Welcome to 2020! Cyber Risk Prospectuses and a “Manifesto”

Welcome to 2020!

I kept busy last month, even with the holidays. Here are some updates:

I wrote a piece for ISACA about how much spending is being done in aggregate for cyber security and how we need to rationalize the controls we are spending on.

The FAIR Institute called this my manifesto here :-)

I’m also really excited that my article on Cyber Risk Prospectuses was published over in ThreatPost. I’ve been talking about this topic for about a year now. I’m not a fan of us pretending that we work for companies that won’t get hacked. It’s not if its when and being clear about how long before we expect that loss is important. The FAIR Institute summarized my point succinctly: “Admit you will probably get breached.”

 

 

 

 

 

RSA 2020, NIST CSF, and Dark Reading

First off, I’m very pleased to announce that I will be presenting again next year at the RSA Conference. My session is called “Maturing Cyber-Risk Management Practices: Framework and Next Steps” (EZCL-R01).  This will be done as a Collaborative Learning Session (a new RSAC format). I’ll lead a discussion then turn it over to the room to begin analyzing their risk management program and assessing its maturity.

Also:

 

 

 

 

ISSA Journal – The Future of ITRM will be Quantified

The December issue of the ISSA Journal was released and my article on the Future of IT Risk is on the cover. The theme for this month’s Journal is “The Next 10 Years” and I wanted to highlight where I saw the industry going. I begin with a look back on the progress away from ordinal scale, verbal risk labels and project out on where things will go. I cover regulatory, insurance, and customer pressures to quantify as well as outline a path forward where risk quantification can be used as a competitive advantage.

Check it out in your mailbox or read it online now.

ICYMI: Digital Transformation

I wrote an article to help ISACA introduce its Digital Transformation research in the Financial Services industry.

There are some interesting findings in here about AI, IOT, Cryptocurrency, and Blockchain.

 

My article in Bankingexchange.com is here

ISACA’s Digital Transformation Barometer research is here

ICYMI: Risk Management and the Paradox of Common Sense

I really enjoy reading Duncan Watts work and I was blown away by how he assailed the concept of common sense that we all rely upon so readily:

What we don’t realize, however, is that common sense often works just like mythology. By providing ready explanations for whatever particular circumstances the world throws at us, common sense explanations give us the confidence to navigate from day to day and relieve us of the burden of worrying about whether what we think we know is really true, or is just something we happen to believe.

Questioning our perception of reality is pretty heavy and you can spend a lot of time working through that. But in my article I use this idea to break out of the crutch of using common sense to manage risk.

You can read the full article on the @ISACA Newsletter site here.

 

ICYMI: Organizational Signals for Changing Risk Appetite

I was inspired to write this article by a change in the speed limit that happened on a local Interstate. It was a good jumping off point to illustrate the parallels between speed limits and risk appetite and what it takes to change each.

You can read the article on the FAIR Institute website here.

ICYMI: Concept Creep: Why Cyber Risk Problems Never Get Solved

I had a great time writing this post for the FAIR Institute. I was inspired by post-doc David Levari of the Harvard Business School’s article in The Conversation called Why Your Brain Never Runs out of Problems to Find. In it he talks about how our brains have a sliding scale of what “badness” is over time and how something will always occupy the spot of “badness” even when its not that big of a deal. In my write-up, I apply that to cybersecurity and include some pointers for FAIR practitioners.

You can read my latest FAIR Institute post here.