The North Carolina chapter of the FAIR Institute launches with a meeting on Thursday, February 22, in Charlotte, co-chaired by La’Treall Maddox of Cisco Systems, Inc., along with David Sheronas from Bank of America. La’Treall is Strategy Risk Manager for Cisco’s Security & Trust Organization (S&TO), and the leading FAIR evangelist at the company, which is making a major push on risk quantification;
One of my final initiatives prior to leaving public accounting and entering my new role in risk management was helping organizations prepare for the changes introduced by AICPA in the SSAE 18 audit standard, which went into effect in May 2017.
Simply put, when Industrial Control System (ICS) cyber risk is accurately modeled, measured, quantified, and normalized against mechanical and industrial operational risk, it becomes demystified.
Risk managers are always seeking to address the risks that matter most to their organizations. But you can’t analyze and prioritize what you don’t identify.
A while back I wrote a post called The Dangers of Being a Cubicle Risk Analyst. The premise was that a risk analyst cannot gather all of the information necessary to run a sound and defensible risk analysis from within their own four walls. A good risk analyst ventures out to gather both loss event frequency and loss magnitude data from those in the know throughout the organization.
As the final months approach before the EU's General Data Protection Regulation (GDPR) goes into effect in May 2018, organizations are making significant investments to ensure they are prepared for the changes to come, particularly the strict rules on handling consumers’ personally identifiable information (PII).
Imagine this – an issue is assigned to your risk analyst team, either by your management, by someone in the business, or perhaps it's an area of weakness your own team identified. Once the analysis is complete, it's time to prepare a presentation of the risk results.
The Wall Street Journal recently referenced a research report published by Ponemon Institute entitled The True Cost of Compliance With Data Protection Regulations. After reading the report I’ve come to the conclusion that although the research objective was admirable, it completely missed the target.
On his recent FAIR Institute Cyber Risk Workgroup Call (membership required), FAIR model creator Jack Jones fielded this question: If you had to judge an organization in terms of how well it manages risk using just one metric, what one metric would you use?
Army documents marked Top Secret…data on 14 million Verizon customers…voter information on 198 million Americans…Just a few of the recent reports on data breaches—or open data discovered by security researchers before a breach occurred—on Amazon S3 “buckets”.