Epilogue

Becoming CyberSmart™: A Risk Maturity Road Map for Measuring Capability Gap-Improvement

Domenic Antonucci, Editor and Chief Risk Officer (CRO), Australia
Didier Verstichel, Chief Information Security Officer (CISO) and Chief Risk Officer (CRO), Belgium

Tom prepared his last slides for presentation to the Board with a quiet sense of satisfaction. His chief risk officer, Nathan, had summarized the assessments of the current state of enterprise-wide capabilities to deliver an effective cyber risk management subsystem within the existing enterprise-wide risk management (ERM) system. These assessments were sourced from all functional heads. As CEO, he knew the board expected to see future gap improvements in these capabilities. As he saw his chairperson, Mara, enter his office, he quietly smiled. He held a new confidence that his organization had a way to measure and track capability gaps.

Background

Improving risk management maturity improves trust and reliability in the organization’s ability to achieve its objectives, to report its risk profile(s), and to add value to the organization. More mature enterprise risk management (ERM) systems deliver researched bottom-line, top-line, and other “hard” benefits for an organization, such as a tripling of the bottom line.[1] There is no reason the same should not apply to the ERM subset, a cyber risk management system.

Enterprise risk management system capabilities mature over years, at staggered rates unique to your organization. The same is true of a cyber risk management system, except that it has a greater “need for speed” to meet the velocity and dynamism of the cyber threat landscape. “Maturity” means a current or future state, fact, or period of evolving development, quality, sophistication, and effectiveness (it is not necessarily age-dependent). A “maturity model” is a simplified system that “road-maps” improving, desired, anticipated, typical, or logical evolutionary paths of organization actions that are repeatable. The ascending direction implies progression that increases organization effectiveness over time (albeit subject to stasis and regression).

Benchmarking against self (and others) is the most powerful tool for measuring gap improvements in the capabilities that make up the cyber risk management system. It benchmarks your current baseline capabilities against targeted self-improvements over time. This delivers the right set of specific cybersecurity capabilities within an enterprise risk management system best tailored to your organization. This serves to continually assess and assure effectiveness.

Becoming CyberSmart

CyberSmart capabilities may be rated by a simple rating approach, applying an assessor score of between 0 and 4. Assessors are typically the CISO and/or Risk and/or Internal Audit functions, as well as external independent assessors. These rating scales are based on robust criteria adapted from the HB156 ISO and IIA-backed maturity assessment five-point scale methodology for in-evidence implementation of each capability.[2] Table E.1 explains in detail how to attribute a score of between 0 and 4 on a five-point scale for rating of CyberSmart™ capabilities.

Table E.1 CyberSmart™ Five-Point Scales for Rating of Capabilities

Columns: Assess This Score for Each Scale | Description: Ask If the Organization Capability Is … | Example

0 = Nil.
Description: Nonexistent; nothing in place, achieved, in effect (0%), or known. No capability. Unaware or no recognition of need. Not part of culture or mission.
Example: Policy X not in current management mind-set.

1 = Starting.
Description: Starting to be put in place, achieved, or in effect (say 0–<30%). Insignificant, limited, or starting capability, as intent rather than action. A management mandate or some recognition of intent and need may exist but still lacks engagement or execution. Approach is ad hoc and disorganized, without communication or monitoring. People unaware of responsibilities.
Example: Policy X still being planned or written before approval.

2 = Partly.
Description: Partially in place, achieved, or in effect (say 30–<60%). Capability exercised to some extent so as to create/protect value. Practices/controls are in place but are not documented. Mandate backed by commitment, evidenced by reinforcement practices by management. Operation dependent on knowledge and motivation of individuals. Effectiveness not adequately evaluated. Many practice/control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve practice/control issues are not prioritized or consistent. People aware in part of their responsibilities.
Example: Policy X approved in writing or informally communicated by management. Now in early stages of being introduced as a business process with awareness/training, etc., so people partly have the knowledge and experience to perform the process.

