The Cyber Risk Handbook - Creating and Measuring Defective Cybersecurity Capabilities

Foreword by Ron Hale xxiii About the Editor xxxi List of Contributors xxxiii Acknowledgments xxxv CHAPTER 1 Introduction 1 Domenic Antonucci, Editor and Chief Risk Officer, Australia The CEO under Pressure 1 Toward an Effectively Cyber Risk-Managed Organization 3 Handbook Structured for the Enterprise 4 Handbook Structure, Rationale, and Benefits 7 Which Chapters Are Written for Me? 8 CHAPTER 2 Board Cyber Risk Oversight 11 Tim J. Leech, Risk Oversight Solutions Inc., Canada Lauren C. Hanlon, Risk Oversight Solutions Inc., Canada What Are Boards Expected to Do Now? 11 What Barriers to Action Will Well-Intending Boards Face? 13 What Practical Steps Should Boards Take Now to Respond? 16 Cybersecurity-The Way Forward 20 About Risk Oversight Solutions Inc. 21 About Tim J. Leech, FCPA, CIA, CRMA, CFE 21 About Lauren C. Hanlon, CPA, CIA, CRMA, CFE 21 CHAPTER 3 Principles Behind Cyber Risk Management 23 RIMS, the risk management society (TM) Carol Fox, Vice President, Strategic Initiatives at RIMS, USA Cyber Risk Management Principles Guide Actions 23 Meeting Stakeholder Needs 25 Covering the Enterprise End to End 26 Applying a Single, Integrated Framework 27 Enabling a Holistic Approach 28 Separating Governance from Management 31 Conclusion 31 About RIMS 32 About Carol Fox 32 CHAPTER 4 Cybersecurity Policies and Procedures 35 The Institute for Risk Management (IRM) Elliot Bryan, IRM and Willis Towers Watson, UK Alexander Larsen, IRM, and President of Baldwin Global Risk Services Ltd., UK Social Media Risk Policy 35 Ransomware Risk Policies and Procedures 41 Cloud Computing and Third-Party Vendors 45 Big Data Analytics 50 The Internet of Things 53 Mobile or Bring Your Own Devices (BYOD) 55 Conclusion 60 About IRM 64 About Elliot Bryan, BA (Hons), ACII 65 About Alexander Larsen, FIRM, President of Baldwin Global Risk Services 65 CHAPTER 5 Cyber Strategic Performance Management 67 McKinsey & Company James M. Kaplan, Partner, McKinsey & Company, New York, USA Jim Boehm, Consultant, McKinsey & Company, Washington, USA Pitfalls in Measuring Cybersecurity Performance 68 Cybersecurity Strategy Required to Measure Cybersecurity Performance 69 Creating an Effective Cybersecurity Performance Management System 72 Conclusion 77 About McKinsey Company 78 About James Kaplan 78 About Jim Boehm 79 CHAPTER 6 Standards and Frameworks for Cybersecurity 81 Stefan A. Deutscher, Principal, Boston Consulting Group (BCG), Berlin Germany William Yin, Senior Partner and Managing Director, Boston Consulting Group (BCG), Hong Kong Putting Cybersecurity Standards and Frameworks in Context 81 Commonly Used Frameworks and Standards (a Selection) 84 Constraints on Standards and Frameworks 93 Good Practice Consistently Applied 93 Conclusion 94 About Boston Consulting Group (BCG) 95 About William Yin 96 About Dr. Stefan A. Deutscher 96 CHAPTER 7 Identifying, Analyzing, and Evaluating Cyber Risks 97 Information Security Forum (ISF) Steve Durbin, Managing Director, Information Security Forum Ltd. The Landscape of Risk 97 The People Factor 98 A Structured Approach to Assessing and Managing Risk 100 Security Culture 101 Regulatory Compliance 102 Maturing Security 103 Prioritizing Protection 104 Conclusion 104 About the Information Security Forum (ISF) 106 About Steve Durbin 106 CHAPTER 8 Treating Cyber Risks 109 John Hermans, Cyber Lead Partner Europe, Middle East, and Africa at KPMG, The Netherlands Ton Diemont, Senior Manager at KPMG, The Netherlands Introduction 109 Treating Cybersecurity Risk with the Proper Nuance in Line with an Organization's Risk Profile 110 Determining the Cyber Risk Profile 111 Treating Cyber Risk 112 Alignment of Cyber Risk Treatment 114 Practicing Cyber Risk Treatment 115 Conclusion 119 About KPMG 120 About John Hermans 121 About Ton Diemont 121 CHAPTER 9 Treating Cyber Risks Using Process Capabilities 