Successful security teams are in a conversation with the rest of their organisation about managing security risk; unsuccessful teams are always in an argument. Security risk management has to be a conversation. No one individual or group can own or fully control this risk due to the complex, interdependent and…
Author: Phil
No more Department of No
As organisations come to terms with the impact of digital transformation, there have been louder calls for security teams to stop being the Department of No. In general terms, this is a positive trend but there is a danger for security teams as the ‘shift left’ of digital transformation exposes…
Long tails and poverty lines; cyber risk in the supply chain
This week I’ve been attending the third cybersecurity roundtable hosted by the Institute of International Finance (IIF) at their 2018 IIF G20 Conference. The roundtable itself included a good discussion with regulators and firms as well as a summary of the IIF paper on cyber regulatory fragmentation. This paper is…
Writing a good risk statement
I often review documents describing risks that fail to either make an impression as to the seriousness of the risks or fail to explain the cause and impact of those risks, both results leading to a less well informed risk decision by a non-specialist executive. It is vital when stating…
Don’t over think cyber risk
I have been overthinking cyber risk. I’ve been trying to build a reliable model that I could rely on to mechanism my risk assessments. I’ll continue to refine my ideas because I enjoy the intellectual challenge. However, I am of the opinion that until we have the cybersecurity equivalent of…