Bob Chaput, NACD.DC

MA, CISSP, HCISPP, CRISC, CIPP/US, C|EH

NACD CERT Cyber Risk Oversight

My Services
Board Advisor

Trusted advisor and confidant to entire boards and board committees responsible for enterprise cyber risk management oversight. Author of a go-to resource for healthcare leaders and directors.

Independent Board Member

Oversee cyber risk management as a business enabler. Knowledge, skills, and abilities in governance, risk, and regulatory compliance exceed all criteria outlined in the proposed SEC rule making for cybersecurity expertise.

Board Member | Executive | Entrepreneur | Educator | Expert Witness | Author

Experienced, highly credentialed, financially literate, and skilled executive leader with a proven track record establishing, implementing, and maturing enterprise cyber risk management (ECRM) programs in healthcare and other industries. Background includes 40+ years in information technology and security executive leadership in General Electric, Johnson & Johnson, and Healthways. In 2009, founded industry-leading healthcare cyber risk management and compliance firm Clearwater Compliance.  Serve as executive chairman of this PE-backed private firm.  Also serve as board chairman of the Chaput-Avery Family Foundation.

Areas of Expertise

Exceed all proposed cybersecurity expertise criteria in proposed cyber changes to SEC Regulation S-K

  • Cybersecurity
  • Leadership
  • Enterprise Risk
  • Cyber Funding
  • Public Speaking
  • Compliance
  • Privacy
  • Risk Analysis
  • Information Security
  • Cyber Risk 
  • Financial Literacy
  • Risk Training
  • Technical Testing
  • Policy Management
  • Complexity of Risks

Cybersecurity Certifications / Credentials

  • CISSP (Certified Information Systems Security Professional from ISC2, ID 410812)
  • HCISPP (HealthCare Information Security and Privacy Practitioner from ISC2, ID 410812)
  • CRISC (Certified in Risk and Information Systems Control from ISACA, ID 848030)
  • CIPP/US (Certified Information Privacy Professional from IAPP, ID 10072362)
  • C|EH (Certified Ethical Hacker from EC-Council, ID ECC1627043598)
Enabling Board Cyber Risk Oversight Blog

April 26, 2024 Navigating Cyber Risks in Healthcare: A Critical Wake-Up Call

Navigating Cyber Risks in Healthcare: A Critical Wake-Up Call “Plus ça change, plus c’est la même chose” (“The more things change,…

April 25, 2024 From Cyber Guardian to Boardroom Luminary – Top 5 Actions

From Cyber Guardian to Boardroom Luminary – Top 5 Actions “The best time to plant a tree was 20 years…

March 5, 2024 From Cyber Guardian to Boardroom Luminary – Yogi Berra

From Cyber Guardian to Boardroom Luminary – Yogi Berra It’s like deja-vu, all over again. —Yogi Berra[1] Introduction I recently…

February 19, 2024 Cyber Risk Illiteracy – 4 – ECRM Program vs. Cybersecurity Strategy

Cyber Risk Literacy – 4 – ECRM Program vs. Cybersecurity Strategy By failing to prepare, you are preparing to fail….



Get in Touch



  • Address: Tampa Bay Area
  • Email: bob@bobchaput.com
  • Phone: 615-496-4891
  • Advisor/Board: Available

“This book should be mandatory reading for C-suite executives and board members. It shows you how to move from viewing cybersecurity as a risk to avoid, and a cost center that does not add value and is overhead, to seeing cybersecurity as an enabler and part of your core strategy to transform your business and earn customer and stakeholder trust.” 

– Paul Connelly, First CISO at the White House and HCA Healthcare

Please note: As an Amazon Associate I earn from qualifying purchases.

Additional Information about ECRM As A Value Creator

Chapter Excerpts (coming soon!)

Appendices Excerpts (coming soon!)

