Enterprise Cyber Risk Management As A Value Creator: Leverage Cybersecurity For Competitive Advantage 1st Edition Bob Chaput
Foreword by Phil Gardner, CEO, IANS Research
Enterprise Cyber Risk Management as a Value Creator: Leverage Cybersecurity for Competitive Advantage
Bob Chaput
Belleair Beach, FL, USA
Table of Contents
Foreword xxxi
Preface xxxiii
Abbreviations xxxvii
Index 377
Endorsements for Enterprise Cyber Risk Management as a Value Creator
Throughout my 28 years in CISO roles at two of the highest-risk
organizations in the world, I have sweated through countless budget and
resource challenges and struggled to connect my cybersecurity program
to business objectives in the minds of business leaders and our board. A
major hurdle was that cybersecurity was viewed as risk avoidance—a cost
center that did not add value, that is, a painful but necessary overhead.
This book lays out the holy grail for cybersecurity, how to flip that script
to make cybersecurity a business enabler and part of the core growth
strategy, and how to integrate that approach into business strategy.
No one is more knowledgeable and qualified to make this case than
Bob Chaput, who is a living legend in cybersecurity and an unmatched
thought leader in enterprise cyber risk management (ECRM). He lays
out a compelling case, with details on how to apply this thinking to your
organization, and then provides a detailed road map for making it happen.
This should be mandatory reading for CISOs, CFOs, CEOs, and board
members. It will close communication gaps and change the mindset
because it shines a light on the opportunities to expand and accelerate
business transformation and earn customer and stakeholder trust—
through cybersecurity.
—Paul Connelly, First CISO at the White House and
HCA Healthcare
Bob Chaput picks up where most books leave off by providing powerful
insight into ECRM engagement by providing a factual background coupled
with strategic examples that can and will have positive impacts on any
company’s cyber risk strategy and approach. This resource should become
the standard guidebook for every risk manager, general counsel, CISO,
CTO, C-suite, and board member who has an interest in or a concern
around cyber and privacy liability and entire ECRM protocols.
growth and output already dependent upon complex digital systems, this
mindset will help leaders understand the importance of cybersecurity to
the organization’s future.
Bob Chaput has answered that question and solved the problem with
his latest book: Enterprise Cyber Risk Management as a Value Creator.
For too long, cybersecurity has been viewed as a defensive play, a cost
center. What if the tables were turned and executives and boards thought
about cybersecurity in a positive light and as an opportunity to create
competitive advantage and add value to the organization and drive
business growth?
This book, using data, statistics, and real business examples, is a
primer for redirecting and refocusing those discussions for the leaders
who must be engaged in cybersecurity but for too long have stayed out
of the fray. The book provides lots of guidance and many questions—in
each chapter—to get the business to start answering the right questions
and asking their own. Multiple studies (many cited in this book) clearly
indicate that business leaders and consumers agree that establishing
trust in products and experiences (AI, digital technology, data) that meet
expectations will deepen trust and promote growth.
This is the book to start those conversations, up and down the
organization. Cybersecurity isn’t boring if you have the right people talking
about it—here is how to engage those “right” people in your organization.
You’ll need to arm your IT, security, risk management, operational, and
innovation leaders, but you’ll use the learning to deeply engage the
C-suite, the boards, and committees of the board in positive discussion
around cybersecurity and how to leverage a more secure organization to
move faster and drive new opportunities.
for the actions necessary to turn defensive thinking and processing into
positive and value-creating actions and programs. Mr. Chaput makes the
case for competitive and reputational advantage with logic, intelligence,
and wit and draws from a depth of personal knowledge and experience
in ECRM. Each chapter includes a set of “Questions Management and the
Board Should Ask and Discuss,” and these provide a great agenda of items
worthy of consideration. You need this on your reading list.
Bob Chaput in his latest book, Enterprise Cyber Risk Management as a Value
Creator, works magic by revealing why cybersecurity risk is an essential
ingredient of enterprise risk management. He introduces a new paradigm
with enterprise cyber risk management (ECRM) being not just a defensive
play, but a proactive business enabler that can improve customer trust
and stickiness through security services and increasing revenue sources
by way of security capabilities. Bob lays out a well-understood foundation
Legal Disclaimer
Although the information provided in this book may be helpful in
informing you and others who have an interest in data privacy, security
issues, and cyber risk management issues, it does not constitute legal
advice. This information may be based in part on current international,
federal, state, and local laws and is subject to change based on changes in
these laws or subsequent interpretative guidance. Where this information
is based on federal law, it must be modified to reflect state law where
that state law is more stringent than the federal law or where other state
law exceptions apply. Information and informed recommendations
provided in this book are intended to be a general information resource
and should not be relied upon as a substitute for competent legal advice
specific to your circumstances. Furthermore, the existence of a link or
organization reference in any of the following materials should not be
assumed as an endorsement by the author. YOU SHOULD EVALUATE ALL
INFORMATION, OPINIONS, AND RECOMMENDATIONS PROVIDED
IN THIS BOOK IN CONSULTATION WITH YOUR LEGAL OR OTHER
ADVISORS, AS APPROPRIATE.