3 = Largely.
Description: Largely in place, achieved, or in effect (say >60–<90%). Capability effectively practiced, or with proficiency, so as to create/protect value. There is a largely effective enterprise-wide risk management practice and internal control environment. People aware of and largely discharging their responsibilities.
Example: Now in latter stages of being largely integrated by aware/trained/capable people, with evidence of implementation by management for informed decision making (e.g., reports providing management with the right information at the right time and/or methodologies that adequately analyze data and information).

4 = Fully.
Description: Fully in place, achieved, or in effect (say >90%) at all times in all places. Capability practiced towards the optimum or serving as a model for others so as to create/protect value. People fully aware, trained where appropriate, and discharging their responsibilities as an integrated part of the way they work and make decisions. Some use of technology applied appropriately to automate practices/controls to gain efficiencies or reduce cost or duplication. Management checks and balances in place so as to continuously improve.
Example: Policy X fully integrated and continuously improved (where appropriate) with systems and information to meet tomorrow’s needs, such that practices (and internal controls) are monitored, measured, reported, and fed back so management is confident that they are effective and efficient.

The maturity model we have dubbed CyberSmart™ appears in Table E.2. It is in matrix form for ease of transfer to a spreadsheet by any organization at no cost. It aggregates the cybersecurity capability building blocks from each chapter in the Cyber Risk Handbook based on the capabilities noted by each subject matter expert. As an illustration only, it shows a current or baseline score of 46 percent Index rising over future periods of implementation to targeted Indices of 69 percent, 82 percent, and 92 percent. Of course, these ratings, targets and periods must be tailored to each organization. These scores and targets may be integrated into the enterprise strategic performance management system as a key performance indicator (KPI) and also used as a key risk indicator (KRI) for the assessment of effectiveness of the ERM system by both the independent Internal Audit function as well as ERM and other management functions. “Becoming CyberSmart™” goes to an operating principle that improving how risk-smart your capabilities are for cybersecurity is a journey, not a destination.

Table E.2 CyberSmart™ Maturity Model: A Risk Maturity Road-Map for Measuring Capability Gap Improvement

