The fact remains that cyber security requirements, particularly for large enterprises and Government organizations, continue to be reactive and compliance-based, with a heavy reliance on third-party assessments and controls testing.
This FCW article (Security-proofing agency business processes) speaks to the need for better integration and understanding of business processes and their related risks, and promotes evidence-based controls testing as a much better strategy for compliance assessments.
Better, but still not proactive.
Only through a complementary digital risk management (DRM) strategy, one that leverages knowledge to prioritize risk mitigations and quantify consequences, can cyber threats be proactively managed. For inspiration, look no further than the energy industry, which is a leading proponent of DRM solutions that proactively protect critical infrastructure such as power grids.
Typically the business executive defines risk as a function of the probable frequency of cyber events and the magnitude of the losses they induce, while IT security teams define risk as the product of vulnerabilities, threats and impacts. Some IT teams also assign confidentiality, integrity and availability values to the systems they are charged with protecting in order to understand those impacts.
These differing perspectives on cyber security and cyber risk create the need for digital risk management. Digital risk management bridges this gap in understanding and enables proactive management of the business risk that cyber threats pose to organizations.
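As an added illustration (not code from the article or from the Digital Risk Management Institute), the following Python computes the two risk framings described above side by side, the business view of frequency times loss magnitude and the IT view of vulnerability times threat times a CIA-derived impact, and then ranks candidate mitigations by expected-loss reduction per unit of cost, which is the prioritization step the article attributes to DRM. The assets, scenarios, controls and every number are constructed sample values for the example, not data from any real organization, and the scoring formulas are one reasonable reading of the article's definitions rather than any standard's prescribed method.

```python
"""Two framings of cyber risk computed side by side, then a mitigation ranking.

Added illustration; all figures below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    # C/I/A ratings on a 1..5 scale, as the IT teams in the article assign them
    confidentiality: int
    integrity: int
    availability: int


@dataclass(frozen=True)
class Scenario:
    name: str
    asset: Asset
    affects: Tuple[str, ...]   # which CIA properties the scenario degrades
    annual_frequency: float    # expected events per year   (business view)
    loss_magnitude: float      # loss per event, in currency (business view)
    vulnerability: float       # 0..1, chance an attempt succeeds (IT view)
    threat: float              # 0..1, chance an attempt is made   (IT view)


@dataclass(frozen=True)
class Mitigation:
    name: str
    cost: float
    # scenario name -> fraction of that scenario's expected loss that remains
    # once the control is in place (1.0 = no effect, 0.0 = fully eliminated)
    residual: Dict[str, float]


def expected_annual_loss(s: Scenario) -> float:
    """Business framing: probable frequency of events times magnitude of loss."""
    return s.annual_frequency * s.loss_magnitude


def cia_impact(s: Scenario) -> float:
    """Impact as the highest rating among the CIA properties the scenario hits,
    normalised to 0..1 (assumption: a scenario is as bad as its worst property)."""
    ratings = {
        "confidentiality": s.asset.confidentiality,
        "integrity": s.asset.integrity,
        "availability": s.asset.availability,
    }
    return max(ratings[p] for p in s.affects) / 5.0


def it_risk_score(s: Scenario) -> float:
    """IT framing: vulnerability x threat x impact, impact taken from CIA ratings."""
    return s.vulnerability * s.threat * cia_impact(s)


def rank_mitigations(scenarios: List[Scenario],
                     mitigations: List[Mitigation]) -> List[Tuple[str, float, float, float]]:
    """Rank controls by expected annual loss avoided per unit of cost.

    Returns (name, loss_reduction, cost, reduction_per_cost) sorted best first.
    """
    eal = {s.name: expected_annual_loss(s) for s in scenarios}
    rows = []
    for m in mitigations:
        reduction = sum(eal[n] * (1.0 - f) for n, f in m.residual.items())
        rows.append((m.name, reduction, m.cost, reduction / m.cost))
    return sorted(rows, key=lambda r: r[3], reverse=True)


# --- constructed sample data (assumptions, not measurements) -----------------
BILLING_DB = Asset("billing-db", confidentiality=5, integrity=5, availability=3)
PUBLIC_WEB = Asset("public-web", confidentiality=2, integrity=3, availability=5)

SCENARIOS = [
    Scenario("ransomware on billing-db", BILLING_DB, ("availability", "integrity"),
             annual_frequency=0.2, loss_magnitude=2_000_000, vulnerability=0.6, threat=0.8),
    Scenario("defacement of public-web", PUBLIC_WEB, ("integrity",),
             annual_frequency=2.0, loss_magnitude=15_000, vulnerability=0.5, threat=0.9),
    Scenario("credential phishing against billing-db", BILLING_DB, ("confidentiality",),
             annual_frequency=1.0, loss_magnitude=100_000, vulnerability=0.7, threat=0.9),
]

MITIGATIONS = [
    Mitigation("offline backups", 50_000, {"ransomware on billing-db": 0.25}),
    Mitigation("phishing-resistant MFA", 80_000,
               {"credential phishing against billing-db": 0.1, "ransomware on billing-db": 0.7}),
    Mitigation("web application firewall", 40_000, {"defacement of public-web": 0.5}),
]


if __name__ == "__main__":
    # The two framings can disagree on which scenario matters most; that gap is
    # what a shared DRM view is meant to close.
    for s in SCENARIOS:
        print(f"{s.name:45s} EAL={expected_annual_loss(s):>12,.0f}  IT score={it_risk_score(s):.2f}")
    for name, red, cost, per_cost in rank_mitigations(SCENARIOS, MITIGATIONS):
        print(f"{name:28s} avoids {red:>10,.0f}/yr for {cost:>8,.0f}  ({per_cost:.2f} per unit cost)")
```

On these constructed figures the business view puts the ransomware scenario first by expected annual loss while the IT view puts credential phishing first by its vulnerability-threat-impact score; the mitigation ranking then orders controls by loss avoided per unit spent, which is the common currency both sides can reason about.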
To learn more and collaborate with like-minded others join us in the Digital Risk Management Institute.