CISOs & IT Directors: Risk Transfer Can Work!

I have been in many meetings and seminars over the past few years where I have been astounded at the response that CISOs, CIOs and IT Directors have given when a point has been raised that risk transfer might be of help. The type of risk transfer generally being referred to is provided through insurance products covering such areas as business interruption, errors and omissions and cyber liability. A typical reaction by an IT or InfoSec executive when asked whether cyber insurance should be considered is that they have sufficient security and availability systems in place, firewalls, intrusion detection systems etc. so why would they need insurance! I am not sure why this position is taken a

Risk is not an 'absence of control'

I regularly visit so many organisations and attend so many meetings where the overwhelming view of risk is that it is inversely proportional to control. All of the other factors that make up scientifically derived risk through objective assessment are either implied (and subjectively guessed) or absent from the analysis: I say "analysis" but really mean "observation". Analogies? To me it's like saying a bus shelter is a house, a sponge is a brick or my Mum is the Queen. Sure, there are some resemblances, and from a distance who could tell, right? Err, wrong! You cannot live (for any meaningful length of time) in a bus shelter before you catch pneumonia or are moved on as a nuisance. You cannot

Keep Calm and Respond Well

The development of incident response, be it in the origins of Computer Emergency Response Teams or the modern equivalent provided by the growing number of commercial breach response companies, has tended to focus on two key factors - both of which I think are a little short-sighted. We saw these challenges when setting up ReSecure and set about, over 4 years ago, to address them with a different approach. So what are these two issues?

Issue A: The Blinkered Approach

As a cynic, I believe that most organisations have a lot to do internally before they can truly say that Information Technology is part of their business DNA. I hold that most government and commercial organisations tend to diver