Maturity Capabilities and Chapter Reference for Details Rating Gap for Improvement Notes Target Rating by DD/MM/YY Target Rating by DD/MM/YY2 Target Rating by DD/MM/YY3
PART ONE: GOVERNANCE AND RISK OVERSIGHT        
Chapter 2 Cyber risk oversight. Boards and senior management around the world have relied on traditional ERM and internal audit paradigms to help them oversee cyber risk. These paradigms need to change if boards and senior management are going to meet the new expectations. More of the same cybersecurity approaches will not do the job. Boards need to insist that all ERM and internal audit work is directly linked to their organization’s top value creation and value preservation objectives and require regular reports on the state of residual risk linked to those objectives. Cybersecurity needs to be focused on its potential impact on key business objectives, not as a priority on its own regardless of its impact on the organization’s sustained success. To accomplish this shift boards and senior management must call for fundamental change in the way ERM and internal audit services are delivered. 3 4 4 4
Chapter 3 Principles guide actions. Actions are taken by people in order to achieve the goals and objectives of an enterprise. Principles form the foundation of desirable and positive behavior for people in carrying out their respective responsibilities. Risk management principles in a COBIT 5 approach meet stakeholder needs by being transparent, inclusive, dynamic, iterative and responsive. Principles covering the enterprise guide people to create and protect value, tailor to their own environment, and explicitly address uncertainty. In applying a single, integrated framework, being systematic, structured and timely is key. Enabling a holistic approach is supported by making risk considerations integral in all processes and decision making, while considering human factors, and using the best available data. Finally, the principle of facilitating continual improvement through a risk maturity strategy aligns naturally with activities and processes found in separating governance from management. 3 3 4 4
Chapter 4 Policies and procedures. Cyber risk policies. An appropriate mix of tailored cyber risk management-specific policies and procedures guide processes, practices, and organization risk management activities. These put cyber risk principles into effect and are systematically applied through the cyber risk management process. The organization can demonstrate to all stakeholders how it manages cyber risk. At a minimum, policies and procedures are fully in effect to cover mobile devices, ransomware, social media, third-party vendors/cloud computing, “Big Data analytics,” and Internet of Things. Various approaches are deployed to make such risks the responsibility of all employees, and not just the IT function. A cycle of continuous improvement throughout the organization allows development along the risk maturity curve. The policies provide a platform for companies to maximize digital opportunities while managing the threats associated with advances in technology, data-driven insight, and evolving work practices. 2 3 4 4
Chapter 5 Strategic performance management system. The organization has a strategic performance management system to measure implementation of a tailored cyber strategy delivering digital resilience. The cyber strategy shares the organization’s business risks, target state capabilities, target state level of protection and required initiatives. The organization goes beyond cyber risk-mitigating controls and considers cyber a capability-building enabler. A digital resilience assessment frames a baseline maturity to a set of metrics (KPIs/KRIs) of three types: measuring progress against initiatives, measuring overall level of capability, and measuring protection to specification for the most critical information. The metrics align with an appropriate set of principles and are automated, simple, repeatable, and on-demand. There is a forum to cascade for each of the three dimensions the aligned initiatives, markers, activities, actions, and resources (people and funding) necessary to drive each action to successful completion. Tracking the “status” and “progress” of each initiative surfaces the blockers and bottlenecks to the cyber strategy. 1 3 3 3
Chapter 6 Standards and frameworks. The appropriate mix of global key standards and frameworks for cybersecurity are in evidence, monitored, reviewed and tailored to the organization context. These include voluntary codes such as the ISO/IEC 27000 series, COBIT 5, NIST, ISF, SANS Top 20 controls, IT-CMF, WEF, and ENISA. These can be tailored singly, or in combination and with local regulatory codes that may apply to the organization. They provide the organization with effective cyber risk management guidance and benchmarking. Management understands that consistently applied good practice beats sporadic pockets of “best” practice. There is a road map for implementation of the cyber risk management system and to establish the required capabilities to keep it functioning, monitored and up to date. Cyber-related risks are treated and included in enterprise risk management (ERM) like any other risk to an organization and are aligned with the umbrella ISO 31000:2009, Risk management—Principles and guidelines standard. 2 2 3 4
PART TWO: PROCESSES
Chapter 7 Assessing cyber risks (identifying, analyzing, and evaluating). The organization realistically assesses the vulnerabilities of its digital system components not just for technology flaws (such as in design, encryption, event logging, or software malfunction) but for human factors. Trusted insiders present the highest risk (motivated either by malice or more commonly by accident) as well as third-party contractors, vendors, or temporary workers (essentially privileged users). The organization commits to a robust and structured approach to assessing and managing risk and an information risk assessment methodology. This involves a six-part approach to (1) generating an integrated view of information risk; (2) realistically assessing worst case; (3) mapping different types of threats, both malicious and accidental; (4) assessing vulnerabilities to different threat events and the strength of any controls already in place; (5) evaluating risk appetite and likelihood of a successful threat; and (6) developing practical approaches to addressing the information risks which have been identified. Other factors examined include organization capability, security culture, commitment, people competence, user privilege patterns, technology, leadership, policy, and environment. There is a balance between regulatory compliance and doing everything reasonable to protect mission-critical information. Cybersecurity maturity avoids barriers separating data security from the organization’s core business functions and does not rely on device-centric safeguards. The focus begins and ends with the organization’s data: how it is protected, which data is truly mission-critical, what behaviors need to be protected against, and who really needs to access it and when. 3 4 4 4