123 ISACA Todd Fitzgerald, CISO and ISACA, USA Cybersecurity Processes Are the Glue That Binds 123 No Intrinsic Motivation to Document 124 Leveraging ISACA COBIT 5 Processes 125 COBIT 5 Domains Support Complete Cybersecurity Life Cycle 137 Conclusion 139 About ISACA 140 About Todd Fitzgerald 141 CHAPTER 10 Treating Cyber Risks-Using Insurance and Finance 143 Aon Global Cyber Solutions Kevin Kalinich, Esq., Aon Risk Solutions Global Cyber Insurance Practice Leader, USA Tailoring a Quantifi ed Cost-Benefi t Model 143 Planning for Cyber Risk Insurance 149 The Risk Manager's Perspective on Planning for Cyber Insurance 150 Cyber Insurance Market Constraints 152 Conclusion 154 About Aon 157 About Kevin Kalinich, Esq. 158 CHAPTER 11 Monitoring and Review Using Key Risk Indicators (KRIs) 159 Ann Rodriguez, Managing Partner, Wability, Inc., USA Definitions 160 KRI Design for Cyber Risk Management 160 Conclusion 169 About Wability 169 About Ann Rodriguez 170 CHAPTER 12 Cybersecurity Incident and Crisis Management 171 CLUSIF Club de la Securite de l'Information Francais Gerome Billois, CLUSIF Administrator and Board Member Cybersecurity at Wavestone Consultancy, France Cybersecurity Incident Management 171 Cybersecurity Crisis Management 174 Conclusion 182 About CLUSIF 183 About Gerome Billois, CISA, CISSP and ISO27001 Certifi ed 183 About Wavestone 183 CHAPTER 13 Business Continuity Management and Cybersecurity 185 Marsh Sek Seong Lim, Marsh Risk Consulting Business Continuity Leader for Asia, Singapore Good International Practices for Cyber Risk Management and Business Continuity 186 Embedding Cybersecurity Requirements in BCMS 188 Developing and Implementing BCM Responses for Cyber Incidents 189 Conclusion 190 Appendix: Glossary of Key Terms 191 About Marsh 191 About Marsh Risk Consulting 192 About Sek Seong Lim, CBCP, PMC 192 CHAPTER 14 External Context and Supply Chain 193 Supply Chain Risk Leadership Council (SCRLC) Nick Wildgoose, Board Member and ex-Chairperson of SCRLC, and Zurich Insurance Group, UK External Context 194 Building Cybersecurity Management Capabilities from an External Perspective 200 Measuring Cybersecurity Management Capabilities from an External Perspective 204 Conclusion 204 About the SCRLC 205 About Nick Wildgoose, BA (Hons), FCA, FCIPS 205 CHAPTER 15 Internal Organization Context 207 Domenic Antonucci, Editor and Chief Risk Offi cer, Australia Bassam Alwarith, Head of the National Digitization Program, Ministry of Economy and Planning, Saudi Arabia The Internal Organization Context for Cybersecurity 207 Tailoring Cybersecurity to Enterprise Exposures 209 Conclusion 240 About Domenic Antonucci 241 About Bassam Alwarith 241 CHAPTER 16 Culture and Human Factors 243 Avinash Totade, ISACA Past President UAE Chapter and Management Consultant, UAE Sandeep Godbole, ISACA Past President Pune Chapter, India Organizations as Social Systems 243 Human Factors and Cybersecurity 246 Training 248 Frameworks and Standards 249 Technology Trends and Human Factors 250 Conclusion 252 About ISACA 253 About Avinash Totade 253 About Sandeep Godbole 254 CHAPTER 17 Legal and Compliance 255 American Bar Association Cybersecurity Legal Task Force Harvey Rishikof, Chair, Advisory Committee to the Standing Committee on Law and National Security, USA Conor Sullivan, Law Clerk for the Standing Committee on National Security, USA European Union and International Regulatory Schemes 255 U.S. Regulations 258 Counsel's Advice and Boom Planning 261 Conclusion 266 About the Cybersecurity Legal Task Force 269 About Harvey Rishikof 269 About Conor Sullivan 270 CHAPTER 18 Assurance and Cyber Risk Management 271 Stig J. Sunde, Senior Internal Auditor (ICT), Emirates Nuclear Energy Corporation (ENEC), UAE Cyber Risk Is Ever Present 271 What the Internal Auditor Expects from an Organization Managing Its Cyber Risks Effectively 272 How to Deal with Two Differing Assurance Maturity Scenarios 277 