm or in their purviews.

There is an urgent need for the leaders of every organization to understand the key aspects of cyber risk management. Such knowledge is critical to an organization’s future and ongoing success. Every organization needs forward-thinking precepts in order to achieve its vision and ease its decision-making in relation to cyber risk management. This is where Executive’s Guide to Cyber Risk: Securing the Future Today comes into play. This book aims to explain the cyber risk management principles that organizations need to achieve business goals.

The book provides important fundamental cyber risk management precepts for board members, business executives, founders of start-ups, and owners of small- to medium-sized businesses. The key is identifying the gap between your current level of comprehension and what else you need to comprehend for better alignment on cyber risk management. This book helps to elucidate that gap.

Despite the existence of increasingly complex and sophisticated cyber-attacks, I have full confidence that board members, business executives, founders of start-ups, and business owners can achieve sustainable business growth when they understand the five foundational cyber risk management precepts.

MY PERSPECTIVE

As an executive, it’s important that you approach potential cyber risks with foresight and a forward-looking mindset. Otherwise, cyber risks will continue to incapacitate or harm your organization. This can go so far as to harm the global economy, public health, and overall safety. There are five fundamental cyber risk management precepts and strategies that I consider essential and relevant to board members, business executives, and business managers. They allow executives to get better aligned on cyber risk management within the organization. The precepts empower people with mindset-changing principles to mitigate potentially crippling cyber risk issues.

The change in mindset is from hindsight to foresight.

■ Hindsight: Dealing with and understanding a problem only after it has happened.

■ Foresight: The ability to judge correctly what is going to happen in the future and plan your actions based on this knowledge.

I am determined to help organizations develop foresight when it comes to cyber risks. Raising awareness is necessary and will bring about change, making the world more cyber-secure. I do not hesitate to share my points of view throughout this book. I think this increases the authenticity and value that I can give. I recognize that for some, the precepts may call into question my credibility. I’m afraid I must disagree, but I appreciate that this will be easier to read for those already committed to securing the future. I hope others will find it stimulating and valuable as well. My perspective on these fundamental five precepts has developed over many years, and it is my opinion that adopting these precepts will help build a cyber-secure future.

WHAT THIS BOOK IS AND WHAT IT’S NOT

This book is not meant to substitute for or discredit any information security and cybersecurity standards or best practices, laws, or regulations. It’s not intended to replace or undermine the great work being done by CISOs and cybersecurity professionals across the world, working to secure the organizations they have been entrusted to help. If you are reading this book with the intention of acquiring the skills to be certified in cybersecurity or information security, I am sorry to let you know you are in the wrong place. The book is not a training reference for any certification.

This book outlines five cybersecurity precepts or strategies for board members and executives, so they can develop foresight into cyber risk management. The book is for:

■ Executives, so they can go forward better aligned with their cybersecurity executives.

■ BOD members and executives, as a single reference guide that is a starting point to be able to identify and articulate the gaps in executive support.

■ Founders of start-ups and owners and executives of small- to medium-sized organizations that don’t have a clue where to start on cyber risk management.

■ Anyone who wants to understand cyber risk better and wants to be part of shared social responsibility to make the future more cyber-secure.

This book should complement the work of CISOs and cybersecurity professionals. They enable business growth by incorporating diverse cyber risk management frameworks, and they work relentlessly with executives to help them comprehend cyber risk management in non-technical terms to improve decision-making.

I recognize the limits of my perspective, but its validity as well. I do not claim any particular relevance because of my experience, and, despite my best efforts, I know that I likely have exhibited some biases along the way. But I believe that likelihood does not stop me from sharing my insights and knowledge to help move us toward a more cyber-secure world. If I were to allow this to keep me from sharing my perspectives, I would succumb to the neutrality trap. I hope readers will be open to what I have to say and keep my perspective in mind.

HOW THE BOOK IS ORGANIZED

I organized this book into five chapters:

■ Chapter 1, “Cyber Strategy,” takes a strategy-centric approach to discussing cyber risk.

