Chapter 5. Risk-Based Strategy and Execution

Throughout this book, we’ve stressed the need for a cyber risk management program (CRMP) that brings together risk owners, security professionals, and other stakeholders in a formal, systematic set of processes that replace ad hoc, incident-based approaches. It’s the only way to ensure the enterprise as a whole addresses the challenges of a fast-moving risk environment and helps protect itself from liability. But developing and implementing a program that meets an enterprise’s specific needs is no simple undertaking. It requires a clearly defined strategy and consistent execution against that strategy—and that’s the focus of this chapter. We’ll detail six key principles of risk-based strategy and execution, and lay out the regulatory frameworks and industry protocols influencing them. We’ll identify the roles of key stakeholders—especially the CISO and the rest of the security organization, as well as internal and external auditors—in this highly collaborative process of continuous improvement. And we’ll look at it all through the lens of a spectacular recent example of how radically and how rapidly the enterprise risk environment, and its strategic risk management needs, can change: the sudden public introduction of generative artificial intelligence (AI).

Cyber risk management—the art of balancing risk and reward in a digital world—is more challenging than ever. The stakes are high and getting higher all the time, and both the business ...
