NIST Cybersecurity Framework = What to do

Cyber Risk Management Action Plan (CR-MAP) = How to do it

Cybersecurity operations/administration

Governance, Risk & Compliance (GRC)

$47 million - Lost due to disrupted operations and fines from accumulated shipping containers

$18 million - Investigation, recovery, and shipping-related claims

Total: $65 million (unbudgeted, no cyber insurance coverage)

Expeditors exposed systems through inattentiveness and negligence

Lacked proper business continuity plans

Breached contractual obligations for 24-hour shipping and 4-hour system updates

$900,000 in retailer refunds

$23,000 in expedited shipping

$1.1 million in new logistics provider transition costs

$1 million in additional storage and back charges

Physical counting and transportation of 12,000 pallets on 207 rented trailers

iRobot argued Expeditors' own 10-K filing identified cyberattack as a foreseeable risk

Failure to implement risk mitigation despite known risks

Demonstrates the business reality: Cyber resilience is fundamentally a business problem requiring both technical AND business acumen

Charges of unfair or deceptive acts, leading to severe consequences such as corrective orders

Extensive oversight of cybersecurity programs for up to two decades

Fines of up to $40,000 per violation.

Provides the "what" - outcomes to achieve

Framework Functions: Identify, Protect, Detect, Respond, Recover, Govern

Flexible, risk-based approach

Version 2.0 current standard

Provides the "how" - practical implementation method

Translates CSF outcomes into actionable steps

Quantifies progress using 0-10 scale

Contextualizes for specific organizations

Each CR-MAP question maps to specific CSF outcomes

Organizations rate themselves 0-10 on each question

Lower scores indicate less maturity

Higher scores indicate greater implementation

Organizations establish target scores aligned with:

Target scores drive goal setting and roadmap prioritization

Progress measured by improvement from current to target state

Provides clear, measurable objectives

Enables progress tracking over time

Supports resource allocation decisions

Facilitates communication with stakeholders

Creates accountability for improvement

Industry sector and regulations

Size and complexity

Risk tolerance

Threat landscape

Available resources

Current state assessment

Target state definition

Gap analysis

Prioritization approach

Phase One: 30 days - Discover Top Cyber Risks

Phase Two: 30 days - Create Action Plan

Phase Three: 10 months - Maintenance and Updates

The 13th Month: Repeat the cycle

Establish a robust cyber resilience program within your organization

Reduce cyber risk footprint

Significantly enhance cyber resilience

Positively impacting your bottom line

Saving substantial time

Goal: Develop a rigorous prioritization method to determine your company's most critical risks

Top 5 Cyber Risks Report showing:

Visual charts (radar/spider charts, bar graphs, pie charts)

Custom questionnaire for the target organization

Industry sector and competitive landscape

Regulatory environment

Business model and operations

Technology infrastructure

Previous security incidents or audits

Organizational culture and structure

What business are they in?

What are their critical assets?

Who are their key stakeholders?

What regulations apply to them?

What is their risk appetite?

Duration: 30 days

Goals:

Industry sector

Size and complexity

Risk tolerance

Resource availability

Compliance requirements

Small organizations: Simpler processes, fewer resources

Medium organizations: Growing complexity, scaling challenges

Large organizations: Complex environments, more stakeholders

Healthcare: HIPAA compliance, patient data protection

Financial: PCI-DSS, SOX, financial regulations

Retail: PCI-DSS, customer data, e-commerce

Manufacturing: OT/IT convergence, supply chain risks

Starting fresh: More foundational work needed

Some practices in place: Build on existing foundation

Mature programs: Focus on optimization and gaps

Risk-averse vs. risk-tolerant

Hierarchical vs. flat structure

Technical sophistication level

Change readiness

Specific mitigations mapped to each risk

Custom mitigations based on questionnaire and interview data

Standard Operating Procedures (SOPs) for each control

Cost estimates for implementation

Resource allocation considerations

Phase One: 30 days for discovery

Phase Two: 30 days for action plan

Phase Three: 10 months for maintenance

Key decision points and reviews

Personnel (internal and external)

Tools and technology

Budget allocation

Time commitments from stakeholders

Identification of key stakeholders

Interview schedules

Communication cadence

Approval processes

Templates to prepare

Data collection tools

Reporting formats

Presentation materials

Time - Implementation schedules and availability

Money - Budget allocations and cost justifications

Skilled Personnel - Availability of internal expertise

Verify each top risk is covered by mitigation roadmap

Rate each mitigation using the Business Value Model

Create custom mitigations based on organizational context

Develop SOPs for mitigations and controls

Generate cost estimates

Create implementation roadmap with Gantt charts

Assign mitigations to specific organizational units

Group mitigations by owner type

Driving forces - Factors supporting change

Restraining forces - Factors resisting change

Strategies to strengthen drivers and weaken restraints

Level of interest in cybersecurity initiatives

Level of influence over outcomes

Appropriate engagement strategies for each group

Provide cost estimates broken down by phase

Show ROI through risk reduction

Compare to cost of potential incidents

Demonstrate business value dimensions

Clear timeline with milestones

Resource requirements at each phase

Dependencies and critical path

Quick wins vs. long-term efforts

Current threat landscape

Regulatory requirements

Competitive pressures

Cost of inaction (use Expeditors case study)