■ Chapter 2, “Cyber Value,” takes a value-centric approach to discussing cyber risk.

■ Chapter 3, “Cyber Compliance,” takes a compliance-centric approach to discussing cyber risk.

■ Chapter 4, “Cyber Culture,” takes a human-centric approach to discussing cyber risk.

■ Chapter 5, “Cyber Resilience,” takes a technology-centric approach to discussing cyber risk.

I expect that between today and the book’s publication, new cyber risks will impact organizations, and they will shed new perspectives on the cyber risk management precepts I share in this book. I want this book to be part of a dynamic, ongoing discussion, and I hope it joins board members, executives, founders, and owners of organizations into a dialogue that I believe is critical to securing the future today.

Acknowledgments

THIS BOOK DRAWS ON two different streams of my life experiences— the spiritual and professional.

Spiritually: Thank you to the Lord Jesus Christ, my cornerstone, my strength, my fortress, for the gift of life, every second on earth up to this day, which has let me write the book and get to this stage of giving back through my profession.

Professionally: Thank you to all my professional colleagues, who challenged my mental models and thought processes, making me constantly strive to be a better person than I was the days or hours before. Both the positive and negative insights and feedback were essential to my growth and understanding.

I especially want to thank the contributors who worked with me over the months, providing objective feedback, challenging my mental models and thought processes, and supporting me as a first-time author. These include:

■ Christiane Wuillamie, OBE and CEO of PYXIS Culture

■ John Childress, chairman, PYXIS Culture Technologies Ltd

■ Anna Collard, SVP content strategy and evangelist at KnowBe4 Africa

■ Jack Jones, award-winning CISO, author of the FAIR standard, and the chairman of the FAIR Institute

■ Kevin L. Jackson, 2X USA Today and WSJ best-selling author; CEO, GC GlobalNet; COO, SourceConnecte; SVP, TNS; Adjunct Professor, Tulane University

I was blessed to be in capable hands throughout the development of my work on this book. Kezia Endsley, the editor from Wiley, provided consistently helpful, supportive, and timely feedback on the various versions of each part of this book. Lori Martinsek and Warren Hapke, the copy editing team, provided invaluable commentary, editing, and citation checking and were always tactful but direct in pointing out some of my blind spots. I also want to thank the Wiley team who grasped the value of this project and have been supportive (and flexible!) throughout—especially Sheck Cho, Susan Cerra, Samantha Wu, and Manikandan Kuppan.

Finally, I want to thank my family for their unstinting support throughout, especially my son, who always pushes me to be a better man whom he can look up to. Thank you to my father for his push and invaluable support. And my most special thanks to colleagues who were constantly willing to listen, support, distract, and entertain when necessary.

About the Author

Siegfried Moyo has grown within the information security industry from a junior security engineer to a leader of information security teams in organizations with a global footprint. He has experience working across different industries (including banking, manufacturing, technology, the public sector, and logistics and supply chain). He is a cybersecurity professional with over fifteen years of experience in information security. He has hands-on technical experience with diverse information security technologies.

He works toward increasing stakeholder value by providing cyber assurance and managing cyber risk across organizations and creating a robust and sustainable cybersecurity strategy that is resilient against multiple cyber threats. He is a trusted cybersecurity advisor on determining and establishing the right cybersecurity governance and security practices for organizations and helps business executives at the C-Suite level understand cyber risks.

He has practical experience in the following cybersecurity domains: cybersecurity resilience, cybersecurity governance, cybersecurity risk management framework, cybersecurity engineering, cybersecurity operations, cybersecurity strategy development/deployment, and cybersecurity enterprise architecture to align with business/enterprise objectives and goals.

He received a bachelor of science in cybersecurity and a master of science in cybersecurity from EC-Council University. He is currently pursuing a doctor of philosophy (PhD) in Cybersecurity Leadership at Capitol Technology University.

