5 Must Read Books to Jumpstart Your Career in Risk Management

FAIR Institute blog by Isaiah McGowan


What are the must-have resources for people new to operational and cyber risk? This list outlines what books I would recommend to a new analyst or manager.

They’re not ranked by which book is best. Instead, I list them in the recommended reading order. Let’s take a look at the list.

#1 – The Failure of Risk Management: Why It’s Broken and How to Fix It (Douglas Hubbard)

In The Failure of Risk Management, Hubbard highlights flaws in the common approaches to risk management. His solutions are as simple as they are elegant. (Spoiler alert: the answer is quantitative risk analysis). The Failure of Risk Management shows up as #1 because it sets the tone for the others in the list. First, understand the problems. With the common problems in mind you can identify them on a regular basis. The next book provides approaches to modeling the problem.

#2 – Measuring and Managing Information Risk: A FAIR Approach (Jack Jones & Jack Freund)

In Measuring and Managing Information Risk, the authors communicate a high volume of foundational knowledge. The authors outline the FAIR-based approach to measuring and managing risk. They tackle critical concepts often overlooked or taken for granted by risk practitioners.

With that foundation in place, they move on to the FAIR approach to risk analysis. Finally, they lay out foundational concepts for risk management.

This book is not an advanced perspective on analyzing or managing risk. Instead, it provides a systemic solution to our problems.

Books #1 and #2 lay the foundation to understand the common risk management and analysis problems. They also provide approaches for solving those problems. The next two books are critical to improving the execution of these approaches.

#3 – Superforecasting: The Art and Science of Prediction (Philip Tetlock & Dan Gardner)

We require Superforecasting. Risk analysis is always about forecasting future loss (frequency and magnitude). As practitioners, it is critical to learn the problems with forecasting. Knowing is half the battle. Superforecasting takes the audience through the battlefield by offering a process for improvement.

If there is one book you could read out of order, it is Superforecasting. Yet, it shows up at #3 because it will hammer home forecasting as a skill once the other books open your eyes.

#4 – Expert Political Judgment: How Good Is It? How Can We Know? (Philip Tetlock)

Yes, another book by Tetlock appears in our list. Published first, tackled second. His work in understanding forecasting is tremendously valuable. Superforecasting builds on the research that resulted in publishing Expert Political Judgment.

Tetlock seeks to improve the reader’s ability to identify and understand errors of judgment. If we improve this skill, we will improve our ability to evaluate expert inputs in risk management.

#5 – Thinking, Fast and Slow (Daniel Kahneman)

Rounding out the list is Thinking, Fast and Slow. Improving your understanding of thinking in general is the next best step. Take the time to read this book. Peel out nuggets of wisdom before tackling more advanced risk management and analysis concepts.

There it is…

This is my go-to list of 5. I recite it to anyone who has made or will make the leap into risk management and analysis. These books will set the foundation for thinking about risk. They will also push you down a path towards improving your skills beyond your peers.
What books would you have in your top 5? How does your mileage vary?



Why you should care about ISO 22301?


Business Continuity is the term now used for the strategies and planning by which an organization prepares to respond to catastrophic events such as fires, floods, cyber-attacks, or more common human errors and accidents.

A Business Continuity Management System (BCMS) puts such a program in the context of an ISO Management System, and ISO 22301:2012 sets a certifiable standard for a BCMS. It is the first and most recognized international standard for business continuity.

Several other standards, particularly BS 25999, have had wide international acceptance; however, they are now largely supplanted by ISO 22301.
The obvious benefits to an organization having a robust, mature business continuity program have been outlined in this Newsletter previously (April, 2015). They center on being able to respond to disruptions so an organization stays in business and meets its obligations and commitments to all stakeholders.
However, there are additional ways that an organization can benefit from adhering to a business continuity standard, particularly ISO 22301. These benefits can accrue from obtaining certification to the Standard, and also from formally aligning to the Standard without actual certification.
For more on additional benefits: So, why should you care about 22301?

Steps in ISO 22301 implementation are the following:
1. Obtain management support
2. Identify all applicable requirements
3. Develop top-level Business Continuity Policy and objectives
4. Write documents that support the management system
5. Perform risk assessment and treatment
6. Perform business impact analysis
7. Develop business continuity strategy
8. Write the business continuity plan(s)
9. Implement training and awareness programs
10. Maintain the documentation
11. Perform exercising and testing
12. Perform post-incident reviews
13. Communicate continuously with the interested parties
14. Measure and evaluate the BCMS
15. Perform internal audit
16. Implement all the necessary corrective and preventive actions, and
17. Perform the management review


Information Security Expertise Bundle


If you’re just starting a new job in information security, you’ve just finished your university degree, or you’re looking for the next step in your career but not sure which direction to take, try this…

Information Security Expertise Bundle

Designed to help you develop your knowledge and understanding of key information security topics, this collection of best-selling titles will help you learn more about open source intelligence techniques, penetration testing, information security best practices, and how to succeed in the industry.

The bundle includes:

• Information Security – A Practical Guide
• The Tao of Open Source Intelligence
• The Security Consultant’s Handbook
• Penetration Testing: Protecting Networks and Systems

»» Buy now Information Security Expertise Bundle


Fundamentals of Information Risk Management Auditing


An introductory guide to information risk management auditing, giving an interesting and useful insight into the risks and controls/mitigations that you may encounter when performing or managing an audit of information risk. Case studies and chapter summaries impart expert guidance to provide the best grounding in information risk available for risk managers and non-specialists alike.

For any modern business to thrive, it must assess, control, and audit the risks it faces in a manner appropriate to its risk appetite. As information-based risks and threats continue to proliferate, it is essential that they are addressed as an integral component of your enterprise’s risk management strategy, not in isolation. They must be identified, documented, assessed, and managed, and assigned to risk owners so that they can be mitigated and audited.

Fundamentals of Information Risk Management Auditing provides insight and guidance on this practice for those considering a career in information risk management, and an introduction for non-specialists, such as those managing technical specialists.

Book overview

Fundamentals of Information Risk Management Auditing – An Introduction for Managers and Auditors has four main parts:

  • What is risk and why is it important? An introduction to general risk management and information risk.
  • Introduction to general IS and management risks: An overview of general information security controls, and controls over the operation and management of information security, plus risks and controls for the confidentiality, integrity, and availability of information.
  • Introduction to application controls: An introduction to application controls, the controls built into systems to ensure that they process data accurately and completely.
  • Life as an information risk management specialist/auditor: A guide for those considering, or undergoing, a career in information risk management.


Each chapter contains an overview of the risks and controls that you may encounter when performing an audit of information risk, together with suggested mitigation approaches based on those risks and controls.

Chapter summaries provide an overview of the salient points for easy reference, and case studies illustrate how those points are relevant to businesses.

The book concludes with an examination of the skills and qualifications necessary for an information risk management auditor, an overview of typical job responsibilities, and an examination of the professional and ethical standards that an information risk auditor should adhere to.

Topics covered

Fundamentals of Information Risk Management Auditing covers, among other subjects, the three lines of defense; change management; service management; disaster planning; frameworks and approaches, including Agile, COBIT®5, CRAMM, PRINCE2®, ITIL®, and PMBOK; international standards, including ISO 31000, ISO 27001, ISO 22301, and ISO 38500; the UK Government’s Cyber Essentials scheme; IT security controls; and application controls.

Download your copy of Fundamentals of Information Risk Management Auditing


Top US Undergraduate Computer Science Programs Skip Cybersecurity Classes

By Kelly Jackson Higgins

New study reveals that none of the top 10 US university computer science and engineering program degrees requires students take a cybersecurity course.

There’s the cybersecurity skills gap, but a new study shows there’s also a major cybersecurity education gap — in the top US undergraduate computer science and engineering programs.

An analysis of the top 121 US university computer science and engineering programs found that none of the top 10 requires students take a cybersecurity class for their degree in computer science, and three of the top 10 don’t offer any cybersecurity courses at all. The higher-education gap in cybersecurity comes amid the backdrop of some 200,000 unfilled IT security jobs in the US, and an increasing sense of urgency for organizations to hire security talent as cybercrime and cyber espionage threats escalate.

