Risk is always a part of your cyber strategy. It evolves based on your environment. It could be calm one moment, then a disastrous storm the next. The key to managing risk is to continually take care of your critical business areas and all interested parties.
REGULATORY UPDATE: The SEC’s new rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure require public companies to describe their cybersecurity programs in their periodic reporting and how they manage RISK.
But how do you manage the needs of many with different priorities?
By establishing reasonable security through the Duty of Care Risk Analysis (DoCRA). Duty of care requires that organizations demonstrate they used controls to ensure that risk was reasonable to the organization and appropriate to other interested parties at the time of the breach. This approach enables users to:
- Prioritize security investments
- Consider the needs of all interested parties
- Demonstrate that the risk is ‘Acceptable’ or ‘Reasonable’
- Protect the organization without overly burdening it
- Continuously manage to ‘enough’ security
- Manage your cyber insurance coverage appropriately
We also incorporate the Sedona Conference’s “Test for Reasonable Security Controls” establish that safeguards must not pose a higher risk to the organization than the lack of safeguards poses to others. By balancing an organization’s mission, objectives, and obligations, your risk strategy will have the appropriate balance of compliance, security, and corporate responsibility. You will be practicing ‘reasonable security’.
View the Compliance Week Webinar, “Five Deliverables Every Cybersecurity Team Needs to Survive, Thrive and Comply with the New SEC Cybersecurity Rule.”
- Defining a Clear Line of Acceptable Risk below which you can accept risks and above which you must remediate.
- Ensuring your security program is Legally Defensible and complies with the new SEC Cybersecurity Rule.
- Understanding and Presenting the Known Risk to your organization.
- Providing the C-Suite with a Roadmap of your Cybersecurity Program.
- Communicating Risks and Justifying Expenditure Requests in business terms.