Why do the consultants keep advising management and boards to consider cyber risk as if it were separate from all other business risks? Managing any single source of risk in a silo is almost certain to lead you to make incorrect, uninformed decisions.
Cyber is only one of many sources of risk that can affect the achievement of an enterprise objective, initiative, program, or project.
As I keep saying, it is not about managing risk – it’s about managing the organization and its success.
McKinsey published an article in November, "Cyber risk measurement and the holistic cybersecurity approach." It's an interesting piece, reflecting responses by some board members to a recent piece of theirs. For example, they quote people as saying:
- “So far, we have not taken a big hit, but I can’t help feeling that we have been lucky. We really need to ramp up our defenses.”
- “Digital resilience is one of our top priorities. But we haven’t agreed on what to do to achieve it.”
They also say, correctly:
- Companies are rolling out a wide range of activities to counter cyber risk. They are investing in capability building, new roles, external advisers, and control systems. What they lack, however, is an effective, integrated approach to cyber risk management and reporting.
- Boards and committees are swamped with…