ABSTRACT

Chapter 5 shows the integration of risk management into DevOps through the use of the Cybersecurity Risk Management Framework. This chapter introduces the cyber risk investment model that stakeholders use when making decisions about cybersecurity spending within organizations. The five areas identified within the cyber risk investment model are: 1) technology landscape and application portfolio, 2) data-centric focus, 3) risk management practices, 4) cost-benefit analysis for cybersecurity measures and 5) strategic development. These focal areas provide the foundation needed to apply risk management practices within the decision-making process for cybersecurity spending.

Chapter 5 also integrates the cybersecurity risk management framework into DevOps and demonstrates that it may be used when evaluating and implementing cybersecurity measures. The cybersecurity risk management framework consists of 1) a risk assessment, 2) an internal control assessment, 3) an understanding of the organization’s risk appetite and 4) a risk mitigation strategy. Although cost-benefit analysis is impactful from a financial perspective, in some cases other factors need to be considered to fully understand the impact of not implementing additional security measures. For example, the cost of preventative cybersecurity measures is usually not factored into the organization’s cost-benefit analyses; specifically, the cost of preventative security measures usually includes the development and implementation of a continuous compliance monitoring program. The survey study showed that respondents from risk-taking organizations are focused on implementing foundational cybersecurity measures to meet mandatory compliance obligations. In addition, most organizations do not have the data necessary to appropriately assess the cost and impact of a cybersecurity breach on an organization, i.e., its effect on the organization’s brand/reputation, legal/regulatory landscape, operational/technology environment, forensic/e-discovery-related items, and third-party suppliers; therefore, the actual cost of remediating a cybersecurity breach goes unrealized. To adequately implement cybersecurity measures, in addition to performing a cost-benefit analysis, stakeholders should implement an elaborate decision-making process to determine the additional security measures needed to adequately protect an organization from a cybersecurity breach while aligning with its risk appetite.