Robert Thomas, CEO of CloudPassage, whose company conducted the study, says the security gap in traditional computer science programs is worrisome, albeit not too surprising. “The results were pretty profound,” Thomas says. “When we tested the top universities’ computer science degrees, it was disturbing to find that very few require any kind of cybersecurity [instruction] as part of the curriculum to graduate” with a computer science degree, he says.

With IT security departments scrambling to fill positions, Thomas says CloudPassage wanted to gauge how universities are preparing computer science graduates for the cybersecurity job market. “Universities have a responsibility to start moving … to [address] bigger problems in security,” he says.

Graduate-level cybersecurity programs are emerging, such as those of Carnegie Mellon, the University of Maryland-Baltimore County, and the University of South Florida, but the study was focused on undergrad computer science programs and their integration with cybersecurity. The universities in the study were based on rankings from US News & World Report, Business Insider, and QS World of the top schools in the field.

The University of Michigan, which is ranked 12th among US computer science programs by US News & World Report, is the only university in the top 36 that requires computer science students take a cybersecurity course, CloudPassage’s study found. Among the top 10, there are three universities that don’t offer cybersecurity courses as electives, either.

Michigan (#11 in Business Insider’s Top 50 US computer science schools), Brigham Young (#48 in that rankings list), and Colorado State (#49), are the only top comp sci programs that require at least one cybersecurity class for a degree.

Among the universities in the study offering the most cybersecurity electives in their computer science programs are Rochester Institute of Technology (10 security elective courses) which is in the top 50 of Business Insider’s list; Tuskegee University (10); DePaul University (9); University of Maryland (8); University of Houston (7); Pace University (6); California Polytechnic State University (5); Cornell University (5); Harvard University (5); and Johns Hopkins University (5).

Meanwhile, the University of Alabama, which is not ranked by either US News & World Report or Business Insider as a top comp sci program, was the only university that requires three or more cybersecurity courses, the study found.

A lack of awareness about cybersecurity among college-age students is another element of the education-gap equation. A recent study by Raytheon and the National Cyber Security Alliance found that millennials worldwide just aren’t entering the cybersecurity field, mainly due to lack of awareness of just what security careers entail. Half of women ages 18 to 26 say they don’t have cybersecurity programs and activities available to them, and 40% of men in that age bracket say the same. Nearly half of millennial men aren’t aware of what cybersecurity jobs entail.

ISC2, a nonprofit that offers cybersecurity certifications, has tracked the lack of higher-education programs in cybersecurity. Over the past two years, ISC2 via its International Academic Program has offered cybersecurity classroom materials and other services for colleges to use in their curriculum, as well as for faculty training. The goal of the program is to beef up cybersecurity content in the curriculum.

“If you look across the total number of colleges, a very small percentage have a cybersecurity curriculum,” says David Shearer, CEO of ISC2. “Many have not had the money or time or skills to develop cybersecurity programs.”

Shearer says ISC2 is working to fill those gaps with its academic outreach program. “If there’s not a formal education for kids once they get to universities, we [the US] haven’t accomplished a whole lot,” he says.



Awareness Gap

Aside from the top computer science programs not offering or requiring cybersecurity courses, many computer science graduates just aren’t aware of the opportunities in the cybersecurity field. Many are drawn to computer science because they’re interested in writing new applications to solve problems in their areas of interest. Coding is considered “cool,” security experts say, while security is seen as a hindrance to application development, for example.

ISC2’s Shearer says cybersecurity gets a bad rap sometimes in application development, and security is seen as mainly about strong passwords and patches, for instance. “They don’t see it as exciting, intriguing work, but they should,” he says. “With greater awareness and education in this area [cybersecurity], today’s youth could see things like hacking as an interesting area they’d want to learn about.”

CloudPassage, meanwhile, also is reaching out to universities: it announced today that it will offer free CloudPassage Halo security-as-a-service platform accounts to US computer science programs as well as instructional templates, tutorials, and support. “They can use our infrastructure and products as an illustration, to get some experience,” CloudPassage’s Thomas says.


