When It Comes Down To It, Cybersecurity Is All About Understanding Risk

Get two risk management experts in a room, one financial and the other IT, and they will NOT be able to discuss risk.

--

Go on … ask your CEO why your company has a VPN … what the core threat is that it guards against, and how likely that threat is to happen. If they can answer these questions well, then stop reading this article, as you probably don’t have a problem in your company when it comes to cybersecurity. If the answer is “VPN stands for Virtual Private Network. That’s all I know about it. I have technical people who know about that kind of thing!”, then read on.

I have the privilege of advising organisations on cybersecurity, but I increasingly realise that there is a wide gap between the business side of an organisation and those in technical roles. In a recent meeting I attended, the buzzwords flew around with little care for their meaning, and in the end, I didn’t really understand what the basic threat was. My conclusion was that the organisation just needed to sit down and work out a number of use cases for each of the major threats: insider fraud; large-scale data; major outage; etc, then work out the likelihood of each, and, if possible, put a financial cost against them. Then they just had to work out if…

--

Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice

Professor of Cryptography. Serial innovator. Believer in fairness, justice & freedom. Based in Edinburgh. Old World Breaker. New World Creator. Building trust.