Chapter 8 Treatment. Treating cyber risks. The organization’s risk treatment capabilities align with its risk profile, risk appetite, and context. Risk treatment methodology is not reinvented for cyber risks but is a subset of the enterprise risk management (ERM) system. Risk treatment covers all cyber risk sources, likelihoods and impacts. Risk sources include supply chain, cloud, mobile devices, and social media. Impacts are either noninsurable in nature or insurable in part or whole, and may take various forms (such as fines, reputational damage, loss of customers, loss of employees, and stock devaluation). Impact management preparations are required for insurable risks, crisis management, forensics investigation, customer notification, and business interruption. Cyber risk treatment is prioritized, reiterative, and cyclical. Risk owners complete risk and control action plans that balance threat with opportunity to organization objectives and consider cost/benefit. Appropriate combined treatment options are not mutually exclusive, are appropriate to the case in hand, and are aligned with ISO 31000:2009, Risk management—Principles and guidelines: (1) avoiding the activity that gives rise to the risk; (2) taking or increasing the risk in order to pursue an opportunity; (3) removing the risk source; (4) changing the likelihood; (5) changing the consequences; (6) sharing the risk with other parties (e.g., risk financing, contracts); and (7) retaining the risk by informed decision. 2 2 3 3
Chapter 9 Treatment using process capabilities. Cybersecurity process capabilities provide the governance and management practices necessary to effectively and efficiently align the cybersecurity program with the business enterprise objectives. Detailed activities are developed to support the cybersecurity practices to provide governance (evaluate, direct, and monitor), manage (align, plan, and organize the work), create solutions (build, acquire, and implement), sustain (deliver, service, and support), and improve (monitor, evaluate, and assess). These processes taken together form a cybersecurity life cycle with defined inputs and outputs based on generally accepted good practices that, taken together holistically, can serve to reduce the organizational cybersecurity risk. 1 2 3 4
Chapter 10 Treatment using cyber insurance and risk finance. Cyber breach risks are understood in terms of their potential impact on the organization balance sheet and quantified as far as possible. The cost-benefits of investments in insurance treatment versus cybersecurity treatment are modeled and they are considered for budgeting purposes as complimentary rather than competing investments. A quantitative cost-benefit model to address cyber exposures optimizes the efficient allocation of resources, financial planning, analysis, and reporting. Modeling constraints are understood. Cyber risk is effectively transferred to insurers where this is appropriate to organization context and where it augments existing insurance covers. Cyber insurance reduces the total cost of risk (TCOR) over the long term. Risk and/or insurance managers collaborate with business units when agreeing and implementing plans (i.e., pre-breach education and planning, an incident response and crisis management plan, a breach business continuity plan and, review, and/or placement of cyber insurance). Risk and/or insurance managers have an important coordination role. They take appropriate steps to (1) coordinate all the above plans to properly inform management and the board of directors; (2) position cyber insurance treatment solutions as a subset of ERM system capabilities for the organization; (3) review vendors and the supply chain; (4) treat any insurance gaps in existing insurance; (5) prepare mechanisms for filing a cyber claim well in advance of the event; (6) consider the use of a captive insurer; and (7) stay abreast of cyber insurance market trends, particularly for capacity and regulatory constraints. 0 1 2 3
Chapter 11 Monitoring and review using key risk indicators (KRIs). Specific and tailored cybersecurity KRIs are developed to monitor inherent and residual risk levels. These metrics provide leading indication of increasing risk exposure and potential impacts to achievement of strategic objectives and provide a full view across the range of threats. Context is critical in effective KRI design as are ratios, percentages and always asking the next question to refine the KRI. Response metrics (speed and trend) are important indications of a program’s success, which is a key piece of information for senior management and board members. 0 1 2 3
Chapter 12 Incident and crisis management. Low-impact routine cyber incidents are differentiated from major crises that require prompt escalation in order to avoid high-impact consequences. For incidents, all incident sources are detected and classified; routine incident management policy and volume-process steps are practiced and continually reviewed; and, incident internal reporting aligns with the ERM system. Process steps include identification, containment, remediation, and recovery. An incident “must-have” checklist is followed. When incidents become unmanageable and/or require escalation, it is escalated by preset criteria to a set of cyber crisis management (CCM) principles. CCM follows trained-for steps: (1) alert and qualification; (2) crisis handling (by carrying out an investigation and a defense plan); (3) execution and surveillance; then (4) crisis closure. CCM is steered by a crisis decision-making unit (CDU) (or its equivalent) made up of representatives of the organization’s top management. CCM is implemented by an operational cybersecurity crisis unit that is prestructured, tailored to the organization context, and trained to mobilize quickly. It is made up of three teams that work jointly: the Investigation team provides digital forensics to the defense team, that build upon plans to be approved by the CDU and applied when appropriate regarding the attack life cycle. These teams are adequately resourced with the technical tools and techniques for managing a modern cyber crisis. Adequate preparation for a crisis event is crucial to the organization and both incident management and crisis management processes are tested regularly with tabletop or in-situation exercises. These are improved over time as new threats arise and the organization evolves. 1 3 4 4