25 Years of Information Security

Opening theme video from RSA Conference 2016 – #RSA2016

Observations from the 2016 RSA Conference


Top 10 Open Source Web Testing Tools


by Arif Majeed

Web testing tools are used to find bugs or errors in a website before it is officially launched to the public. Many such tools are available on the web nowadays, and some are free. Here is a list of the finest web testing tools available in the open source market right now. These tools will not only help you identify the bugs and errors in your website before you launch it publicly but also save you the time of finding a suitable open source web testing tool.


The Grinder

The Grinder is a Java load testing framework that makes it easy to run distributed tests using many load injector machines.
You can easily find this tool on the web. Its key features are a generic approach (it can test anything that has a Java API), flexible scripting (test scripts are written in the powerful Jython and Clojure languages), a distributed framework (it allows you to control and monitor multiple load injectors), and HTTP support (automatic management of cookies and client connections).


Multi-Mechanize

This is an open source framework for performance and load testing. Multi-Mechanize runs concurrent Python scripts to generate load (synthetic transactions) against a remote site or service. This open source tool helps you programmatically create test scripts that simulate virtual user activity. The scripts then generate HTTP requests to intelligently navigate a web site.


Capybara

If you want to simplify the process of integration testing, Capybara is the best solution for you. This open source tool helps to simulate how an actual user would interact with a web application. It is agnostic about the driver running your tests and comes with Rack::Test and Selenium support built in. WebKit is supported through an external gem.


JMeter

JMeter is open source software specifically designed for testing functional behavior and measuring performance. It is used to test performance on both static and dynamic resources (such as PHP, Java, files, Perl scripts, databases and queries, FTP servers and others). It can be used to simulate a heavy load on a server, group of servers, network or object to test its strength or to analyze overall performance under different load types.


Selenium

Selenium is a suite that includes Selenium WebDriver, Selenium IDE, Selenium Grid, and Selenium Remote Control, which together help to test web applications. Selenium supports some of the largest web browsers, such as Firefox, IE, Safari, Opera, and Chrome, and allows you to record, edit, and debug tests. It is also the core technology in countless other browser automation tools, APIs and frameworks.


Pylot

This is a free open source tool for testing the performance and scalability of web services. It runs HTTP load tests, which are useful for capacity planning, benchmarking, analysis, and system tuning. This tool is designed for developers, performance engineers and testers. To make full use of this open source tool, the developer or performance tester should have a good understanding of HTTP, XML, and performance testing. Some features of Pylot are HTTP and HTTPS (SSL) support, an execution/monitoring console, automatic cookie handling, response verification with regular expressions, cross-platform operation, real-time stats and more.


Webrat

Webrat is another open source tool which enables the developer to quickly write expressive and robust acceptance tests for a Ruby web application. It also supports frameworks like Merb, Rails and Sinatra. Webrat also supports the most popular test frameworks such as: Cucumber, RSpec, Test::Unit and Shoulda.


OpenSTA

Open System Testing Architecture (OpenSTA) is an open source tool which helps to perform scripted HTTP and HTTPS heavy load tests with performance measurements from Win32 platforms. The OpenSTA tools are designed for performance testing consultants or other technically proficient individuals. Results and statistics are collected during test runs by a variety of automatic and user-controlled mechanisms. These can include scripted timers, SNMP data, Windows Performance Monitor stats and HTTP results and timings. The tools are free of cost because they are licensed under the GPL (General Public License).


WebLOAD

The WebLOAD Open Source Load Generation Engine is an open source project sponsored by RadView Software. This project is intended for ISVs, SIs and software developers who need to integrate a professional load generation engine into their applications.





