Common sense on cybersecurity | Norman Marks on Governance, Risk Management, and Audit


Today’s post contrasts two recent pieces.

PwC shared some very traditional thinking in Overseeing cyber risk: the board’s role.

It speaks volumes that their web page linking to the report has this:

Questions for directors and management about embedding cyber risk

  • Does the company employ multi-factor authentication on all accounts (including VPN access) to control access?
  • Who has responsibility for the company’s third-party risk management program?
  • Does the company engage in robust patching and vulnerability management?

These are hardly the first questions that should be asked!!

I prefer:

  • Where’s the risk to the business?
  • Is it acceptable?
  • What should we be doing about it?

While they say that we should “ensure cyber risk is embedded in strategic decisions – and the company’s culture”, they don’t explain how that should occur. How do you see the big picture, all the risks (including and not limited to cyber) and opportunities, to make an informed and intelligent decision?

They don’t even ask that management perform and then maintain a business impact analysis so they can start to answer my three questions.

Let’s toss that to one side, agree not to hire them, and consider the other piece.

Brian Barnier is one of the smartest people I know and a good friend[1]. Recently, he has been…