While writing this book, Siegfried lived in Madrid, Spain, with his family.

CHAPTER ONE

Cyber Strategy

The Strategy-Centric Approach

Cybersecurity is the mission-focused and risk-optimized management of information which maximizes confidentiality, integrity, and availability using a balanced mix of people, policy, and technology while perennially improving over time.

Mansur Hasib, speaker, educator, career coach

INTRODUCTION

What exactly is a cyber strategy? Let’s start by defining strategy. The word “strategy” is derived from the Greek word strategos, which is a combination of two words—stratia (meaning army) and ago (meaning to lead or move). Merriam-Webster defines “strategy” as “a careful plan or method for achieving a particular goal, usually over a long period,” or “the skill of making or carrying out plans to achieve a goal.”1

A strategy is a course of action taken by management to achieve one or more of the organization’s objectives. We may alternatively define strategy as “a broad direction established for the organization and its many components to reach a desired condition in the future.”

A comprehensive strategic planning process yields a strategy. A strategy is all about integrating organizational operations and using and distributing corporate resources to fulfill current objectives. We do not build a plan in a vacuum; let’s keep this in mind. Any action conducted by an organization is likely to elicit a response from those affected, whether they are competitors, customers, workers, or suppliers. We may also characterize strategy as knowing what we want to achieve, being aware of the unpredictability of events, and considering possible or actual actions. An organization’s strategy explains its business, the economic and human organization it aims to be, and the impact it intends to make on its shareholders, customers, and society. So strategy is preparing a long-term plan that will guide an organization in achieving its objectives.

In “Strategic Planning for Public and Nonprofit Organizations,” an article on the Insentra website, John M. Bryson defines strategic planning as:

A disciplined effort to produce fundamental decisions and actions which shape and guide what an organization is, what it does and why it does it—all with a focus on the future.2

CYBERSECURITY STRATEGY

The European Union Agency for Cybersecurity (ENISA) defines cybersecurity strategy as:

A national cybersecurity strategy (NCSS) is a plan of actions designed to improve the security and resilience of national infrastructures and services. It is a high-level top-down approach to cybersecurity that establishes a range of national objectives and priorities that should be achieved in a specific timeframe.3

In essence, a cybersecurity strategy is an organization’s plan to reduce business risk from cyber-attacks by maintaining confidentiality, integrity, and availability in all the organization’s information systems and data.

The primary request of any organization or institution’s Board of Directors (BOD) and C-level executives (C-LE) is for a robust, scalable, and agile cybersecurity strategy that enables business agility and sustainability. A robust cybersecurity strategy is critical for business operations as it protects against cyber risks and mitigates potential data breaches and other cyber threats to critical infrastructure and critical data. For a BOD member or a C-LE to be able to fathom the value proposition of the organization’s cybersecurity strategy, there must be vested accountability for how the business is aligned to the specific organization-level approach to cyber value, cyber compliance, cyber culture, and cyber resilience, but all of this starts from the strategy. These are the precepts covered in the following chapters of the book.

THE VALUE PROPOSITION OF A CYBERSECURITY STRATEGY

Most executives’ first thought is determining what the return on investment (ROI) is on investing in a cybersecurity strategy. The ROI is the total value of the cost of cyber breaches averted minus the cost of mitigating cyber risks. After reading the next chapter, you’ll understand why this is often difficult to measure and learn how to calculate it better.

Beyond the ROI or net value, the absence or misalignment of a cybersecurity strategy will prevent the board of directors or C-level executives from taking the subsequent strategic business risks that facilitate business growth and success in the foreseeable future. A cybersecurity strategy allows the organization to capture more value from its business model.

