I recently wrote this piece for ISACA on business process maps. Clearly, this is tongue in cheek – there are a lot of benefits to building a map of business processes and for a security professional, these maps can become the basis of lots of security and risk reporting. You can read my thoughts onContinue reading “Business Process Maps are Boring”
Category Archives: Reporting
WEF – Principles of Board Governance for Cyber Risk
A new whitepaper was released this week from the World Economic Forum. I was very honored to be a part of the group that authored this (you can see my contributions in section 2.2 – Understand the economic drivers and impact of cyber risk). The paper is free to download here.
How to Report Cyber Risk to the Board
I’m giving a webinar tomorrow based on the whitepaper I authored for ISACA: Reporting Cybersecurity Risk to the Board of Directors. It’s a free download. I cover Board reporting from the technologists perspective, covering the role of the Board and how to communicate to them in a way they understand. You can register for theContinue reading “How to Report Cyber Risk to the Board”
Interviewed on the SEC’s new Cyber Risk Disclosure Guidance
I was recently interviewed by the FAIR Institute on the recently released guidance for firms to disclose material cyber risk.
Effective Approaches to “Bringing the Pain” With Risk Management
Just a quick note about this month’s column (available here). I’m getting the sense from the risk and control professionals I’ve spoken with recently that there is a greater realization of the separation of duties incumbent upon risk functions. In this piece, I briefly discuss how to use reporting to make this clear, and driveContinue reading “Effective Approaches to “Bringing the Pain” With Risk Management”
Amish Approaches to Risk Management
I’ve been watching Amish Mafia lately (a guilty pleasure). That got me to thinking about the role of shunning in good risk management (because this is how my mind works, apparently). We want our leadership to take good, appropriate levels of risk, which is a way of saying there are good behaviors to which we would likeContinue reading “Amish Approaches to Risk Management”
The Risk Dr ® 