Risk Management Strategy

The NIST Cybersecurity Framework prescribes that you have a risk management strategy. I find this to be something that is present in more mature organizations that have been working on risk management for a while. Essentially, it means that your organization has decided which risk management processes will be in place, and everybody knows and understands what those processes are. The stakeholders within your organization agree on them and participate in making sure they are in place and being followed.

An organization at that level of risk management maturity will know and understand its risk tolerance. I find this to be pretty rare today. People are not able to articulate what level of risk they are willing to accept for their organization, or what they are doing to manage it and keep it below that acceptable level.

So this is a conversation to have after you have gone through the foundational work of establishing your risk assessment: once the organization really understands why you are doing risk assessment and how you are doing it, and is familiar with reviewing the results of your assessments. Then it is time to talk about things like risk tolerance and how you are going to manage risk on a day-to-day basis to keep it where you expect it to be.

So continue on your journey and mature in these practices; the NIST Cybersecurity Framework can be an excellent guide to support you in that. It provides tools and resources to help you establish your risk management strategy.