For example, suppose an organization’s strategy is to grow through mergers and acquisitions (M&As). The cybersecurity strategy should mitigate any cyber risks that emerge with each new M&A while not losing focus on the current cyber risks. The organization’s expansion and growth depend on the trust of existing and new consumers. The cybersecurity strategy should be in line with building the trust of its customers after the M&A, once critical infrastructure and data are secure. A strategy in line with the business’s objectives is the only assurance that enables the board of directors and C-level executives to take the business to the next level or the next innovative idea or concept. After that, executives can confidently answer the questions posed in this chapter.

The primary concern of any executive in this realm should be a successful cyber-attack or security breach. Cyber-attacks have caused significant damage to businesses, affecting the bottom line, their business standing, and customer and consumer trust.

THE EXECUTIVE’S ROLE IN CYBERSECURITY STRATEGY

You may wonder why a cybersecurity strategy should be the first foundational precept for the BOD and C-LEs, as prescribed in this book. Most organizations’ executives do not treat cybersecurity like any other strategic business decision. For a cybersecurity strategy to enable the business effectively and successfully, it has to be driven by the organization’s leadership. A cybersecurity strategy that has the support of executive leadership invites the actionable strategy-centric approach and governance model that gives the right priority to cyber risk management. Members of the BOD and C-LEs need to start asking the right questions about cybersecurity strategy to make sure sufficient investments are made to minimize business disruptions from cyber risks. A cybersecurity strategy that is well articulated by the executive leadership will automatically align business strategy objectives and organizational risk appetite. Some of the implications of ignoring cybersecurity strategy are listed below:

■ BOD and C-LE insecurities emerge from the lack of a cybersecurity strategy or plan to reduce cyber risks tailored to the organization’s objectives and risk profile.

■ BOD and C-LE insecurities emerge due to the absence or misalignment of the cybersecurity strategy relative to the business strategy. This absence or misalignment cripples the business’s ability to innovate and remain sustainable for the foreseeable future while operating in an era of increasing cyber-attacks.

If you are a member of the BOD or a C-LE of an organization, you need to be able to articulate answers to these questions:

■ Does your organization have a cybersecurity strategy that’s specific to the organization’s core business?

■ Is the organization’s cybersecurity strategy aligned to the business goals?

■ Does the cybersecurity strategy have adequate resources to mitigate risk within the organization’s risk appetite and risk tolerance?

■ Does the cybersecurity strategy have adequate financial support to manage cyber risks against the critical assets?

■ Is the organization cyber-compliant with all laws and regulatory or industry-specific requirements?

■ How does the organization’s cybersecurity strategy ensure that it can avoid, respond to, and recover from constantly changing cyber threats?

■ Has the organization integrated people, processes, and technology into its cybersecurity strategy?

The failure to clearly articulate a response to these and other questions invites business risk that would result in lost shareholder value, less consumer and customer trust, limited business growth, and more. No single strategy-centric approach to cybersecurity strategy is ideal for all business models; the cybersecurity strategy has to be one that suits your business. Given the rising prevalence of technology, software vulnerabilities, ransomware, and other vectors of cyber-attacks, it is imperative for cybersecurity strategy to be at the top of every executive’s agenda. We live in a world of constant volatility, and if you have a vested interest in, and support, how your organization’s cybersecurity strategy will cope with the continual change of cyber-attacks, in both scale and complexity, you will enable your organization to achieve its business goals while managing cyber risk within the organization’s risk appetite. A cybersecurity strategy enables BOD members and C-LEs to recognize and understand at a high level the potential impacts of and losses due to cyber risks, which have affected operations, reputations, and revenues.

Potential Loss Due to Cyber Risks

Cyber-attacks can result in economic, reputational, and legal losses and problems. Let’s look at each of these areas in more detail.

Economic Losses

Cyber-attacks often result in substantial financial losses arising from:

■ Theft of corporate information

■ Theft of financial information (e.g., bank details or payment card details)

■ Theft of money

■ A halt in business operations (e.g., inability to carry out transactions online)

■ Loss of business or contracts

Damage to a Corporation’s Reputation

Trust is an essential element of the customer relationship. Cyber-attacks can damage a business’s reputation and erode the trust of consumers and customers. This might lead to:

■ Loss of customers

■ Decrease in sales

■ Decrease in net revenue

Reputational damage can also affect suppliers and relationships with partners, investors, and other third parties vested in the business.

