14 Sep
Does a Risk Management approach work in Cybersecurity?
I was recently with a client discussing their cyber risks and what main risks we were going to focus on.
"And your top 5 information security risks are risks 1, 2, 3, 4, 5."
He then said to me, "What about the other risks?"
I said, "Well, in X industry, these risks have the highest probability of affecting you, so most of our mitigations will be covering the top 5 on the list."
He then said, "But it's probably one of the other risks that will end up catching us out."
And I secretly agreed with him. So, does this risk management approach work when it comes to cybersecurity?