How to define cyber-risk appetite as a security leader


It’s a truth universally acknowledged that virtually every company with internet connectivity assumes some degree of cyber-risk — the only way to eliminate it entirely is to close up shop. Exactly how much risk an organization shoulders should depend on its risk appetite, according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO), a group that studies enterprise risk management. Clearly and accurately establishing a company’s cyber-risk appetite and communicating it in business terms throughout the organization are critical challenges for the CISO.

In this excerpt from Chapter 6 of The CISO Evolution: Business Knowledge for Cybersecurity Executives by authors Matthew K. Sharp and Kyriakos “Rock” Lambros, Lambros explains how to define an organization’s cyber-risk appetite, how to differentiate cyber-risk appetite from cyber-risk tolerance and how to communicate all of these points to the business. He also offers a detailed cyber-risk appetite statement example to illustrate his points.

COSO defines risk appetite as “The types and amount of risk, on a board level, an organization is willing to accept in pursuit of value.” Sounds simple…
