Organizations Deal With Cyber Risks Emotionally

Story Link: https://www.fairinstitute.org/blog/the-risk-therapist-on-your-team-when-its-time-for-an-intervention

Far too often managing cyber risk comes down to emotions. Sadly, this makes for unclear guidance and instability for the security teams working to achieve and maintain controls that should meet the organizations risk-appetite goals. Resources are not focused on the right areas and long-term risks go unaddressed. But it does not need to be that way. When measuring risk, the key is consistency and comprehensiveness. Risk management frameworks establish the structure to accomplish both. Otherwise, executives look at various measures, charts, and news stories that fuel fear and promote very narrow viewpoints. This often results in chaotic and snap decisions focused on short term threats. Well managed security organizations are methodical in the measures and metrics they use to consistently evaluate the most relevant aspects across their domain in support of justifiable decisions that are less subject to Fear, Uncertainty, and Doubt (FUD).

So, find a framework that works and get away from emotion-based risk management.