Risk Management & Reporting

Compliance and Risk – The Two-Step Dance Partners of Information Security

In a previous blog post we looked at how a security scorecard can be used to monitor your organisation’s compliance against a predefined set of controls, such as the Australian Cyber Security Centre’s (ACSC) recommended Essential Eight (E8). By selecting a security framework like E8 you’ve already made a risk management decision; you’ve acknowledged a set of risks against which you want to protect your enterprise. But don’t stop there. By routinely taking these measurements you can benchmark your security posture over time for continuous risk management and quality improvement purposes.

Cyber Crime: Know your Exposure

After all the coverage that cyber crime gets, there is often still much uncertainty in the minds of business stakeholders about what the risk is, what their exposure to it could be, and what the impact looks like if they are affected.

Cyber Security Quotes: “Third-Party Risk Management Requires Continuous Insight”

Managing third party cyber security risk, or “supply chain assurance”, is not a new topic; in fact we’ve discussed it before here. The concept of ensuring your suppliers will protect their IT systems and the data that you exchange with them is no longer unreasonable. As Forrester says in the key takeaways of their recent research, “Third-Party Risk Management Requires Continuous Insight” – the quote in this post’s title.

Information Security Risk Management – Achieving better outcomes

Information security managers and CISOs often report that all risks are bad and need mitigation strategies. When communicating these strategies to business leaders, they present risks that demonstrate a deep understanding of the technical challenges and adversaries the business faces. Yet, oftentimes they overlook the fact that the person best placed to understand and choose whether to accept or manage a risk is the organisation’s CEO or board.

Let’s explore why CEO and board empathy is one of the most important attributes a CISO or security manager can have when explaining and presenting a strategy to manage information security risks.

Cyber Security Quotes: Messages from the front-line of cyber security, data protection and risk management

This post is one of a series looking at what we can learn from what is actually said by real people working on real problems in the cyber security industry (hence “cyber security quotes”). Below we consider the feedback, thoughts, opinions and views at the front line of cyber security – the things that are said by security operators and analysts who monitor and defend systems from attack and deal with incidents when they occur.

How well can organisations really manage cyber security risks?

In the past when you spoke to organisations about the need to manage their cyber security risks, your recommendations used to be met with blank looks and “we’ve never had a problem”.

Now, cyber-crime is rightfully recognised as a significant risk to the success and value of every organisation.
