Steve Durbin, Managing Director, Information Security Forum Ltd.
The chief risk officer, Nathan, put it plainly to CEO Tom: “To say that
cybersecurity presents complex challenges is an understatement. The
scope of risk to sensitive information has grown exponentially during
the twenty-first century. Those risks not only involve technical factors,
but human, cultural, and legal factors, as well as economics. Of course,
the profession of cybersecurity has struggled to grow in tandem with these
challenges. But nobody has the resources to ensure complete data security.
Figuring out where security investments are justified requires a sophisticated
understanding of the risk landscape.”
THE LANDSCAPE OF RISK
Hardly a day goes by when the evening news does not include a report
about a major institution reluctantly announcing that its files have been
hacked. The stories tend to follow a familiar pattern: expressions of official
regret, attempts at reassurance, and pledges to do whatever is required to
prevent a recurrence.
Attacks on institutional and corporate databases have become the new
normal. A generation of workers comfortable with information sharing has
also grown accustomed to its negative consequences. The capabilities of
cybercriminals continue advancing at an alarming pace. And the losses associated
with major data attacks, which run into the millions, are increasingly
seen as just another cost of doing business.
At the same time, however, there is a growing understanding of those
consequences. A movement has followed in the leadership ranks of both business and
government agencies to manage cyber risks more effectively and to improve the
resilience of the security tools already in place. This is a welcome
development because, until fairly recently, most senior managers and board
members regarded cybersecurity as essentially a technical problem for their IT
departments—not as an existential issue requiring greater investment as well as
the engagement of personnel throughout the organization. That said,
some of the issues really do involve the organization’s network technology.
Technology flaws—whether in design, encryption, event logging or software
malfunction—create opportunities for attackers to infiltrate an organization’s
technical infrastructure. Understanding and realistically assessing
the vulnerabilities of an organization’s system components is essential. But it
is people, far more than technology, who present the greatest risks.
(Extract from Chapter 7: Identifying, Analyzing, and Evaluating Cyber Risks, by Steve Durbin, Managing Director ISF).