Legal Ramifications

Data protection and privacy rules require that the executives oversee the security of any personal data handled or stored, whether on internal or external systems. If this data is compromised (inadvertently or on purpose) and the company cannot implement cybersecurity controls, it may face regulatory penalties.

EXECUTIVE’S GUIDE TO CYBERSECURITY STRATEGY

There is no strategy without accountability and there is no accountability without leadership.

The “Executive’s Guide” sections in this book, like this one, provide details and foundational knowledge for executives so they can make informed cost- and resource-effective investment decisions with their most senior cybersecurity executives, such as chief information security officers (CISOs), to limit the organization’s cyber risk within the organization’s risk appetite. Cybersecurity strategy is critical in enabling any organization to adopt a proactive approach to cyber risk management, as opposed to reacting to every new cyber-attack in hindsight, which can be costly and time-consuming. Whether an organization has an outdated cybersecurity strategy in place or is establishing its first one, executives can use these guide sections to understand why it is vital to support an effective and strategic cybersecurity plan.

Cybersecurity and Information Security

Cybersecurity is a popular topic these days, but what exactly does it mean? Cybersecurity refers to the collection of tools, policies, guidelines, risk-management techniques, activities, best practices, assurances, and technologies that companies use to secure the availability, integrity, and confidentiality of assets in linked infrastructures in government, private businesses, and individual settings.

These assets include connected computing devices, employees, infrastructure, applications, digital service providers, and citizens. The concept of cybersecurity is not as broadly accepted as that of information security. Some individuals believe the concepts are interchangeable or that cybersecurity is either a subset or superset of information security. Many believe that cybersecurity is simply a newer and perhaps more sophisticated version of traditional computer security, which is:

The ability to protect or defend the use of cyberspace from cyber-attacks.

National Institute of Standards and Technology (NIST)4

This specific definition from the NIST does not talk about cyber risk and the need to deal with it. Cyber risk management is an essential aspect of prioritizing where an organization deploys the limited resources for its cybersecurity strategy.

A more straightforward and more helpful definition of a cybersecurity strategy is: “the actions, direct and indirect, an organization takes to reduce the risks of being connected to the Internet to a level acceptable to that organization.”

According to the NIST, “Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide integrity, confidentiality, and availability.” By protecting information from cyber threats, you achieve three goals:

■ Confidentiality: You keep your secrets under control.

■ Integrity: Data is not corrupted.

■ Availability: You can see and use information whenever necessary.

Cyber Strategy ◾ 7

Cybersecurity and Trust

One of cybersecurity’s most popular terms is “zero trust.” The use of the word trust in cybersecurity can be confusing. Here is one way to consider this concept, according to Palo Alto Networks:5

Zero trust is a strategic approach to cybersecurity that secures an organization by eliminating implicit trust and continuously validating every stage of digital interaction. Rooted in the principle of “never trust, always verify,” zero trust is designed to protect modern environments and enable digital transformation.

Cyber Risk Management

To clear any confusion on how the cybersecurity strategy and cyber risk management are related, the NIST6 outlines that “risk management is a fundamental principle of cybersecurity. It is the basis of the NIST Framework for Improving Critical Infrastructure Cybersecurity. Agencies of the US Government certify the operational security of their information systems against the requirements of the FISMA Risk Management Framework (RMF). The alternative to risk management would presumably be a quest for total security—both unaffordable and unachievable.”

There are various definitions of risk management across the cybersecurity industry standards and publications. In this book, for the purpose of alignment with the next chapter, we focus on the FAIR definition:

Risk management is the process of achieving and maintaining an acceptable level of exposure to loss, within the context of an organization’s objectives and constraints.

