Excerpt from GARP.org
Budgeting and other decision-making improve when cyber and other risks are measured in a common way.
By David X Martin
Managing cyber security risks requires three lines of defense.
The first is to prevent cyber incidents from occurring and to protect the organization. This is the responsibility of everyone in the organization, and especially of the technology and information security departments.
The second line of defense is independent oversight to ensure that risks are actively and appropriately managed. Those who are most intimately involved in cyber security may occasionally miss things because they’re in the trenches every day. An independent reviewer provides an objective perspective – a fresh pair of eyes, if you will.
The third line of cyber security defense is the audit function, which periodically tests the policies and controls that are in place.
The evolution of cyber risk management into an effective oversight role has been hampered by most organizations’ inability to organize, to classify and, most importantly, to measure cyber risks in the way all other risks are handled.
I would argue that the quantification of cyber security risk can and does bring a number of additional improvements, several of them significant.