Combined Assurance Reporting by ERM Head 278 Conclusion 278 About Stig Sunde, CISA, CIA, CGAP, CRISC, IRM Cert. 280 CHAPTER 19 Information Asset Management for Cyber 281 Booz Allen Hamilton Christopher Ling, Executive Vice President, Booz Allen Hamilton, USA The Invisible Attacker 281 A Troubling Trend 282 Thinking Like a General 283 The Immediate Need-Best Practices 283 Cybersecurity for the Future 284 Time to Act 286 Conclusion 286 About Booz Allen Hamilton 287 About Christopher Ling 287 CHAPTER 20 Physical Security 289 Radar Risk Group Inge Vandijck, CEO, Radar Risk Group, Belgium Paul Van Lerberghe, CTO, Radar Risk Group, Belgium Tom Commits to a Plan 290 Get a Clear View on the Physical Security Risk Landscape and the Impact on Cybersecurity 291 Manage or Review the Cybersecurity Organization 294 Design or Review Integrated Security Measures 295 Reworking the Data Center Scenario 299 Calculate or Review Exposure to Adversary Attacks 302 Optimize Return on Security Investment 305 Conclusion 306 About Radar Risk Group 307 About Inge Vandijck 307 About Paul Van Lerberghe 307 CHAPTER 21 Cybersecurity for Operations and Communications 309 EY Chad Holmes, Principal, Cybersecurity, Ernst & Young LLP (EY US) James Phillippe, Principal, Cybersecurity, Ernst & Young LLP (EY US) Do You Know What You Do Not Know? 309 Threat Landscape-What Do You Know About Your Organization Risk and Who Is Targeting You? 310 Data and Its Integrity-Does Your Risk Analysis Produce Insight? 310 Digital Revolution-What Threats Will Emerge as Organizations Continue to Digitize? 311 Changes-How Will Your Organization or Operational Changes Affect Risk? 312 People-How Do You Know Whether an Insider or Outsider Presents a Risk? 312 What's Hindering Your Cybersecurity Operations? 312 Challenges from Within 313 What to Do Now 313 Conclusion 318 About EY 319 About Chad Holmes 319 About James Phillippe 319 CHAPTER 22 Access Control 321 PwC Sidriaan de Villiers, Partner-Africa Cybersecurity Practice, PwC South Africa Taking a Fresh Look at Access Control 321 Organization Requirements for Access Control 322 User Access Management 323 User Responsibility 327 System and Application Access Control 327 Mobile Devices 329 Teleworking 331 Other Considerations 332 Conclusion 333 About PwC 334 About Sidriaan de Villiers, PwC Partner South Africa 334 CHAPTER 23 Cybersecurity Systems: Acquisition, Development, and Maintenance 335 Deloitte Michael Wyatt, Managing Director, Cyber Risk Services, Deloitte Advisory, USA Build, Buy, or Update: Incorporating Cybersecurity Requirements and Establishing Sound Practices 336 Specific Considerations 342 Conclusion 344 About Deloitte Advisory Cyber Risk Services 346 About Michael Wyatt 346 CHAPTER 24 People Risk Management in the Digital Age 347 Airmic Julia Graham, Deputy CEO and Technical Director at Airmic, UK Rise of the Machines 347 Enterprise-Wide Risk Management 348 Tomorrow's Talent 350 Crisis Management 354 Risk Culture 355 Conclusion 356 About Airmic 358 About Julia Graham 358 CHAPTER 25 Cyber Competencies and the Cybersecurity Offi cer 359 Ron Hale, PhD, CISM, ISACA, USA The Evolving Information Security Professional 359 The Duality of the CISO 360 Job Responsibilities and Tasks 363 Conclusion 366 About ISACA 368 About Ron Hale 368 CHAPTER 26 Human Resources Security 369 Domenic Antonucci, Editor and Chief Risk Offi cer, Australia Needs of Lower-Maturity HR Functions 369 Needs of Mid-Maturity HR Functions 370 Needs of Higher-Maturity HR Functions 372 Conclusion 373 About Domenic Antonucci 374 Epilogue 375 Becoming CyberSmart TM: a Risk Maturity Road Map for Measuring Capability Gap-Improvement Domenic Antonucci, Editor and Chief Risk Offi cer (CRO), Australia Didier Verstichel, Chief Information Security Offi cer (CISO) and Chief Risk Offi cer (CRO), Belgium Background 375 Becoming CyberSmartTM 376 About Domenic Antonucci 392 About Didier Verstichel 392 Glossary 393 Index 399