Tackling Risk Probability and Impact

cybersecurity risk Oct 14, 2021

Today I’ll discuss risk probability and impact and give you some examples to build your own impact and probability table.

  • Probability
  • Impact

Dr. Bill Souza
E|CE - Executive Cyber Education 

Continue Reading...

Cybersecurity Foundation - What You Need to Know


We are so focused on the threats and the vulnerabilities that allowed a hack to occur that we forget the basics. The protection necessary to prevent or slow down these attacks already exists, and they exist for a long time.


Continue Reading...

Cybersecurity Exceptions - Part 3 (FINAL)

compliance risk Aug 19, 2021

Welcome to the Executive Cyber Education podcast, cyber risk management driving real impact; I am Dr. Bill Souza. As I mentioned in my previous episode, today we will discuss exceptions tracking and expirations.

Exceptions to any cybersecurity policy or standards must be reviewed and approved by management and then tracked for expiration and mitigation. Here are a few elements you should have in your exception record:

  • Title (perhaps goes without saying, but just in case)
  • Business justification
  • Mitigation or remediation plan
  • Owner

These elements are the minimum required from the individual entering the exception; everything else will be entered by the cybersecurity department, such as inherent risk, residual risk, expiration date, security control, and who in the organization will be signing/accepting the risk. The rule of thumb is the following:

  • Very high or high exceptions not to exceed 12 months (or six months if you have the resources)
  • Medium...
Continue Reading...

Cybersecurity Exceptions - Part 2

compliance risk Aug 12, 2021

As I mentioned in my previous episode, there’s much more to discuss on cybersecurity exceptions, such as the risk they pose to the organization and the hidden dangers of cumulative risk.  

Exceptions to any cybersecurity policy or standards must be reviewed and approved by management, and this will vary by organization; however, a good rule to follow is the basis on residual risk, for example: 

  • Very high: Senior Vice President 
  • High: Vice President 
  • Medium: Director 
  • Low/Very low: Senior Manager 

Your organization may have different titles or a three-tier risk level (high, medium, and low) instead of a five-tier level. It is also vital that two individuals sign off on the exception, the requestor’s management, following the same residual risk-based process, and the cybersecurity leadership. The only difference is that the...

Continue Reading...

Cybersecurity Exceptions - Part 1

compliance risk Aug 05, 2021

If your cybersecurity standards were written to protect the organization, why do you have security exceptions? Today, I will dive into why security exceptions are the norm, discuss the risk they posed, cumulative risk, tracking, expirations, and exception metrics.

Your standard development team writes an excellent standard; it follows all the best practices of the NIST Cybersecurity Framework, the ISO 27001, or any other industry-recognized standards and frameworks, but most of all, it is common sense, right? Anyone working on or with a cybersecurity team in a large organization knows this does not happen! Exceptions happen. The typical exceptions vary; however, the pattern usually falls into three categories:

  • First, it comes from projects or any deployments, such as new servers (or replacement/upgrades) or applications.
  • Second, and this one is more typical in larger organizations. That is when the corporate office or parent company pushes new security standards to strategic...
Continue Reading...

Cybersecurity - Asset Classification

compliance governance risk Jul 30, 2021


Assets Classification

Let us start with why asset classification is so essential; asset classification is the foundation of everything else to come in cybersecurity; it will help your organization, for example, small or large, to better understand, manage, identify, and classify your assets. Here is the challenge, the business will hear, "oh, you want to spend how much, just to know what we have, which you should have known to begin with?" These are tricky questions to answer, as the business sees no value in this effort, it is not making their product or service better, the customer does not see any improvements in service or features, and so on.

However, it will assist your leadership in determining which processes and assets are the most important in assuring critical operations, service delivery, and overall business resilience. This, in turn, indicates where to focus your cybersecurity investments in a world of limited budgets and increasing costs. Now you could...

Continue Reading...

50% Complete

Two Step

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua.