Tuesday, December 29, 2020

Risk Management and Mitigation

The primary goal of any IT security organization is risk management and mitigation. But understanding risks can be complicated: Is a newly discovered vulnerability a risk for your particular company? Should you pay attention to the news about state-backed APT groups like Lazarus?

The key is to match IT security risk management to the overall business risk management in your organization. Defense or financial organizations usually have a mature and established risk management strategy, sometimes with a dedicated role of Chief Risk Officer; if your organization has someone in that position, that’s who you want to learn from. But every organization is constantly making decisions about risk. Often, this responsibility falls to the CFO and the CEO. I believe you should seek their advice to build an aligned and consistent risk management strategy for the organization. Failing to do so creates additional work and can leave the organization exposed to real threats that IT overlooked due to lack of business involvement.

This brings us back to the challenge that I started with: How do you measure risk and expected savings? I won’t even try to unpack it all in one post; there are long books on the subject (here’s a good one: “How to Measure Anything in Cybersecurity Risk” by Douglas W. Hubbard and Richard Seiersen).

