Chapter 3. Agile Governance

In the preceding chapter, we discussed the urgent and growing need for a comprehensive, enterprise-wide cyber risk management program (CRMP), focusing on the social, political, economic, and cultural changes that are driving this need. And we outlined the four core components of a program. Now we’re going to go into detail about the first of those components—Agile governance—and the key principles we defined as a part of the CRMP framework aligned with authoritative guidance. But first, let’s take a look at some real-world examples of what can happen when adequate risk governance practices, including cyber risk governance practices, are not in place. (For more information on the comprehensive framework itself, see the Appendix. For more information on specific Agile governance implementation considerations, see Chapter 7.)

A worldwide ride-sharing service tries to cover up an enormous data breach by paying off the hackers responsible. The company then repeatedly lies about it, gets caught, and ends up paying nearly $150 million in fines and other penalties, while its CSO faces federal criminal charges. A social networking service descends into chaos when its new management abruptly changes its moderation policies and its advertisers leave the platform en masse because their brands are repeatedly compromised by fake accounts.

These two ultrahigh-profile enterprises—Uber and Twitter—are very different. A fast-growing ride-sharing service is working in ...
