Bob Chaput, NACD.DC

MA, CISSP, HCISPP, CRISC, CIPP/US, C|EH

NACD CERT Cyber Risk Oversight

Preface by Bob Chaput

It feels like we’re going through a similar positive cycle to what I experienced early in my career in the mid-1980s when businesses recognized that information and information technology were an asset that companies could leverage for competitive advantage. In 1985, Michael E. Porter and Victor E. Millar published their seminal article, “How Information Gives You Competitive Advantage.” In it, they highlighted how the information revolution critically affected competition, including changing industry structure, altering competition rules, creating competitive advantage by giving companies new ways to outperform their rivals, and spawning whole new businesses.

In this book, I highlight parallels between what happened over the course of the last 40 years and what is underway today with cybersecurity. In short, with the explosion in data, systems, and devices in connection with massive digitization programs that businesses have undertaken, it has become clear that organizations must safeguard these new information assets. Organizations, their C-suites, and boards must now realize that they can leverage a robust Enterprise Cyber Risk Management (ECRM) Program and Cybersecurity Strategy to create a competitive advantage for their organization. As Yogi said, it’s like déjà vu all over again.

I was gratified to see how well executives, board members, and many stakeholders in the healthcare ecosystem received my book Stop the Cyber Bleeding in 2020. I appreciated the opportunity to give something back to the healthcare industry in the form of practical, tangible recommendations to establish, implement, and mature an ECRM program. For many organizations, building such a program represented paying off “ECRM debt” after having gone on a spending binge as they digitized what were, in many cases, ancient clinical and administrative information systems. Most of that book focused on basics to build defenses to assure the confidentiality, integrity, and availability of data, systems, and devices against adversarial and other threat sources.

To a lesser extent, I addressed the possibility of a strong ECRM program becoming a business enabler. I discussed that not only is ECRM not an “IT problem,” it can become a business enabler if appropriately handled. I briefly discussed how a robust ECRM Program and Cybersecurity Strategy might be leveraged as a competitive advantage. I presented several possible cyber opportunities, such as facilitating M&A, reducing the cost of capital, lowering executive risk insurance premiums, and helping their organizations compete with “technology invaders.”

In Enterprise Cyber Risk Management As a Value Creator, I go further. I wrote this book to encourage organizations in all industries to move away from treating ECRM and cybersecurity strategy as a purely defensive play. I think most organizations are overdue to proactively seek ways to use their ECRM Program and Cybersecurity Strategy not only to manage risks (“manage the downside”) but also to identify and exploit opportunities (“manage the upside”) and create a competitive advantage.

This book provides an overview of why a robust ECRM Program and Cybersecurity Strategy is a strategic imperative for your organization and how executives and board members should think more positively about ECRM and cybersecurity. Finally, it outlines how to develop your ECRM Program and Cybersecurity Strategy, including a discussion of the documentation that will help you establish, implement, and mature your program and meet the increasingly stringent requirements that legislators, regulators, and the courts are setting.

My goal is that C-suite executives, board members, and their Chief Information Security Officers (CISOs) use this book to bridge communication gaps and meet at the intersection of where boards focus: talent management, strategy, and risk management. Because cyber risk is an existential risk to most organizations, they need to manage these risks and leverage their programs’ strengths to create value and drive business growth.

For ECRM to be effective, the entire organization must be engaged in the program. Although this book is written primarily for C-suite executives, board members, and CISOs, I am confident that the information I present will also be helpful to other leaders, managers, and professionals in all functional areas in all organizations in all industries.

I decided to write this book to help Chief Information Security Officers (CISOs) better integrate into their businesses and interact with C-suite executives and board members. As happened when Chief Information Officers (CIOs) began to “earn a seat at the table” decades ago, there is a significant communication gap between this newly recognized role, the C-suite, and the board. My goal is to help CISOs and their boards understand one another better and better manage cyber risks and cyber opportunities. The aim of this book is to help close the communication gap by linking CISOs with the three main topics that boards deal with: talent management, strategy, and risk management.

—Bob Chaput, Founder and Executive Chairman, Clearwater