Endorsements for Enterprise Cyber Risk Management as a Value Creator

—Paul Connelly, First CISO at the White House and HCA Healthcare

Throughout my 28 years in CISO roles at two of the highest-risk organizations in the world, I have sweated through countless budget and resource challenges and struggled to connect my cybersecurity program to business objectives in the minds of business leaders and our board. A major hurdle was that cybersecurity was viewed as risk avoidance—a cost center that did not add value, that is, a painful but necessary overhead. This book lays out the holy grail for cybersecurity, how to flip that script to make cybersecurity a business enabler and part of the core growth strategy, and how to integrate that approach into business strategy.

No one is more knowledgeable and qualified to make this case than Bob Chaput, who is a living legend in cybersecurity and an unmatched thought leader in enterprise cyber risk management (ECRM). He lays out a compelling case, with details on how to apply this thinking to your organization, and then provides a detailed road map for making it happen.

This should be mandatory reading for CISOs, CFOs, CEOs, and board members. It will close communication gaps and change the mindset because it shines a light on the opportunities to expand and accelerate business transformation and earn customer and stakeholder trust—through cybersecurity.

—Kevin Hewgley, Senior Vice President, Financial Services at Lockton Companies

Bob Chaput picks up where most books leave off by providing powerful insight into ECRM engagement by providing a factual background coupled with strategic examples that can and will have positive impacts on any company’s cyber risk strategy and approach. This resource should become the standard guidebook for every risk manager, general counsel, CISO, CTO, C-suite, and board member who has an interest in or a concern around cyber and privacy liability and entire ECRM protocols.

—Bob Zukis, CEO, Digital Directors Network

Bob Chaput’s latest book is a powerful read that explains cybersecurity in a new context, one that will be helping business leaders, including corporate directors, reframe cybersecurity as a critical part of the need for every organization to drive and create value. With so much economic growth and output already dependent upon complex digital systems, this mindset will help leaders understand the importance of cybersecurity to the organization’s future.

—Ralph W. Davis, Independent Director/Board Advisor, Operating Partner, The Vistria Group

In Enterprise Cyber Risk Management as a Value Creator, Bob Chaput’s latest contribution to simplifying the often impenetrable field of cybersecurity, Bob turns from calling attention to the problem to helping us think differently about it. Are investments in cybersecurity a cost of doing business, with cost containment as the overarching goal? Is cybersecurity a “check the box” exercise, allowing us to throw up our hands if an adverse event occurs after we’ve checked all our boxes? Or is cyber a strategic priority meriting an offensive rather than defensive mindset? As always, Bob doesn’t just pose the questions. He provides practical and timely answers alongside a wealth of real-world examples. A must-read for everyone from the cybersecurity novice to the seasoned pro looking for proper organizational focus on a business pandemic that has no miracle cure in sight.

—Raj Chaudhary, Independent Director, Board Advisor, Retired Cybersecurity Partner, Crowe LLP

Having performed dozens of risk analyses for companies during my career at a public accounting firm, this book is a masterclass in strategic management of digital risks in an enterprise and provides great insight to turn digital risk management into a competitive advantage. This is a good resource for business leaders, security professionals, and anyone seeking to navigate the complex landscape of digital security. With profound insights and practical wisdom, it successfully highlights the critical role of cyber/digital risk management in driving business value. Bob Chaput’s expertise shines through as he presents a comprehensive and forward-thinking approach to managing cyber/digital risks. The inclusion of actionable insights and practical frameworks adds immense value to the content, ensuring that readers can immediately apply what they’ve learned.

—Michael E. Whitman, PhD, CISM, CISSP Executive Director, Institute for Cybersecurity Workforce Development Professor of Information Security and Textbook Author

Enterprise Cyber Risk Management as a Value Creator delves deep into the critical realm of enterprise cyber risk management, providing a comprehensive guide to not just safeguarding against digital threats but also harnessing the power of cybersecurity as a catalyst for growth and innovation. Today, businesses and organizations are more reliant on technology and data than ever before, and the need for robust cybersecurity practices cannot be overstated. This book serves as an indispensable resource, offering both practical wisdom and strategic insights to navigate the ever-evolving landscape of cyber risks.

