Chapter 7


In this chapter we will talk about the one fundamental issue that drives most CISOs and influences how they create and manage their security programs. That issue is risk. Our authors will note that there are numerous types of risk facing an organization from both an internal and external perspective. They will also discuss the various components of risk and its impact to an organization when it’s not properly managed. The discussions that follow will highlight our authors’ unique viewpoints on risk in its disparate forms and how it can be managed through security controls and new tools such as a cyber liability insurance policy.

Our authors collectively believe risk is one of the primary drivers that influences an organization and its ability to be successful. It is because of risk’s enterprise-wide impact that our authors believe the modern CISO must understand their organization’s industry, regulatory requirements, and strategic initiatives. This business context will provide critical insight for CISOs as they use their security program, policies, tools, and cyber insurance to protect their organization and reduce its risk exposure to an acceptable level.

Bill Bonney highlights the four fundamental approaches that organizations will use to manage their risk. He provides a thorough analysis of how the risk function within the organization has changed due to many of the dynamic threats now facing enterprise business environments. He describes the multitude of ways that risk can impact an organization, and from his in-depth experience provides several options that organizations can use to mitigate risk and its impact to their business operations.

Matt Stamper approaches the discussion of risk through the lens of cyber liability insurance. He breaks down how to view the management of risk through tools like an insurance policy and how this new capability should be leveraged for the organization. In his discussion, Matt emphasizes that for the CISO to consider using cyber insurance, they must have an understanding of the current risks facing the business, the present risk management controls that are in place, and the resultant gaps that need to be addressed. He believes that with this knowledge a CISO is in a better position to help their organization reduce their risk exposure by implementing an appropriate cyber insurance policy.

Gary Hayslip begins his discussion on risk with a pragmatic view that for CISOs to be productive in mitigating the risks facing their organization they first must establish a risk baseline. The CISO must understand what is critical to the organization and must have executive management support to ensure that cyber risk is prioritized correctly. Gary delivers a thorough treatment of cyber insurance and its numerous components and provides recommendations on how cyber liability insurance can be used as an effective tool to protect the organization.

Some of the questions the authors used to frame their thoughts for this chapter include:

Screen Shot 2016-08-14 at 11.56.07 AM


Visit here for an excerpt from chapter 7…


Copyright © 2016 CISO DRG JV – All Rights Reserved.