RSA 2016 feature presentations and keynotes


Excellence in the Field of Mathematics

The Cryptographers’ Panel

Crypto 101: Encryption, Codebreaking, SSL and Bitcoin

Beyond Encryption: Why We Can’t Come Together on Security and Privacy

Peek into the Future: Symantec

Ascending the Path to Better Security: Cisco

Louder Than Words: Intel Security

Trust in the Cloud in Tumultuous Times: Microsoft

The (Inevitable?) Decline of the Digital Age: Palo Alto

The Sleeper Awakes: RSA

Turning the Tables: HP

The Power of Storytelling: StoryCorps

Sean Penn at RSA2016


How should an organization deal with #ransomware?


by Stephen Northcutt

A question came up on the GIAC Advisory Board: “How should an organization deal with ransomware?”

One of the members, Alan Waggoner, gave a good answer. All posts to that mailing list are private, so this is reposted with his permission.

1. Get reliable, tested backups of everything that is important.
2. Talk to the managers about their risk acceptance. They probably don’t realize the potential damage and loss of productivity, data, and revenue they are facing. Point out downtime and cost to recover.
3. White-listing applications like Bit9/Carbon Black won’t be effective in an environment where any user can install any software they want.
4. Limited administrative access on local computers is excellent for most malware, but ransomware tends to run as the local user and doesn’t require elevated privileges.
5. Centralize management of your endpoint AV so you would get real time notification of malware detection. However, don’t count on it because it would be signature based and relatively easy to bypass.
6. Segment the network and data as much as possible. Focus on accounting and payroll. Those departments should not have a need for local admin rights or installing random software.
7. End user security awareness training should be mandatory, with periodic phishing tests.
8. Set up gateway based email filtering (block dangerous extensions) and web content/malware filtering.

There is a lot more to do, but the above list should be enough to keep you busy for the foreseeable future and put you and your company on a better path than they are on now.


10 Bestselling InfoSec eBooks of 2015


The top titles your peers have been reading this year

IT Governance Publishing (ITGP) publishes industry-leading titles on all aspects of IT governance, risk management, and compliance.

ITGP’s 2015 bestsellers will give you the knowledge you need to transform your working life in 2016. Browse through the top 10 below:


1) Web Application Security is a Stack
Understand the threat from web application attacks and learn how to defend your organization.

2) Two-Factor Authentication
Gain a comprehensive evaluation of popular secondary authentication methods.

3) Directing the Agile Organisation
Learn how to improve business adaptability, staff engagement, and quality for the benefit of your customers.

4) Running IT Like a Business
Learn the secrets of an award-winning IT function with this real-life IT transformation case study, authored by Accenture’s former COO.

“Very innovative and ground breaking, this is an excellent book.”

Jeffrey D. Klauer

5) ISO27001/ISO27002 – A Pocket Guide
Packed with practical advice, this indispensable pocket guide provides a useful overview of two important information security standards.

6) Agile Governance and Audit
Discover how to dramatically improve communication between the auditor and the Agile team, improving audit and project outcomes.

“So far this book is paying handsomely and it is making me look good already at my new job. Thanks Chris!”


7) An Introduction to Information Security and ISO27001:2013 – A Pocket Guide
The perfect introduction to the principles of information security management and ISO 27001:2013.

8) Nine Steps to Success – An ISO27001:2013 Implementation Overview
Learn the six secrets and nine steps that significantly increase your chances of getting ISO 27001 registered first time.

“It’s like having a $300/hr consultant at your elbow…”

Thomas F. Witwicki

9) ITIL Lifecycle Essentials
An official ITIL-licensed product, this book covers the entry-level ITIL Foundation syllabus and gives you a solid grounding in the key elements, concepts, and terminology used in the ITIL service lifecycle.

10) In Hindsight – A compendium of Business Continuity case studies
Learn from real life how and why to avoid business continuity disasters.

“…an interesting, thought provoking and stimulating collection of studies”


Available in:
Softcover – Adobe eBook – ePub – Kindle


Assessing Information Security

Assessing Information Security – Strategies, Tactics, Logic and Framework draws on the work of Clausewitz and Sun Tzu, and applies it to the understanding of information security that the authors have built up through their extensive experience in the field. The result is expert guidance on information security, underpinned by a profound understanding of human conflict.

Assessing Information Security – Strategies, Tactics, Logic and Framework, Second edition
  • Shows how to use principles of military strategy to defend against cyber attacks, enabling organizations to have a more structured response to malicious intrusions.
  • Explains the priorities for robust cybersecurity, helping readers to decide which security measures will be the most effective.
  • Buy today and discover how to integrate cybersecurity into your organization’s normal operations.


“Gives you new practical perspective and new way how to think about infosec, many views nicely packed in one book.” Ivan Kopacik

Building on the success of the first edition, this new edition covers the most recent developments in the threat landscape and the best-practice advice available in the latest version of ISO 27001:2013.


Product overview:

  1. Information Security Auditing and Strategy

  2. Security Auditing, Governance, Policies and Compliance

  3. Security Assessments Classification

  4. Advanced Pre-Assessment Planning

  5. Security Audit Strategies and Tactics

  6. Synthetic Evaluation of Risks

  7. Presenting the Outcome and Follow-Up Acts

  8. Reviewing Security Assessment Failures and Auditor Management Strategies

Available in: Softcover, Adobe eBook, ePub, Kindle

Buy today and discover how to integrate cyber security into your organisation’s everyday operations >>


Keep certification simple using ITGP’s toolkits


When implementing ISO management systems, most of us would like to:

  • get it right first time,
  • keep it as straightforward as possible,
  • be able to integrate the system with other frameworks,
  • reduce common errors that are made during the process, and
  • cut implementation costs where possible.


Implementing management systems has never been easier with ITGP’s toolkits

Authored by industry experts and used by over 4,000 organisations worldwide, ITGP’s toolkits will help you do all of the above and more.

Comprising pre-written templates, customisable worksheets, policies and helpful guidance, the documentation toolkits are perfect for organisations seeking certification, compliance and/or best-practice implementation.

View all toolkits >>


New York Stock Exchange cybersecurity guide recommends ISO 27001

by Neil Ford

The New York Stock Exchange (NYSE) has released a 355-page guide to cybersecurity (Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers), written by more than 80 individual contributors representing organizations including Booz Allen Hamilton, Dell SecureWorks, Georgia Institute of Technology, the Internet Security Alliance, Rackspace Inc., the US Department of Justice Cybersecurity Unit, Visa, Wells Fargo, and the World Economic Forum.

This ‘definitive guide’ collects “the expertise and experience of CEOs, CIOs, lawyers, forensic experts, consultants, academia, and current and former government officials”, and “contains practical and expert advice on a range of cybersecurity issues including compliance and breach avoidance, prevention and response.”

“No issue today has created more concern within corporate C-suites and boardrooms than cybersecurity risk.”

Tom Farley, President, New York Stock Exchange

Among the report’s many opinions is one that we at IT Governance have maintained for a long time: the recommendation that organizations align their cybersecurity program with “at least one standard… so progress and maturity can be measured. In determining which standard to use as a corporate guidepost, organizations should consider the comprehensiveness of the standard. […] ISO/IEC 27001… is a comprehensive standard and a good choice for any size of organization because it is respected globally and is the one most commonly mapped against other standards.”

All NYSE-listed company board members will receive a copy of the guide; if you are yet to receive your copy, it can be downloaded here >>

For more information on ISO 27001 and how it can help your organization with a best-practice cybersecurity posture, click here >>

“This is not simply an IT issue. It is a business problem of the highest level.”

Charles W. Scharf, CEO, Visa Inc.

ISO 27001 information security management

An information security management system (ISMS), as described by ISO 27001, provides a risk-based approach to information security that enables organizations of all sizes, sectors, and locations to mitigate the risks they face with appropriate controls. An ISMS addresses people, processes, and technology, providing an enterprise-wide approach to protecting information – in whatever form it is held – based on the specific threats the organization actually faces, thereby limiting the inadvertent threats posed by untrained staff, inadequate procedures, out-of-date software solutions, and more.

Priced from only $659, IT Governance’s ISO 27001 Packaged Solutions provide unique information security implementation resources for all organizations, whatever their size, budget, or preferred project approach. Combining standards, tools, books, training, and online consultancy and support, they allow all organizations to implement an ISMS with the minimum of disruption and difficulty.


Cyber crime costs the global economy $445 billion a year


A new report – A Guide to Cyber Risk: Managing the Impact of Increasing Interconnectivity – reveals that cyber crime costs the world $445 billion annually, with the top ten economies accounting for more than 50% of the costs. Since 2005 there have been 5,029 reported data breach incidents in the US alone, and at least 200 breaches in Europe involving 227 million records.

It is estimated that the average cost of a data breach is $3.8 million, which is up from $3.3 million a year earlier.


Source: A Guide to Cyber Risk: Managing the Impact of Increasing Interconnectivity, Allianz Global Corporate & Specialty (AGCS)

Cyber risks are underestimated

Published by Allianz Global Corporate & Specialty (AGCS), the report warns that “cyber risk is the risk most underestimated by businesses” and asserts that “everyone is a target”.

73% of respondents who took part in the Allianz Risk Barometer 2015 believe that underestimation of cyber risks is preventing companies from being better prepared for them. Other hindrances include budget constraints (59%), failure to analyze the problem (54%), IT infrastructure that is too sensitive for major changes (30%) and failure to identify the right personnel (10%).

The US shows higher levels of awareness of cyber risk due to having tougher legislation than other countries. The majority of US states require companies to notify individuals of a breach. Europe is heading in the same direction, with the European Union (EU) currently reviewing its data protection law and planning to introduce more stringent rules in terms of data breaches.

Data shows that cyber attacks are becoming more frequent and sophisticated. The number of detected cyber attacks was up by 48% in 2014 according to the Global State of Information Security Survey 2015.

In order to protect themselves from breaches, businesses should identify key assets at risk and make decisions as to what risks to accept, avoid, mitigate or transfer.

Future cyber risk trends

The AGCS report makes predictions that businesses will be increasingly exposed to risks from the supply chain and that we are yet to witness “a major cyber event of truly catastrophic proportions”.

Jens Krickhahn, practice leader, Cyber & Fidelity at AGCS Financial Lines Central & Eastern Europe, explains:

“Business exchanges with partners are increasingly electronic.

“Even if a company is confident in its own IT controls, it is still exposed to cyber risk through its business partners, contractors and supply chains.”

The Internet of Things (IoT) is seen as one of the biggest factors that will change the face of cyber threats leading to interconnected risks. It will exacerbate vulnerabilities, bringing increasing potential for physical loss and data breaches.

ISO 27001 and cyber risks

Management of information security risks is at the core of ISO 27001, the international standard that sets out the specifications of an information security management system (ISMS).

ISO 27001 requires compliant organizations to carry out risk assessments based on agreed criteria. The outcome of the risk assessment should enable the business to balance expenditure on controls against the business harm likely to result from security failures.

Download IT Governance’s free green paper, Risk Assessment and ISO 27001, to learn more about managing cyber risks.


North America has largest growth rate of ISO 27001 registrations

by Melanie Watson

North America is currently the fastest growing region in terms of ISO 27001 registrations, according to the ISO Survey 2014.

Now totalling 836 registrations, North America boasts an annual growth rate of 17.42% in 2014.

Other regions include the Middle East with a growth rate of 13.53%, Central and South Asia with 12.54%, Europe with 9.53%, East Asia and Pacific with 4.07%, Central/South America with 1.84% and Africa with a decline of 18.18%.

ISO 27001 – The CyberSecurity Standard

ISO 27001, the international cybersecurity standard, has long been regarded as the leading framework for implementing an information security management system (ISMS) that enables organizations to obtain an independent registration to prove their cybersecurity credentials.

In fact, the US has the ninth largest number of ISO 27001 registrations globally (664), moving up one place from last year.


ISO 27001 registration is often a supply chain requirement and, as such, can help organizations broaden their client base and supply chain network, while supporting business opportunities in international markets where the Standard is recognized.

Other ISO 27001 benefits include: enhanced reputation, increased stakeholder trust, meeting regulatory and compliance requirements, and improved internal processes.

Find out more about ISO 27001

More and more companies across North America have come to realise the benefits of implementing an ISO 27001-accredited information security management system, both in terms of improving security and gaining a competitive advantage.