Authored by Bob Chaput, a seasoned expert in the field, this material is backed by a wealth of knowledge derived from real-world experiences. It’s not merely a theoretical exercise but a hands-on manual for organizations seeking to proactively protect their digital assets and leverage them for strategic advantage. The lessons to be learned from this book are not confined to a single sector or industry. Its principles are universally applicable, ensuring that both large and small organizations can find applicable and valuable takeaways. It’s not just about fortifying defenses; it’s about adopting a proactive stance toward cybersecurity.

As data breaches and cyberattacks continue to make headlines, this book is a timely and crucial resource for organizations looking to safeguard their integrity and reputation. Moreover, it provides the tools and strategies needed to turn cyber risk management into a value creator, helping organizations thrive amid an era of digital transformation.

Enterprise Cyber Risk Management as a Value Creator is a guiding light in the intricate maze of cybersecurity. It’s a valuable asset for organizations of all sizes, empowering them to not only withstand digital threats but emerge stronger, more resilient, and ready to seize the boundless opportunities of the modern digital age.

—Nancy Falls, Independent Board Director and CEO, The Concinnity Company

Chaput’s new book on enterprise cyber risk management is a tour de force on this subject. Building a value-creating ECRM culture is not a sprint or a marathon, but a relay. Making this book an all-team read for your leadership and the first part an all-board read is an excellent way to start building that culture.

—Rachel V. Rose, JD, MBA, Principal at Rachel V. Rose—Attorney at Law, PLLC

Enterprise risk management, and cybersecurity risk management in particular, is more important now than ever. Bob’s book takes the reader through easy-to-follow steps and provides “food for thought” when implementing an ERM program. A complement to any bookshelf.

—William Niner, CISO

Enterprise Cyber Risk Management as a Value Creator is a wide-ranging, thought-provoking book on an often-overlooked topic. Bob not only lays out why executives should care about ECRM but gives meaningful advice on how to get it done, and done well. He shares lessons, learned from years in the trenches, on how companies can get a handle on this vital yet often-misunderstood topic. This book addresses the key success factors as well as the common pitfalls in world-class risk management. It focuses on what leaders need to know and do, rather than get lost in the minutia of “this configuration of this system.” This focus makes this book applicable across any industry that has to manage its cyber risk, which is, of course, all of them. The questions for the board of directors alone make this a worthwhile read—merely asking these questions will, at the very least, start you on the right path.

—David Finn, Health IT Advocate, Recovering Healthcare CIO, Security and Privacy Officer, Baldrige Foundation Award for Cybersecurity Leadership Excellence

Someone told me recently that “cybersecurity is boring.” Cybersecurity is boring if it is other people listening to CIOs, CISOs, and other IT people talking about it. They understand the issues, the risks, the solutions. Cybersecurity should not be boring to people who don’t live it but must make decisions about it—big decisions like staffing, funding, prioritization against other business issues. How do you talk about cybersecurity in meaningful ways with the full C-suite, with your board of directors or trustees?

Bob Chaput has answered that question and solved the problem with his latest book: Enterprise Cyber Risk Management as a Value Creator. For too long, cybersecurity has been viewed as a defensive play, a cost center. What if the tables were turned and executives and boards thought about cybersecurity in a positive light and as an opportunity to create competitive advantage and add value to the organization and drive business growth?

This book, using data, statistics, and real business examples, is a primer for redirecting and refocusing those discussions for the leaders who must be engaged in cybersecurity but for too long have stayed out of the fray. The book provides lots of guidance and many questions—in each chapter—to get the business to start answering the right questions and asking their own. Multiple studies (many cited in this book) clearly indicate that business leaders and consumers agree that establishing trust in products and experiences (AI, digital technology, data) that meet expectations will deepen trust and promote growth.

This is the book to start those conversations, up and down the organization. Cybersecurity isn’t boring if you have the right people talking about it—here is how to engage those “right” people in your organization. You’ll need to arm your IT, security, risk management, operational, and innovation leaders, but you’ll use the learning to deeply engage the C-suite, the boards, and committees of the board in positive discussion around cybersecurity and how to leverage a more secure organization to move faster and drive new opportunities.

