Apress

Enterprise Cyber Risk Management as a Value Creator

Leverage Cybersecurity for Competitive Advantage

  • Book
  • © 2024

Overview

  • Pivots away from ECRM as a defense to playing offense by managing the upside of risk
  • Presents practical, tangible steps, content, and action items to document an ECRM program and cybersecurity strategy
  • Makes CISOs/boards successful in better managing cyber risks and opportunities


Table of contents (13 chapters)

  1. A Case for Action

  2. Building and Implementing Your ECRM Program


About this book

This book will help you learn the importance of organizations treating enterprise cyber risk management (ECRM) as a value creator, a business enabler, and a mechanism to create a competitive advantage. Organizations began to see the real value of information and information technology in the mid-1980s. Forty years later, it’s time to leverage your ECRM program and cybersecurity strategy in the same way.

The main topics covered include the case for action with specific coverage on the topic of cybersecurity as a value creator, including how the courts, legislators, and regulators are raising the bar for C-suite executives and board members. The book covers how the board’s three primary responsibilities (talent management, strategy, and risk management) intersect with their ECRM responsibilities.

ECRM was once focused solely on managing the downside of risk by defending the organization from adversarial, accidental, structural, and environmental threat sources. Author Bob Chaput presents the view that we must focus equally on managing the upside of cyber strengths: to increase customer trust and brand loyalty, improve social responsibility, drive revenue growth, lower the cost of capital, attract higher-quality investments, create competitive advantage, attract and retain talent, and facilitate M&A work. The first part focuses on the C-suite and board role and provides guidance on their responsibilities, the most important decision about ECRM they must facilitate, and how to think differently about ECRM funding. You will learn how to pivot from cost-center thinking to value-center thinking.

Having built the case for action, in the second part, the book details the steps that organizations must take to develop and document their ECRM program and cybersecurity strategy. The book first covers how ECRM must be integrated into business strategy. The remainder of that part presents a sample table of contents for an ECRM Program and Cybersecurity Strategy document and works through each section to facilitate development of your own program and strategy. With all the content and ideas presented, you will be able to establish, implement, and mature your program and strategy.


What You Will Learn

  • Understand why ECRM and cybersecurity should be treated as a value creator
  • Receive updates on legal cases, legislative actions, and regulations that are raising the stakes for organizations, their C-suites, and boards
  • Think differently about funding ECRM and cybersecurity initiatives
  • Understand the most critical ECRM decision that boards must facilitate in their organizations
  • Use practical, tangible, actionable content to develop and document your ECRM program and cybersecurity strategy


“This book should be mandatory reading for C-suite executives and board members. It shows you how to move from viewing cybersecurity as a risk to avoid, and a cost center that does not add value and is overhead, to seeing cybersecurity as an enabler and part of your core strategy to transform your business and earn customer and stakeholder trust.”

—Paul Connelly, First CISO at the White House and HCA Healthcare

 

Who This Book Is For

The primary audience includes Chief Information Security Officers, Chief Risk Officers, and Chief Compliance Officers. The secondary audience includes C-suite executives and board members. The tertiary audience includes any stakeholder responsible for privacy, security, compliance, and cyber risk management or students of these topics.

Reviews

Praise for Enterprise Cyber Risk Management as a Value Creator


“Throughout my 28 years in CISO roles at two of the highest risk organizations in the world, I have sweated through countless budget and resource challenges, and struggled to connect my cybersecurity program to business objectives in the minds of business leaders and our board.  A major hurdle was that cybersecurity was viewed as risk avoidance—a cost center that did not add value (i.e., painful but necessary overhead). This book lays out the holy grail for cybersecurity, how to flip that script to make cybersecurity a business enabler and part of the core growth strategy, and how to integrate that approach into business strategy. 

No one is more knowledgeable and qualified to make this case than Bob Chaput, who is a living legend in cybersecurity and an unmatched thought leader in Enterprise Cybersecurity Risk Management. He lays out a compelling case, with details on how to apply this thinking to your organization, then provides a detailed roadmap for making it happen.

