There are few buzz phrases in IT risk and security today with as much clout as “Zero Trust” and “Digital Twins”. Both represent significant departures from legacy practices that comprise much of the planning, design, and activity of current IT risk and security programs for many organizations, large and small alike. In a past posting[…]
There is a whole category of threats to cyber risk and security often ignored despite its potential to impose catastrophic disruption and damage—business interruption! We attend to human malice in many forms, and its diverse efforts to gain unauthorized access to secure information, capture control of devices and systems, or perform all kinds of mischief[…]
Overview“It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security. The Federal Government must lead by example.”[1] So states the Executive Order (EO) on Improving The Nation’s Cybersecurity! Noble by intent, and certainly appropriate, it has not[…]
Summertime, and the living is, once again, easy—sort of. Just a few summers ago these were the days of occasional remote work, long weekends, holidays, vacations, and for some companies, shortened “summer hours”. As our work routines have made the separation of office, work, and personal time a fluid continuum, our risk perimeter and footprint[…]
Once upon a time…Some of us, those with mostly grey hair, more or less, may recall days without mobile phones, notebook computers, or even desktop devices. I know, I know, and we were all chased by dinosaurs to school, uphill, both ways, while hauling bookbags bursting with textbooks and homework, in blizzards…I get it. But[…]
There are lessons to be learned from the Colonial Pipeline ransomware attack. Panic is not one of them—it will yield no improvement nor progress for any situation. The event does strongly highlight how much more attention we need to pay to cyber risk now than past efforts demonstrate. The details of this ransomware incident are[…]
Some Risk Managers rely upon reported findings from internal risk assessments as the primary source of risk data in their Third Party Risk Management (TPRM) programs. Too often this approach generalizes over time from a primary to an exclusive source. That’s a missed opportunity to leverage value from other contributors to your operations, by incorporating[…]
This month, I’m going to depart a bit from the independent discussions of IT risk and cybersecurity to explore some of the specific ways this blog’s host, DoubleCheck Software, provides tools, resources, and value to companies working to manage their supply chain and partner risk—TPRM (Third Party Risk Management). The DoubleCheck GRC offers a platform[…]
If your company relies upon software from any third party, (and frankly today is there any organization that doesn’t) there is a third-party risk out there you are probably ignoring. It’s unlikely you wrote your own internet browser, or email system, word processor, or spreadsheet programs, or network management systems. It’s equally unlikely you are[…]
Third Party Risk Management (TPRM) is often viewed as a linear process. This is a misunderstanding of the actions that in total represent the processes involved. First, it’s a continuous system, renewing itself in different cycles and frequencies, depending upon the risk level of the third party’s service, and the practices of procurement; second, its[…]