Chapter 13 Business continuity management system (BCMS). IT processes are deeply embedded into business and operational processes. A business continuity management system (BCMS) is robust enough to overcome a major cyber incident with an organization-wide impact for a significant period of time (or even threatening the long term survivability of an organization). The BCMS is aligned with the ISO 22301:2012 Societal Security–BCMS–Requirements and with the organizational culture, thus making it a strategic management process. The BCMS provides a framework for the organization to implement an integrated response to counter major cyber incidents. Impact severity levels are defined in a standardized impact severity matrix, which should be used or associated with IT incident management plan (IMP), IT disaster recovery plan (DRP), crisis management plan (CMP), crisis communications plan (CCP), and damage assessment. It is also essential to ensure response procedures in these plans are aligned. These are validated by conducting integrated exercises. 1 3 3 3
PART THREE: ORGANIZATIONAL STRUCTURES AND DESIGN
Chapter 14 External context and supply chain. The external context unique to the organization is established in respect of the cyber risks that are faced, especially in regard to the supply chain. It is a board-level priority to apply this as much to critical third parties as to the internal organization. The focus of organization cyber strategies is equally on developing resilience and protection, not simply on identifying individual cyber risks. External cyber resilience follows five steps to (1) map critical data and value flows for organization, including reputational impact; (2) teach the importance of data security and cyber-resilience to employees and to relevant individuals within critical third parties; (3) develop external cyber-incident and crisis management response plan(s) appropriate to key scenarios, ensuring regulators are notified where applicable; (4) review and benchmark critical third-party cyber-security measures; and (5) track and/or work with policymakers and regulators in the interconnected world of cyber risk public-private partnerships. 0 3 3 3
Chapter 15 Internal Organization Context. The organization understands its internal context and builds and measures its capability to align all enterprise functions to mutually support the cyber risk management system. The organization operates to the overall principle that cyber risk is an enterprise-wide risk, not just an IT risk. It considers voluntary guidance code approaches that are tailored to the organization. A “cyber risk management system” involves the ongoing, effective, and fast deployment of 24/7/365 organization capabilities to mitigate cyber threats. The cybersecurity function and its risk management system is aligned to other enterprise functions and management systems in such a way that the organization has the speedy, adaptive, resilient and responsive capabilities required to face the fast-paced evolving universe of cyber threats (and opportunities). The cyber risk function operating model is appropriately tailored. Cybersecurity is aligned not only across the enterprise but within each key enterprise function that needs to team up with the CISO/DRO’s cyber function. The CEO directs the executive management team from the CISO/DRO and IT-related management functions right across to people-related functions such as human resources. The CRO is accountable for the enterprise risk management system and all its subsystems, which includes the cyber risk management system. 2 3 3 3
PART FOUR: CULTURE, ETHICS, AND BEHAVIOR
Chapter 16 Culture and human factors. Management treats the organization as a social system influenced by human factors. While culture involves complex variables and multiple stakeholders (including employees, customers, vendors, and business partners); a tailored risk management culture addresses cyber risks comprehensively. Cybersecurity is treated not merely as a technology issue but as a mix of social, cultural, emotional, and behavioral issues where potential conflicts and contradictions are managed. Cyber risk treatments (including controls) combine technology with nontechnology treatments and are fast paced to match the threat. Organization decision making avoids biases such as Groupthink. The culture is resistant to human factors such as insider threats and social engineering threats. Active, able, aware, motivated and trained people, vendors and other stakeholders support cybersecurity. Employee training programs cover different phases of the employee life cycle and are role specific where appropriate. An appropriate set of standards and qualitative approaches are used for measuring and evaluating people behavior and culture. 2 2 3 3