Managing risks is a critical component of any business’s cybersecurity strategy. Organizational systems, people, networks, and devices are all vulnerable. The business’s services and operations and even its customers may be at risk. The more the business relies on a web presence, the more critical it is to identify and control the cyber risks that have the potential to impact the organization. Cyber threats—ranging from human errors to malicious attacks by hackers—can disrupt critical business operations or expose critical information. Cyber risk assessment involves identifying, analyzing, and evaluating potential risks. As part of the assessment, the organization should look at the entire organization as well as its culture to identify potential threats arising from, but not limited to:

■ People, processes, and technologies

■ Vulnerabilities within critical infrastructure and critical data

■ Vulnerabilities from third-party partners

The key to effective cyber risk management that enables the BOD members and C-LEs to make informed decisions is having a risk appetite statement in place. The risk appetite statement is defined and outlined only by the BOD and C-LEs of an organization. A risk appetite statement firmly sets the tone for the BOD’s and C-LEs’ approach to risk management. When the organization’s appetite for risk is tied to business operations, compliance, culture, and reporting objectives, it is also more likely to fulfill its strategic business goals and objectives. The breadth of a risk appetite statement will always differ, depending on the organization. A cybersecurity strategy that is developed without a risk appetite statement is more costly, because cybersecurity measures end up being applied to almost everything and anything. After the BOD and C-LEs have clearly outlined the organization’s risk appetite comes a clear decision on risk tolerance. For cybersecurity strategy investments in cyber risk management to be cost- and resource-effective, the BOD and C-LEs must have well-articulated and clearly defined statements specific to their organization on the two subjects discussed below: risk appetite and risk tolerance. According to Reciprocity,7

Risk Appetite

Risk appetite pertains to a company’s longer-term strategy concerning what goal it needs to achieve and the resources available to achieve it, expressed in quantitative terms. An organization’s risk appetite indicates the amount of risk it’s willing to accept to attain its business objectives.

Risk Tolerance

Risk tolerance, on the other hand, sets the acceptable minimum and maximum variation levels for a company, business unit, individual initiative, or specific risk category. A risk tolerance range for minimum and maximum levels of risk is usually set by the committee that oversees the organization’s risk management strategy and is then approved by leadership.


A high level of risk tolerance means that an organization is willing to take a high risk, while a low level of risk tolerance means that the company isn’t willing to accept any risks.

Before we proceed to the next steps, it should now be clear that a risk appetite statement encourages consistent, risk-informed decision making aligned with strategic goals and solid corporate governance by establishing explicit risk-taking boundaries.

NEXT STEPS/REFLECTION

Now we can revisit some of the questions posed earlier.

A Cybersecurity Strategy Aligned to the Business Objectives

Does your organization have a cybersecurity strategy that’s specific to your organization’s business? Is the organization’s cybersecurity strategy aligned to the business’s goals?

To determine if a cybersecurity strategy is appropriately aligned to an organization’s business objectives, executives need to have a clear understanding of how the cybersecurity strategy is enabling the organization’s vision and goals within the organization’s risk appetite. For example, say that your business goals are to increase market share through digitalization, with critical information processed or stored on the critical infrastructure, which means you need a bigger Internet presence. The cybersecurity strategy then needs to focus on a cyber-secure digitalization approach to the critical infrastructure and critical data. If web applications are not balanced with a comprehensive cyber risk management strategy that responds to the related cyber threats, your organization cannot achieve its goals, let alone business growth.

Organizations can reference several existing frameworks (such as those of the NIST and ISO) to provide a foundation for building an organization’s specific cybersecurity strategy. In this case, the BOD members and C-LEs would need to embrace a fact-based, data-driven mathematical approach that will empower them to comprehend the cyber risks posed to the organization, the likelihood that those risks could be exploited, and the possible commercial impact if a cyber-attack is successful. The fact-based approach (in the next chapter) will enable any BOD and C-LEs to evaluate, in monetary terms, the level of exposure to loss for the business due to cyber risk and to understand where resources should be allocated for the most cost-effective approach. This is done by delving deeper into the data, figures, and facts.

