October 14, 2016 marked the first ever gathering of information security and operational risk professionals at FAIR Conference.
Enhanced cyber risk management standards
On Oct. 19, 2016, the three federal banking regulatory agencies released a series of proposed enhancements to cyber risk management standards that could result in new policy guidance or new, more stringent regulation. They are currently inviting comments before issuing a more detailed proposal for consideration.
Honoring Excellence in Information and Operational Risk Management
At the upcoming FAIR Conference 2016, the FAIR Institute will honor risk management leaders for their initiative, ingenuity and contributions to Information and Operational Risk Management.
We are happy to announce that the first ever FAIR Conference will take place in Charlotte, NC, at the Wake Forest University Charlotte Center on October 14, 2016. 'Queen City', here we come!
I attended a very informative and engaging presentation at RSA Conference 2016 led by Wade Baker, VP Strategy and Risk Analytics at ThreatConnect and former lead for Verizon’s annual Data Breach Investigations Report (DBIR).
The title of his session was "The Marriage of Threat Intelligence and Risk Assessment". In his presentation, he explored some fundamental questions such as: What is the relationship between threat intelligence and risk management? Many treat them as separate disciplines, but is that the way it should be?
Over the past year, executive teams and board members across multiple industries have started to ask questions more forcefully about the risk posed by cybersecurity attacks. They are no longer content with technical reviews of their security controls and are asking questions related to the business impact of cybersecurity attacks. How much cyber risk do we have? Are we spending too much or not enough? How much can we reduce risk with the proposed info security budget? Should we buy cyber-insurance?
Do you dread reporting on cyber risk to the board? Have you ever felt that board members were left confused by your descriptions of cyber risk in terms of threats and vulnerabilities? Did your board members ever challenge your presentation and ask, "What does this mean to the business?"