Enterprise Cyber Risk Management as a Value Creator: Leverage Cybersecurity for Competitive Advantage, 1st Edition
Bob Chaput
Foreword by Phil Gardner, CEO, IANS Research

Enterprise Cyber Risk Management as a Value Creator
Leverage Cybersecurity for Competitive Advantage

Bob Chaput
Belleair Beach, FL, USA

ISBN-13 (pbk): 979-8-8688-0093-1
ISBN-13 (electronic): 979-8-8688-0094-8
https://doi.org/10.1007/979-8-8688-0094-8

Copyright © 2024 by Bob Chaput


This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or
part of the material is concerned, specifically the rights of translation, reprinting, reuse of
illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way,
and transmission or information storage and retrieval, electronic adaptation, computer software,
or by similar or dissimilar methodology now known or hereafter developed.
Trademarked names, logos, and images may appear in this book. Rather than use a trademark
symbol with every occurrence of a trademarked name, logo, or image we use the names, logos,
and images only in an editorial fashion and to the benefit of the trademark owner, with no
intention of infringement of the trademark.
The use in this publication of trade names, trademarks, service marks, and similar terms, even if
they are not identified as such, is not to be taken as an expression of opinion as to whether or not
they are subject to proprietary rights.
While the advice and information in this book are believed to be true and accurate at the date of
publication, neither the authors nor the editors nor the publisher can accept any legal
responsibility for any errors or omissions that may be made. The publisher makes no warranty,
express or implied, with respect to the material contained herein.
Managing Director, Apress Media LLC: Welmoed Spahr
Acquisitions Editor: Susan McDermott
Development Editor: Laura Berendson
Coordinating Editor: Jessica Vakili
Distributed to the book trade worldwide by Springer Science+Business Media New York, 233
Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail
orders-ny@springer-sbm.com, or visit www.springeronline.com. Apress Media, LLC is a
California LLC and the sole member (owner) is Springer Science + Business Media Finance Inc
(SSBM Finance Inc). SSBM Finance Inc is a Delaware corporation.
For information on translations, please e-mail booktranslations@springernature.com; for reprint,
paperback, or audio rights, please e-mail bookpermissions@springernature.com.
Apress titles may be purchased in bulk for academic, corporate, or promotional use. eBook
versions and licenses are also available for most titles. For more information, reference our Print
and eBook Bulk Sales web page at http://www.apress.com/bulk-sales.
Any source code or other supplementary material referenced by the author in this book is available to
readers on the Github repository: https://github.com/Apress/Enterprise-Cyber-Risk-Management-as-a-Value-Creator.
For more detailed information, please visit https://www.apress.com/gp/services/source-code.
Paper in this product is recyclable
I dedicate this book to my wife, Mary.

It’s like deja-vu all over again.

—Yogi Berra (1925–2015), American professional baseball catcher, manager, and coach.
Table of Contents

Endorsements for Enterprise Cyber Risk Management as a Value Creator ... xv
Acknowledgments ... xxv
About the Author ... xxvii
About the Technical Reviewer ... xxix
Foreword ... xxxi
Preface ... xxxiii
Abbreviations ... xxxvii

Part I: A Case for Action ... 1

Chapter 1: Enterprise Cyber Risk Management as a Value Creator ... 3
The Next Cybersecurity Pivot ... 5
Digital Transformation Is Not Slowing Down ... 6
Creating Business Value ... 7
  Increasing Customer Trust and Brand Loyalty ... 7
  Improving Social Responsibility ... 8
  Driving Revenue Growth ... 10
  Facilitating Digital Transformation and Innovation ... 12
  Lowering the Cost of Capital ... 13
  Attracting Higher-Quality Investments ... 15
  Assuring Operational Continuity and Resilience ... 16
Creating Competitive Advantage ... 17
  Attracting and Retaining Talent ... 19
  Facilitating M&A Activity ... 21
  Leveraging Regulatory Compliance Requirements ... 23
Conclusion ... 24
Questions Management and the Board Should Ask and Discuss ... 25
Endnotes ... 27

Chapter 2: SEC and Other Important Cyber Regulations ... 39
Overview of the SEC “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” Final Rule ... 41
  Why Are These Changes Being Made? ... 42
  When Will the SEC “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure” Changes Be Implemented? ... 43
  Who Is Covered? ... 43
  What Changes Are Being Made? ... 44
  Who Enforces These and Other SEC Regulations? ... 46
  What Happens If Your Company Doesn’t Comply? ... 47
Disclosure of Cybersecurity Incidents on Current Reports ... 48
Disclosure About Cybersecurity Incidents in Periodic Reports ... 50
Disclosure of a Registrant’s Risk Management, Strategy, and Governance Regarding Cybersecurity Risks ... 51
Disclosure Regarding the Board of Directors’ Cybersecurity Expertise ... 55
What Is Cybersecurity Expertise? ... 56
Should Your Not-for-Profit and Private Company Care About SEC Cyber Disclosure Requirements? ... 58
Conclusion ... 62
Questions Management and the Board Should Ask and Discuss ... 63
Endnotes ... 65
Chapter 3: The Courts Are Picking Up the Cyber Pace ... 79
The Board and Risk Management Responsibilities ... 80
Cyber Legal Cases ... 81
The Caremark Standard and Recent Cyber Cases ... 83
An Important Healthcare Case to Watch ... 87
Three Other Relevant Cybersecurity Cases ... 88
Effective Compliance Programs: US Sentencing Guidelines and Federal Prosecution of Business Organizations ... 91
Conclusion ... 93
Questions Management and the Board Should Ask and Discuss ... 94
Endnotes ... 95

