I was recently asked to present in a remote session at the ISC2 Thames Valley Chapter on Modern Security Risk. I’ve not presented remotely like this before but while it was unusual not having the audience visible to see their reactions it seemed to go very well. There were a…
Category: Risk
What are Information Assets?
Many methods for analysing Information Security Risks use the term assets, information assets or business assets interchangeably. This is a common foundation of Information Security risk analysis often providing a guide to the business impact of a risk being realised in particular systems that hold or access these assets. The…
Dressing up security with Bow-Ties
Bow-Tie diagrams are a very useful way to visualise the components of security risks and a fantastic way to understand the relative importance of different controls and mitigations. A bow-tie diagram uses the risk scenario under consideration as the ‘knot’ of the tie with two trees either side, the left-hand…
Triage in Supply-Chain Cyber Risk Management
During my career, I have helped several firms design and operate supply chain cyber risk management (SCCRM) programmes. I have some ongoing concerns that I have posted about before about the industry focus on self-reported checklists of various quality. I also have some heightened concerns regarding the use of externally…
Security on the Bottom Line
I often hear calls for security to be treated as a business issue. This seems to vary from calls for the Board of Directors to take an increased interest in security to calls for CISOs to raise their gaze from the technology and consider the whole business. I have myself…