Two of the potentially challenging things about doing information and cyber security risk assessments are being able to easily leverage any existing risk assessments done by other areas of the organization and being able to integrate the risk assessments we do with the existing risk ratings already being compiled and aggregated by the ERM team—assuming […]
Getting past the possibility (or why threat-based security will get you nowhere)
Yesterday, I was re-reading the FAIR book, Measuring and Managing Information Risk: A FAIR Approach, and something jumped out at me that I’d forgotten the first time I’d read it: the notion of getting hooked on the possibility of an event. Of course, the FAIR book pooh-poohs all over the qualitative risk assessment – and, […]
Staring down the red-eyed monsters
Tonight I watched my son have a white-hot meltdown. It’s never happened before, but then again, he’s never been stuck in the house with the rest of us for going on 7 weeks now either. So, I have little doubt that a lot of the frustration and fears about what’s happening came out all at […]
The key to demonstrating security value
One of the toughest challenges we face as security professionals is proving the value of what we do. I mean, so many people have the attitude that basically, “We get paid when nothing happens.” And, to a point, that is true. If we’re doing our jobs correctly, then things will go smoothly. However, things going […]
Should we really “always look on the bright side” of risk?
There’s a pretty big divide between “risk managers” and people who actually take risks about the whole “risk and opportunity management” vibe at the heart of ISO 31000 and everything related to it—including SABSA. We spend time in the Foundation course talking about how you need to have a balanced view of risk, and without taking […]