Inflection Point: Granting Exceptions to Cybersecurity Policies and Standards
Happy New Year!
As you think about your new year as a cyber risk manager, what’s top of mind for you?
There’s no lack of important things to think about, right?
What usually bothers me, when I’m being reflective at a time like this, are the things that are important but not urgent.
Someone recently asked me about when (and how) to grant exceptions to cybersecurity policies and standards.
What a great example of an important, but not urgent, problem!
Of course, that assumes you aren’t processing an exception request right now. But even if you were, it would be easy to just grant it and move on. Those things rarely blow up in your face immediately, right?
If you don’t have a good exception-handling process right now, here’s what I suggest:
If you don’t have an exception-handling process, this example might be inspiring, but I suggest you reduce it down to a “minimum viable” amount of rigor:
Remember: Minimum Viable means the least you can do and still move the needle towards your goal.
Do you already have something like what I’ve described above in place? If not, are you going to get this done before 2024 gets going at full speed?
Click comment and let me know.
And, yes, I really do read every comment you post.
-Kip
P.S. Please repost this “Inflection Point” to share with your network.
Current Podcast Episode: EP 147: SEC Complaint against SolarWinds Corporation – Cyber Risk Management Action Plan (CR-MAP)
What can we learn about the SEC Complaint against SolarWinds Corporation and Timothy G. Brown? Let’s find out with your hosts Kip Boyle, CISO with Cyber Risk Opportunities LLC, and Jake Bernstein, CISSP, CIPP/US, Partner with K&L Gates.
Prepare for the Akylade Certified Cyber Resilience Fundamentals (A/CCRF) certification exam by picking up a copy of the textbook “Mastering Cyber Resilience: From Theory to Practice: Practical Strategies for Cyber Resilience”.
By the way...
We’re currently making plans to attend the Spring series of SecureWorld conferences being held around the United States and Canada in 2024.
Have a look at the schedule and see if you can attend one of them:
I’d love to meet you in person!
Kip Boyle is a husband, dad, entrepreneur, and experienced cyber risk manager. He founded Cyber Risk Opportunities LLC in 2015, after seven years as the CISO of PEMCO Insurance in Seattle. As a captain on active duty in the US Air Force, he served in the Combat Archer and F-22 Stealth Fighter programs where he was the director of enterprise network security. These days, he serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!
Cyber Risk Analyst at Cyber Risk Opportunities / CR-MAP Practitioner / Cybersecurity Consultant
1 year ago: Awesome inflection point! Taking a nebulous question like "should I grant an exception" and turning it into a set of quantifiable risks makes a ton of sense.