—James Brady, PhD, Healthcare CIO/CTO/CISO

Bob Chaput in his latest book, Enterprise Cyber Risk Management as a Value Creator, works magic by revealing why cybersecurity risk is an essential ingredient of enterprise risk management. He introduces a new paradigm with enterprise cyber risk management (ECRM) being not just a defensive play, but as a proactive business enabler that can improve customer trust and stickiness through security services and increasing revenue sources by way of security capabilities. Bob lays out a well-understood foundation by elegantly taking us through a comprehensive survey of the changing cybersecurity governance landscape. He skillfully reveals timely concepts such as the new federal regulations, the evolving financial industry governing body trends, and the quiet but growing court system precedents. Bob makes a sound case for why ECRM is a must-have concept that is to be understood and adopted by organizations today.

With tight financial margins facing many organizations, it is critical that business value is achieved with every dollar spent. Bob shows us how ECRM goes well beyond just being an IT problem. He clearly explains how ECRM can serve to propel an organization forward with a host of benefits, some of which are by facilitating digital transformation and innovation, attracting higher-quality investments, bringing in more talent, supporting mergers and acquisitions (M&A) activities, reducing regulatory exposure, assuring operational continuity and resiliency, and creating increased competitive advantage.

Bob makes it easy for us to not only comprehend this evolving topic but practically take steps forward to implement the ECRM strategy by outlining a simple five-step approach. He sheds light on how small and large organizations can justify and practically build out an appropriate budget needed to establish a successful ECRM program, with specific guidance on how to educate and win over the C-suite and board, including key questions to ask and discuss. Bob deftly reveals the role of ECRM Program and Cybersecurity Strategy within the context of ERM, tying cybersecurity strategy into the board’s responsibilities. His insights on the business ownership of risk through authorization to operate and use are particularly compelling.

This text is a must-have for boards of directors, senior management, IT and security leaders, and anyone who wants to know just how vital ECRM can be in ensuring the future success of your organization.

Stephen R. Rusmisel, JD, NACD.DC, 12-Year Independent Director and Former Lead Director of Life Storage, Inc.

Where others have focused primarily on the defensive aspects of cyber risk management, Bob Chaput sees opportunities in ECRM. Mr. Chaput states: “Companies with a strong security posture are more likely to retain existing customers and attract new ones, as they value their data protection. This customer trust and brand loyalty can increase revenue and market share for the organization.” C-suite and board members will ignore this timely advice at their peril. This book provides a road map for the actions necessary to turn defensive thinking and processing into positive and value-creating actions and programs. Mr. Chaput makes the case for competitive and reputational advantage with logic, intelligence, and wit and draws from a depth of personal knowledge and experience in ECRM. Each chapter includes a set of “Questions Management and the Board Should Ask and Discuss,” and these provide a great agenda of items worthy of consideration. You need this on your reading list.

—Dan Bowden, Global CISO, Marsh, Former CISO, Sentara Healthcare

I heard a friend recently bemoaning the state of ECRM within their organization, “We do risk management as an art, not a science.” Bob breaks ECRM down to science. Bob’s prescription for ECRM is on point and execution-ready. I looked at the Table of Contents and jumped right to Chapter 8. Each organization I’ve been part of has had a different ECRM strategy. Bob’s book helps distill what success looks like. Bob coaches the reader through aligning business strategy and ECRM strategy—I especially appreciated his wisdom on what “HOW your organization will conduct ECRM?” means. Now, the challenge is ours to learn and implement.

Bob Chaput’s Stop the Cyber Bleeding is a needed call to action. It is a thoughtful explication of the risks inherent in our new digital world. Unlike most such narratives, it also offers a practical approach to manage and mitigate those risks. 