Chapter 4: The Most Critical Cybersecurity Decision ... 105
What Does “HOW Your Organization Will Conduct ECRM” Mean? ... 106
  Risk ... 107
  Risk Owner/Executive ... 109
  Risk Management ... 110
  Enterprise Risk Management (ERM) ... 111
  Enterprise Cyber Risk Management (ECRM) ... 112
  Cybersecurity ... 112
  Strategy ... 113
  Cybersecurity Strategy ... 113
The Board and Risk Management Responsibilities ... 114
Regulatory and Enforcement Changes ... 115
Key Actions/Decisions to Facilitate Your Important “HOW Your Organization Will Conduct ECRM” Decision ... 116
Conclusion ... 121
Questions Management and the Board Should Ask and Discuss ... 121
Endnotes ... 122
Chapter 5: Justifying ECRM Funding ... 129
The Challenge of Cybersecurity Investments Being Wasted ... 131
A New ECRM Budget Philosophy Is Needed ... 134
Why Create an ECRM Budget Philosophy ... 135
Building Your ECRM Budget Philosophy ... 137
ECRM Budget Philosophy ... 143
The Single Most Important Cybersecurity Question for the Board to Ask ... 143
The Solution: Overcoming ECRM and Cybersecurity Investment Challenges ... 145
Conclusion ... 150
Questions Management and the Board Should Ask and Discuss ... 151
Endnotes ... 152

Chapter 6: The C-Suite and Board Role ... 161
Set the “Tone at the Top” with Strong ECRM Guiding Principles ... 162
Require ECRM to Be Formally Established and Documented ... 164
Ensure Equal Focus on Positive Cyber Opportunities ... 167
  Increasing Customer Trust and Brand Loyalty ... 167
  Improving Social Responsibility ... 168
  Driving Revenue Growth ... 168
  Facilitating Digital Transformation and Innovation ... 170
  Attracting and Retaining Talent ... 171
Conclusion ... 171
Questions Management and the Board Should Ask and Discuss ... 172
Endnotes ... 173
Part II: Building and Implementing Your ECRM Program ... 179

Chapter 7: Integrating ECRM into Business Strategy ... 181
The Challenge ... 182
The Case for Action ... 183
Actions to Take ... 184
Conclusion ... 195
Questions Management and the Board Should Ask and Discuss ... 196
Endnotes ... 197

Chapter 8: Getting Started ... 201
Document Management ... 202
  History ... 202
  Location ... 202
  Revision History ... 203
  Authorization ... 204
  Distribution ... 204
  Related Documents ... 205
Table of Contents ... 205
Executive Summary ... 205
Introduction ... 207
Glossary ... 207
Cyber Risk and Cyber Opportunity Notional Equations ... 210
  Cyber Risk Notional Equation ... 210
  Cyber Opportunity Notional Equation ... 211
Conclusion ... 211
Questions Management and the Board Should Ask and Discuss ... 212
Endnotes ... 214
Chapter 9: ECRM Guiding Principles and Business Alignment ... 217
ECRM Guiding Principles ... 217
Scope of the ECRM Strategy ... 220
Business Strategic Objectives ... 221
ECRM Strategic Objectives ... 222
Responsibility for and Governance of the ECRM Program ... 223
Conclusion ... 225
Questions Management and the Board Should Ask and Discuss ... 226
Endnotes ... 227

Chapter 10: Three Vital ECRM Building Blocks ... 229
ECRM Framework ... 230
ECRM Process ... 233
ECRM Maturity Model ... 235
Conclusion ... 238
Questions Management and the Board Should Ask and Discuss ... 239
Endnotes ... 240

Chapter 11: Adapting Your Process to Include Cyber Opportunities ... 245
Risk and Opportunity Framing ... 247
  ECRM Key Inputs and Preconditions ... 247
  ECRM Assumptions | Information Asset Assumptions ... 248
  ECRM Assumptions | Vulnerability and Strength Assumptions ... 248
  ECRM Risk Appetite and Opportunity Threshold ... 249
  ECRM Constraints | Legal, Regulatory, and Contractual Constraints ... 249
Risk and Opportunity Assessment ... 251
Risk and Opportunity Response ... 254
Risk and Opportunity Monitoring ... 256
ECRM Process Standards, Policies, and Procedures ... 260
Conclusion ... 261
Questions Management and the Board Should Ask and Discuss ... 262
Endnotes ... 263

Chapter 12: Additional Essential ECRM Program Elements ... 267
ECRM Education and Training ... 268
ECRM Automation and Technology Tools ... 270
ECRM Third-Party Risk Management ... 272
ECRM Recordkeeping and Reporting ... 274
Standards, Plans, Policies, and Procedures ... 276
Conclusion ... 279
Questions Management and the Board Should Ask and Discuss ... 280
Endnotes ... 281

Chapter 13: Ten Recommended Implementation Steps ... 285
Implementation Step #1: Establish ECRM Governance ... 286
Implementation Step #2: Design and Deliver Ongoing ECRM and Cybersecurity Education ... 287
Implementation Step #3: Establish and Document ECRM Guiding Principles ... 290
Implementation Step #4: Establish and Document Strategic Business and ECRM Objectives ... 292
  Strategic Business Objectives ... 292
  Strategic ECRM Objectives ... 293
Implementation Step #5: Set the Scope of Your ECRM Program ... 294
Implementation Step #6: Establish and Document Your ECRM Budget Philosophy ... 295
Implementation Step #7: Formally Adopt Your ECRM Framework, Process, and Maturity Model ... 295
Implementation Step #8: Conduct a Comprehensive, NIST-Based Enterprise-Wide Risk and Opportunity Assessment ... 297
Implementation Step #9: Establish Your Cyber Risk Appetite, Opportunity Threshold, and Complete Risk and Opportunity Treatment ... 298
Implementation Step #10: Formally Document Your ECRM Program and Cybersecurity Strategy ... 300
Conclusion ... 300
Questions Management and the Board Should Ask and Discuss ... 301
Endnotes ... 302

Appendix A: What to Look for in an ECRM Company and Solution ... 305
Appendix B: Enterprise Cyber Risk Management Software (ECRMS) ... 317
Appendix C: The Benefits of a NIST-Based ECRM Approach ... 331
Appendix D: Twenty-Five Essential Terms for Your ECRM Glossary ... 343
Appendix E: Sample ECRM Program and Cybersecurity Strategy Table of Contents ... 373

Index ... 377
Endorsements for Enterprise Cyber Risk Management as a Value Creator

