Subject: s7-06-23: WebForm Comments from Security Excellence
From: Security Excellence
Affiliation: Cyber Risk strategy and risk quantification

Mar. 15, 2023

Baseline: it is clear that a true understanding of cyber risk and the state of affairs is not prevalent; most in the arena get it wrong too, so you are the norm.

My comments overlap due to the state of the cyber risk industry - you are saying the words that exist in the industry, yet these words have yet to adequately solve cyber risk, right? (e.g. this is why the Biden cyber mandate exists).

You need to spoon-feed the horse at the watering hole - what framework, what specifically - too many people lead them astray.

PCI DSS and HIPAA fall short, creating gaps and ultimately confusion. Then cyber risk must be applied on top, creating complexity and more funding needs, confusing the Board/Execs - you see the snowball here, right?

Due diligence is needed to:
+ID existing frameworks
  -note which are lackluster (PCI, HIPAA...) and which minimize gaps (FedRAMP, STIGs?...)
+confirm how companies should address risk most simply - my guess is by qualifying (not quant-i-fying) risk for decision making
+understand that 100% security (no breach ever occurs) is a myth and that business cannot exist without risk