While CCRA and CTEM have distinct focuses, they are highly complementary and can be integrated into a comprehensive cybersecurity strategy: By combining these approaches, organizations can achieve a balanced and effective cybersecurity posture, ensuring both comprehensive risk management and efficient threat mitigation. https://lnkd.in/ejJdvSX3
The Risk Foundry | Continuous Cybersecurity Risk Assessments
IT Services and Consulting
The Risk Foundry offers cybersecurity assessments in an hour. Set your security program on track. Starting at $999.
About us
We’re the starting point for any security program. Get this right, and your program is on the right track. The Risk Foundry delivers cybersecurity risk assessments to our partners and customers in about an hour, starting at $999. We are founded on the principle that cybersecurity risk assessments can be automated with AI and machine learning, combined with our proprietary data model. The result is a risk assessment that surpasses human capabilities, based on just an hour’s worth of input. Our scanning tools and API-driven backend provide our partners not just with the risk assessment but also with a complete view—better than what most attack surface management tools offer and perfectly aligned with risk. We do sell directly via OneHourRiskAssessment.com, but that service only delivers the report and monitoring capabilities, not the full dataset integrated into any partner's security stack. Find out why MSPs, MSSPs, IT Resellers, and cybersecurity vendors have chosen to start building with the Risk Foundry.
- Website: https://theriskfoundry.com/
- Industry: IT Services and Consulting
- Company size: 2-10 employees
- Headquarters: Washington DC
- Type: Privately held
- Founded: 2024
- Specialties: Cybersecurity, Cybersecurity risk assessments, Continuous Cybersecurity Risk Assessments, and Continuous Threat Exposure Management (CTEM)
Updates
-
The Risk Foundry | Continuous Cybersecurity Risk Assessments reposted this
I have a hard time with the squishiness of cyber risk management generally, for example the concepts of "risk appetite" and "risk tolerance". So, let's land that plane into practical application (feel free to steal this example):

"Our organization is committed to maintaining operational continuity and protecting customer data while embracing innovation. We are willing to accept moderate levels of cyber risk to support strategic growth initiatives, provided those risks do not jeopardize regulatory compliance, critical infrastructure, or stakeholder trust."

Data Breaches
- Appetite: Zero tolerance for breaches involving personally identifiable information (PII) or customer financial data.
- Tolerance: Up to 3 minor incidents annually involving non-sensitive internal data, provided they are contained within 48 hours and do not escalate to legal or reputational impact.

Phishing Attacks
- Appetite: Acknowledges phishing as a likely and manageable threat, provided impacts are minimal and well-controlled.
- Tolerance: Up to 2% of employees clicking on phishing links during quarterly phishing tests, provided response times remain under 24 hours.

System Downtime
- Appetite: Accepts moderate downtime for non-critical systems to enable upgrades or innovation.
- Tolerance: 99.9% uptime for critical systems; non-critical systems may experience up to 8 hours of downtime per quarter, if planned and communicated.

#CyberRisk #RiskAppetite #Cybersecurity #Leadership
-
The Risk Foundry | Continuous Cybersecurity Risk Assessments reposted this
A tool is not going to fix a broken cyber risk management program. These are a few maladies I see secretly plaguing cyber risk programs:

1) No clear definition of what a risk actually is.
2) No clear mechanism to separately track risks, issues, and exceptions.
3) CISO or accountable security leader not in an approval chain for risk treatment plans or exceptions approvals.
4) Way too many people can add a "risk" to the risk register.
5) No easy and accessible way to communicate the cyber risk landscape to other execs or the board.
6) Likelihood and/or impact of a risk is poorly calibrated, causing folks to discredit that risk's severity and not take the risk register seriously.
7) Risk severity ratings are either too qualitative (too undefined) or too quantitative (too specific), making them either unusable or unbelievable.

#CyberRiskLeadership #BoardroomCybersecurity #StrategicRiskManagement #DigitalResilience #ExecutiveRiskOversight
-
The Risk Foundry | Continuous Cybersecurity Risk Assessments reposted this
Cybersecurity Gaps in New Zealand and Australia: A Wake-Up Call for Organisations

A recent report has exposed critical cybersecurity gaps in organisations across New Zealand and Australia, particularly within the insurance sector. The findings are clear: many organisations are underinvesting in cybersecurity, leaving themselves vulnerable to increasingly sophisticated threats. Key areas of concern include:

- Inadequate Cybersecurity #Investment
- Deficient #Incident Response Planning
- Regulatory #Compliance Challenges
- Limited Risk #Awareness Among Leadership
- Shortage of Cybersecurity #Talent

It’s time for organisations to take decisive action. Investing in robust cybersecurity measures, improving incident response capabilities, and ensuring regulatory compliance are no longer optional—they’re essential. Leadership must step up, understand the risks, and prioritise cybersecurity as a critical component of business strategy.

#Cybersecurity #RiskManagement #Leadership #Australia #NewZealand #Insurance #Compliance #TechTalent
-
The Risk Foundry | Continuous Cybersecurity Risk Assessments reposted this
The Governance Institute of Australia has just published a fantastic guide to effective #cyber #riskmanagement. If you are a director, in the C-suite or a #riskmanager, I encourage you to have a look. This guide has been thoughtfully developed to assist beginners, intermediate and advanced readers better understand #cyberrisk and how to navigate the highly complex environment that is the world of #cybersecurity from a #risk, #legal and #regulatory perspective. The guide considers things such as:

- The role of #governance, the #board and board committees.
- Accountability and responsibility.
- Cyber risk management frameworks and strategies.
- The role of #culture
- The role of #cyberinsurance
- The regulatory landscape as at August 2024
- Notable standards and certifications, both national and international.
- Useful resources to assist on your #cyberesilence journey.

You can download the file directly from the Governance Institute of Australia website at https://lnkd.in/g4U65_n9 or it's available below. Well done Megan Motto and the GIA team. Very proud to be a Fellow of the Governance Institute!
-
The Risk Foundry | Continuous Cybersecurity Risk Assessments reposted this
File this one under "not fooling anybody".

When DoD asks for cyber self-assessments: perfect scores
When DoD assessors show up to verify: scores plummet by 100+ points

Meanwhile, barely half of defense contractors have performed internal assessments against NIST SP 800-171, CMMC, or DFARS in the last 12 months. The further you zoom out the more reports there are with the same findings.

I sometimes hear people say "well if CMMC is so important why aren't we hearing anything about it?" CMMC rulemaking is in the final stages of red tape, poised for showtime in Q1 2025. What more is there to say?
-
The Risk Foundry | Continuous Cybersecurity Risk Assessments reposted this
Wow.... DOJ is now going after companies who do not meet cybersecurity standards required by their contracts with False Claims Act charges. This is going to have many implications to both procurement efforts and SOWs/PWSs within agencies, and also to small businesses engaged in government contracts. That means following NIST standards, the FAR and DFAR, and many other things. It also means third and fourth party contracts aren't above scrutiny. "The shift highlights the growing importance of robust cybersecurity practices for organizations, especially those engaged in federal contracts. The implications for whistleblowers and prosecutors from the U.S. Department of Justice (DOJ) are significant, with recent cases underscoring this trend." https://lnkd.in/eH9Tm7QU
-
The Risk Foundry | Continuous Cybersecurity Risk Assessments reposted this
The Lion, the Witch, and the Framework. #tech #infosec #cybersecurity #NIST
-
The Risk Foundry | Continuous Cybersecurity Risk Assessments reposted this