CRQ, Zero Trust, NACD, and Risk Treatment Options

Here is a mega update on several items I’ve been working on lately. First, I did a podcast with ThreatConnect talking about CRQ. We did a bit of a retrospective on the FAIR book as well which was nice. Next is a piece I wrote for ISACA about how to not over-respond to current workContinue reading “CRQ, Zero Trust, NACD, and Risk Treatment Options”

How to Report Cyber Risk to the Board

I’m giving a webinar tomorrow based on the whitepaper I authored for ISACA: Reporting Cybersecurity Risk to the Board of Directors. It’s a free download. I cover Board reporting from the technologists perspective, covering the role of the Board and how to communicate to them in a way they understand. You can register for theContinue reading “How to Report Cyber Risk to the Board”

Cyentia Xtreme

In case you missed it, the Cyentia Institute published the IRIS2020 Xtreme report. I was very happy to have written the conclusions for this report. In it, I speak about how the data in the report can be useful for Board Directors. You can read the full report here. Dark Reading quoted me in theirContinue reading “Cyentia Xtreme”

Speaking at the Cyber Future Dialogue in Davos during the World Economic Forum (WEF)

I’m very excited to announce that I will be speaking at the Cyber Future Dialogue in two weeks in Davos, Switzerland during the World Economic Forum. This is going to be an amazing opportunity to converse with distinguished leadership from around the world on the necessity of and practical means to operationalize cyber risk quantificationContinue reading “Speaking at the Cyber Future Dialogue in Davos during the World Economic Forum (WEF)”

Welcome to 2020! Cyber Risk Prospectuses and a “Manifesto”

Welcome to 2020! I kept busy last month, even with the holidays. Here are some updates: I wrote a piece for ISACA about how much spending is being done in aggregate for cyber security and how we need to rationalize the controls we are spending on. The FAIR Institute called this my manifesto here :-)Continue reading “Welcome to 2020! Cyber Risk Prospectuses and a “Manifesto””

Accepted at RSA 2019 – Virtual Pen Testing

I’m very pleased to announce that I’ve been accepted to speak again at next year’s RSA Conference. I’m going to be presenting on an Agent Based Model concept using FAIR risk results jointly with my colleague Joel Amick. Joel’s team and my team worked to develop a POC of this work and we can’t waitContinue reading “Accepted at RSA 2019 – Virtual Pen Testing”

ISSA Journal – The Future of ITRM will be Quantified

The December issue of the ISSA Journal was released and my article on the Future of IT Risk is on the cover. The theme for this month’s Journal is “The Next 10 Years” and I wanted to highlight where I saw the industry going. I begin with a look back on the progress away from ordinalContinue reading “ISSA Journal – The Future of ITRM will be Quantified”

Lowest Common Risk Denominator

I tackle the notion of risk appetite in this month’s column using some metaphors with which you might be familiar. You don’t get to pick your auto insurance coverage by expressing the number of accidents you are willing to accept, yet that’s how a lot of organizations think about cyber risk. Fortunately, the cyber insuranceContinue reading “Lowest Common Risk Denominator”