CISOOnline

7 cyber risk assessment gotchas to avoid

“As a result, it becomes difficult to communicate the real risks of breaches and other risks,” he states. “Worse yet, it gives security team members an excuse to complain about being misunderstood or not valued, which degrades team effectiveness.”

It’s important to be specific and targeted, Moore advises. “For instance, don’t say, ‘We have 95% patch compliance,’” he suggests. “Instead, talk about the risk unpatched systems pose to the business.” Some systems, such as legacy systems that aren’t connected to the internet or the core business, carry a lower risk than others, even if they have the same patch issues. “Acknowledge that fact and weigh your response.”

6. Confusing compliance with real-world security

Compliance alone doesn’t lead to good security, nor does it satisfy even the baseline requirements for effective protection, says Adriel Desautels, CEO of Netragard, a penetration testing and security advisory company.



Source link