The Risk Foundry | Continuous Cybersecurity Risk Assessments reposted
I have a hard time with the squishiness of cyber risk management generally, for example the concepts of "risk appetite" and "risk tolerance". So, let's land that plane into practical application (feel free to steal this example):

"Our organization is committed to maintaining operational continuity and protecting customer data while embracing innovation. We are willing to accept moderate levels of cyber risk to support strategic growth initiatives, provided those risks do not jeopardize regulatory compliance, critical infrastructure, or stakeholder trust."

Data Breaches
Appetite: Zero tolerance for breaches involving personally identifiable information (PII) or customer financial data.
Tolerance: Up to 3 minor incidents annually involving non-sensitive internal data, provided they are contained within 48 hours and do not escalate to legal or reputational impact.

Phishing Attacks
Appetite: Acknowledges phishing as a likely and manageable threat, provided impacts are minimal and well-controlled.
Tolerance: Up to 2% of employees clicking on phishing links during quarterly phishing tests, provided response times remain under 24 hours.

System Downtime
Appetite: Accepts moderate downtime for non-critical systems to enable upgrades or innovation.
Tolerance: 99.9% uptime for critical systems; non-critical systems may experience up to 8 hours of downtime per quarter, if planned and communicated.

#CyberRisk #RiskAppetite #Cybersecurity #Leadership
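As an added illustration (not part of the original post), the three tolerance statements above encoded as checkable thresholds in Python, so each metric can be measured against the stated tolerance rather than argued about. The quarter length, the per-system reading of the 8-hour cap and the sample inputs are my assumptions.

```python
from dataclasses import dataclass
from datetime import timedelta

# Thresholds taken from the tolerance statements in the post.
MINOR_INCIDENT_CAP_PER_YEAR = 3
CONTAINMENT_CAP = timedelta(hours=48)
PHISHING_CLICK_CAP = 0.02                 # 2% of employees tested
PHISHING_RESPONSE_CAP = timedelta(hours=24)
CRITICAL_UPTIME_TARGET = 0.999            # "three nines" per quarter
NONCRITICAL_DOWNTIME_CAP_HOURS = 8.0      # read here as per non-critical system (assumption)
QUARTER_HOURS = 91 * 24                   # assumed quarter length for the uptime ratio


@dataclass
class Incident:
    data_class: str         # "pii", "financial" or "internal"
    contained_in: timedelta
    escalated: bool         # reached legal or reputational impact


def breaches_within_tolerance(incidents):
    """Zero tolerance for PII/financial data; at most 3 internal incidents a year,
    each contained within 48 hours and none escalated."""
    if any(i.data_class in ("pii", "financial") for i in incidents):
        return False
    minor = [i for i in incidents if i.data_class == "internal"]
    if len(minor) > MINOR_INCIDENT_CAP_PER_YEAR:
        return False
    return all(i.contained_in <= CONTAINMENT_CAP and not i.escalated for i in minor)


def phishing_within_tolerance(employees_tested, clicked, slowest_response):
    """Click rate from a quarterly test at or under 2%, and the slowest
    response to a reported click handled within 24 hours."""
    if employees_tested == 0:
        return False   # no test data is not evidence of being within tolerance
    click_rate = clicked / employees_tested
    return click_rate <= PHISHING_CLICK_CAP and slowest_response <= PHISHING_RESPONSE_CAP


def downtime_within_tolerance(critical_down_hours, noncritical_outages):
    """critical_down_hours: total critical-system downtime in the quarter.
    noncritical_outages: list of (hours, planned_and_communicated) for one system."""
    uptime = 1.0 - critical_down_hours / QUARTER_HOURS
    if uptime < CRITICAL_UPTIME_TARGET:
        return False
    if any(not planned for _, planned in noncritical_outages):
        return False   # unplanned outages fall outside the stated appetite
    return sum(hours for hours, _ in noncritical_outages) <= NONCRITICAL_DOWNTIME_CAP_HOURS
```

Feeding these functions from the incident tracker, the phishing-test platform and the monitoring system turns "are we within appetite?" into a quarterly yes/no per statement.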
However much risk appetite is company specific, for senior management it generally hinges on three distinct criteria, and irrespective of the ERM domain: 1) ROI: as in "risk of incarceration" 2) FAB: forfeiting your annual bonus 3) BBM: being barred from exercising an executive mandate
Yea I like this idea. I will say (being a CRQ guy), from a business perspective I think it's much more useful to set Risk Appetite as a dollar amount (or percentage of revenue/reserves etc.). It connects more with the business teams that should be setting the Risk Appetite. Given our cyber insurance, cash reserves, etc., what type of financial hit are we resilient to without materially affecting the business? Then, looking at the risk assessment, are we comfortable with the risk of those types of events most likely to materialize and their impact?
What.a.joke: “We are willing to accept MODERATE levels of cyber risk to support strategic growth initiatives, provided those risks DO NOT JEOPARDIZE regulatory compliance, critical infrastructure, or stakeholder trust.” That’s all nice in the aftermath of an incident.
Very informative
What does good look like?
“Appetite: Zero tolerance” great! Close the business and lay down the books. “Appetite: Acknowledges phishing as a likely and manageable threat, provided impacts are minimal and well-controlled.” Clear nonsense, all aftermath. “Appetite: Accepts moderate downtime”: that’s SLA and is expressed in number of 9s. If appetite is hard to define, stop using the concept.