I am in the process of writing a new book. It is intended as guidance for senior management and board members on decision-making when it comes to cyber risk.
I see a gap in their understanding of the level of business risk, and that creates problems when it comes to deciding how much of their organization’s scarce resources (people and money) should be invested in preventing or minimizing the effects of a data breach.
I believe they tend to respond to risk assessments by the CISO or others in the management team that label the level of risk as “high”, but do not describe the potential effects on the business and its success, nor the likelihoods of such major impacts.
They also respond to media headlines and the advice of consultants who may not fully understand the business and are not really objective.
Money, as we know, does not grow on trees.
Every penny spent on cyber risk is a penny that is not spent addressing other sources of business risk and opportunity, such as supply chain risk, competitor risk, new or upgraded technologies, marketing programs, customer service, and so on.
As I was doing my research, I reviewed a 2021 study by PCH Technologies, Cost of Cyber Attacks vs. Cost of Cyber Security in 2021. They reported that these four breaches were among the most severe in 2020 and 2021.
I added a…
