Cyber Risk Frameworks, MITRE ATT&CK, and Risk Communication in the ISACA Journal

Welcome to your April-May Cyber Risk Update!

  • I was asked to write a piece about how umbrella frameworks like NIST can be incomplete without detailed implementation guidance, but also how detailed methodologies like CVSS are themselves lacking. The result was this piece I wrote for the FAIR Institute.
  • I was also pleasantly surprised to discover that NIST released an IR draft that referenced FAIR directly as a way to tie together cyber risk and enterprise risk. You can read my hot take on this here and read the standard here.
  • I was very honored to be able to speak at the Inaugural Volatility and Risk Institute Conference hosted by NYU Stern, where I was interviewed by the inestimable Phil Venables. He wrote his thoughts about this here, and you can watch the interview here, where you can see my amazing Zoom background (h/t to Digital Blasphemy, where I’ve been a lifetime member since the late 90s).
  • Here is a piece I wrote for Dark Reading where I describe how to integrate MITRE ATT&CK into your risk modeling.
  • Lastly my article on Risk Communication was published in this month’s ISACA Journal, available here. It was published as a feature article in their Human Element of Risk issue.
