To address these risks, an extreme approach would be to remove all connections. The side effect would be a major loss of competitiveness and probable bankruptcy. It is therefore necessary to manage these risks wisely, putting in place adequate protections while leaving room for the company's operations and value creation.
The complexity of cybersecurity means that we cannot rely on common sense alone to manage security risks; systems and organizations have become far too complex for that. Implementing effective risk management requires deep thinking about how to structure a multi-phased response and how to lead the resulting changes.
Two approaches to managing cyber risks are often mentioned: the compliance approach and the risk approach. Setting them against each other would be wrong; they are complementary. And regardless of the approach and method used, the objective remains the same: to obtain information, to make informed choices, and to take action. Identifying risks or non-compliances is useless unless it leads to a choice and to action.
The following document presents both approaches, their pros and cons, and when each should be used.