An Agile Cybersecurity Strategy That Can React to Changes

How does the organization’s cybersecurity strategy ensure that it can avoid, respond to, and recover from constantly changing cyber threats?

Having a robust cybersecurity strategy is crucial, but the ability to pivot quickly, based on the external threat landscape, is equally important. And this is where company culture plays a big role. Organizations must ensure that their short-term plans and people are aware, capable, and agile enough to enable them to react to new and emerging threats and changes in the market. Every time an organization performs an assessment, they should have complete visibility into internal and external threats, while adjusting their cyber risk mitigation plans and recommendations accordingly.

Any organization that relies on Internet technologies or information is vulnerable to cyber risk. The risk relates to an organization’s use, ownership, operation, engagement, impact, and Internet adoption. Cyber or IT risks may degrade business value and are frequently the result of having no plan or a misaligned plan to mitigate or manage the risks associated with technology or cyber risk classifications. Cyber risk spans a range of business-critical areas, such as:

■ Availability: for example, failure to access IT systems required for company operations

■ Security: for example, compromised organizational data because of unauthorized access or misuse

■ Performance: for example, decreased productivity because of sluggish or delayed access to IT systems

■ Compliance: for example, lack of compliance with laws and regulations (such as those for data protection)

■ Culture: for example, whether employee behavior is an enabler of cyber risk or a cyber risk management strength is critical to business success

Cybersecurity strategy is more than simply a cost of doing business. It has the potential to be the catalyst for the company’s growth and success. This alignment must begin with a strong business case for cybersecurity investment, which turns into business outcomes and business value. Until recently, attempts to advertise cyber risk management strategy as an enabler have been clunky: most organizations have focused on simplifying the cybersecurity strategy or minimizing its integration into IT at an early point of the lifecycle to decrease cost and complexity. The issue is that this approach cannot withstand the growing threat environment and the threat actors who operate inside it.

A Cybersecurity Strategy Supported from the Top Down

Has the organization integrated people, processes, and technology into its cybersecurity strategy?

Most executives only get involved when there is a significant cyber issue. It’s time for executives to understand and develop a forward-looking cyber strategy that makes the organization more resilient to both current and potential cyber-attacks. Cybersecurity strategies can take many forms and can go into varying levels of detail, depending on the organization’s objectives and level of cyber-readiness.

This chapter envisages that executives will have a cybersecurity strategy as:

■ An expression of the vision, high-level objectives, principles, and priorities that guide an organization in addressing cyber risks.

■ A detailed overview of the stakeholders entrusted with strengthening cybersecurity, as well as their various roles and responsibilities as members of the BOD or C-LE team.

■ A description of the steps, programs, and initiatives that an organization will undertake to protect its critical infrastructure and data, and in the process, improve its cybersecurity and cyber-resilience.

Once your organization has acknowledged that a cyber risk exists, you can begin to build a renewed cybersecurity strategy with built-in cyber resilience. Setting the vision, objectives, culture, and priorities up front enables organizations to approach cybersecurity holistically across the entire ecosystem, instead of at a particular sector or objective or in response to a specific risk.

Cybersecurity foresight is never perfect, but it is more useful than hindsight.

Priorities for cybersecurity strategies vary by organization and industry. The focus for one may address critical infrastructure-related risks; for others, it may protect consumers or customer personal information or intellectual property, promote trust in the online environment, improve public cybersecurity awareness, or a combination of these issues. The need to identify and prioritize investments and resources is critical to successfully managing risks in an area as all-encompassing as cybersecurity.

Start-Ups, Small- and Medium-Sized Enterprises (SMEs)

Regardless of the size of the business, both large enterprises and small- to medium-sized enterprises (SMEs) are targets of cyber-attacks.

