Common sense on cybersecurity

Today’s post contrasts two recent pieces.

PwC shared some very traditional thinking in Overseeing cyber risk: the board’s role.

It says volumes when their web page that links to the report has this:

Questions for directors and management about embedding cyber risk

  • Does the company employ multi-factor authentication on all accounts (including VPN access) to control access?
  • Who has responsibility for the company’s third-party risk management program?
  • Does the company engage in robust patching and vulnerability management?

These are hardly the first questions that should be asked!!

I prefer:

  • Where’s the risk to the business?
  • Is it acceptable?
  • What should we be doing about it?

While they say that we should “ensure cyber risk is embedded in strategic decisions – and the company’s culture”, they don’t explain how that should occur. How do you see the big picture, all the risks (including and not limited to cyber) and opportunities, to make an informed and intelligent decision?

They don’t even ask that management perform and then maintain a business impact analysis so they can start to answer my three questions.

Let’s toss that to one side, agree not to hire them, and consider the other piece.

Brian Barnier is one of the smartest people I know and a good friend[1]. Recently, he has been promoting design thinking as an approach for cybersecurity. You can see more at He also stresses that instead of considering cyber in a silo, you need to see it as part of a system. Critical thinking is the third part of his message. I recommend exploring his website fully. In December, Brian sat down with former Canadian Security Intelligence Service senior executive manager Dan Faughan to discuss cyber. But I want to focus instead on an interview in January.

Read more:

Leave a Reply

Your email address will not be published. Required fields are marked *