Blame Poor or Missing Risk Assessments
Rick Howard, CSO, Palo Alto Networks
"One of the reasons the blame game exists in information security is that as a community, network defenders are horrible at assessing risk. The tendency is for network defenders to assess risk as either high, medium or low based on experience. But, if we are asked to defend our assessments by C-Level executives or board members, there usually is not a lot of precision underneath the first layer of spreadsheets.
"This is beginning to change though. At this year's Cybersecurity Canon Awards Ceremony, Jack Freund and Jack Jones were inducted into the Hall of Fame for their book: 'Measuring and Managing Information Risk: A FAIR Approach.' I believe this book is the future for the network defender community. It provides a methodology to assess risk with enough rigor that if a C-Level executive or board member asked for details about the assessment, the math behind the assessment is non-refutable."
Image Source: imsmartin / Palo Alto Networks
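To make the contrast between a high/medium/low label and an assessment with math behind it concrete, here is a small FAIR-style Monte Carlo simulation. It is an added example, not code from the article or from the Freund and Jones book: the scenario estimates are constructed, and the modelling choices (a PERT distribution for each calibrated min/most-likely/max estimate, a Poisson draw for the number of loss events in a year, loss event frequency = threat event frequency × vulnerability, loss magnitude = primary + secondary loss) are the author of this example's assumptions about how a FAIR analysis is commonly carried out, not a statement of what the book prescribes.

```python
import math
import random

# Constructed scenario estimates (illustrative only, not from the article or book).
# Each factor is a calibrated range: (minimum, most likely, maximum).
SCENARIO = {
    "threat_event_frequency": (0.5, 2.0, 6.0),        # threat events per year
    "vulnerability": (0.05, 0.20, 0.50),              # P(loss event | threat event)
    "primary_loss": (20_000, 150_000, 1_200_000),     # USD per loss event
    "secondary_loss": (0, 50_000, 2_000_000),         # USD per loss event (fines, churn)
}


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw one value from a modified PERT distribution on [low, high] peaked at mode.
    PERT is a common way to turn a min/most-likely/max estimate into a distribution
    (assumption of this example); it is built here from the standard-library beta variate."""
    if not low <= mode <= high:
        raise ValueError("estimate must satisfy low <= mode <= high")
    if high == low:
        return float(low)
    alpha = 1 + lam * (mode - low) / (high - low)
    beta = 1 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def poisson_sample(rng, rate):
    """Number of events in one year given an average annual rate (Knuth's method).
    Fine for the small rates used here; the loop length grows with the rate, so
    we refuse rates that would make it impractical."""
    if rate > 100:
        raise ValueError("rate too large for Knuth's method")
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_loss(rng, scenario):
    """One Monte Carlo trial: sample each FAIR factor, derive
    loss event frequency = TEF * vulnerability, draw how many loss events
    occur this year, and sum primary + secondary loss for each event."""
    tef = pert_sample(rng, *scenario["threat_event_frequency"])
    vuln = pert_sample(rng, *scenario["vulnerability"])
    lef = tef * vuln                      # expected loss events per year
    events = poisson_sample(rng, lef)
    total = 0.0
    for _ in range(events):
        total += pert_sample(rng, *scenario["primary_loss"])
        total += pert_sample(rng, *scenario["secondary_loss"])
    return total


def percentile(values, pct):
    """Nearest-rank percentile of a list of numbers (0 <= pct <= 100)."""
    ordered = sorted(values)
    idx = int(round(pct / 100 * (len(ordered) - 1)))
    return ordered[idx]


def run_analysis(scenario, trials=20_000, seed=7):
    """Run the simulation and return an annualized loss exposure summary that a
    board member can interrogate: mean, median and tail values, plus the raw samples."""
    rng = random.Random(seed)
    losses = [simulate_annual_loss(rng, scenario) for _ in range(trials)]
    return {
        "trials": trials,
        "mean": sum(losses) / trials,
        "p10": percentile(losses, 10),
        "p50": percentile(losses, 50),
        "p90": percentile(losses, 90),
        "p99": percentile(losses, 99),
        "max": max(losses),
        "losses": losses,
    }


if __name__ == "__main__":
    result = run_analysis(SCENARIO)
    print(f"Annualized loss exposure over {result['trials']} simulated years:")
    for key in ("mean", "p10", "p50", "p90", "p99", "max"):
        print(f"  {key:>4}: ${result[key]:,.0f}")
```

The point of the exercise is the second layer of the spreadsheet: every number in the output traces back to a named input range that a subject-matter expert supplied and can be challenged on, and the p90/p99 figures show the tail that a single "medium" label hides. Widen or narrow any of the input ranges and rerun to see which estimate the result is actually sensitive to.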