This should be mandatory reading for CISOs, CFOs, CEOs, and board members.  It will close communication gaps and change the mindset because it shines a light on the opportunities to expand and accelerate business transformation and earn customer and stakeholder trust—through cybersecurity.”

 —Paul Connelly, First CISO at the White House and HCA Healthcare

 
“Bob Chaput picks up where most books leave off by providing powerful insight into ECRM engagement by providing a factual background coupled with strategic examples that can—and will—have positive impacts on any company's cyber risk strategy and approach.  This resource should become the standard guidebook for every Risk Manager, General Counsel, CISO, CTO, C-Suite, and Board Member who has an interest or a concern around Cyber and Privacy Liability and entire ECRM protocols.”  

—Kevin Hewgley, Senior Vice President, Financial Services at Lockton Companies

 
“In ‘Enterprise Cyber Risk Management as a Value Creator,’ Bob Chaput's latest contribution to simplifying the often impenetrable field of cybersecurity, Bob turns from calling attention to the problem to helping us think differently about it.  Are investments in cybersecurity a cost of doing business, with cost containment as the overarching goal? Is cybersecurity a ‘check the box’ exercise, allowing us to throw up our hands if an adverse event occurs after we've checked all our boxes? Or is cyber a strategic priority meriting an offensive rather than defensive mindset? As always, Bob doesn't just pose the questions. He provides practical and timely answers alongside a wealth of real-world examples. A must read for everyone from the cybersecurity novice to the seasoned pro looking for proper organizational focus on a business pandemic that has no miracle cure in sight.” 

 —Ralph W. Davis, Independent Director/Board Advisor, Operating Partner, The Vistria Group

 
"Bob Chaput’s latest book is a powerful read that explains cybersecurity in a new context. One that will be helping business leaders, including corporate directors, reframe cybersecurity as a critical part of the need for every organization to drive and create value. With so much economic growth and output already dependent upon complex digital systems, this mindset will help leaders understand the importance of cybersecurity to the organization's future."

 —Bob Zukis, CEO Digital Directors Network

 
“‘Enterprise Cyber Risk Management as a Value Creator’ delves deep into the critical realm of Enterprise Cyber Risk Management, providing a comprehensive guide to not just safeguarding against digital threats but also harnessing the power of cybersecurity as a catalyst for growth and innovation. Today, businesses and organizations are more reliant on technology and data than ever before, and the need for robust cybersecurity practices cannot be overstated. This book serves as an indispensable resource, offering both practical wisdom and strategic insights to navigate the ever-evolving landscape of cyber risks. 

Authored by Bob Chaput, a seasoned expert in the field, this material is backed by a wealth of knowledge derived from real-world experiences. It's not merely a theoretical exercise but a hands-on manual for organizations seeking to proactively protect their digital assets and leverage them for strategic advantage. The lessons to be learned from this book are not confined to a single sector or industry. Its principles are universally applicable, ensuring that both large and small organizations can find applicable and valuable takeaways. It's not just about fortifying defenses; it's about adopting a proactive stance towards cybersecurity. 

As data breaches and cyberattacks continue to make headlines, this book is a timely and crucial resource for organizations looking to safeguard their integrity and reputation. Moreover, it provides the tools and strategies needed to turn cyber risk management into a value creator, helping organizations thrive amidst an era of digital transformation. 

   'Enterprise Cyber Risk Management as a Value Creator’ is a guiding light in the intricate maze of cybersecurity. It's a valuable asset for organizations of all sizes, empowering them to not only withstand digital threats but to emerge stronger, more resilient, and ready to seize the boundless opportunities of the modern digital age.”

—Michael E. Whitman, Ph.D., CISM, CISSP, Executive Director, Institute for Cybersecurity Workforce Development, Professor of Information Security and Textbook Author

 
“Having performed dozens of risk analyses for companies during my career at a public accounting firm, this book is a masterclass in strategic management of digital risks in an enterprise and provides great insight to turn digital risk management into a competitive advantage. This is a good resource for business leaders, security professionals, and anyone seeking to navigate the complex landscape of digital security. With profound insights and practical wisdom, it successfully highlights the critical role of cyber/digital risk management in driving business value. Bob Chaput's expertise shines through as he presents a comprehensive and forward-thinking approach to managing cyber/digital risks. The inclusion of actionable insights and practical frameworks adds immense value to the content, ensuring that readers can immediately apply what they've learned.”