Throughout my 28 years in CISO roles at two of the highest-risk
organizations in the world, I have sweated through countless budget and
resource challenges and struggled to connect my cybersecurity program
to business objectives in the minds of business leaders and our board. A
major hurdle was that cybersecurity was viewed as risk avoidance—a cost
center that did not add value, that is, a painful but necessary overhead.
This book lays out the holy grail for cybersecurity, how to flip that script
to make cybersecurity a business enabler and part of the core growth
strategy, and how to integrate that approach into business strategy.
No one is more knowledgeable and qualified to make this case than
Bob Chaput, who is a living legend in cybersecurity and an unmatched
thought leader in enterprise cyber risk management (ECRM). He lays
out a compelling case, with details on how to apply this thinking to your
organization, and then provides a detailed road map for making it happen.
This should be mandatory reading for CISOs, CFOs, CEOs, and board
members. It will close communication gaps and change the mindset
because it shines a light on the opportunities to expand and accelerate
business transformation and earn customer and stakeholder trust—
through cybersecurity.
—Paul Connelly, First CISO at the White House and HCA Healthcare

Bob Chaput picks up where most books leave off by providing powerful
insight into ECRM engagement by providing a factual background coupled
with strategic examples that can and will have positive impacts on any
company’s cyber risk strategy and approach. This resource should become
the standard guidebook for every risk manager, general counsel, CISO,
CTO, C-suite, and board member who has an interest in or a concern
around cyber and privacy liability and entire ECRM protocols.

—Kevin Hewgley, Senior Vice President, Financial Services at Lockton Companies

In Enterprise Cyber Risk Management as a Value Creator, Bob Chaput’s
latest contribution to simplifying the often impenetrable field of
cybersecurity, Bob turns from calling attention to the problem to helping
us think differently about it. Are investments in cybersecurity a cost
of doing business, with cost containment as the overarching goal? Is
cybersecurity a “check the box” exercise, allowing us to throw up our
hands if an adverse event occurs after we’ve checked all our boxes? Or
is cyber a strategic priority meriting an offensive rather than defensive
mindset? As always, Bob doesn’t just pose the questions. He provides
practical and timely answers alongside a wealth of real-world examples. A
must-read for everyone from the cybersecurity novice to the seasoned pro
looking for proper organizational focus on a business pandemic that has
no miracle cure in sight.

—Ralph W. Davis, Independent Director/Board Advisor, Operating Partner, The Vistria Group

Bob Chaput’s latest book is a powerful read that explains cybersecurity
in a new context, one that will be helping business leaders, including
corporate directors, reframe cybersecurity as a critical part of the need
for every organization to drive and create value. With so much economic
growth and output already dependent upon complex digital systems, this
mindset will help leaders understand the importance of cybersecurity to
the organization’s future.

—Bob Zukis, CEO, Digital Directors Network

Enterprise Cyber Risk Management as a Value Creator delves deep into
the critical realm of enterprise cyber risk management, providing a
comprehensive guide to not just safeguarding against digital threats
but also harnessing the power of cybersecurity as a catalyst for growth
and innovation. Today, businesses and organizations are more reliant
on technology and data than ever before, and the need for robust
cybersecurity practices cannot be overstated. This book serves as an
indispensable resource, offering both practical wisdom and strategic
insights to navigate the ever-evolving landscape of cyber risks.
Authored by Bob Chaput, a seasoned expert in the field, this material is
backed by a wealth of knowledge derived from real-world experiences. It’s
not merely a theoretical exercise but a hands-on manual for organizations
seeking to proactively protect their digital assets and leverage them for
strategic advantage. The lessons to be learned from this book are not
confined to a single sector or industry. Its principles are universally
applicable, ensuring that both large and small organizations can find
applicable and valuable takeaways. It’s not just about fortifying defenses;
it’s about adopting a proactive stance toward cybersecurity.
As data breaches and cyberattacks continue to make headlines, this
book is a timely and crucial resource for organizations looking to safeguard
their integrity and reputation. Moreover, it provides the tools and strategies
needed to turn cyber risk management into a value creator, helping
organizations thrive amid an era of digital transformation.

Enterprise Cyber Risk Management as a Value Creator is a guiding light
in the intricate maze of cybersecurity. It’s a valuable asset for organizations
of all sizes, empowering them to not only withstand digital threats
but emerge stronger, more resilient, and ready to seize the boundless
opportunities of the modern digital age.

—Michael E. Whitman, PhD, CISM, CISSP, Executive Director, Institute for Cybersecurity Workforce Development, Professor of Information Security and Textbook Author

Having performed dozens of risk analyses for companies during my
career at a public accounting firm, this book is a masterclass in strategic
management of digital risks in an enterprise and provides great insight to
turn digital risk management into a competitive advantage. This is a good
resource for business leaders, security professionals, and anyone seeking to
navigate the complex landscape of digital security. With profound insights
and practical wisdom, it successfully highlights the critical role of cyber/
digital risk management in driving business value. Bob Chaput’s expertise
shines through as he presents a comprehensive and forward-thinking
approach to managing cyber/digital risks. The inclusion of actionable
insights and practical frameworks adds immense value to the content,
ensuring that readers can immediately apply what they’ve learned.
—Raj Chaudhary, Independent Director, Board Advisor,
Retired Cybersecurity Partner, Crowe LLP

Someone told me recently that “cybersecurity is boring.” Cybersecurity is
boring if it is other people listening to CIOs, CISOs, and other IT people
talking about it. They understand the issues, the risks, the solutions.
Cybersecurity should not be boring to people who don’t live it but must
make decisions about it—big decisions like staffing, funding, prioritization
against other business issues. How do you talk about cybersecurity in
meaningful ways with the full C-suite, with your board of directors or
trustees?

