Framing cyber security as a business risk
The information security industry struggles to get its programmes on the enterprise stage. When an organisation has a public breach, we are quick to criticise both the CISO and executive management. Is it that management ‘just doesn’t get it’, or is the problem that we’re still not presenting in a way that resonates with the business? We can learn a lot from other risk disciplines, how they organise risk scenarios and the techniques that they use. Mature organisations rely on risk profiles, the RCSA, stress testing, control testing and the analysis of loss events to understand their risk exposure. If you want your information risk programme to be taken seriously by the business, you have to do more than just throw around a few business terms — you need to embrace enterprise risk techniques. Structuring a cyber security programme and assessment approach similar to other risk stripes not only provides credibility, but also allows the organisation to normalise risks across domains. By adopting taxonomies that are ERM-friendly, embracing the idea of a quantifiable loss event, and helping to translate impact and frequency factors into IT terms, you will see a great improvement in business engagement and ensure that cyber security concerns receive the right focus.
The full article is available to institutions that have subscribed to the journal
Evan Wheeler is VP Risk Management and CISO at Financial Engines and an expert in information security and operational risk management for organisations in many critical infrastructure sectors. Evan has extensive experience presenting business resilience and cyberthreat profiles to board committees, managing international teams, working directly with regulators and overseeing security operations. He is a specialist in building and running risk programmes for organisations in highly regulated environments. Evan earned an MS in information assurance at Northeastern University. He also served as a course author and lecturer for graduate programmes at UCLA, Clark University, Northeastern University and the SANS Institute. He has published a book, Security Risk Management: Building an Information Security Risk Management Program from the Ground Up.