Phil Venables, 12 tweets, 2 min read
Cybersecurity as a first class business risk. A thread.

I see a lot of commentary on the need to “treat cyber/info-security as a business issue not an IT issue”. The problem is it implies that this is not still also a technology issue. This is, of course, incorrect.

1/12
The reality (being generous, what I think people really mean) is that we need to treat cyber/info-security as a first class business risk. So how do we do this, as opposed to just wishing it so? In my experience there are 3 themes you need to drive.

2/12
1. Enterprise Integration - make this part of the fabric of business decision making.

Embed risk considerations into the enterprise governance apparatus (Boards, Committees, management oversight), establish or use a risk committee and make this topic a major part of that.

3/12
Conduct risk assessments (quantitative and qualitative) and establish a risk appetite - with particular focus on what level of the organization in what way can accept risk or authorize exceeding stated appetite.

4/12
Integrate risk considerations into all business processes - especially: strategy, business development, capital planning, budgets, hiring, promotions, employee reviews and rewards, new products, acquisition, divestment, technology investments and supply chain management.

5/12
2. Technology Integration - make this a core part of how technology is built and operated - secure products not just security products.

6/12
Recognize that basic and relentless technology controls (e.g. CIS Top 20), hygiene/operational discipline are essential. They won’t stop all attacks but will stop many (depending on your threat model). Note: “basic” doesn’t mean easy - hence “relentless” is the key word.

7/12
Embed automation/iterative improvement into the heart of tech delivery. Continuously monitor control effectiveness, presence, and operation. Strive for ambient controls - in preference to expecting employees/customers to be a significant part of your front-line defense.

8/12
3. Resilience & Recovery - plan for failure & constantly exercise/drill.

No matter how good any organization is there will always be things that go wrong, either because the adversary is awesome or (more likely) because of some misstep, slowness, dependency or complexity.

9/12
So, detect early, respond decisively, formalize accountability and test constantly (and apply lessons from tests quickly). Limit the blast radius of potential events through business and technology process adjustment (for example: data minimization).

10/12
Find and fix “broken windows” [hygiene issues that while not necessarily a top risk, nevertheless signal the acceptance of sloppiness]. Integrate cyber/info-security incident response with enterprise operational resilience and business continuity approaches.

11/12
Bottom line: don’t confuse saying cyber/info-security is a business risk with actually then managing it as a first-class enterprise risk. To do that you actually have to, well, do things to make that happen.

12/12