Bob Chaput has answered that question and solved the problem with
his latest book: Enterprise Cyber Risk Management as a Value Creator.
For too long, cybersecurity has been viewed as a defensive play, a cost
center. What if the tables were turned and executives and boards thought
about cybersecurity in a positive light and as an opportunity to create
competitive advantage and add value to the organization and drive
business growth?
This book, using data, statistics, and real business examples, is a
primer for redirecting and refocusing those discussions for the leaders
who must be engaged in cybersecurity but for too long have stayed out
of the fray. The book provides lots of guidance and many questions—in
each chapter—to get the business to start answering the right questions
and asking their own. Multiple studies (many cited in this book) clearly
indicate that business leaders and consumers agree that establishing
trust in products and experiences (AI, digital technology, data) that meet
expectations will deepen trust and promote growth.
This is the book to start those conversations, up and down the
organization. Cybersecurity isn’t boring if you have the right people talking
about it—here is how to engage those “right” people in your organization.
You’ll need to arm your IT, security, risk management, operational, and
innovation leaders, but you’ll use the learning to deeply engage the
C-suite, the boards, and committees of the board in positive discussion
around cybersecurity and how to leverage a more secure organization to
move faster and drive new opportunities.

—David Finn, Health IT Advocate,
Recovering Healthcare CIO, Security and Privacy Officer
Baldrige Foundation Award for Cybersecurity Leadership Excellence

Enterprise risk management, and cybersecurity risk management in
particular, is more important now than ever. Bob’s book takes the reader
through easy-to-follow steps and provides “food for thought” when
implementing an ERM program. A complement to any bookshelf.

—Rachel V. Rose, JD, MBA, Principal at
Rachel V. Rose—Attorney at Law, PLLC

Chaput’s new book on enterprise cyber risk management is a tour de force
on this subject. Building a value-creating ECRM culture is not a sprint
or a marathon, but a relay. Making this book an all-team read for your
leadership and the first part an all-board read is an excellent way to start
building that culture.
—Nancy Falls, Independent Board Director and CEO,
The Concinnity Company

I heard a friend recently bemoaning the state of ECRM within their
organization, “We do risk management as an art, not a science.” Bob
breaks ECRM down to science. Bob’s prescription for ECRM is on point
and execution-ready. I looked at the Table of Contents and jumped right
to Chapter 8. Each organization I’ve been part of has had a different ECRM
strategy. Bob’s book helps distill what success looks like. Bob coaches the
reader through aligning business strategy and ECRM strategy—I especially
appreciated his wisdom on what “HOW your organization will conduct
ECRM?” means. Now, the challenge is ours to learn and implement.

—Dan Bowden, Global CISO, Marsh

Where others have focused primarily on the defensive aspects of cyber
risk management, Bob Chaput sees opportunities in ECRM. Mr. Chaput
states: “Companies with a strong security posture are more likely to
retain existing customers and attract new ones, as they value their data
protection. This customer trust and brand loyalty can increase revenue
and market share for the organization.” C-suite and board members will
ignore this timely advice at their peril. This book provides a road map

for the actions necessary to turn defensive thinking and processing into
positive and value-creating actions and programs. Mr. Chaput makes the
case for competitive and reputational advantage with logic, intelligence,
and wit and draws from a depth of personal knowledge and experience
in ECRM. Each chapter includes a set of “Questions Management and the
Board Should Ask and Discuss,” and these provide a great agenda of items
worthy of consideration. You need this on your reading list.

—Stephen R. Rusmisel, JD, NACD.DC, 12-Year Independent Director
and Former Lead Director of Life Storage, Inc.

Enterprise Cyber Risk Management as a Value Creator is a wide-ranging,
thought-provoking book on an often-overlooked topic. Bob not only lays
out why executives should care about ECRM but gives meaningful advice
on how to get it done, and done well. He shares lessons, learned from
years in the trenches, on how companies can get a handle on this vital yet
often-misunderstood topic. This book addresses the key success factors
as well as the common pitfalls in world-class risk management. It focuses
on what leaders need to know and do, rather than get lost in the minutia of
“this configuration of this system.” This focus makes this book applicable
across any industry that has to manage its cyber risk, which is, of course,
all of them. The questions for the board of directors alone make this a
worthwhile read—merely asking these questions will, at the very least,
start you on the right path.

—William Niner, CISO

Bob Chaput in his latest book, Enterprise Cyber Risk Management as a Value
Creator, works magic by revealing why cybersecurity risk is an essential
ingredient of enterprise risk management. He introduces a new paradigm
with enterprise cyber risk management (ECRM) being not just a defensive
play, but as a proactive business enabler that can improve customer trust
and stickiness through security services and increasing revenue sources
by way of security capabilities. Bob lays out a well-understood foundation
by elegantly taking us through a comprehensive survey of the changing
cybersecurity governance landscape. He skillfully reveals timely concepts
such as the new federal regulations, the evolving financial industry
governing body trends, and the quiet but growing court system precedents.
Bob makes a sound case for why ECRM is a must-have concept that is to be
understood and adopted by organizations today.
With tight financial margins facing many organizations, it is critical
that business value is achieved with every dollar spent. Bob shows us how
ECRM goes well beyond just being an IT problem. He clearly explains how
ECRM can serve to propel an organization forward with a host of benefits,
some of which are by facilitating digital transformation and innovation,
attracting higher-quality investments, bringing in more talent, supporting
mergers and acquisitions (M&A) activities, reducing regulatory exposure,
assuring operational continuity and resiliency, and creating increased
competitive advantage.
Bob makes it easy for us to not only comprehend this evolving topic
but practically take steps forward to implement the ECRM strategy by
outlining a simple five-step approach. He sheds light on how small and
large organizations can justify and practically build out an appropriate
budget needed to establish a successful ECRM program, with specific
guidance on how to educate and win over the C-suite and board, including
key questions to ask and discuss. Bob deftly reveals the role of ECRM
Program and Cybersecurity Strategy within the context of ERM, tying
cybersecurity strategy into the board’s responsibilities. His insights on the
business ownership of risk through authorization to operate and use are
particularly compelling.
This text is a must-have for boards of directors, senior management, IT
and security leaders, and anyone who wants to know just how vital ECRM
can be in ensuring the future success of your organization.

