8/3/2023

Paradigm shift in business

There are many cybersecurity risk assessments in the form of a questionnaire, spreadsheet, or interview process that are filled out by the CIO or Director of IT. Most frameworks focus on controls specifically designed to determine whether best practices and industry standards for cybersecurity are technically implemented at a company. The result is typically some form of a risk matrix and sometimes specific remediations for each control to "close the gap" between where you are in your cyber-maturity and where you should be. There is value here for sure, and I don't intend to devalue these efforts. What I would like to do is shift the paradigm.

Understand the business

Before the cyber-risk assessment has even begun, there must be an effort to understand the business: not just the industry, but the specific differentiators of the business. You must understand the business' values, mission, and purpose. What separates your business from competitors or others within your industry? Determine where the culture sits in terms of cyber-awareness and acceptance. Is cybersecurity simply an additional cost, viewed as taking away from the bottom line? Is it viewed as a burden and a hindrance to business functionality?

Once you know and understand the business and its culture, what is the strategic plan moving forward? In these plans, what is the appetite for risk? How is the budget mapped out moving forward? Do you know the projections for the next three to five years?

Choose your Cyber-Risk Framework

There are many frameworks to choose from. Do you know which regulations you should be concerned about? These factor into your framework selection, as well as into the individual controls within that framework. Independent of which set of controls is used in your evaluation, these controls need to be evaluated and tied back to the business. As an additional note on each control: how does this control specifically align with and support your business? What guidelines should be considered? Are you a publicly traded company, and therefore one that should be aware of SEC guidelines? Is your company a MedTech, Biotech, or pharmaceutical company that should be aware of FDA guidelines or EU regulations?

Independently Assess

It is key to have an internal or external, independent reviewer, well versed in risk management, conduct the actual assessment. This is a key distinction to make, as having your CIO or IT Director assess the cybersecurity and resiliency of their own design is akin to having students grade their own term papers. If you can decouple the reporting chain of this individual or group, it is even better: their evaluation of the tactical and strategic implementation of controls is then no longer encumbered by bias.

Part of the deliverables from this assessment should include the recommended remediations, estimated cost and resources, roadmap and timeline, expected risk reduction, compensating controls, and forecasted residual risk. The assessment should also have discovered who the key stakeholders are and developed a RACI chart so that everyone can agree on roles and responsibilities. The results are then evaluated and reviewed by all key stakeholders so that a consensus can be built. Once you have a list of agreed-upon remediations, estimated costs and resources, timelines, and priorities, it is time to plan out the projects for your cyber-resilience program.