 —Raj Chaudhary, Independent Director, Board Advisor, Retired Cybersecurity Partner, Crowe LLP

 
“Someone told me recently that ‘cybersecurity is boring.’ Cybersecurity is boring if it is other people listening to CIOs, CISOs and other IT people talking about it. They understand the issues, the risks, the solutions. Cybersecurity should not be boring to people who don’t live it but must make decisions about it—big decisions like staffing, funding, prioritization against other business issues. How do you talk about cybersecurity in meaningful ways with the full C-Suite, with your Board of Directors or Trustees?

Bob Chaput has answered that question and solved the problem with his latest book: Enterprise Cyber Risk Management as a Value Creator. For too long, cybersecurity has been viewed as a defensive play, a cost center. What if the tables were turned and Executives and Boards thought about cybersecurity in a positive light and as an opportunity to create competitive advantage and add value to the organization and drive business growth?

This book, using data, statistics and real business examples, is a primer for redirecting and refocusing those discussions for the leaders who must be engaged in cybersecurity but for too long have stayed out of the fray. The book provides lots of guidance and many questions—in each chapter—to get the business to start answering the right questions and asking their own. Multiple studies (many cited in this book) clearly indicate that business leaders and consumers agree that establishing trust in products and experiences (AI, digital technology, data) that meet expectations will deepen trust and promote growth.

This is the book to start those conversations, up and down the organization. Cybersecurity isn’t boring if you have the right people talking about it—here is how to engage those ‘right’ people in your organization. You’ll need to arm your IT, Security, Risk Management, Operational and Innovation leaders, but you’ll use the learning to deeply engage the C-Suite, the Boards and Committees of the Board in positive discussion around cybersecurity and how to leverage a more secure organization to move faster and drive new opportunities.”

 —David Finn, Health IT Advocate, Recovering Healthcare CIO, Security and Privacy Officer, Baldrige Foundation Award for Cybersecurity Leadership Excellence

 
“Enterprise Risk Management, and cybersecurity risk management in general, is more important now than ever. Bob's book takes the reader through easy-to-follow steps and provides ‘food for thought’ when implementing an ERM program. A complement to any bookshelf.”

—Rachel V. Rose, JD, MBA, Principal at Rachel V. Rose - Attorney at Law, PLLC

 
“Chaput’s new book on enterprise cyber risk management is a tour de force on this subject. Building a value-creating ECRM culture is not a sprint or a marathon, but a relay. Making this book an All Team Read for your leadership and the first section an All Board Read is an excellent way to start building that culture.”

—Nancy Falls, Independent Board Director and CEO, The Concinnity Company

 
“I heard a friend recently bemoaning the state of ECRM within their organization, ‘we do risk management as an art, not a science.’ Bob breaks ECRM down to science. Bob’s prescription for ECRM is on-point and execution-ready. I looked at the Table of Contents and jumped right to Chapter 8 – Getting Started. Each organization I’ve been part of has had a different ECRM strategy. Bob’s book helps distill what success looks like. Bob coaches the reader through aligning business strategy and ECRM strategy – I especially appreciated his wisdom on, What ‘HOW your organization will conduct ECRM?’ means. Now, the challenge is ours to learn and implement.”

—Dan Bowden, Global CISO, Marsh

 
“Where others have focused primarily on the defensive aspects of cyber risk management, Bob Chaput sees opportunities in ECRM.  Mr. Chaput states: ‘Companies with a strong security posture are more likely to retain existing customers and attract new ones, as they value their data protection. This customer trust and brand loyalty can increase revenue and market share for the organization.’ C-suite and board members will ignore this timely advice at their peril. This book provides a roadmap for the actions necessary to turn defensive thinking and processing into positive and value-creating actions and programs.  Mr. Chaput makes the case for competitive and reputational advantage with logic, intelligence, and wit and draws from a depth of personal knowledge and experience in ECRM. Each chapter includes a set of ‘Questions Management and the Board Should Ask and Discuss,’ and these provide a great agenda of items worthy of consideration. You need this on your reading list.”

