All too often when we think of business continuity planning, we think of detailed checklists and tabletop tests, and situations approaching disaster recovery scenarios. We think of key suppliers and residual power supplies, and more. America’s current novel coronavirus situation has many of us finding ourselves facing periods of varying lengths where we will be[…]
Audit and risk management are really two perspectives or “flavors” of the same measurement and inspection processes. In blogs of October and November 2018, I’ve discussed some of the key aspects of these processes and offered some arguments for the benefit of their integration to offer executive management a sharper picture of their true risk[…]
Over the past several articles I’ve gone into some depth about TPRM; why it’s a critical part of managing cyber risk, how to integrate TPRM into your enterprise risk program, and the importance of assessment and governance to the overall effort. In doing so it’s possible this focus has created the impression that TPRM is[…]
Data provides no value if it doesn’t lead to decisive action to forward business goals or address customer problems successfully. So, gathering endless amounts of it, as well as compiling or calculating limitless measures offers no guarantee of improved business results. In fact, it can often lead to confusion and clouded views of the key[…]
Considering vendor security as part of your own risk program is an accepted best practice. But what exactly does it mean to do so? How do you determine which vendors merit the most attention? What data do you need? What roles should your legal, compliance, purchasing, IT, and operations resources play? What access might they[…]
Where We Were Diligence mattered, but was relatively straightforward. Not long ago the vendors, suppliers, and other 3rd parties your business engaged with were discreet, independent service or material providers of one sort or another. You communicated by phone, fax, written correspondence or maybe email or EDI. For the most part data flows were simple.[…]
Previous posts have discussed how to present cyber and related risk information to your Board of Directors in a relevant and meaningful manner. They’ve also explored how a GRC software platform can help gather, organize and structure risk data from multiple sources necessary to perform this analysis to support such meaningful Board level reporting. Now,[…]
Our last discussion talked about how to present cyber and related risk information to your Board of Directors in a relevant and meaningful manner. Here we’ll explore how a GRC software platform can help organize and structure risk data from multiple sources necessary to perform this analysis to support such meaningful Board level reporting. And[…]
Every CIO, CISO, and CRO has had this experience, even if only once. They have a meeting with their Board of Directors, for which they have prepared volumes of detailed factual data about the state of risk in their organization; they are confident of their preparation and their message. But, almost immediately upon beginning, the[…]
The frequency and scale of cyberattacks continues to grow, and the financial stakes appear to be rising too. Revenue losses, liability costs, recovery fees, and even regulatory fines are all consequences facing companies experiencing successful cyber incidents. In the recent past, ransomware attacks like NotPetya, one of the most devastating cyber events ever, caused millions[…]