One of the challenges when it comes to so-called “cybersecurity risk” is in accepting and then applying the idea that cyber is not an “IT risk”. No. It’s a business risk.
That is easy to say, and it makes all the sense in the world.
However, people tend to apply it only when talking about the fact that the whole organization, the entire business, has to be involved in preventing and then responding to a breach.
The truth is that cybersecurity MUST be seen within the context of the whole business, not in a silo.
What is the potential effect of a breach on the achievement of the enterprise’s objectives?
If we are to assess cyber-related business risk, we have to have the answer to that question.
That requires the involvement in the assessment process of both business and technical personnel.
An assessment of cyber-related risk performed by technical personnel alone is highly unlikely to arrive at the right answer.
Yet, the most widely accepted cyber risk standards are written by information security personnel, for (in my opinion) other information security practitioners.
If internal auditors want to assess the management of cybersecurity risk, they should take a more holistic approach, starting with the answer to that question: “What is the potential effect of a breach on the achievement of the…