Chapter 17 Legal and compliance. The legal and compliance issues surrounding cybersecurity are predefined by principles of currency, reasonableness, and preparedness such that the organization is prepared for the legal requirements and ramifications of a breach. An organization must work with its legal professionals to ensure any currently applicable data security regulations are met while planning to accommodate regulatory expansion towards widely accepted standards. Legal should be integrally involved in the entire “process-oriented” cycle of cyber defense planning, including committee creation, application, simulation, auditing, and recordation. The C-suite must stay appraised on the process to ensure compliance with fiduciary duties and “reasonable” action (typically, to identify risks, delineate plans to deal with those risks, then implement the plans with requisite oversight). Actions towards fulfilling a “process” are able to be proven to regulators, shareholders, and judges in the event of a data incident via the recordation of all C-suite and boardroom planning, discussion, and actions. The basic “process” should be designed and executed by a board level advisory cyber committee, composed of multidisciplinary professionals with some cyber familiarity. A board-level audit process regularly reviews the advisory committee’s actions, plans, and recommendations. Before any cyber event, legal counsel not only articulates any applicable state or industry data regulations but directs documentation of the “process,” reviews past contracts, and manages future contracts with cybersecurity risks in mind. Legal can advise on the purchase of specific cyber insurances and determine whether information-sharing partnerships with government or with similar companies might be beneficial. During and after any incident, legal counsel is part of the response teams set in action with constant documentation of steps taken and with reports sent to the C-suite. 
Advice by legal counsel—either with in-house or outside counsel depending on the potential need to preserve privilege—should be established immediately and sustained throughout the response to the crisis. From the input of legal counsel, compliance with notification and data protection regulations pertaining to the subject industry is adhered to. Beyond notification requirements, disclosure of the breach to partners in the private and public sector may create opportunities to gain further resources and information to mitigate damage (while balancing internal concerns over potential harm the reputation of the company by such disclosure). Owners of contractually transferred data should be notified as to the status of the breach and the confidentiality of their data. Notifying the public, and specifically those who might have had information disclosed by the breach, also warrants discussion with legal and other relevant parts of the company. An internal investigation should be created to record events and actions. If an “active defense” is contemplated, receiving authorization from the appropriate public authorities and foreign network owners before operations are commenced could help limit liability for actions taken. 2 2 3 4
Chapter 18 Assurance. The board and CEO must ensure the necessary organization capabilities to align cybersecurity with key organization objectives. Cybersecurity should include: A cyber risk assurance framework/methodology is a structured approach to conducting assurance activities in a coordinated manner across an organization. This is for the purpose of gaining confidence that cyber threat mitigations are working effectively, and to convey this conclusion to stakeholders such as the CEO and the board, supported by independent assurance provided by internal audit. It ensures that different assurance activities by different business units are coordinated, and complement each other. It recognizes the special characteristics of cyber threats, and the requirement to have strong cybersecurity governance in place to validate cyber threat treatments (controls/mitigations) continuously, for the benefit of protecting the organization in a balanced manner in its pursuit of achieving the business objectives. Balanced manner means assessing the cyber risks with the right skill sets and providing a balanced and informed basis for decisions on how and what treatments are right for the organization, without hindering the performance of the business. It adds value by reducing duplication of work activities and thus costs, and makes the protection stronger (maintaining confidentiality and integrity of information), while ensuring availability of digital services to support and enable the business achieving the business objectives. 3 3 3 4
PART FIVE: RESOURCES IN INFORMATION ASSETS
Chapter 19 Information asset management. The organization takes a proactive approach to address threats by controlling the speed and effectiveness of its response to cyber attacks. It adopts true military-grade cybersecurity approaches by being proactive in defense, continuously strengthening safeguards while preparing for the worst. A contingency plan handbook documents how to respond in the event of an attack. Plans are rehearsed through regular war games, staff training, and responses adapted over time. Plans and training include changes to threats, in order to reduce mean time between detection and remediation. A dedicated crisis action officer (reporting to the CEO) creates and oversees response planning. The security operations center (SOC) is evolving into a true command-and-control center for operations. Computer network operations are considered as actions that an organization takes to increase their own information security, while denying security to its enemies. 2 3 3 3
PART SIX: RESOURCES IN ARCHITECTURE SERVICES, INFRASTRUCTURE AND APPLICATIONS ASSETS
Chapter 20 Physical security. Physical security risk scenarios are identified, analyzed, and evaluated within the context of a cyber-related physical security risk landscape for the organization. Organizational and technical physical security measures to deter, delay, detect, alarm, and respond to adversary attacks are designed and/or reviewed in order to support and augment cybersecurity. Exposure to adversary attack scenarios are calculated or reviewed by simulating the path of an adversary and calculating the probability of interrupting the adversary. A RASCI-based plan for the physical security organization is implemented. The link between security and the value added is understood as the point where the marginal benefits exceed or equal their optimal costs. 3 3 3 4
