Category Archives: Risk Communication
Rise of the Chief Trust Officer
I wrote a piece for ISACA about how the rise of the Chief Trust Officer role is changing the landscape for cyber security and cyber risk leadership. Borrowing from the CISO, CSO, CPO, CIO, and digital transformation roles, the Chief Trust Officer can become the go-to role to govern technology and ensure customers’ trust.
The Future of Quantitative Cyber Risk Reporting
In my latest piece for the @ISACA newsletter, I address the US SEC’s interest in enhancing the cyber risk reporting requirements. The SEC has asked for feedback on this matter from the public. I used my feedback to them in the writing of this piece.
Cyber Resilience & Board Communication Interview
My piece on Cyber Resilience was recently published by ISACA. Note that their style guide requires that everything with cyber in it be a compound word, which makes it read weird. I had a good laugh with them about this. They also interviewed me for ISACA TV on communicating cyber risk to the board and
WEF – Principles of Board Governance for Cyber Risk
A new whitepaper was released this week from the World Economic Forum. I was very honored to be a part of the group that authored this (you can see my contributions in section 2.2 – Understand the economic drivers and impact of cyber risk). The paper is free to download here.
CRQ, Zero Trust, NACD, and Risk Treatment Options
Here is a mega update on several items I’ve been working on lately. First, I did a podcast with ThreatConnect talking about CRQ. We did a bit of a retrospective on the FAIR book as well, which was nice. Next is a piece I wrote for ISACA about how to not over-respond to current work
How to Report Cyber Risk to the Board
I’m giving a webinar tomorrow based on the whitepaper I authored for ISACA: Reporting Cybersecurity Risk to the Board of Directors. It’s a free download. I cover Board reporting from the technologist’s perspective, covering the role of the Board and how to communicate to them in a way they understand. You can register for the
Cyber Risk Frameworks, MITRE ATT&CK, and Risk Communication in the ISACA Journal
Interviewed by Phil Venables, published in the ISACA Journal and Dark Reading, and more thoughts on NIST and CVSS
85.7% COVID-19 Free March Update!
RSA Roundup: Updates on the Monday all-day FAIR session I did with Jack Jones, Chad Weinman, and Rachel Slabotsky, as well as my Thursday session on maturing your risk management practice. RSAC 2020 Report – Big Turnout for 2 FAIR Seminars, Breakfast Advice on Starting a FAIR Program from Jack Jones and Fannie Mae, Ascena
Security Leadership is Risk Leadership
Security leadership is risk leadership
Accepted at RSA 2019 – Virtual Pen Testing
I’m very pleased to announce that I’ve been accepted to speak again at next year’s RSA Conference. I’m going to be presenting on an Agent-Based Model concept using FAIR risk results jointly with my colleague Joel Amick. Joel’s team and my team worked to develop a POC of this work and we can’t wait