—James Brady, PhD, Healthcare CIO/CTO/CISO

Legal Disclaimer
Although the information provided in this book may be helpful in
informing you and others who have an interest in data privacy, security
issues, and cyber risk management issues, it does not constitute legal
advice. This information may be based in part on current international,
federal, state, and local laws and is subject to change based on changes in
these laws or subsequent interpretative guidance. Where this information
is based on federal law, it must be modified to reflect state law where
that state law is more stringent than the federal law or where other state
law exceptions apply. Information and informed recommendations
provided in this book are intended to be a general information resource
and should not be relied upon as a substitute for competent legal advice
specific to your circumstances. Furthermore, the existence of a link or
organization reference in any of the following materials should not be
assumed as an endorsement by the author. YOU SHOULD EVALUATE ALL
INFORMATION, OPINIONS, AND RECOMMENDATIONS PROVIDED
IN THIS BOOK IN CONSULTATION WITH YOUR LEGAL OR OTHER
ADVISORS, AS APPROPRIATE.

Acknowledgments
First, I must start by thanking my wonderful wife, Mary, to whom I
dedicate this book. From coffee, food, patience, and encouragement to
keeping the cats off my lap so I could write, she was as important to this
book getting done as I was. Thank you so much, Mary.
I would also like to thank all the colleagues, executives, and board
members with whom I’ve had an opportunity to work over the course of
my career at GE, Johnson & Johnson, Healthways, and Clearwater. Those
career opportunities helped me develop as an information technology
and cyber risk management executive, entrepreneur, and educator and,
ultimately, prepared me to write this book. Everyone with whom I worked
contributed to this book in some way. Thank you.
When I first considered writing this book, I prepared a book proposal
and turned to several cybersecurity, regulatory, and risk management
veterans to provide feedback on the concept of a book on positive
cyber risks or cyber opportunities. I sincerely appreciate Jim Brady, Raj
Chaudhary, David Finn, Rachel Rose, and Paul Connelly for their careful
reviews and constructive and encouraging feedback.
I want to thank the entire publishing team at Apress and, specifically,
Susan McDermott and Laura Berendson for their support and guidance
throughout the process.
Finally, I would like to thank my friend, former colleague, and
technical reviewer of this book, Jon Stone, for skull sessions on the subject
matter in this book that go back to our early work on Clearwater Security
together.

About the Author
Bob Chaput, NACD.DC, is the author of Stop
the Cyber Bleeding: What Healthcare Executives
and Board Members Must Know About
Enterprise Cyber Risk Management (ECRM).
He is also Founder and Executive Chairman of
Clearwater, a leading provider of cybersecurity,
cyber risk management and compliance
software, consulting, and managed services. As
a leading authority in cybersecurity regulatory
compliance and enterprise cyber risk management, Bob has assisted
dozens of organizations and their business partners, including Fortune 100
organizations, wanting to improve their risk posture. Bob’s degrees include an
MA in mathematics from Clark University and a BA in mathematics from the
Massachusetts College of Liberal Arts. In addition to the NACD Directorship
Certification (NACD.DC), Bob holds numerous privacy, security, and cyber
risk management certifications. He is a faculty member at IANS Research.

About the Technical Reviewer
Jon Stone is Senior Vice President and Chief
Product Officer for Clearwater. In this role,
he leads product innovation and product
development.
Formerly, Jon served in numerous roles at
Healthways, Inc., including Senior Portfolio
and Project Management Director. He
provided leadership of complex projects,
product development, product strategy,
and health information management consulting services to healthcare,
managed care, and health information technology companies.
Before joining Healthways, Jon served as Director of Project
Management and Healthcare Quality Metrics at Cigna Healthcare.
Jon has a master’s in public administration and healthcare regulatory
policy from the University of Tennessee at Chattanooga. He is certified as
a Project Management Professional and has a Project Management for
Information Systems certification from the University of Colorado.

Foreword
The issue of value creation has long been a contentious topic in
cybersecurity. In this book, Bob Chaput makes a compelling argument
that cybersecurity executives can function as value creators by taking on
a leadership role in enterprise cyber risk management (ECRM). Bob then
articulates a road map for how infosec executives, business leaders, and
board members can work together to develop an ECRM-driven approach
to security.
This book couldn’t have come at a more critical time. The release of
new cyber breach disclosure rules from the US Securities and Exchange
Commission in July 2023 accelerated a growing movement among boards
to govern cyber in a more strategic manner. Public companies are expected
to identify the materiality of breaches and report on any material incidents
within four days of determining materiality. To meet this need, the board,
business executives, and CISOs must work together to develop a cohesive
ECRM strategy. While the mandate only extends to public companies, the
impact is expected to extend well beyond that jurisdiction.
Moving the cybersecurity conversation away from a focus on controls
to an emphasis on ECRM is essential, and Bob is perfectly positioned to
provide guidance here. From his executive technical leadership positions
at GE, Johnson & Johnson, and Healthways to his work as CEO and, since
2018, Executive Chairman at Clearwater Compliance, not to mention his
essential contribution as a member of the IANS Faculty, Bob has been
exposed to countless executive cyber risk conversations. Bob is also a
member of the National Association of Corporate Directors and has served
as a board advisor. This blend of experience allows Bob to not only speak
with authority about ECRM issues but also provide practical guidance on
how to deliver value to the business.
On a personal note, I’ve found Bob to be one of the best active
listeners that I’ve ever met. Bob’s other great skill is in his ability to distill
his conversations with CISOs, business leaders, board members, and
regulators into compelling, actionable insights. He cares deeply about this
topic and it shows.
The wisdom he passes on in this book is not just for CISOs. Anybody
with a responsibility to manage or govern enterprise cyber risk can benefit
from Bob’s guidance.
This work is essential in the industry today, especially because it is
not an academic work. Instead, Bob provides real, practical guidance on
how to build out an ECRM program and use that to influence the business
effectively. It takes what is often a theoretical idea and presents tangible
ways to make that value a reality. That actionability makes it stand out
and turns it into a necessary read for executives seeking a perspective on
enterprise cyber risk.

