Building a Risk Management Mindset
File Size: 5.86 MB
Author: Sharon Mudd
Date: 29 November 2024
Risk management has traditionally been viewed as a business problem: financial risk, market risk, enterprise risk. However, the rapid technological evolution that has produced today's always-on, connected world has made the tenets and processes of risk management an integral part of protecting organizations' information assets. The key questions information risk management tries to answer are: what needs to be protected, and why? How should organizations establish and prioritize protective measures? How do you get the key players in the organization on the same page? The starting point for these higher-level goals is a practical understanding of what "risk" means, which can be fundamentally different from how the term is commonly used. For example, people often say "risk" when they mean that threats may target an organization, or that an organization has vulnerabilities in some systems or processes that need to be shored up. Threats and vulnerabilities are factors of risk, but neither alone is a good indicator of what risks an organization actually faces or how to deal with them; risk also depends on the likelihood that a threat exploits a vulnerability and on the impact to the organization if it does. Having a practical understanding of how to judge or quantify risk is critical for building effective risk assessments, prioritization strategies, and management processes. This session examines common misconceptions about information security risk and what every cybersecurity professional needs to learn to be an effective part of the risk management program.
The concepts in this workshop have been used to challenge organizational decision-makers and information security practitioners worldwide. The lessons learned will help participants define, understand, and teach risk management to individuals who lack this foundational mindset. Cybersecurity education and on-the-job training focus on the technical aspects of the field, which often has the unintended consequence of building a black-and-white perspective of cybersecurity: things are either good/right or bad/wrong. Understanding risk management helps individuals develop a mindset that embraces the nuances of evaluating risks that fall in a grey area, and accepts that some risk must exist for the business to thrive while using its resources most effectively. This workshop lays the groundwork for moving away from a reactionary approach and towards a proactive approach to securing critical systems and data. If you want to understand the right level of protection for your data, you must understand where protection is needed, how critical the data is to the organization, and what is required to understand and manage the associated risk.