Some time ago I wrote about using the Goal-Question-Metric (GQM) method for identifying useful and organisationally relevant measurements in order to have a clear view of some aspect of security. Often we think about metrics in terms of engaging security colleagues, executives and the board. However, occasionally in distributed organisations,…
Category: Security
Triage in Supply-Chain Cyber Risk Management
During my career, I have helped several firms design and operate supply chain cyber risk management (SCCRM) programmes. I have some ongoing concerns that I have posted about before about the industry focus on self-reported checklists of various quality. I also have some heightened concerns regarding the use of externally…
Security on the Bottom Line
I often hear calls for security to be treated as a business issue. This seems to vary from calls for the Board of Directors to take an increased interest in security to calls for CISOs to raise their gaze from the technology and consider the whole business. I have myself…
Serious Business?
Regulating cybersecurity, and data protection in general, is driven by two needs; to clearly explain the expectations that society has for the organisations that society is increasingly dependent on, to provide a mechanism for the unmanaged externalities to those organisations (the societal and personal harm from breaches) to be realised…
Insider Risk Management
Insiders are legitimate, trusted, individuals we rely on as part of our business activities.