Treat Cyber as a Business Risk


I continue to be frustrated by articles and so-called expert advice on how organizations should address the risk of a cyber breach.

It’s just one of the reasons I wrote Making Business Sense of Technology Risk. The book not only explains how problems related to the use of technology should be considered when making strategic and tactical business decisions, but uncovers fatal flaws in the cyber standards and frameworks.

It’s one thing to say that “cyber is a business risk like any other” (quoting a new article by a partner with Schillings) and another to actually treat it that way.

If you want to treat cyber as just another business risk, then it needs to be assessed and evaluated in a way that lets you compare it with, and aggregate its effect with, other sources of business risk.

The author of that article gets several things right:

  • What businesses need is a new type of CISO. A CISO who can get involved in digital transformation, but who also has executive management skills and understands that security is an enabler.
  • Cyber security is about more than just building and maintaining threat-resistant systems. It is both a strategic and a risk management issue.
  • A CISO today needs to understand business impact and resiliency and have the ability to present clearly and in non-technical language (without acronyms), to…