—Phil Gardner, CEO, IANS Research

Preface
It feels like we’re going through a similar positive cycle to what I
experienced early in my career in the mid-1980s when businesses
recognized that information and information technology were an asset
that companies could leverage for competitive advantage. In 1985, Michael
E. Porter and Victor E. Millar published their seminal article, “How
Information Gives You Competitive Advantage.” In it, they highlighted
how the information revolution critically affected competition, including
changing industry structure, altering competition rules, creating
competitive advantage by giving companies new ways to outperform their
rivals, and spawning whole new businesses.
In this book, I highlight parallels between what happened over the
course of the last 40 years and what is underway today with cybersecurity.
In short, with the explosion in data, systems, and devices in connection
with massive digitization programs that businesses have undertaken, it has
become clear that organizations must safeguard these new information
assets. Organizations, their C-suites, and boards must now realize that
they can leverage a robust Enterprise Cyber Risk Management (ECRM)
Program and Cybersecurity Strategy to create a competitive advantage for
their organization. As Yogi said, it’s like déjà vu all over again.
I was gratified to see how well executives, board members, and many
stakeholders in the healthcare ecosystem received my book Stop the Cyber
Bleeding in 2020. I appreciated the opportunity to give something back to
the healthcare industry in the form of practical, tangible recommendations
to establish, implement, and mature an ECRM program. For many
organizations, building such a program represented paying off “ECRM
debt” after having gone on a spending binge as they digitized what were,
in many cases, ancient clinical and administrative information systems.
Most of that book focused on basics to build defenses to assure the
confidentiality, integrity, and availability of data, systems, and devices
against adversarial and other threat sources.
To a lesser extent, I addressed the possibility of a strong ECRM
program becoming a business enabler. I discussed that not only is ECRM
not an “IT problem,” it can become a business enabler if appropriately
handled. I briefly discussed how a robust ECRM Program and
Cybersecurity Strategy might be leveraged as a competitive advantage. I
presented several possible cyber opportunities, such as facilitating M&A,
reducing the cost of capital, lowering executive risk insurance premiums,
and helping their organizations compete with “technology invaders.”
In Enterprise Cyber Risk Management as a Value Creator, I go further.
I wrote this book to encourage organizations in all industries to start to
move away from ECRM and cybersecurity strategy as a purely defensive
play. I think most organizations are overdue to proactively seek ways to
use their ECRM Program and Cybersecurity Strategy to not only manage
risks or “manage the downside” but also identify ways to use their ECRM
Program and Cybersecurity Strategy to identify and exploit opportunities
or “manage the upside” and create competitive advantage.
This book provides an overview of why a robust ECRM Program and
Cybersecurity Strategy is a strategic imperative for your organization and
how executives and board members should think more positively about
ECRM and cybersecurity and, finally, outlines how to develop your ECRM
Program and Cybersecurity Strategy, including a discussion of the contents
of documentation that will help establish, implement, and mature your
program and meet increasingly more stringent requirements legislators,
regulators, and the courts are setting.
My goal is that C-suite executives, board members, and their
Chief Information Security Officers (CISOs) use this book to bridge
communication gaps and meet at the intersection of where boards focus:
talent management, strategy, and risk management. Because cyber risk is an
existential risk to most organizations, they need to manage it and leverage
their programs’ strengths to create value and drive business growth.
For ECRM to be effective, the entire organization must be engaged in
the program. Although this book is written primarily for C-suite executives,
board members, and CISOs, I am confident that the information I present
will also be helpful to other leaders, managers, and professionals in all
functional areas in all organizations in all industries.
I decided to write this book to help Chief Information Security Officers
(CISOs) better integrate into their businesses and interact with C-suite
executives and board members. As happened when Chief Information
Officers (CIOs) began to “earn a seat at the table” decades ago, there is a
significant communication gap between this relatively new role, the C-suite,
and the board. My aim is to help CISOs and their boards better understand
one another and better manage cyber risks and cyber opportunities by
linking CISOs with the three main topics that boards deal with: talent
management, strategy, and risk management.

—Bob Chaput, Founder and Executive Chairman, Clearwater

Abbreviations
• AI: Artificial Intelligence

• ANSI: American National Standards Institute

• BIA: Business Impact Analysis

• BT: Business Technology

• CAE: Chief Audit Executive

• CapEx: Capital Expenditures

• CCA: Certified CMMC Assessor

• CCP: Certified CMMC Professional

• CCPA: California Consumer Privacy Act

• CDI: Covered Defense Information

• CFR: Code of Federal Regulations

• CFTC: Commodity Futures Trading Commission

• CGEIT: Certified in Governance of Enterprise IT

• CIA: Confidentiality, Integrity, and Availability

• CIO: Chief Information Officer

• CIRCIA: Cyber Incident Reporting for Critical Infrastructure Act of 2022

• CISA: Certified Information Systems Auditor

• CISA: Cybersecurity and Infrastructure Security Agency, US Department of Homeland Security

• CISM: Certified Information Security Manager

• CISO: Chief Information Security Officer

• CISSP: Certified Information Systems Security Professional

• CMMC: Cybersecurity Maturity Model Certification

• CMS: Centers for Medicare and Medicaid Services

• COBIT: Control Objectives for Information and Related Technologies

• COOP: Continuity of Operations Plan

• COSO: Committee of Sponsoring Organizations of the Treadway Commission

• CPA: Certified Public Accountant

• CRISC: Certified in Risk and Information Systems Control

• CSO: Chief Security Officer

• CSRC: Computer Security Resource Center (at NIST)

• CUI: Controlled Unclassified Information

• CVE: Common Vulnerabilities and Exposures

• DBIR: Data Breach Investigations Report (Verizon)

• DFARS: Defense Federal Acquisition Regulation Supplement

• DHHS: Department of Health and Human Services

• DIB: Defense Industrial Base

• DOJ: Department of Justice

• ECRM: Enterprise Cyber Risk Management

• ECRMS: Enterprise Cyber Risk Management System

• ED&I: Equity, Diversity, and Inclusion

• EDP: Electronic Data Processing

• EDR: Endpoint Detection and Response

• EHR: Electronic Health Record

• ePHI: Electronic Protected Health Information

• ERM: Enterprise Risk Management

• ERP: Enterprise Resource Planning

• ESG: Environmental, Social, and Governance

• EU: European Union

• FAR: Federal Acquisition Regulation

• FBI: Federal Bureau of Investigation

• FCC: Federal Communications Commission

• FCI: Federal Contract Information

• FDA: Food and Drug Administration

• FDIC: Federal Deposit Insurance Corporation

• FERPA: Family Educational Rights and Privacy Act

• FFIEC: Federal Financial Institutions Examination Council

• FISMA: Federal Information Security Management Act

• FSB: Financial Stability Board

• FSOC: Financial Stability Oversight Council

• FTC: Federal Trade Commission

• GDPR: General Data Protection Regulation

• GISS: Global Information Security Survey

• GLBA: Gramm-Leach-Bliley Act

• GRC: Governance, Risk Management, and Compliance

• HIMSS: Healthcare Information and Management Systems Society

• HIPAA: Health Insurance Portability and Accountability Act

• HITECH Act: Health Information Technology for Economic and Clinical Health Act

• HVAC: Heating, Ventilation, and Air Conditioning

• IAM: Identity and Access Management

• IDN: Integrated Delivery Network

• IM: Information Management

• IRM|Pro: Information Risk Management | Professional, Clearwater’s ECRMS solution

