In a previous blog post we looked at how a security scorecard can be used to monitor your organisation’s compliance against a predefined set of controls, such as the Australian Cyber Security Centre’s (ACSC) recommended Essential Eight (E8). By selecting a security framework like E8 you’ve already made a risk management decision; you’ve acknowledged a set of risks against which you want to protect your enterprise. But don’t stop there. By routinely taking these measurements you can benchmark your security posture over time for continuous risk management and quality improvement purposes.
Managing third party cyber security risk, or “supply chain assurance”, is not a new topic; in fact we’ve discussed it before here. The concept of ensuring your suppliers will protect their IT systems and the data that you exchange with them is no longer unreasonable. As Forrester says in the key takeaways of their recent research, “Third-Party Risk Management Requires Continuous Insight” – the quote from this post’s title.
Information security managers and CISOs often report that all risks are bad and need mitigation strategies. When communicating these strategies to business leaders, they present risks that demonstrate a deep understanding of the technical challenges and adversaries the business faces. Yet, oftentimes they overlook the fact that the person best placed to understand and choose whether to accept or manage a risk is the organisation’s CEO or board.
Let’s explore why CEO and board empathy is one of the most important attributes a CISO or security manager can have when explaining and presenting a strategy to manage information security risks.
This post is one of a series looking at what we can learn from what is actually said by real people working on real problems in the cyber security industry (hence “cyber security quotes”). Below we consider the feedback, thoughts, opinions and views at the front line of cyber security – the things that are said by security operators and analysts who monitor and defend systems from attack and deal with incidents when they occur.
Aside from the relentless barrage of cyber security attacks, one of the key challenges for IT security professionals is getting the rest of the business on board with understanding that cyber security risks translate into business risks.
In the past when you spoke to organisations about the need to manage their cyber security risks, your recommendations used to be met with blank looks and “we’ve never had a problem”.
Now, cyber-crime is rightfully recognised as a significant risk to the success and value of every organisation.