Chapter 21 Operations and communications. The organization initiates, integrates and advances core security operations center (SOC) capabilities to detect, prevent and respond to cybersecurity situations. A mature SOC prioritizes what needs to be protected, matures its communication strategies, and leverages advances in technology to operate more efficiently and effectively. It delivers not only monitoring and response services to detect and remediate cyber threats but, by combining cyber threat intelligence, analytics, and orchestration capabilities, gives the organization ways to detect and respond in minutes. The organization drives for clarity on the linkage from its business objectives down to its physical assets, organizational risks, applications, and ultimately data, in order to avoid communication and risk challenges. It builds in remediation automation to fill gaps, is responsive to the speed of change, and knows its assets. It makes cyber risk management more tangible with an "active defense" process. It adapts quickly to changes in the cyber environment by analyzing gap improvements, and it remains adaptive with a mature and integrated set of security operations capabilities powered by data science, automation and an analytics platform. This provides the visibility, context and insight needed to proactively protect its data, intellectual property, and brand. Maturity ratings: 2, 3, 3, 3
Chapter 22 Access controls. The organization understands that the overall objectives and general principles of ICT access control remain largely the same as for traditional information security, but that cyber risk requires smart processes and next-generation technology to be added in order to achieve current access control objectives. The organization avoids manual controls, embraces automation and deploys access control intelligence to stay ahead of attackers. Its access control structure is effective. Cybersavvy and informed people, including third parties, leverage technology and are capable of identifying and reporting potentially suspicious behavior and activities. Competent people use smart processes to bind these elements together to achieve enterprise-level goals. Maturity ratings: 2, 3, 3, 3
Chapter 23 Systems acquisition, development, and maintenance. Cybersecurity in systems acquisition, development, and maintenance. The organization's effective and reliable information systems are efficient and cost effective, and they achieve competitive advantage. Building and buying information systems are the result of careful business and risk-based decisions. Appropriate security requirements, commensurate with the risks, are defined, implemented and tested before an application moves into production. Cybersecurity is "by design" and integrated into the organization's applications. Policies and procedures to ensure cybersecurity are addressed throughout the development or acquisition life cycle in line with the following guiding principles: (1) security requirements should be identified up front based on the risks; (2) the security requirements should be included in the application development and selection processes; (3) the security requirements should be tested for effectiveness pre- and post-implementation; (4) when using cloud/SaaS providers, cybersecurity due diligence should be conducted; and (5) developers should be trained in secure coding practices and the developed code should be inspected for security defects. Maturity ratings: 2, 3, 3, 3
PART SEVEN: RESOURCES IN PEOPLE, SKILLS AND COMPETENCIES AS ASSETS
Chapter 24 People risk management system. Management understands that people are not machines and cannot be programmed. An enterprise-wide people risk management system includes technology, business, risk and people solutions that avoid operational silos. It forms part of the enterprise risk management system, where people risk is not solely the domain of the human resources (HR) department or of the technology or information security departments. People risk controls are proportionate, reasonable and achievable. Organizational knowledge upskilling starts at the board and also works up from the front line. HR uses training budgets to target and deliver cross-functional training appropriately. Any "digital governance gap" is bridged by in-depth analysis and a cross-disciplinary team including IT, executive management, legal, and risk management. Talent is recruited to balance future needs for both left- and right-brain thinkers, and leaders develop or increase their digital quotient (DQ). The organization manages all forms of digital risk and may deploy a specialized digital risk officer (DRO) if appropriate. Crisis management capabilities, resources and relationships enable a rapid and appropriate response not only to an emergency, but also to small changes that could ultimately develop into a disaster. Senior management nurtures a risk-taking culture that drives competitiveness and profitability. Maturity ratings: 3, 3, 4, 4
Chapter 25 Competencies. Competencies and the CISO. Cybersecurity is a top concern for boards and executive management. The cybersecurity leader in an organization needs not only broad technical capabilities across the information security domains, but also leadership expertise and the ability to guide the organization effectively in implementing an effective, holistic and enterprise-wide cyber program. This program needs to address organization structure, people, process and technology, but also the critical dynamic components of culture, governance, human factors, and the enablement of processes through technology. More critically, in this rapidly changing environment, the CISO needs to recognize emergent conditions and the opportunities and threats they present. The CISO requires competencies in four areas: (1) information security governance; (2) information risk management and compliance; (3) information security program development and management; and (4) information security incident management. Maturity ratings: 2, 2, 3, 4
Chapter 26 Human Resources (HR) security. As a minimum, staff protocols or a standard for HR cybersecurity are in effect and kept up to date. Pre-employment protocols include roles and responsibilities, screening for insider and other threats, and terms and conditions of employment. During-employment protocols include management responsibilities; information security awareness; organization awareness, education, training and internal communications; and a disciplinary process. Protocols for termination or change of employment include termination responsibilities, return of assets, and removal of access rights. A checklist is always used for secure employee departure. Larger organizations and/or more mature HR functions pursue continuous capability improvement by exploiting an array of more sophisticated tools, techniques, and solutions for advanced cybersecurity. Maturity ratings: 1, 2, 3, 4
CyberSmart™ TOTAL AS INDEX RATING OUT OF 100%: 47%, 69%, 82%, 92%

