What I see in all the risk assessments I have reviewed is a holistic context and approach in each individual assessment. Each risk assessment addresses the cybersecurity aspects of the technology in question, showing how and why the technology, and the risk it carries, fits into the organization's overall business/strategy plan and its cybersecurity plan. They all show how the technology and the management of its dangers fit into the overall project. They also show how the company manages every area affected by cybersecurity as a unified whole. The Cognitive CISO understands that the risk assessment is as much art as science.
All the assessments show how the technology plays into a cybersecurity-related approach. There are pages on the business justification for the technology as it relates to the overall business plan of the unit and of the company.
Each of the baker's dozen assessments I have reviewed recently addresses leadership involvement in choosing the technology, from both a business and a technology perspective. They show how the technology and the management of its risks accomplish the strategy; the effect on customers, the workforce, and operations (both business processes and IT processes); and the results achieved.
There is a substantial section on measurements. They explain what measurements they are using, what analysis of the technology led them to choose it, and what knowledge was gained after implementation. What I find interesting is that the assessments address all of these components within an "Organizational Context." The evaluations show how they define their organization's distinctive characteristics and situation as they relate to cybersecurity. They demonstrate an understanding of human nature, thought and science. Think Physics.
In my conversations with leading CISOs, they said the advice they received from regulators is that regulators are looking to see whether the risk assessments address a way to measure the effectiveness of the cybersecurity framework within the organization. Regulators are seeking to understand, through the evaluation of the decisions made around cybersecurity, how those decisions will impact your organization, what it does and how it does it.
What I see as the key aspects in the risk assessments:
Detailing the cybersecurity-related activities that are important to business strategy and the delivery of critical services;
Prioritizing investments in managing cybersecurity risk, and showing how this is all part of the overall long-term plan;
Demonstrating the approach the company took to determine the effectiveness and efficiency of the technology in applying cybersecurity standards, guidelines, and practices within the company;
Detailing the process by which they assessed their cybersecurity risk, and the results thereof;
Identifying priorities for improvement, and the plan to implement them over the next 24 months.