—Stephen R. Rusmisel, JD, NACD.DC, 12-year independent director and former lead director of Life Storage, Inc.

 
“ECRM as a Value Creator is a wide-ranging, thought-provoking book on an often-overlooked topic. Bob lays out not just why executives should care about ECRM but gives meaningful advice on how to get it done, and done well. He shares lessons, learned from years in the trenches, on how companies can get a handle on this vital yet often-misunderstood topic. This book addresses the key success factors as well as the common pitfalls in world-class risk management. It focuses on what leaders need to know and do, rather than getting lost in the minutia of ‘this configuration of this system.’ This focus makes this book applicable across any industry that has to manage its cyber-risk, which is, of course, all of them. The questions for the Board of Directors alone make this a worthwhile read – merely asking these questions will, at the very least, start you on the right path.”

 —William Niner, CISO


“Bob Chaput in his latest book “Enterprise Cyber Risk Management as a Value Creator” works magic by revealing why cybersecurity risk is an essential ingredient of enterprise risk management. He introduces a new paradigm with enterprise cybersecurity risk management (ECRM) being not just a defensive play, but a proactive business enabler that can improve customer trust and stickiness through security services and increase revenue sources by way of security capabilities. Bob lays out a well-understood foundation by elegantly taking us through a comprehensive survey of the changing cybersecurity governance landscape. He skillfully reveals timely concepts such as the new federal regulations, the evolving financial industry governing bodies’ trends, and the quiet but growing court system precedents. Bob makes a sound case for why ECRM is a must-have concept that is to be understood and adopted by organizations today.

With tight financial margins facing many organizations, it is critical that business value is achieved with every dollar spent.  Bob shows us how ECRM goes well beyond just being an IT problem.  He clearly explains how ECRM can serve to propel an organization forward with a host of benefits, some of which are by facilitating digital transformation and innovation, attracting higher quality investments, bringing in more talent, supporting M&A activities, reducing regulatory exposure, assuring operational continuity and resiliency, and creating increased competitive advantage.

Bob makes it easy for us to not only comprehend this evolving topic, but to practically take steps forward to implement the ECRM strategy by outlining a simple five-step approach. He sheds light on how small and large organizations can justify and practically build out an appropriate budget needed to establish a successful ECRM program, with specific guidance on how to educate and win over the C-Suite and board, including key questions to ask and discuss. Bob deftly reveals the role of the ECRM program and cybersecurity strategy within the context of ERM, tying cybersecurity strategy into the board’s responsibilities. His insights on the business ownership of risk through authorization to operate and use are particularly compelling.

This text is a must have for boards of directors, senior management, IT and security leaders, and anyone who wants to know just how vital ECRM can be in ensuring the future success of your organization.

—James Brady, Ph.D., Healthcare CIO/CTO/CISO

Authors and Affiliations

  • Belleair Beach, USA

    Bob Chaput

About the author

Bob Chaput, NACD.DC, is the author of “Stop the Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).” He is also the Founder and Executive Chairman of Clearwater, a leading provider of cybersecurity, risk management, and HIPAA compliance software, consulting, and managed services. As a leading authority in cybersecurity regulatory compliance and enterprise cyber risk management, Bob has helped dozens of organizations and their business partners, including Fortune 100 organizations, improve their risk posture. Bob's degrees include an MA in Mathematics from Clark University and a BA in Mathematics from the Massachusetts College of Liberal Arts. In addition to the NACD.DC Directorship Certification, Bob holds numerous privacy, security, and cyber risk management certifications. He is a faculty member at IANS Research.

Bob decided to write this book to help Chief Information Security Officers (CISOs) better integrate into their businesses and interact with C-suite executives and board members. As happened when Chief Information Officers (CIOs) began to ‘earn a seat at the table’ decades ago, there is a significant communications gap between this newly recognized role, the C-suite, and the board. Bob's goal is to make CISOs and their boards successful in better understanding one another and better at managing cyber risks and opportunities. The aim of this book is to help close the communications gap by linking CISOs with the three main topics that boards deal with: talent management, strategy, and risk management.