—Mark Reynolds, President and CEO, Risk Management Foundation of the Harvard Medical Institutions Incorporated (CRICO)

PRAISE FOR STOP THE CYBER BLEEDING

—Ralph W. Davis, serial healthcare board member/advisor | Operating Partner, The Vistria Group

“Cybersecurity” is the kryptonite of too many healthcare company board meetings. Otherwise intelligent and accomplished people can be intellectually paralyzed by the mere mention of the term. Yet, failure to appreciate cybersecurity risk and ensure appropriate resource allocation too often leads to an even more painful experience:  the post-breach emergency meeting. In Stop the Cyber Bleeding, Bob Chaput clearly and concisely arms executives and board members with what they need to know and the questions they need to ask to exercise effective oversight in this critical area. Whether your goal is to build a best-in-class Enterprise Cyber Risk Management (ECRM) program or, more modestly, simply to keep your company out of the hacker’s crosshairs and off the front pages of the newspaper, Stop the Cyber Bleeding is a “must read” now.

—Benoit Desjardins, MD, PhD, FAHA, FACR, CISSP | Associate Professor, Department of Radiology, Penn Medicine

In his excellent, practical, and timely book, Bob Chaput addresses multiple aspects of ECRM. He first describes the unique challenges of ECRM in today’s healthcare environment, given the current cyber risks and regulations. He then offers a well-rounded plan of action on how C-suite executives can provide leadership and oversight for their organization’s ECRM efforts. This plan of action is tailored to their specific cyber risks, based on the NIST framework, and includes how to establish an ECRM program and fund it. He finally provides several concrete examples of the benefits of establishing an ECRM program. This book is an extremely valuable guide and should be in the library of every healthcare institution C-suite executive, board member, and IT leader.

—Gregory J. Ehardt, JD, LL.M. | Vice President, Compliance and Privacy, CHRISTUS Health

I know from firsthand experience that the concepts, principles, and actions presented in Stop the Cyber Bleeding work to engage and inspire top leaders and board members alike to seriously take up the matter of cyber risk management as an enterprise issue. It’s terrific to see Bob codify his practical risk management skills, knowledge, and experience into a book that’s easy to read and use. His insightful treatment of the transformation required as a behavior-change matter is incredibly relevant for healthcare organizations. Given the increasing cyber liabilities facing healthcare organizations and their C-suite executives and board members alike, Stop the Cyber Bleeding is a must-read today.

—Iliana Peters, JD, LLM, CISSP | Shareholder, Polsinelli PC, Former Acting Deputy Director HHS Office for Civil Rights

In this book, Bob Chaput provides an excellent summary of the major issues facing healthcare entities with regard to cyber risk management and related security compliance. Bob includes helpful talking points to involve all members of a healthcare organization’s workforce in conversations about cybersecurity, including, importantly, the C-suite and board.

—James Furstenberg, Ph.D., CISSP, C|EH, GMON, C|ND, C|PTE, CNA, CLFE, ACE, C|SCU | Assistant Professor, Information Security and Intelligence, Ferris State University

Chaput hits it out of the park with his book Stop the Cyber Bleeding. Bob’s decades of risk management experience detailed in this book offer a must-read tutorial for every industry executive. Bob conveys lessons learned from the trenches while delivering street-smart, pragmatic, and tangible strategies toward unraveling the complexities of Enterprise Cyber Risk Management. More importantly, Bob provides evidence for what we cybersecurity professionals have been stating for years: Cyber risk management is not a department within IT—it is an enterprise issue that demands a seat (and a strategy) at the boardroom table!

—Fernando Martinez, Ph.D., CHCIO, CISSP, CISA, CISM, CGEIT | Chief Strategy Officer THA, President and CEO THA Foundation, Texas Hospital Association

The case for ECRM is decisively made; timely and relevant. Successful cyber exploits frequently capitalize on the failure of organizations to focus on, and address, fundamentals. This book is an instruction manual on how to get all of the fundamentals sustainably right. Clear and straightforward guidance for senior executives and board members alike. Ending each section with not only suggested questions to ask, but why and how to ask them is pure genius. Through realistic scenarios and firsthand experiences, Bob takes the reader on a sobering trip across the healthcare landscape. This is a must-read for executives who influence cyber risk and cybersecurity governance.

Putting Enterprise Cyber Risk Management (ECRM) Into Action