Translating Risk Discussions into Language Your Board Will Relate to and Respect

Every CIO, CISO, and CRO has had this experience, even if only once. They have a meeting with their Board of Directors, for which they have prepared volumes of detailed factual data about the state of risk in their organization; they are confident of their preparation and their message. But, almost immediately upon beginning, the[…]

An Argument for Comprehensive Cyber Risk Management Including Insurance: And GRC Can Help

The frequency and scale of cyberattacks continues to grow, and the financial stakes appear to be rising too. Revenue losses, liability costs, recovery fees, and even regulatory fines are all consequences facing companies experiencing successful cyber incidents. In the recent past, ransomware attacks like NotPetya, one of the most devastating cyber events ever, caused millions[…]

Applying NIST Standards to Managing Cyber Risk and Regulatory Compliance

In our last blog, we explored the content and value of the New York State Department Of Financial Services 23 NYCRR 500; Cybersecurity Requirements For Financial Services Companies. In this article, we’ll explore how the application of a framework like NIST 800-53, or the NIST Cybersecurity Framework helps structure and achieve strong compliance with regulations[…]

A New York State Cybersecurity Regulation; A NY State of Mind and Direction for Financial Services

Exploring the intent and value offered through the New York State Department Of Financial Services 23 NYCRR 500; Cybersecurity Requirements For Financial Services Companies. From time to time it’s worthwhile to explore an example of a regulation put into place to help define, encourage, and oblige sound cybersecurity and risk management practices. Financial institutions are[…]

Once Upon A Time in Cyber Land…From ATM’s to AI and Beyond

I’m old enough to remember a time before ATMs, cell phones, the internet, and portable computing in any number of form factors. No, there were no dinosaurs stealing my school lunch, and I didn’t learn to write on a clay tablet with a stick (despite what my now grown children might think). But the depth[…]

Addressing the Right Cyber Risk… An Example

Recently a malware attack was discovered. “So?” you might ask. “There’s always a malware attack of some sort or another being identified, reported and measured for its scope and impact.” Well, this one was unique in several ways: First, it seemed to target Mac OS, which is a rarity for technical (its UNIX roots)[…]

Exploring Risk Management software: What Separates the Good from the Great – A User’s Perspective

Choosing a risk management platform is an important process. First and foremost, companies often think this software must reflect the priorities, practices, and processes of their current risk management operations (“model what we do and how we do it”, so to speak). This can be a fundamental, strategic error. If you are in the[…]

Reporting Risk Assessment Findings… enriching content with context

One of the greatest challenges to managing cyber risk is communication. Often the technologies and tools used to deploy effective countermeasures, to monitor activity on networks, and to secure online points of contact between an enterprise and its stakeholders, clients, customers, and partners are described using language uncommon to non-technical audiences. Also lost to those outside cybersecurity and[…]

How Technology Enables Enterprise Risk Management

This is the final blog of a four-part series on ERM from guest blogger Michael Rasmussen of GRC 20/20 Research. Risk management fails when information is scattered, redundant, non-reliable, and managed as a system of parts that do not integrate and work as a collective whole. The risk management information architecture supports the process architecture[…]