I recently discussed the link between cyber security and risk management.

Let’s delve a little further into this.


Your cyber security efforts should involve:

  • Identifying and assessing the cyber security risks to which your firm is exposed, and then
  • Treating the risks of most concern.


Treating a risk could involve:

  • Avoiding,
  • Accepting,
  • Transferring, and/or
  • Mitigating (aka reducing) the risk.


Reducing a cyber security risk could impact your…

  • Policies and Processes, and/or
  • People, and/or
  • Technology


What’s my point?

Take a look back at the steps from start to finish.

Where does “technology” get mentioned?


So what?

If we try to manage cyber security risk by focusing on technology rather than risk reduction:

We may end up with lots of technology …

But very little risk reduction!


So what?

I’m not an accountant, but even I know that’s a pretty awful Return on Investment!