CyRM
Mastering the Management of Cybersecurity
First Edition published 2021
by CRC Press
6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742
and by CRC Press
2 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN
© 2021 Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, LLC
The right of David X Martin to be identified as author of this work has been asserted by him in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.
Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.
For permission to photocopy or use material electronically from this work, access
Trademark notice: Product or corporate names may be trademarks or registered trademarks and are used only for identification and explanation without intent to infringe.
ISBN: 978-0-367-56531-2 (hbk)
ISBN: 978-0-367-75785-4 (pbk)
ISBN: 978-1-003-09823-2 (ebk)
Typeset in Caslon
by SPi Global, India
For my family,
who gives life to the world around me.
PRONG 1
CyRM: Cyber Risk Management
PRONG 2
CyberWellness
PRONG 3
Cybersecurity as a Business Strategy
Back in the 1990s (seems like eons ago, doesn't it?), General Electric CEO Jack Welch told business leaders, "If you're not confused, you don't know what's going on." I've always liked that admonition, because thinking you've got a handle on things can lead to arrogance and complacency; confusion keeps you humble. And if you're humble, you're teachable. And being teachable, being aware that there are many things you don't know (and even more things you don't know that you don't know), keeps you seeking new information and remaining open to opportunities, all while staying alert to new threats.
At that time, I was the enterprise risk manager for Citicorp, the largest financial institution in the world, and I understood that financial institutions were mirrors of their environment. If the economy in which we're doing business is doing well, our customers do well, and we do well. The opposite is also true, even if you have the best risk professionals in the business. So back then, my approach was to thoroughly understand the environments we were operating in and to keep a keen eye on inflection points, the leading indicators of where those environments were going. For example, when our private clients in our emerging markets business started to move their private wealth offshore, I saw this as a leading indicator that their local economy was headed in the wrong direction.
Back then, the rate of technological innovation was a leading indicator, so I hired MIT professor Tsutomu Shimomura to ethically hack the bank. A few days later he came to me and said, "You guys are an easy target. All someone has to do is bombard your call center. No customer will be able to call in, and you'll be out of business in no time." I was startled. I quickly realized that cybersecurity, just like every other risk, needs to be managed.
Fast-forward to today: public scrutiny (and in some cases outrage) after cyberattacks, together with actions by regulatory authorities, have made cybersecurity a key leadership responsibility. When things go wrong, whether in a major or minor way, the ability to quickly identify and respond to a problem will determine the company's ultimate recovery. Another major breach of cybersecurity will soon be in the news. The only question is how dramatic and costly that breach will be, and whether the full extent of the damage will ever be made public. Worse still, should hackers gain access to the financial records of a major national bank or important defense contractor, we'll quickly forget about the relatively insignificant attacks at retailers like Target and Home Depot.
What accounts for the increase in cybercrime? Three broad new security challenges have emerged.
First, there has been a previously unimaginable explosion in the amount of data, connections, transactions, and communications that has overloaded traditional data systems.
Second, institutions have lost the ability to effectively identify problems. Faster innovation cycles and a dizzying array of new products mean that most businesses find themselves unable to quickly recognize security breaches. Social networking systems, big data, cloud computing, mobile internet, and Internet of Things technologies are generating personal data streams that have made authorization and message filtration extraordinarily difficult.
Third, there's a lack of formal control mechanisms. In an environment where cybersecurity disruptions are becoming more pervasive and sophisticated, there are still no recognized standards for detection, response, remediation, and enterprise-wide communication. The management of these critical functions is often left to the IT department, which is usually directed to pursue outdated, hardened-shell strategies designed only to discourage penetration.
Armed with decades of experience as a leader in risk management, I examined this landscape, and it became clear to me that we need an information security model that continually assesses the validity, reliability, and value of the information it gathers. I developed and honed that security model into a process that I know can help companies avoid the worst pitfalls of a cyberattack. It's called cyber risk management, or CyRM.
CyRM is a new paradigm that approaches security as a business problem and aligns it with business needs. So, instead of viewing security as a technical problem handled by technical people, it uses an outcome-driven approach that balances investment and risk. Even further, instead of throwing money at the problem at the expense of executive engagement, it connects cybersecurity with business decision-making to impact business outcomes.
To effectively impact business outcomes, CyRM needs to consist of three prongs:
Risk Management: It needs to apply the tenets of risk management to cybersecurity in order to take a broad view of risks across an organization to inform resource allocation, better manage risks, and enable accountability.
CyberWellness: It needs to encompass not only the firm as a whole, but also every employee who needs to be responsible for the risks they undertake. This requires an active process with cybersecurity, just like physical wellness programs in which the company takes an active approach to promoting employees' good health.
Cybersecurity as a Business Strategy: Cybersecurity needs to be repositioned for what it really is: a growth enabler, not just a function designed to reduce operational risks by eliminating the dangers posed by viruses and hackers. It also needs to enhance product integrity, customer experience, operations, regulatory compliance, brand reputation, and investor confidence.