A recent survey by the Professional Risk Managers International Association (PRMIA) uncovered high frustration among risk professionals with data – the quality, usability, and general time suck required for the raw material of risk analysis.
As a member of the FAIR Enablement Specialist (FES) team at the FAIR Institute, I consult for many individuals and teams as they start on their journeys to better risk management through cyber risk quantification
We have a deep bench of organizations practicing Factor Analysis of Information Risk (FAIR™) represented by the 11,000+ members of the FAIR Institute. Here’s a small sample of public and private enterprises that have shared details on their FAIR programs with our membership.
A new white paper from the Association of Chartered Certified Accountants (ACCA), “Rethinking Risk for the Future”, argues that “accountancy is playing an increasingly larger role in navigating organizations through the urgent problems and interconnected risks
Companies have gradually been moving to the cloud for years, but still need a model for prioritizing security initiatives for their cloud migration. Feedback from our clients is that organizations spread across multiple geographies, markets and business functions operate in silos
Total risk for an IT asset such as a data repository or web app is exactly what is sounds like: the aggregate risk to a digital asset posed by relevant cybersecurity risk scenarios. That is, an asset will have a combination of relevant scenarios
In a warning of a get-tough policy on cyber risk management, the Securities and Exchange Commission (SEC) has fined First American Financial Corp. (FAFC), finding that the major title insurance and escrow company “did not have any disclosure controls and procedures related to cybersecurity,
Surprisingly, we still sometimes hear that some cyber risk professionals are challenged by their General Counsel and legal department not to quantify their cyber risk, as that might - in their opinion - introduce a liability, driven by the fact of possibly knowing about a problem and not having done enough to address it.
In September, 2020, our IBM X-Force IRIS security analysis group began tracking strange phishing attacks targeting suppliers of HVAC equipment and services.
Strange, unusual, media-worthy vulnerabilities and cyberattacks… they seem to pop up every few months or so and send us risk managers into a fire drill. The inevitable questions follow:
