The Four Corners of Risk

Manu Magalhães
1 min read · Jul 24, 2024


Who would have thought? Something interesting came up on LinkedIn a few weeks ago. Andy Ellis analysed the four corners of the Risk Assessment Matrix from a CISO’s point of view, and I’m posting a TL;DR so I can easily retrieve the information.

Ellis suggests that each of the four corners should be handled differently, with the following approach:

Litter: Automate away.
Hygiene: Automatically identified, with remediation scheduled post-haste.
Incidents: (mostly) take care of themselves — no need to tell people to prioritise.
Programs: Get processes in place and change technology, processes, or organisations to handle complex risk.

He also argues that security teams should be, but aren’t, focusing on “Program” types of issues, and leaves a nice nugget:

All of those should have robust processes to ensure they happen; if they don’t, the problem isn’t the pile of litter or hygiene; the problem is the lack of mature processes in the organization.
(…) Security teams spend all their time nagging other teams to do their jobs safely — are we the Karens of the organization? — instead of challenging organizations to behave appropriately.

A nice idea to think about. Check Ellis’ full post here.
