Welcome to your April-May Cyber Risk Update!
- I was asked to write a piece about how umbrella frameworks like NIST can be incomplete without detailed implementation guidance, but also how such detailed methodologies like CVSS were also lacking. The result was this piece I wrote for the FAIR Institute.
- I was also pleasantly surprised to discover that NIST released an IR draft that referenced FAIR directly as a way to tie together cyber risk and enterprise risk. You can read my hot take on this here and read the standard here.
- I was very honored to be able to speak at the Inaugural Volatility and Risk Institute Conference hosted by NYU Stern, where I was interviewed by the inestimable Phil Venables. He wrote his thoughts about this here and you can watch the interview here, where you can see my amazing Zoom background (h/t to Digital Blasphemy where I’ve been a lifetime member since the late 90s).
- Here is a piece I wrote for Dark Reading where I describe how to integrate MITRE ATT&CK into your risk modeling.
- Lastly, my article on Risk Communication was published in this month’s ISACA Journal, available here. It was published as a feature article in their Human Element of Risk issue.