I thought I might post an actual Cyber Security / InfoSec thing for once.
"Visibility without consequences is not governance."
https://www.csoonline.com/article/4136995/boards-dont-need-cyber-metrics-they-need-risk-signals.html
This is a great article.
A large portion of my job is quantifying risk and turning it into numbers to help prioritize vulnerabilities, pen test findings, CNAPP reports, compliance failures, and misconfigurations. I use all kinds of values to calculate "a number" for each finding. I'll probably throw up my methodology on gist soon because I'd like feedback and ideas for how to make it better. Incidentally, is there a gist equivalent on Codeberg?
With that said, this article talks about all the things that "a number" cannot do and all the other important things the board and other stakeholders and decision makers at that level should know.
There are lots of quotable lines, but my favorite, the one I'd like on a T-shirt or hanging on posters in every break room is: "Visibility without consequences is not governance."
It's important because we run up against it time and time again. A business line WONTFIXes something, so they get an exception for X months (or years). That number no longer counts against them. As my boss likes to joke, "we'll just tell the malicious actors we have an exception and ask them not to exploit it." That doesn't work. It hides risk. But when all you care about is "a number," then fixing that number becomes the goal, not fixing the underlying risk.
Again, this is a good article. Read it. Agree with it. Gnash your teeth that you can't do the things it suggests and that your board would never go for it. Or, more likely, your board will never know this is an option because the C-level execs are too terrified of rocking the boat.
#InfoSec #Metrics #GRC #CyberSecurity #VulnerabilityMetrics #ITRisk #ITRiskManagement #ITSecurity #CyberRisk #CyberRiskManagement