Chapter 5. Risk-Based Strategy and Execution
Throughout this book, we’ve stressed the need for a cyber risk management program (CRMP) that brings together risk owners, security professionals, and other stakeholders in a formal, systematic set of processes that replace ad hoc, incident-based approaches. It’s the only way to ensure the enterprise as a whole addresses the challenges of a fast-moving risk environment and helps protect itself from liability. But developing and implementing a program that meets an enterprise’s specific needs is no simple undertaking. It requires a clearly defined strategy and consistent execution against that strategy—and that’s the focus of this chapter. We’ll detail six key principles of risk-based strategy and execution, and lay out the regulatory frameworks and industry protocols influencing them. We’ll identify the roles of key stakeholders—especially the CISO and the rest of the security organization, as well as internal and external auditors—in this highly collaborative process of continuous improvement. And we’ll look at it all through the lens of a spectacular recent example of how radically and how rapidly the enterprise risk environment, and its strategic risk management needs, can change: the sudden public introduction of generative artificial intelligence (AI).
Cyber risk management—the art of balancing risk and reward in a digital world—is more challenging than ever. The stakes are high and getting higher all the time, and both the business ...
Get Building a Cyber Risk Management Program now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.