[Reading time: 17 seconds]

Cyber security is not about IT. It’s about risk management.

So, here’s my rough-and-ready “Introduction to Risk Management”:


1. Risk management involves:

  • Identifying,
  • Assessing,
  • Prioritising, and only then
  • Treating risks.


2. Treating a risk involves:

  • Avoiding it,
  • Accepting it,
  • Transferring it, and/or
  • Reducing it.


3. Reducing a risk involves identifying and implementing the most effective ways to reduce:

  • The likelihood of the risk becoming a reality, and/or
  • The impact if the risk became a reality.


What’s my point?

If you ever feel like cyber security is some sort of magic…

It’s not.

It’s just risk management.


So what?

Before we rush into addressing the latest cyber security risk, we need to make sure it has gone through the full risk management process.

Otherwise, we may end up addressing the latest risks…

rather than the highest-priority ones.