• ISA: Internet Security Alliance

• ISAC: Information Sharing and Analysis Center

• ISACA: Information Systems Audit and Control Association

• ISC2: International Information System Security Certification Consortium

• ISCM: Information Security Continuous Monitoring

• ISO/IEC: International Organization for Standardization and International Electrotechnical Commission

• ISS: Institutional Shareholder Services

• ISSA: Information Systems Security Association

• IT: Information Technology

• M&A: Mergers and Acquisitions

• MD&A: Management’s Discussion and Analysis of Financial Condition and Results of Operations

• MFA: Multifactor Authentication

• MIS: Management Information Services

• MNPI: Material Non-public Information

• MIT CISR: Massachusetts Institute of Technology Center for Information Systems Research

• MPL: Medical Professional Liability

• NACD: National Association of Corporate Directors

• NASDAQ: National Association of Securities Dealers Automated Quotations Stock Market

• NATO: North Atlantic Treaty Organization

• NCUA: National Credit Union Administration

• NIS2: Network and Information Security Directive 2, Directive (EU) 2022/2555

• NIST: National Institute of Standards and Technology

• NIST SP: NIST Special Publication

• NIST CSF: NIST Cybersecurity Framework

• NPRM: Notice of Proposed Rulemaking

• NYDFS: New York Department of Financial Services

• NYSE: New York Stock Exchange

• OCC: Office of the Comptroller of the Currency, a bureau of the US Department of the Treasury

• OCR: HHS Office for Civil Rights

• OpEx: Operating Expenses

• PAM: Privileged Access Management

• PB: Petabytes

• PCI: Payment Card Information

• PCI DSS: Payment Card Industry Data Security Standard

• PDLC: Product Development Life Cycle

• PE: Private Equity

• PHI: Protected Health Information

• PI Program: CMS’ Promoting Interoperability Program

• PII: Personally Identifiable Information

• PIN: Personal Identification Number

• PMO: Project Management Office

• RIMS: Risk Management Society

• ROI: Return on Investment

• ROSI: Return on Security Investment

• SaaS: Software-as-a-Service

• SDLC: Systems Development Life Cycle or Security Development Life Cycle

• SEC: US Securities and Exchange Commission

• SIEM: Security Information and Event Management

• SOC: Security Operations Center

• SOC 2: System and Organization Controls 2 (SOC) report

• TB: Terabytes

• TCO: Total Cost of Ownership

• TPRM: Third-Party Risk Management

• VC: Venture Capital

• XDR: Extended Detection and Response

PART I

A Case for Action


CHAPTER 1

Enterprise Cyber
Risk Management
as a Value Creator
Once you replace negative thoughts with positive ones, you'll
start having positive results.
—Willie Nelson1

Over the last 40 years, I’ve enjoyed helping organizations comply with
various privacy, security, and breach notification regulations and
standards and improve their enterprise cyber risk management and
cybersecurity posture. These efforts have been primarily defensive. The
focus of my defensive work with healthcare organizations, for example,
is captured in the subtitle of my book Stop the Cyber Bleeding,2 as How to
Save Your Patients, Preserve Your Reputation, and Protect Your Balance
Sheet. The verbs “save,” “preserve,” and “protect” are about safeguarding,
assuring, and “managing the downside.” Although critically important,
“managing the downside” does not align with the language of most
companies’ strategic objectives, which include creating value, driving
revenue growth, and enabling their business.

© Bob Chaput 2024
B. Chaput, Enterprise Cyber Risk Management as a Value Creator,
https://doi.org/10.1007/979-8-8688-0094-8_1

In other words, those
defensive verbs are not about using cybersecurity to “create and manage
the upside.” You need to think about cyber opportunities that can help
achieve your business goals.
Risk management and especially cyber risk management (both of
which I will further define) are too often focused only on preventing the
bad things that may happen in your organization. That focus is necessary.
At the same time, I recommend you expand your thinking, policies,
procedures, and practices to incorporate opportunity and specifically
cyber opportunities in your risk management work. Although I may
not always link “risk and opportunity” together in phrases like risk and
opportunity management, risk and opportunity assessment, or risk and
opportunity treatment, know that the intent of this book is to provoke your
thinking always to consider opportunities or upside outcomes from your
ECRM work. Also, keep in mind that while cybersecurity regulations such
as HIPAA and the SEC’s and NYDFS’s rules focus on risk (i.e., the downside)
when they use the term risk management, there are compelling reasons to
include your cyber opportunities (i.e., the upside) in your work to meet
these regulatory requirements.
This chapter addresses an essential consideration for all companies
regarding their ECRM Program and Cybersecurity Strategy—pivoting
from regarding cybersecurity as solely a cost-centered defensive program
to a profit-centered transformational core growth strategy. With global
cybercrime costs forecast to exceed $23 trillion annually by 2027,3
there are already enough good reasons to be defensive and establish,
implement, and mature a strong ECRM program. Progressive-
thinking organizations are going beyond being defensive. Missed
cyber opportunities can be as costly to your organization as exploited
vulnerabilities.

