Dan Desko’s Post

Everyone’s really hung up on the materiality and reporting aspects of the SEC requirements around cyber risk management, and rightfully so. But I’m more concerned about “proper” cyber risk management. It’s not enough for organizations to just follow basic control frameworks. They need to think about the larger business impact of their cyber risk management policies. When they adhere only to the basic frameworks, they’re getting systematic identification, assessment, and mitigation of threats, yes, but they may not be thinking in a holistic way about how the framework fits in with their specific business. With proper cyber risk management, however, organizations can move beyond the basic controls and look at things like threats, vulnerabilities, impact, probability, and the resulting residual risk, and then determine if they have the right number of controls to mitigate all those risks. In other words, they’re zooming out to look at the full picture of their business, and prioritizing risk management policies based on business-focused outcomes, not just applying a potentially ill-fitting framework to check a box. Most organizations are off to a great start: they’re meeting their basic cyber risk management requirements by following control frameworks. But to truly protect themselves, they need to upgrade their approach to a more robust risk management approach… one that takes into account overarching business impacts.

100%. If you're viewing this through a mature risk lens, the materiality requirements should be minimally complex and don't require reinventing the wheel.