Notes

About Domenic Antonucci

Domenic is a practicing international chief risk officer overseeing cybersecurity and a former counter-terrorist intelligence officer. An Australian expatriate based in Dubai UAE, Domenic specializes in bringing capabilities within organization risk management systems “up the maturity curve” for enterprise, program, and specialized risks such as cybersecurity. Formerly with Marsh, Shell and Red Cross, he enjoys over 35 years’ experience in risk, strategic planning and business management consulting across many sectors in Europe, Africa, Middle East, Asia, and Australia-Pacific. A specialist with IRM (SIRM), he is a certified ISO 31000 ERM lead trainer and BCMS business continuity lead implementer as well as a former RMP-PMI risk management professional and PMP project management professional. A regular international conference presenter and author, he is the content author for risk maturity model software called BenchmarkerTM and the author of the book Risk Maturity Models: Assessing Risk Management Effectiveness.

About Didier Verstichel

Didier is an experienced chief information security officer (CISO) as well as a chief risk officer (CRO) with a background in the financial sector. He is currently a freelance consultant in ICT security and enterprise risk management, with a client base that includes BNP Paribas Fortis and ING Belgium. He is also a member of the Strategic Advisory Board of Sonavation Inc, a leader in ultrasonic fingerprint readers. He sat on the Information Security Forum (ISF) advisory board in 2012 and 2013. Didier worked for SWIFT, the Brussels-based global financial messaging system, from 1994 through 2014. He was a program manager and led the Y2K program (among many key initiatives) up to the year 2000. From 2000 to 2005 he was director of the Worldwide Networks department, where his main achievement was the development of a global multivendor secure IP network. He was then appointed director of the Enterprise Security and Architecture department in 2005 and combined the CSO and CISO functions. His responsibilities were IT architecture, security strategy and technology, security risk management, security policies and compliance, as well as corporate security. He was appointed CRO in January 2011. Before joining SWIFT, Didier held various ICT functions at Europay (now Mastercard Europe), where he started his career in 1982.
