Several studies conducted in other fields showed how spending effort on analysis improved confidence even when the actual performance was not improved. 

A study by the University of Chicago in 2008 tracked the probability of outcomes of sporting events as assigned by participants. These participants were given varying amounts of information about the teams, except the team’s name or players. As fans were given more information, their confidence in picking the winner increased, despite the chance of picking the winner remaining nearly flat no matter how much information was provided.

Imagine how many metrics and measures we have in cybersecurity; is your confidence level increasing or your performance on the outcome? 

Don’t be so quick to accept metrics and measures labeled “best practices;” best practice does not mean it was measured and scientifically proven to be the best performer among a set of practices. 

Focus on reducing risk; are your...

There are two types of third-party risk: product vendors and service providers. Product vendors outsource software, platform, and infrastructure, known as SaaS, PaaS, and IaaS. According to some estimates, only 40% of applications are hosted on-premises.

The service providers are consulting third-party vendors, such as management consultants, IT consultants, Cybersecurity consultants, and managed service consultants. However, regardless of the type of third-party vendor, these are the five focus areas your third-party risk management program should focus on:

1. Data access: who has access to your data? What kind of data is it? How is it stored? This is a confidentiality issue. Reviewing and discussing your providers' policy, procedures, and contractual language is essential. This is an area you should involve your legal team.
2. Security program transparency: where is the data center? What are physical controls in place? Make sure these questions are asked and, if possible, validated to...

The third-party outsourcing trend will continue to grow in the coming years, which places third-party risk as a significant concern for organizations, large or small. Depending on which statistics you read, 39-63% of breaches are caused by third parties. One of the most notorious breaches is the case of Target, where the HVAC vendor’s credential was stolen, resulting in the retailer's breach of 40 million credit and debit card numbers and 70 million records of personal information stolen.

How you manage this risk vector is the inspiration of several books and articles; however, it will all start in the contract and what you were able to negotiate upfront; then a mixed methodology assessment, where you use qualitative and quantitative elements to assess the vendor based on industry-accepted standards, such as NIST CSF or ISO 27001.

I would use caution in leveraging Service Organization Control (SOC) 2 reports; these reports vary by organization and may not cover all...

Amid a global financial crisis and potentially facing cybersecurity budget challenges, you are now facing a tough decision; how to do more with less. What if I told you that you can; change the focus of your cybersecurity risk management program from a threat/vulnerability-centric focus to a mission-centric focus.

Using the same people, processes, and technologies you have but targeting critical systems in your organization. This change in strategy will allow your cybersecurity organization to provide valuable services by redirecting the same resources to a mission-centric approach, hence, innovating your cybersecurity strategy while being a good steward of your financial resources.

========

• Blog: https://www.execcybered.com/blog
• Training: https://www.execcybered.com/iso27001foundationcourse
• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza 
• Instagram: https://www.instagram.com/drbillsouza/ 

Author: Dr. Bill Souza...

Rules for Effective Cybersecurity Metrics

First, you must establish agreement among your leadership on the actual risk(s) to measure, then select which data will provide the most accurate representation of the risk.

The following are 5 fundamental rules for measuring cybersecurity risk:

1. Select informative measures with actionable value to leadership
2. Research other subject matter experts have done and worked
3. Keep the math simple and clear
4. Develop a standard reporting format and reporting governance
5. Keep consistent and allow your measures and metrics to mature over time

Bonus rule: Gain buy-in from your stakeholders.

========

• Blog: https://www.execcybered.com/blog
• Training: https://www.execcybered.com/iso27001foundationcourse
• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/

Author: Dr. Bill Souza | Jul 14, 2022 

In a mission-based risk assessment, the question is, how do you perform one? 

A four-layer approach will be a good start: 

1. Mission layer
2. Operational layer
3. Application layer
4. Infrastructure layer

========

• Blog: https://www.execcybered.com/blog
• Training: https://www.execcybered.com/iso27001foundationcourse
• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/ 

Author: Dr. Bill Souza | Jul 13, 2022 

When measuring risk in your organization, you’ll typically discover two challenges: First, top key risk measures that do not have supporting data (aspirational). Second, you’ll be developing middle to low measures with supporting data that do not entirely address the risk. 

The lack of data to calculate a particular measure is no reason not to measure the risk; these are your aspirational measures; setting an organizational ambition or goal for your cybersecurity program to report over time is a good strategy; allow your cybersecurity program mature.

To calculate the percentage of assets identified as critical will require two data points, first, the total number of assets, and second, the total number of critical assets; if you don’t have these numbers, you can start by collecting secondary data and establishing secondary measures that will drive towards the aspirational goal of calculating the percentage of assets identified as critical.

========

• Blog: ...

There is a three-point framework to keep in mind when preparing a report to the Board, especially if you are a small to medium-size business with annual revenue between $100M to $700M with [potentially] no CISO in your organization.

1. What are key risks the Board should be aware of at a high level? What should they be offered a deeper understanding of?
2. How do these risks align with the organization's strategic initiatives?
3. What is your opinion? What do you recommend? - A solution.

One key factor to remember is to be prepared to answer how your organization compares to others in the industry. I suggest discussing with other organizations in the same industry and of similar size.

 ========

• Blog: https://www.execcybered.com/blog
• Training: https://www.execcybered.com/iso27001foundationcourse
• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/ 

Author: Dr. Bill Souza | Jul 8,...

How do you understand a digital asset's business value?

First, let’s define what a digital asset is; a digital asset is a system, process, data, and technology that is used. A cyber event could affect one or more of these digital assets, resulting in a loss for the business.

These digital assets have a hierarchical relationship:

• Organization
• Function
• Business Unit
• Own & Use
• Business Process
• Own & Use
• System
• Supports
• Technology 
• Process & Store
• Data Type

Understanding this hierarchy in your organization will lead you to the critical systems in your organization. 

========

• Blog: https://www.execcybered.com/blog
• Training: https://www.execcybered.com/iso27001foundationcourse
• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/ 

Author: Dr. Bill Souza | Jul 7, 2022 

NIST has developed a cybersecurity risk management framework that addresses the issue as a comprehensive process that requires organizations to:

1. Frame risk
2. Assess the vulnerabilities
3. Respond to risk once determined
4. Monitor risk on an ongoing basis

These four pillars must be addressed by all small and midsize businesses. A small and midsize business (SMB) is a business that, due to its size, has different IT requirements — and often faces different IT challenges — than do large enterprises, and whose IT resources (usually budget and staff) are often highly constrained.

========

• Blog: https://www.execcybered.com/blog
• Training: https://www.execcybered.com/iso27001foundationcourse
• Linkedin: https://www.linkedin.com/company/exceccybered/
• Twitter: https://twitter.com/DrBillSouza
• Instagram: https://www.instagram.com/drbillsouza/ 

Author: Dr. Bill Souza | Jul 6, 2022