Thursday, October 5, 2017

5 Tenets of Cyber Security




Sweet and Simple (but rarely followed)

Your organization does not exist to be secure, it exists to get things done.

Amateurs mitigate risk; professionals manage risk. If you are confused by the difference, you need to read some of Bruce Schneier's books. There are three ways to manage risk: you mitigate it, you accept it or you transfer it.

Risk is the likelihood of an incident times the harm of that incident. Likelihood is made up of Threats and Vulnerabilities.

Our job is to support the organization's mission. That means when dealing with a cyber security challenge, you may not be the one to make a decision.


Managing risk is based on three core areas: Technology, Process and People.
We have hit the point of diminishing returns with Technology but continue to fail on the Process and People side.

For More:
https://securingthehuman.sans.org/blog/2017/10/05/the-five-tenets-of-cyber-security/
