What is Cyber: Who's on first?


What is Cyber?

First, it truly is confusing, and for no good reason.

Cyber is often seen as a black box of mystery that only a wizard can decode, yet it is often done wrong. Witness the angst of Directors and Executives, and of many others really.

Cybersecurity, or Cyber for short, historically known as Information Security (confused yet?), has a layer in each area of the business. However, Cyber is a business risk first, with technical aspects attached. If Cyber Risk is not part of your Business' Operating Model, then your company is doing it wrong. In fact, many are: one of many examples comes from the WEF, which reports that less than 17% of boards feel their Cyber Strategy is resilient! Both shocking and yet not surprising.


Most Executive Officers use the wrong metrics, and security-focused officers (CISO, CSO) often mistake the CEO and Directors for technical staff. Additionally, most implement a plethora of security tech, perpetuating both the tech expense (debt) and the human resources required to manage and maintain it, a truly self-fulfilling prophecy.


First, we must agree that nothing is 100% secure, at least if you want any sort of function out of it. For instance, we could insert military checkpoints on each city block as an effective security control. Does this sound like a great idea to anyone? Of course not, so let us establish a real-world baseline and base our metrics on it. Often, companies miss the foundational work, get lost in the black box of solutions, and become afraid of offloading tech solutions for many reasons, some of which are political (budget). We at Security Excellence have the financial acumen to implement value chain strategies along with the skillset to strategize with more technical leadership, a perfect harmony that bridges cyber and business to elevate both board and executive members. Therefore, our services include Board Membership, Board Advisory Committee, Executive Advisory, Fractional CISO and more. At a high level, the flow to establish a resilient cyber risk strategy is akin to:

  • Directors are calibrated and baselined on cyber risk and terminology

  • Directors agree to govern cyber risk

  • An executive (CISO) is hired for cyber risk accountability

  • Director(s) work with CISO to establish a risk appetite

  • Metrics and KPIs are established by the CISO with Director(s) approval

  • CISO presents to officers when risk nears tolerance threshold:

    • includes value chain strategies and multiple options

  • Executive team enabled to make cyber decisions based on risk:reward

  • Directors review the risk appetite and KPIs annually