Acknowledgments
First, I must start by thanking my wonderful wife, Mary, to whom I
dedicate this book. From coffee, food, patience, and encouragement to
keeping the cats off my lap so I could write, she was as important to this
book getting done as I was. Thank you so much, Mary.
I would also like to thank all the colleagues, executives, and board
members with whom I’ve had an opportunity to work over the course of
my career at GE, Johnson & Johnson, Healthways, and Clearwater. Those
career opportunities helped me develop as an information technology
and cyber risk management executive, entrepreneur, and educator and,
ultimately, prepared me to write this book. Everyone with whom I worked
contributed to this book in some way. Thank you.
When I first considered writing this book, I prepared a book proposal
and turned to several cybersecurity, regulatory, and risk management
veterans to provide feedback on the concept of a book on positive
cyber risks or cyber opportunities. I sincerely appreciate Jim Brady, Raj
Chaudhary, David Finn, Rachel Rose, and Paul Connelly for their careful
reviews and constructive and encouraging feedback.
I want to thank the entire publishing team at Apress and, specifically,
Susan McDermott and Laura Berendson for their support and guidance
throughout the process.
Finally, I would like to thank my friend, former colleague, and
technical reviewer of this book, Jon Stone, for skull sessions on the subject
matter in this book that go back to our early work on Clearwater Security
together.
About the Author
Bob Chaput, NACD.DC, is the author of Stop
the Cyber Bleeding: What Healthcare Executives
and Board Members Must Know About
Enterprise Cyber Risk Management (ECRM).
He is also Founder and Executive Chairman of
Clearwater, a leading provider of cybersecurity,
cyber risk management and compliance
software, consulting, and managed services. As
a leading authority in cybersecurity regulatory
compliance and enterprise cyber risk management, Bob has assisted
dozens of organizations and their business partners, including Fortune 100
organizations, wanting to improve their risk posture. Bob’s degrees include an
MA in mathematics from Clark University and a BA in mathematics from the
Massachusetts College of Liberal Arts. In addition to the NACD Directorship
Certification (NACD.DC), Bob holds numerous privacy, security, and cyber
risk management certifications. He is a faculty member at IANS Research.
About the Technical Reviewer
Jon Stone is Senior Vice President and Chief
Product Officer for Clearwater. In this role,
he leads product innovation and product
development.
Formerly, Jon served in numerous roles at
Healthways, Inc., including Senior Portfolio
and Project Management Director. He
provided leadership of complex projects,
product development, product strategy,
and health information management consulting services to healthcare,
managed care, and health information technology companies.
Before joining Healthways, Jon served as Director of Project
Management and Healthcare Quality Metrics at Cigna Healthcare.
Jon has a master’s in public administration and healthcare regulatory
policy from the University of Tennessee at Chattanooga. He is certified as
a Project Management Professional and has a Project Management for
Information Systems certification from the University of Colorado.
Foreword
The issue of value creation has long been a contentious topic in
cybersecurity. In this book, Bob Chaput makes a compelling argument
that cybersecurity executives can function as value creators by taking on
a leadership role in enterprise cyber risk management (ECRM). Bob then
articulates a road map for how infosec executives, business leaders, and
board members can work together to develop an ECRM-driven approach
to security.
This book couldn’t have come at a more critical time. The release of
new cyber breach disclosure rules from the US Securities and Exchange
Commission in July 2023 accelerated a growing movement among boards
to govern cyber in a more strategic manner. Public companies are expected
to identify the materiality of breaches and report on any material incidents
within four days of determining materiality. To meet this need, the board,
business executives, and CISOs must work together to develop a cohesive
ECRM strategy. While the mandate only extends to public companies, the
impact is expected to extend well beyond that jurisdiction.
Moving the cybersecurity conversation away from a focus on controls
to an emphasis on ECRM is essential, and Bob is perfectly positioned to
provide guidance here. From his executive technical leadership positions
at GE, Johnson & Johnson, and Healthways to his work as CEO and, since
2018, Executive Chairman at Clearwater Compliance, not to mention his
essential contribution as a member of the IANS Faculty, Bob has been
exposed to countless executive cyber risk conversations. Bob is also a
member of the National Association of Corporate Directors and has served
as a board advisor. This blend of experience allows Bob to not only speak
with authority about ECRM issues but also provide practical guidance on
how to deliver value to the business.
