Managing Cyber Risk is the book for those who want to understand this new enterprise risk from a strategic perspective. It was written by a cyber risk expert for managers and senior executives, although practitioners can also benefit from reading it. The book covers everything a senior stakeholder in an organisation needs to know to start managing this growing business risk.
The first part of the book introduces the challenge that cyber risk poses to organisations. The author did a great job of introducing cyber risk and the context surrounding it. As a practitioner, not in cyber risk but in cyber security, using security control frameworks to reduce risk exposure, I could not agree more with the author. Some of the frameworks practitioners use are very large and extend beyond technical controls into areas such as supply chain, enterprise governance and IT risk, among others. These areas are all equally important and add up to an organisation's total cyber risk; however, this is still not widely understood by organisations. Risk reduction efforts continue to be a tool acquisition exercise, the main factor being senior executives' lack of understanding of cyber risk and its impact on their businesses. Cyber risk is a business risk and, as such, it has to be integrated into the wider enterprise risk program rather than treated in isolation as an information technology problem.
The second part of the book presents a series of items that make up a cyber risk tool kit for an effective cyber risk management program in the organisation. Each area is presented at a high level, covering why adopting that particular practice matters for effectively reducing risk to the business.
The message conveyed in this book is twofold and extremely compelling for an organisation's senior leadership:
- Cyber claims against directors and officers are rising year on year; hence the importance of understanding and acting upon this new risk to the enterprise.
- Cyber risk quantification is paramount both to engage the organisation's senior leadership and to calculate the right amount of cyber insurance the organisation needs.
Many of the subjects presented in this book are likely not new to the cyber security professional; however, the book presents the cyber security challenge faced by organisations from a business perspective, so that the cyber security conversation at the technology level becomes a cyber risk conversation at the business level.
I recommend this book to all cyber and risk professionals, but especially to the technical professional interested in understanding how cyber security is measured at the business level.