Large organizations have a larger cyber threat landscape than start-ups and SMEs because of the number of employees, amount of data, or infrastructure size. For start-ups and SMEs, developing a cybersecurity strategy is more critical than ever since cyber-attacks are now more disruptive.

The biggest cyber challenge for any start-up or SME is knowing where to start its cybersecurity strategy and what the best, most cost-effective way is to approach cyber risk management. Developing a cybersecurity strategy is a crucial first step in ensuring that the business is secure and resilient in the era of cyber-attacks. The absence of some form of cybersecurity strategy or even a framework to follow for a start-up or SME, especially when there is no or limited on-site cybersecurity expertise, makes it challenging to ensure that the business will remain sustainable for the foreseeable future.

Cybersecurity strategy should not be established only by large corporations. Start-ups and SMEs are not exempt from the destructive impact of hazardous cyber assaults. In most cases, the initial focus of any start-up or SME is how to increase revenue and market share, and how to generate leads and business growth. Start-up founders and SME executives often do not fathom the potential impact of cyber risks and disparage anything related to cybersecurity. The current situation places most start-ups and SMEs in a critical position. Currently most start-ups and SMEs are trying to manage cyber risk while usually not being skilled or equipped enough to internalize this process. Therefore, there is a need for a practical and easily applicable model to identify a business’s cyber risk profile and its dynamics. Start-ups and SMEs are among the least mature and most vulnerable in cyber risk management and cybersecurity resilience.

Start-ups and SMEs must begin to take a diligent and more focused approach to cybersecurity strategy because the impact of a potential cyber-attack on a start-up or an SME is more catastrophic. It is a fair assumption that not every start-up and SME will be able to afford a CISO and a fully staffed cybersecurity team to effectively align the business’s goals and objectives to its cybersecurity strategy. Malicious actors are fully aware of these limitations; thus, start-ups and SMEs will not be exempt from the growing number of cyber threats. The rise of cyber threats makes it imperative for the founders and executive teams of SMEs to evaluate cyber risks and have a strategy-centric approach to cybersecurity for more cost- and resource-effective investment decisions. The recommendation of this book for enhancing cybersecurity risk management is leveraging the widely recognized Cybersecurity Framework (CSF) document by the US National Institute of Standards and Technology (NIST). The NIST CSF is a good place to start for any start-up or SME, since it offers a fundamental foundation that businesses can use to develop their overall cybersecurity. Through a CSF evaluation, organizations will effectively construct a baseline on which to build their cybersecurity strategy and a solid foundation for a practical assessment. The NIST CSF provides guidelines, best practices, and standards for cybersecurity risk management. In the absence of a security professional or expert, the founders and executives of any start-up or SME need to have a high-level understanding of the NIST CSF. This will empower the founders and business executives of start-ups and SMEs to clearly articulate the next step to bolstering a cybersecurity strategy, either by considering employing a managed security service provider (MSSP) for cyber risk management or by building an in-house capability through leveraging the NIST CSF. Although there is no one-size-fits-all approach to the cyber risk management plan, the fundamentals of an effective cyber risk management strategy apply across several sectors. The NIST CSF can help leaders develop a cybersecurity strategy that maps to their organization’s specific and unique needs.

Ongoing cybersecurity strategy reevaluation among founders and SME executives will encourage leadership to take a more proactive approach to cyber risk mitigation. For effective management of cyber risk in today’s constantly changing business and technical landscapes, start-up founders and SME executives will need to acquire and maintain a foundational understanding of cyber risk management and learn the latest knowledge and best practices through a strategy-centric approach to cybersecurity. As founders and business executives of start-ups and SMEs, you are fully responsible for securing your organization’s critical infrastructure and critical information.

The NIST CSF is in Appendix A of this book for further reading for all start-up founders and SME executives. It is a starting point that lets you know how to engage service providers and why. The NIST CSF is also valid for a large organization that has adopted no specific cybersecurity frameworks.
