I see a lot of commentary on the need to “treat cyber/info-security as a business issue, not an IT issue”. The problem is that it implies this is not still also a technology issue. This is, of course, incorrect.
Embed risk considerations into the enterprise governance apparatus (Boards, Committees, management oversight), establish or use a risk committee and make this topic a major part of that.
No matter how good any organization is there will always be things that go wrong, either because the adversary is awesome or (more likely) because of some misstep, slowness, dependency or complexity.