Your cyber risk problem isn’t tech — it’s architecture


However, the development of a risk culture — including appetite, tolerance and profile — within the scope of the management program is essential to provide real visibility into ongoing risks, how they are being perceived and mitigated, and to leverage the organization’s ability to improve its security posture. Consequently, the company begins to deliver reliable products to customers, secure its reputation and build a secure image to achieve a competitive advantage and brand recognition.

If the company already has a mature risk culture

The implementation of a cybersecurity management project becomes more flexible. Since my goal is to share the mechanics to achieve success in a cybersecurity program, I emphasize below some components of this ‘recipe’ to consider:

  1. Understand the dynamics and scope of the business, mapping stakeholders, processes and critical systems of the organization, categorizing applications and classifying data to determine the appropriate set of controls (guardrails).
  2. Understand the choice and application of a framework such as NIST CSF 2.0, linked with ISO 27001, COBIT, CMM, NIST 800-53, SABSA, TOGAF, MITRE ATT&CK, OWASP, among…
