It is widely acknowledged that all businesses can be victims of cyber crime, suffer data loss, get hit by ransomware or fall victim to some other form of cyber attack – the “when, not if” maxim in cyber security circles. However, for SMEs, facing up to this fact is difficult.
For people who have been working in security for some time there has been an evolution in communicating cyber crime risks to the board; this has gone through several phases, from initial disinterest, through necessary but begrudging acceptance, to a point where measurement of the state of key risk indicators is now actively sought.
It is getting almost stale to be warning about the need to assure security throughout the supply chain. Most businesses have had third party assurance programmes in place for many years and are well versed in the challenges and struggles of the fight against cyber crime.
It has been said that “If you can’t measure it, you can’t manage it” (Peter Drucker).
That may not apply universally (most rules have exceptions), but it is an interesting way to look at cyber crime, or more accurately at the ability to withstand and/or recover from a cyber crime attack.
In a previous blog post we looked at how a security scorecard can be used to monitor your organisation’s compliance against a predefined set of controls, such as the Australian Cyber Security Centre’s (ACSC) recommended Essential Eight (E8). By selecting a security framework like E8 you’ve already made a risk management decision; you’ve acknowledged a set of risks against which you want to protect your enterprise. But don’t stop there. By taking these measurements routinely you can benchmark your security posture over time for continuous risk management and quality improvement purposes.
Managing third party cyber security risk, or “supply chain assurance”, is not a new topic; in fact we’ve discussed it before here. The concept of ensuring your suppliers will protect their IT systems and the data that you exchange with them is no longer unreasonable. As Forrester says in the key takeaways of its recent research “Third-Party Risk Management Requires Continuous Insight”, the quote in this post’s title.
Information security managers and CISOs often report that all risks are bad and need mitigation strategies. When communicating these strategies to business leaders, they present risks that demonstrate a deep understanding of the technical challenges and adversaries the business faces. Yet, oftentimes they overlook the fact that the person best placed to understand and choose whether to accept or manage a risk is the organisation’s CEO or board.
Let’s explore why CEO and board empathy is one of the most important attributes a CISO or security manager can have when explaining and presenting a strategy to manage information security risks.
This post is one of a series looking at what we can learn from what is actually said by real people working on real problems in the cyber security industry (hence “cyber security quotes”). Below we consider the feedback, thoughts, opinions and views at the front line of cyber security – the things that are said by security operators and analysts who monitor and defend systems from attack and deal with incidents when they occur.
Aside from the relentless barrage of cyber security attacks, one of the key challenges for IT security professionals is getting the rest of the business on board with understanding that cyber security risks translate into business risks.