20654 - STRATEGY AND GOVERNANCE FOR CYBER RISK
Course taught in English
Go to class group/s: 25
Cybersecurity is emerging as one of the most impacting area of technology and operational risk for modern organizations. Although executives and managers can count on various frameworks and collections of best practices for setting cyber risk governance, a "one-size-fits-all" approach is not recommended. To effectively govern cyber risk, each organization needs to design and execute a cyber strategy connected to current and perspective business models, priorities, constraints and business relationships. The mission of this course is to provide students with the capability to design a framework for cyber risk governance and strategy aligned with the overall digital transformation strategy of an organization, in order to properly prioritize the activities and maximize the returns of cyber risk investments.
Part 1| Understanding the context for cyber risk governance and strategy.
- Cyber Risk Governance (CRG) as a new field.
- CRG, Corporate Governance, Enterprise Risk Management, IT Risk Management, IT Governance.
- Building Organizational Cybersecurity Risk Awareness and Capability.
- 10 Key Cybersecurity Practices for Company Leaders.
- Business Strategy in the era of Digital Transformation: how to derive business drivers for Cyber Risk Governance and Strategy.
- Identifying the crown jewels in transforming organizations: the Real Madrid Case Study.
- Identifying the crown jewels in transforming organizations: the GE Case Study.
- Linking Business Strategy to Cyber Risk Strategy.
- Introduction to Corporate Governance and Board Responsibilities.
- Cyber Risk Governance: Board Responsibilities.
- Simulation: Build a Cybersecurity Toolkit for Your Board
Part 2 | Cyber risk governance processes, frameworks and tools.
- Cyber Risk Governance: from Board Responsibilities to other Leadership Structures, Processes, and Mechanisms.
- Cyber Insurance as a risk management option.
- Removing vulnerabilities through people and culture.
- CISO Metrics & Reporting.
- Cyber Risk Governance Indicators: KPI and KRI.
- Simulation: Your first 90 days as CISO
Part 3 | Cyber risk strategy in action.
In Part 3 students will have the chance to directly interact with the global community of CISOs and discuss with them the current trends
related to cyber risk governance and strategy:
- Current challenges in Cybersecurity.
- Cybersecurity organization: structures, competences and skills.
- Governance, metrics and Board relationship.
- Threat intelligence and Security operations.
- The weakest link: the human challenge and insider threats.
- Third parties, vendor management and the Cloud.
Interpret the main links between Corporate Governance, Enterprise Risk Management, IT Governance, IT Risk Management and Cyber Risk Governance.
Align Digitalization and Digital Transformation strategies to Cyber Risk Governance and strategy.
Engage Board Members and Executives according to their responsibilities on Cyber Risk Governance and Strategy.
Promote a culture of Cyber Risk within the organization.
Master the main frameworks and tools for Cyber Risk Governance.
Design a Cyber Risk Governance process aligned with the organization’s Corporate Governance, Enterprise Risk Management IT Governance and IT Risk Management.
Derive, from the key frameworks and tools for Cyber Risk Governance, a specific approach to protect the organization.
Implement a Cyber Risk Governance and a Cyber Risk Strategy with an open, collaborative and tech-savvy approach.
Build a measurement system for Cyber Risk.
Build a Cyber Risk Roadmap with budget constraints.
Interact with experienced CISOs about the emerging trends and issues of Cyber Risk.
- Face-to-face lectures
- Online lectures
- Guest speaker's talks (in class or in distance)
- Case studies /Incidents (traditional, online)
- Group assignments
- Interactive class activities (role playing, business game, simulation, online forum, instant polls)
- Guest speaker's talks (in class or in distance). Students have the chance to interact with experienced managers and executives dealing with Cyber Risk in order to discuss the main issues and trends in the field
- Online Lectures. Asynchronous and synchronous Online Lectures to introduce concpets that will be applied throuh case studies, assignments and simulations.
- Case studies /Incidents (traditional, online). Discussions around relevant case studies build a common understanding of the topics introduced by the instructor.
- Group assignments. A final group assignment give students the opportunity to discuss among peers and collaborate in the development of a Cyber Risk Governance plan for a company.
- Interactive class activities (role playing, business game, simulation, online forum, instant polls). The IT Risk Simulation challenge students (divided into groups) in detecting the causes that have that led to major IT disasters in real cases.
|Continuous assessment||Partial exams||General exam|
With the purpose of measuring the Course expected learning outcomes, attending students will be evaluated according to their capability to translate the key concepts and tool into actions. The Course will be taught in a very pragmatic way, this is why Attending Students will be asked to work on the following practice-oriented outputs.
1. A group assignment on the first part of the course, aimed at
- assessing the capability to align Digitalization and Digital Transformation strategies to the Cyber Risk Governance and strategy;
- testing the ability to engage Board Members and Executives according to their responsibilities on Cyber Risk Governance and Strategy.
2. A group simulation at the end of the second part of the course, aimed at assessing the capability to properly apply the main frameworks and tools for Cyber Risk Governance in the shoes if a CISO in his firt 90 days in a Company.
3. An individual essay assignment at the end of the third part of the course, aimed at measuring the ability to interact with executive and managers about the emerging trends and issues of Cyber Risk in order to build an open and collaborative approach to the course’s topics.
The assessment for not attending students is based on an open essay question aimed at testing:
- The overall understanding of the key concepst and principles related to Cyber Risk Governance and Strategy;
- The capacity to critically read the Corporate and Digital Strategy of a Company and to desgin a consistent Cyber Risk Strategy;
- The ability to effectively apply the tools and methods for the onboarding of Executives and Board Members in Cyber Risk Governance.
Parenty T.J., Domet J.J., A Leader's Guide to Cybersecurity: Why Boards Need to Lead--and How to Do It, Harvard Business School Publishing, 2019 (only selected chapters).
- Cases, readings, slides, and other material available through Bboard.
- Parenty T.J., Domet J.J., A Leader's Guide to Cybersecurity: Why Boards Need to Lead--and How to Do It, Harvard Business School Publishing, 2019 (Full Book)