How to Make a Cyber Risk Scorecard That Wins Hearts and Minds
Oct 31 Pre-SIMPLY CYBERCON #GRC Workshop
Nov 1 update: That's a wrap! Here's a link to the recording: https://www.youtube.com/live/mQls1c6IKow
🗓️📺️ Tune into www.youtube.com/@SimplyCyberCon a day early on Oct 31 at 12:30 PM ET to learn how to make a scorecard like this:
To improve cyber risk communication like this:
Using tools like this:
NIST Cybersecurity Framework Profiles
Cyber Risk Management Action Plan capability scoring and process steps
Excel Tables, Slicers, Pivot Tables, Charts, Power Query
Fabric, an open source framework for augmenting humans with AI
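As an added illustration (not the workshop's own spreadsheet, and not code from Simply Cyber or CPA to Cybersecurity), the Python below does in code what the Excel pivot table does in the workshop: it rolls a Current Profile's per-subcategory capability scores up to the six CSF 2.0 Functions and ranks the largest gaps to the Target Profile into a top-five list. The 0-4 capability scale, the 1-5 business-impact rating and the "gap times impact" ranking are assumptions made for this example; the subcategory IDs follow CSF 2.0 naming, but every score in the sample profile is constructed.

```python
"""Added example: a minimal NIST CSF 2.0 scorecard built from a Current Profile.

Assumptions (not from the workshop): subcategory capability scores on a 0-4
scale, a 1-5 business-impact rating, and risk ranked by (target - current) * impact.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The six CSF 2.0 Functions, in CSF order.
FUNCTIONS = {"GV": "Govern", "ID": "Identify", "PR": "Protect",
             "DE": "Detect", "RS": "Respond", "RC": "Recover"}
MAX_SCORE = 4  # assumed 0-4 capability scale


@dataclass(frozen=True)
class Row:
    subcategory: str  # CSF 2.0 subcategory ID, e.g. "PR.AA-01"
    current: int      # Current Profile capability score (assumed 0-4)
    target: int       # Target Profile capability score (assumed 0-4)
    impact: int       # assumed 1-5 business impact if the outcome is not achieved


# Constructed sample data: IDs follow CSF 2.0 naming, the numbers are made up.
SAMPLE_PROFILE: List[Row] = [
    Row("GV.OC-01", 3, 4, 3), Row("GV.RM-01", 2, 4, 4),
    Row("ID.AM-01", 1, 4, 5), Row("ID.RA-01", 2, 3, 4),
    Row("PR.AA-01", 2, 4, 5), Row("PR.DS-01", 3, 4, 4),
    Row("PR.PS-01", 1, 3, 4), Row("PR.AT-01", 4, 4, 3),
    Row("DE.CM-01", 1, 4, 5), Row("DE.AE-02", 2, 3, 3),
    Row("RS.MA-01", 3, 4, 4), Row("RS.AN-03", 2, 3, 2),
    Row("RC.RP-01", 1, 4, 5),
]


def function_of(subcategory: str) -> str:
    """'PR.AA-01' -> 'PR'; rejects IDs that do not start with a CSF Function."""
    fn = subcategory.split(".", 1)[0]
    if fn not in FUNCTIONS:
        raise ValueError(f"unknown CSF Function in {subcategory!r}")
    return fn


def validate(rows: List[Row]) -> None:
    """Reject out-of-range scores; a pivot table would silently average them."""
    for r in rows:
        function_of(r.subcategory)
        if not (0 <= r.current <= MAX_SCORE and 0 <= r.target <= MAX_SCORE):
            raise ValueError(f"{r.subcategory}: scores must be 0-{MAX_SCORE}")
        if not 1 <= r.impact <= 5:
            raise ValueError(f"{r.subcategory}: impact must be 1-5")


def scorecard(rows: List[Row]) -> Dict[str, dict]:
    """Roll subcategory scores up to per-Function averages (the pivot-table step)."""
    validate(rows)
    buckets: Dict[str, List[Row]] = defaultdict(list)
    for r in rows:
        buckets[function_of(r.subcategory)].append(r)
    card: Dict[str, dict] = {}
    for fn, name in FUNCTIONS.items():  # keep CSF order, even for empty Functions
        group = buckets.get(fn, [])
        if not group:
            card[fn] = {"name": name, "n": 0, "current": None, "target": None, "gap": None}
            continue
        cur = sum(r.current for r in group) / len(group)
        tgt = sum(r.target for r in group) / len(group)
        card[fn] = {"name": name, "n": len(group), "current": round(cur, 2),
                    "target": round(tgt, 2), "gap": round(tgt - cur, 2)}
    return card


def top_risks(rows: List[Row], n: int = 5) -> List[Tuple[str, int]]:
    """Rank subcategories by (target - current) * impact; ties broken by ID."""
    validate(rows)
    scored = [(r, (r.target - r.current) * r.impact) for r in rows if r.target > r.current]
    scored.sort(key=lambda t: (-t[1], t[0].subcategory))
    return [(r.subcategory, score) for r, score in scored[:n]]


def render(rows: List[Row]) -> str:
    """Plain-text scorecard: one line per Function, then the top-five list."""
    lines = [f"{'Function':<10}{'Current':>8}{'Target':>8}{'Gap':>6}"]
    for c in scorecard(rows).values():
        if c["n"] == 0:
            lines.append(f"{c['name']:<10}{'n/a':>8}{'n/a':>8}{'n/a':>6}")
        else:
            lines.append(f"{c['name']:<10}{c['current']:>8.2f}{c['target']:>8.2f}{c['gap']:>6.2f}")
    lines.append("")
    lines.append("Top cyber risks (gap x impact):")
    for i, (sub, score) in enumerate(top_risks(rows), 1):
        lines.append(f"{i}. {sub} (score {score})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_PROFILE))
```

The validation step is the check worth keeping when the real thing lives in Excel: a pivot table will happily average a "5" typed into a 0-4 column, and the Function-level score that goes to leadership will be wrong without anyone noticing. Breaking ties by subcategory ID keeps the top-five list reproducible from one interview round to the next.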
Know Your Cybersecurity Framework Current Profile and Top 5 Cyber Risks?
So What, What’s Next?!
Agenda
Preamble
Thanks for being here
Views expressed are my own
30-45 mins at a brisk pace to cover all of the material
If we run out of time and you have a question that doesn’t get answered:
We can continue the conversation asynchronously (I’ll be outside 9-5) on SimplyCYBERCON Discord
@cpatocybersecurity
Let’s elevate our skills, methods and mindset to advance cyber risk reduction
👉️ Link to the Spreadsheet we develop in this workshop: https://docs.google.com/spreadsheets/d/11I65SXAXhMhz4qBAq5T8fSgnTXbI5z9A/edit?usp=drive_link&ouid=102206236113995310098&rtpof=true&sd=true
Simply Cyber Values
🤝INCLUSION: Create an environment where everyone feels welcome.
🌱SUPPORT: Promote a safe space for learning and growth.
💎VALUE DELIVERY: Deliver high quality services with exceptional value.
📚 EMPOWERMENT: Equip individuals with knowledge and skills.
👥 COLLABORATION: Foster and seek collective wisdom and cooperation.
🎉 PASSION FOR SUCCESS: Take joy in community success
⚖️ INTEGRITY: Decisions are made for the benefit of the community
TeamSC, LET'S GO!
NIST Cybersecurity Framework 2.0 Primer
🤔 What Problems Does the NIST CSF Help Solve?
Bottom line:
Cybersecurity risk continues to increase, with no signs of slowing down
Costs of cybersecurity risk continue to grow
🔄 Reasonable and Repeatable Cybersecurity Practices
⚙️ Take a Systematic Approach: “Rinse and Repeat”
“Just like everything else in GRC, rinse and repeat! I hate to make it sound so uncool, or whatever, but this is the deal.
This is how you become a baller GRC Analyst: by understanding what these [CSF subcategories] are asking and being able to convey an example.”
Cyber Risk Management Action Plan (CR-MAP)
NIST CSF tells us what to do; CR-MAP is how to do it.
📋The Five Questions
Once you have created your cyber risk management action plan, you should be able to confidently answer the following five questions:
🔝 What are the top five cyber risks to my organization?
💰️Am I getting the biggest return possible for my cyber risk management dollars?
👔 Do all our organization’s executives and leaders understand our cybersecurity plans?
⚠️ Does everyone at work know how they can help to mitigate our top cyber risks?
🗣️ What do I tell our biggest customers or stakeholders when they ask, “What are you all doing about cybersecurity?”
👣 CR-MAP Steps
👀 Step 1: Widen Your Scope
| People | Process | Management | Technology |
|---|---|---|---|
| Employee cyber risk awareness; adherence to cybersecurity practices | Effectiveness of established procedures and protocols | Leadership commitment; oversight | Robustness of the technological systems and infrastructure |
💙 🧠 Step 2: Get Buy-In: “Winning Hearts and Minds”
Change is Hard. Here Are 4 Steps to Gain Buy-In:
👥 Step 3: Select Interviewees
The “Cyber Risk Experts” across key departments such as Finance, HR, Operations and IT