Clear KPIs and metrics

Progress against target scores

Risk reduction quantification

Business impact measures

"Firewall is like a security guard checking IDs"

"Encryption is like a secret code only you can read"

"Backups are like insurance for your data"

Instead of: "We need to patch vulnerabilities"

Say: "We need to fix security gaps that could let attackers in"

Instead of: "We have a critical zero-day"

Say: "We have a high-priority security issue that could cost us $X if exploited"

Use case studies (like Expeditors)

Industry examples

"What if" scenarios specific to the organization

Charts showing risk levels

Roadmap timelines

Before/after comparisons

Heat maps of risk areas

Communication plans to achieve buy-in

Addressing management questions adequately

Translating complex technical topics into layman's terms

Demonstrating business impact of cyber incidents

Track implementation progress

Demonstrate value delivery

Justify continued investment

Support continuous improvement

10 months

When combined with phase one and phase two of the CR-MAP process, it completes the first-year cycle of the three-phase plan

Maintain and continuously improve with monthly check-ins and comprehensive quarterly reviews to monitor progress

Bolster cyber resilience with a comprehensive approach, and by committing to ongoing vigilance

Opportunity to investigate and correct gaps or challenges to regain momentum

Acknowledge and celebrate achievements in managing cyber risks

Monthly check-ins - Quick progress reviews

Quarterly comprehensive reviews - Detailed assessment and adjustment

Adversaries continually innovate

New attack vectors emerge constantly

Previous defenses become obsolete

Organizations undergo significant changes

New systems and processes are introduced

Business priorities shift

Interview process reminds employees of cyber hygiene importance

Keeps reasonable cybersecurity practices top-of-mind

Maintains organizational awareness and engagement

Ongoing adaptation to evolving threats

Alignment with changing business dynamics

Sustained competitive advantage

Continual enhancement of cyber risk management capabilities

🔝 What are the top five cyber risks to my organization? 


💰Am I getting the biggest return possible for my cyber risk management dollars?

👔 Do all our organization’s executives and leaders understand our cybersecurity plans?

⚠ Does everyone at work know how they can help to mitigate our top cyber risks? 


🗣 What do I tell our biggest customers or stakeholders when they ask, “What are you all doing about cybersecurity?”

"Culture eats strategy for breakfast" - Peter Drucker

Embeds cybersecurity into organizational DNA

Provides evidence of reasonable security practices

Protects against negligence claims

Supports defense in legal proceedings

Systematic and documentable

Meets regulatory requirements

Provides consistency across cycles

Maximizes four types of business value

Ensures efficient allocation of budget

Focuses effort where it matters most

Right-sized for organizational capacity

Achievable and measurable

Clear implementation plan

Executives understand cybersecurity plans

Technical teams know their role

All employees understand how they contribute

Stakeholders receive confident answers

Demonstrates security maturity to customers

Supports business development

Protects reputation and brand value

Regular training programs

Phishing simulations

Security reminders and communications

Every employee understands their role

Security is not just IT's problem

Active participation expected at all levels

Celebrate security wins

Recognize good security behavior

Make compliance easier than non-compliance

Executive buy-in and visibility

Resources allocated appropriately

Security integrated into business decisions

Stay current with evolving threats

Share lessons learned from incidents

Adapt practices based on feedback

Employee participation in training

Reporting rates for suspicious activity

Reduction in successful phishing attempts

Speed of incident reporting

Communications between client and attorney are protected

Covered under Federal Rules of Evidence and common law

May extend to work product of cyber resilience practitioners working under attorney direction

Without privilege: Risk prioritization decisions may be used against you

With privilege: Records may be protected from discovery

Attorney can help navigate disclosure requests

In-house counsel (if available)

Outside attorney with cybersecurity expertise

Document attorney-client relationship

Ensure proper contractual arrangements

Define scope of privileged work

Cyber resilience practitioner follows attorney's instructions

Proper handling and protection of cyber risk information

Documentation created under attorney supervision

Legal fees for attorney involvement

Additional administrative overhead

More complex documentation requirements

Legal review processes

More formal approval procedures

Additional coordination requirements

Concept may vary by country

Some limited exceptions exist

May not apply in all circumstances

Consult licensed attorney for specifics

First phase: focuses on discovering and assessing the top cyber risks faced by the organization

Second phase: involves creating a personalized cyber risk management action plan that addresses the top five risks identified in phase one

Third phase: emphasizes the importance of maintaining, updating, and continuously improving the organization’s cybersecurity posture and risk management strategy

The 13th month 🗓 concept was introduced to emphasize the need for an ongoing and iterative approach to cyber risk management

Repeat the CR-MAP process annually

This repetition ensures continual improvement and adaptation to evolving cyber threats and the alignment of cyber risk management efforts with changing business dynamics.

In summary, the CR-MAP process provides organizations with a structured and comprehensive framework to strengthen their cyber resilience.

By systematically identifying and managing cyber risks, organizations can proactively mitigate potential incidents, safeguard valuable assets, and sustain a competitive advantage in the modern digital landscape.

However, it is vital to emphasize the significance of perpetual vigilance, continuous improvement, and the ingrained integration of cybersecurity practices into the organization’s culture to effectively achieve these objectives.