In its “2023 Global Future of Cyber Survey,” Deloitte observes:

Today, we are seeing the emergence of powerful new attitudes
when it comes to cyber. Leaders are looking at cyber through a
sharp, new lens—one that reveals the inherent business value
that can come by embedding cyber. Not only across the enterprise,
but as a crucial part of a powerful growth strategy.4

A strong ECRM Program and Cybersecurity Strategy can facilitate
business strategy, value creation, and growth. To do so, you must change
your thinking to regard cybersecurity as a potential profit center rather
than a cost center.

The Next Cybersecurity Pivot

I wish I could readily recall how often I wrote or said that ECRM is not
an “IT problem,” but, indeed, an enterprise risk management issue.
I’ve written that it can be a business enabler.5 I am now “tripling down”
by adding that it can be a value creator and growth driver. Your ECRM
Program and Cybersecurity Strategy can support your strategic business
objectives and growth. Suppose you’ve reached the board by connecting to
their risk oversight responsibilities. In that case, you can now pivot to focus
on one of their other top three responsibilities, strategy, which is about
growing market share, revenues, and profits.
Of course, timing is everything, and the maturity level of your ECRM
Program and Cybersecurity Strategy is a critical consideration as you
make this pivot. I would be reluctant to dive into an all-out cyber media
campaign to increase customer trust in your company (a value creator)
if you’ve not yet completed a comprehensive, enterprise-wide risk and
opportunity assessment. You need to assess your current ECRM maturity
before pivoting.

I’ve written about the transformational importance of an ECRM program, the resultant cybersecurity strategy, and the core capabilities organizations must develop around governance, people, process, technology, and engagement.6 Pivoting from an “IT problem” to an “enterprise risk management matter” to a “core part of business strategy” not only requires these capabilities but also helps mature them further.
In 2020, Hepner and Powell published an article in the MIT Sloan
Management Review that examined, among other topics, why the C-suite
and board treat ECRM and cybersecurity as operational rather than
strategic issues. They cited four top reasons: cybersecurity is delegated
to IT, companies misunderstand the strategic nature of cybersecurity,
companies keep attacks under wraps of cybersecurity risk, and executives
assign strategic priorities based on their own areas of expertise. Like my
call for a pivot in thinking, they recommend flipping the narrative on
cybersecurity.7

Digital Transformation Is Not Slowing Down

The Chip War8 continues, Moore’s Law9 has not yet stretched the laws
of physics, technology rapidly evolves, and organizations continue their
digital transformation programs. Whether your digital priorities involve
quantum computing, artificial intelligence/machine learning, 5G, data
analytics, cloud, blockchain, Internet of Things (IoT), or replacing more
traditional IT applications, ongoing digitization is driving the need for
better ECRM programs and the maturing of your cybersecurity strategy.
Cybersecurity protects investments and business value and enables digital
initiatives to drive growth.
Research by the MIT Center for Information Systems Research has shown that information technology units are more important than ever to building a company’s success, citing how leveraging four key capabilities can result in profitability as much as 24% greater than that of competitors.10 None of the four capabilities (the CIO working strategically with the company’s executive committee on the role of digital, building digital discipline across the enterprise, improving external customer engagement, and relentlessly delivering operational efficiencies) would be possible without a strong ECRM Program and Cybersecurity Strategy.

Creating Business Value

The following sections provide examples of positive business outcomes
that may result from a strong ECRM Program and Cybersecurity Strategy.

Increasing Customer Trust and Brand Loyalty

In the digital age, customers are increasingly concerned about the security of their data. Businesses investing in cybersecurity demonstrate their commitment to protecting customer information, fostering trust and loyalty. Companies with a strong security posture are more likely to retain existing customers and attract new ones, because those customers value the protection of their data. This customer trust and brand loyalty can increase revenue and market share for the organization. A Harvard Business Review article highlighted the positive outcomes for a trusted organization:

The most trustworthy companies have outperformed the S&P 500, and high-trust companies are more than 2.5 times more likely to be high-performing revenue organizations. Our own research shows that trusted companies outperform their peers by up to 400% in terms of total market value, that customers who trust a brand are 88% more likely to buy again, and that 79% of employees who trust their employer are more motivated to work and less likely to leave.11

Companies that invest in robust cybersecurity measures enjoy an enhanced reputation in the market, which can translate to a competitive advantage, discussed later in this chapter. When a company demonstrates its commitment to protecting sensitive customer information and business data, it fosters trust and confidence in its brand. This commitment is essential in industries where data privacy and security are paramount, such as finance, healthcare, and ecommerce.
According to a McKinsey survey, consumer faith in cybersecurity, data privacy, and responsible AI hinges on what companies do today—and establishing this digital trust just might lead to business growth.12 The survey results, from more than 1,300 business leaders and 3,000 consumers globally, suggest that establishing trust in products and experiences that leverage AI, digital technologies, and data meets consumer expectations and could promote growth.
Increasing customer trust and brand loyalty creates value and drives growth.

Improving Social Responsibility

Elevating your ECRM Program and Cybersecurity Strategy can strengthen
your environmental, social, and governance (ESG) program. The SEC has
proposed significant changes to ESG disclosures. It is already monitoring
required filings and voluntary statements such as those made in corporate
sustainability reports, on websites, or in marketing materials.13 Figure 1-1
illustrates the relationship of regulatory compliance, cybersecurity, and
privacy with ESG.

Figure 1-1. Relationship of Compliance, Cybersecurity, and Privacy with ESG

Privacy, cybersecurity, and cyber risk management exposures and oversight are material ESG issues (MEIs) and should be considered critical to an organization’s overall ESG risk rating. An MEI is an ESG issue with the most significant potential to affect a company’s bottom line.14 As companies work to build investors’ and other stakeholders’ trust and confidence, expect ESG to influence privacy and security programs and vice versa.
A recent World Economic Forum article admonishes:

Companies need to start looking at cybersecurity as part of ESG. Cyber risk is the most immediate and financially material sustainability risk that organizations face today.15

In “Cyber security: Don’t report on ESG without it,” KPMG presents the case that cybersecurity is part of all three elements of ESG—environmental, social, and governance.16 A recent Harvard Law School Forum on Corporate Governance article also aligns cybersecurity closely with E, S, and G. The paper proposes how NASDAQ might incorporate cybersecurity into its voluntary ESG Reporting Guide under the Corporate Governance subsection.17
