Developing a Risk Management Approach to Cybersecurity
Matt Kelly

By now most CISOs understand that focusing your cybersecurity program on regulatory compliance is no longer sufficient. Meeting those requirements will always be a crucial part of cybersecurity — but only one part. Far too many other “unregulated” risks still abound.

Moreover, a cybersecurity program that focuses on compliance isn’t what the board should want from the CISO either. The board needs assurance that the organization’s cybersecurity program works effectively to help employees achieve business objectives, period. Regulatory compliance is one important part of that assurance, but it’s still only one part.

So CISOs have an opportunity to reorient their cybersecurity programs away from a focus on compliance, toward a focus on risk. The security program then becomes...