Failure to Link Cyber Risk to Corporate ObjectivesAug 12, 2022
Unfortunately, for various reasons, a large percentage of cybersecurity risk assessment work done in many different organizations, including small and midsized businesses, fails to tie to specific organizational objectives.
Executives must be aware of which of the organization’s most important value creation and value preservation objectives are likely to be impacted by the lack of cybersecurity mitigation. In some extreme cases, the communication to executives by cybersecurity risk assessors is that having high levels of computer security should be an objective; however, the recommendation fails to provide linkage to impacted organizational objectives or a cost-benefit analysis.
Senior leaders and boards, for that matter, are challenged to decide how much of the organization’s limited resources should be dedicated to cybersecurity without high-quality information to assess which organizational objectives will be impacted by the lack of mitigation.
Was your cybersecurity strategy developed with a mission-based risk impact on the organization? Or is your cybersecurity team trying to boil the ocean? Do you assign a dollar amount to your risk rating?
Any level of quantitative risk is better than most qualitative or expert judgments.
*** FREE GUIDE ***
Author: Dr. Bill Souza | Aug 12, 2022