On a personal note, I’ve found Bob to be one of the best active
listeners that I’ve ever met. Bob’s other great skill is in his ability to distill
his conversations with CISOs, business leaders, board members, and
regulators into compelling, actionable insights. He cares deeply about this
topic and it shows.
The wisdom he passes on in this book is not just for CISOs. Anybody
with a responsibility to manage or govern enterprise cyber risk can benefit
from Bob’s guidance.
This work is essential in the industry today, especially because it is
not an academic work. Instead, Bob provides real, practical guidance on
how to build out an ECRM program and use that to influence the business
effectively. It takes what is often a theoretical idea and presents tangible
ways to make that value a reality. That actionability makes it stand out
and turns it into a necessary read for executives seeking a perspective on
enterprise cyber risk.
Preface
It feels like we’re going through a similar positive cycle to what I
experienced early in my career in the mid-1980s when businesses
recognized that information and information technology were an asset
that companies could leverage for competitive advantage. In 1985, Michael
E. Porter and Victor E. Millar published their seminal article, “How
Information Gives You Competitive Advantage.” In it, they highlighted
how the information revolution critically affected competition, including
changing industry structure, altering competition rules, creating
competitive advantage by giving companies new ways to outperform their
rivals, and spawning whole new businesses.
In this book, I highlight parallels between what happened over the
course of the last 40 years and what is underway today with cybersecurity.
In short, with the explosion in data, systems, and devices in connection
with massive digitization programs that businesses have undertaken, it has
become clear that organizations must safeguard these new information
assets. Organizations, their C-suites, and boards must now realize that
they can leverage a robust Enterprise Cyber Risk Management (ECRM)
Program and Cybersecurity Strategy to create a competitive advantage for
their organization. As Yogi said, it’s like déjà vu all over again.
I was gratified to see how well executives, board members, and many
stakeholders in the healthcare ecosystem received my book Stop the Cyber
Bleeding in 2020. I appreciated the opportunity to give something back to
the healthcare industry in the form of practical, tangible recommendations
to establish, implement, and mature an ECRM program. For many
organizations, building such a program represented paying off “ECRM
debt” after having gone on a spending binge as they digitized what were,
Abbreviations
• AI: Artificial Intelligence
• PB: Petabytes
• SaaS: Software-as-a-Service
• TB: Terabytes
PART I
Enterprise Cyber Risk Management as a Value Creator
Once you replace negative thoughts with positive ones, you'll
start having positive results.
—Willie Nelson1
Over the last 40 years, I’ve enjoyed helping organizations comply with
various privacy, security, and breach notification regulations and
standards and improve their enterprise cyber risk management and
cybersecurity posture. These efforts have been primarily defensive. The
focus of my defensive work with healthcare organizations, for example,
is captured in the subtitle of my book Stop the Cyber Bleeding,2 as How to
Save Your Patients, Preserve Your Reputation, and Protect Your Balance
Sheet. The verbs “save,” “preserve,” and “protect” are about safeguarding,
assuring, and “managing the downside.” Although critically important,
“managing the downside” does not align with the language of most
companies’ strategic objectives, which include creating value, driving
revenue growth, and enabling their business. In other words, those
defensive verbs are not about using cybersecurity to “create and manage
the upside.” You need to think about cyber opportunities that can help
achieve your business goals.
Risk management and especially cyber risk management (both of
which I will further define) are too often only focused on preventing the
bad things that may happen in your organization. That’s a good thing.
At the same time, I recommend you expand your thinking, policies,
procedures, and practices to incorporate opportunity and specifically
cyber opportunities in your risk management work. Although I may
not always link “risk and opportunity” together in phrases like risk and
opportunity management, risk and opportunity assessment, or risk and
opportunity treatment, know that the intent of this book is to provoke your
thinking always to consider opportunities or upside outcomes from your
ECRM work. Also, keep in mind that while cybersecurity regulations such
as HIPAA, SEC, and NYDFS focus on risk (i.e., the downside) when they
use the term risk management, there are compelling reasons to include
your cyber opportunities (i.e., the upside) in your work to meet these
regulatory requirements.
This chapter addresses an essential consideration for all companies
regarding their ECRM Program and Cybersecurity Strategy—pivoting
from regarding cybersecurity as solely a cost-centered defensive program
to a profit-centered transformational core growth strategy. With estimated
global cybercrime costs forecast to exceed $23B by 2027,3
there are already enough good reasons to be defensive and establish,
implement, and mature a strong ECRM program. Progressive-thinking
organizations are going beyond being defensive. Missed cyber
opportunities can be as costly to your organization as exploited
vulnerabilities.
Chapter 1 Enterprise Cyber Risk Management as a Value Creator