Chapter 7. Implementing the Cyber Risk Management Program

Throughout this book, we’ve stressed the critical importance of a formal cyber risk management program (CRMP) that builds on four key components: Agile governance, a risk-informed system, risk-based strategy and execution, and risk escalation and disclosure. All those components must work together seamlessly, and must—crucially—also work together with many other enterprise functions and internal and external stakeholders. And it’s important to recognize that getting there won’t be a simple undertaking: it’s a journey and a living process. Throughout this chapter we’ll focus on implementation considerations and notable challenges to help you with your individual journey. Table 7-1 summarizes the principles and references relevant to each of the four components.

An effective CRMP requires senior-level commitment, new roles and responsibilities, potential changes to budget and other resources, and, in most cases, fundamental changes to enterprise culture. This isn’t a one-and-done exercise, or simply a policy that’s written and approved once and followed without questions, changes, or updates. And it definitely isn’t something that can be done on an ad hoc or reactive basis. It requires ongoing, consistent contact between the security organization, risk owners, governance bodies, and many other stakeholders. This collaboration makes it possible to build trusting and lasting relationships that clearly establish risk management ...
