20654 - STRATEGY AND GOVERNANCE FOR CYBER RISK
Department of Management and Technology
GIANLUCA SALVIOTTI
Mission & Content Summary
MISSION
CONTENT SUMMARY
Part 1| Understanding the context for cyber risk governance and strategy.
- Cyber Risk Governance (CRG) as a new field. CRG, Corporate Governance, Enterprise Risk Management, IT Risk Management, IT Governance.
- Business Strategy in the era of Digital Transformation: how to derive business drivers for Cyber Risk Governance and Strategy. Identifying the crown jewels in transforming organizations: the Real Madrid Case Study.
- Identifying the crown jewels in transforming organizations: the GE Case Study.
- Linking Business Strategy to Cyber Risk Strategy: the SOI case study.
- From strategy to execution: the role of international frameworks. The NIST cybersecurity Framework.
- The NIST cybersecurity framework in action.
- Simulation: Design and execute the Cyber Strategy @ Morpheus Pharma.
Part 2 | Cyber risk governance processes, frameworks and tools.
- Introduction to Corporate Governance and Board Responsibilities.
- Simulation: Build a Cybersecurity Toolkit for Your Board
- Cyber Risk Governance: from Board Responsibilities to other Leadership Structures, Processes, and Mechanisms.
- Removing vulnerabilities through people and culture.
- CISO Metrics & Reporting. Cyber Risk Governance Indicators: KPI and KRI.
- Simulation: Your first 90 days as CISO
Part 3 | Governance and Strategy for Cyber Incidents. How to deal with a Cyber Crisis.
In Part 3 students will have the chance to understand how apply strategy and governanceto approaches and tools to effectively manage a Cyber Incident
- Current Challenges in Cyber and Information security.
- Current Challenges in Cyber and Information security: the CISO's perspective.
- An overview of the NIST SP800-61. Incident response and Security Operations.
- The NIST SP800-61 in action: build your own Incident Response Plan.
- Managing a Cyber Crisis: theory.
- Managing a Cyber Crisis: theory: practice. Tales from the real world.
- Simulation: Your first Cyber Crisis.
Intended Learning Outcomes (ILO)
KNOWLEDGE AND UNDERSTANDING
-
Interpret the main links between Corporate Governance, Enterprise Risk Management, IT Governance, IT Risk Management and Cyber Risk Governance.
-
Align Digitalization and Digital Transformation strategies to Cyber Risk Governance and strategy.
-
Engage Board Members and Executives according to their responsibilities on Cyber Risk Governance and Strategy.
-
Promote a culture of Cyber Risk within the organization.
-
Master the main frameworks and tools for Cyber Risk Governance.
-
Manage a Cyber Incident.
APPLYING KNOWLEDGE AND UNDERSTANDING
-
Design a Cyber Risk Governance process aligned with the organization’s Corporate Governance, Enterprise Risk Management IT Governance and IT Risk Management.
-
Derive, from the key frameworks and tools for Cyber Risk Governance, a specific approach to protect the organization.
-
Implement a Cyber Risk Governance and a Cyber Risk Strategy with an open, collaborative and tech-savvy approach.
-
Build a measurement system for Cyber Risk.
-
Build a Cyber Risk Roadmap with budget constraints.
-
Design, implement and test an Incident Response Plan.
Teaching methods
- Lectures
- Guest speaker's talks (in class or in distance)
- Collaborative Works / Assignments
- Interaction/Gamification
DETAILS
- Guest speaker's talks (in class or in distance). Students have the chance to interact with experienced managers and executives dealing with Cyber Risk in order to discuss the main issues and trends in the field
- Online Lectures. Asynchronous and synchronous Online Lectures to introduce concpets that will be applied throuh case studies, assignments and simulations.
- Case studies /Incidents. Discussions around relevant case studies build a common understanding of the topics introduced by the instructor.
- Group assignments. A final group assignment give students the opportunity to discuss among peers and collaborate in the development of a Cyber Risk Governance plan for a company.
- Interactive class activities (role playing, business game, simulation, online forum, instant polls).
Assessment methods
Continuous assessment | Partial exams | General exam | |
---|---|---|---|
|
x | x | |
|
x |
ATTENDING STUDENTS
With the purpose of measuring the Course expected learning outcomes, attending students will be evaluated according to their capability to translate the key concepts and tool into actions. The Course will be taught in a very pragmatic way, this is why Attending Students will be asked to work on the following practice-oriented outputs.
1. An individual assessment on the first part of the course, aimed at assessing the capability to align Digitalization and Digital Transformation strategies to the Cyber Risk Governance and strategy;
2. A group simulation at the end of the second part of the course, aimed at assessing the capability to properly apply the main frameworks and tools for Cyber Risk Governance in the shoes if a CISO in his firt 90 days in a Company.
3. A group simiulation at the end of part 3, aimed at applying the approaches and metholodogies to deal with a Cyber Crisis.
4. An individual essay assignment at the end of the third part of the course, aimed at measuring the ability to design and implement and Incident Response Plan.
NOT ATTENDING STUDENTS
The assessment for not attending students is based on an open essay question aimed at testing:
- The overall understanding of the key concepst and principles related to Cyber Risk Governance and Strategy;
- The capacity to critically read the Corporate and Digital Strategy of a Company and to desgin a consistent Cyber Risk Strategy;
- The ability to effectively apply the tools and methods for the onboarding of Executives and Board Members in Cyber Risk Governance.
Teaching materials
ATTENDING STUDENTS
Cases, readings, slides, and other material available through Bboard.
NOT ATTENDING STUDENTS
Parenty T.J., Domet J.J., A Leader's Guide to Cybersecurity: Why Boards Need to Lead--and How to Do It, Harvard Business School Publishing, 2019 (Full Book)