I thought I might post an actual Cyber Security / InfoSec thing for once.

"Visibility without consequences is not governance."

https://www.csoonline.com/article/4136995/boards-dont-need-cyber-metrics-they-need-risk-signals.html

This is a great article.

A large portion of my job is quantifying risk and turning it into numbers to help prioritize vulnerabilities, pen test findings, CNAPP reports, compliance failures, and misconfigurations. I use all kinds of values to calculate "a number" for each finding. I'll probably throw up my methodology on gist soon because I'd like feedback and ideas for how to make it better. Incidentally, is there a gist equivalent on Codeberg?

With that said, this article talks about all the things that "a number" cannot do and all the other important things the board and other stakeholders and decision makers at that level should know.

There are lots of quotable lines, but my favorite, the one I'd like on a T-shirt or hanging on posters in every break room is: "Visibility without consequences is not governance."

It's important because we run up against it time and time again. A business line WONTFIX so they get an exception for X months (or years). That number no longer counts against them. As my boss likes to joke, "we'll just tell the malicious actors we have an exception and ask them not to exploit it." That doesn't work. It hides risk. But when all you care about is "a number" then fixing that number becomes the goal, not fixing the underlying risk.

Again, this is a good article. Read it. Agree with it. Gnash your teeth that you can't do the things it suggests and that your board would never go for it. Or, more likely, your board will never know this is an option because the C-level execs are too terrified of rocking the boat.

#InfoSec #Metrics #GRC #CyberSecurity #VulnerabilityMetrics #ITRisk #ITRiskManagement #ITSecurity #CyberRisk #CyberRiskManagement

Boards don’t need cyber metrics — they need risk signals

Security teams have learned to measure activity. The harder task is turning those measurements into signals directors can use to govern risk.

CSO Online

Microsoft attributes recent Windows 11 boot failures to devices left in an unstable state after failed December 2025 security updates.

Applying later updates on those systems resulted in boot errors, despite no active exploitation being reported. The issue appears limited to physical devices, with investigations still underway.

What safeguards do you use to validate update rollbacks?

Follow TechNadu for clear and unbiased security reporting.

Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-links-windows-11-boot-failures-to-failed-december-2025-update/

#Microsoft #Windows11 #PatchManagement #EndpointSecurity #ITRisk #SystemIntegrity #InfoSec

How secure is your infrastructure? F5 Networks just released critical patches after a major breach. If your network stack isn't on alert, it should be.

#CyberSecurity #ITRisk #EnterpriseTech https://zurl.co/ODllR

Too often, companies focus on the price of security tools instead of the actual risks they face. This results in overspending on the wrong solutions while leaving critical vulnerabilities unaddressed.

Dive into our guide to find out why risk assessment matters, what makes up your risk landscape, and how organizations can take a more structured approach to identifying and prioritizing their greatest threats. ⬇️

https://bit.ly/4ix6PWx

#IT #ITrisk #cybersecurity

The Jam Session🎙️- Ctrl+Alt+Deceive: The Art of the Digital Dupe
🤴🏾It’s not just Nigerian princes anymore.

WHERE: LIVE on InsightJam.com
WHEN: Friday, July 11th, 10:00 MDT | Noon EDT
FEATURING: Carlin Dornbusch, CISSP, Laura Harder, CISSP, CIPM, & Mike Pedrick

🎸Join the Insight Jam platform for FREE and watch LIVE: https://insightjam.com/share/M2hAd6Gh4wQgxjBP

#CyberSecurity #InfoSec #ITRisk #SecurityAwareness #DataProtection
#DigitalTrust #CyberThreats #PhishingScams #CyberHygiene #HumanFirewall

The Arts Council of Ireland has written off €5.3m on ‘substandard work’ and an IT system that was ‘not fit for purpose’ while artists try to make ends meet. This has to be the beginning of real change, writes Toner Quinn.
https://journalofmusic.com/opinion/arts-council-s-rte-moment-and-serious-change-must-follow

#ArtsCouncil #ArtsCouncilIreland #ITRisk #projectmanagement #ITfailure #JournalOfMusic

https://www.postofficescandal.uk/post/proposed-amendment-to-legal-assumption-about-the-reliability-of-computers/

UK: Proposed amendment to legal presumption about the reliability of computers

Long campaign by Stephen Mason, one of the keynote speakers at #eusprig 2024.
#itrisk #postmaster #horizon #scandal
@EuSpRIG

Proposed amendment to legal presumption about the reliability of computers

Houses of Parliament, taken on 26 Nov 2024 I am grateful to the journalist Tom Webb, who specialises in data protection, for alerting me to an amendment to the Data (Use and Access) Bill, currently…

Post Office Scandal

https://www.education-ni.gov.uk/news/department-education-statement-data-breach
"An email issued on 1 August 2024 to 174 individuals who had registered interest for an event about the End-to End Review of Special #Educational Needs (SEN). #Attached in #error
was a #spreadsheet containing the names, email address and titles of 407 individuals who had registered an interest in attending End-to End Review of SEN events across #Northern #Ireland.
Follow us on X @Education_NI"

@EuSpRIG
#databreach #itrisk

Department of Education statement on data breach

Education Minister Paul Givan said: "My Department is currently investigating the circumstances surrounding a data breach, which occurred on 1 August

Education

In our hyperconnected world, hackers or wars are not needed to bring the economy to a standstill. A simple software update or two is sufficient.
#itrisk #itgovernance #updatemanagement
https://edition.cnn.com/business/live-news/global-outage-intl-hnk/index.html
Airlines and businesses struggle to recover following global tech outage

Global IT outages have impacted airlines, banks and businesses, which are scrambling to respond.

CNN

@EuSpRIG programme 4-5 July London contd

Exploring Higher #Education #Competencies through Spreadsheet Self-#Assessment and Time. Maria Csernoch, U. Debrecen

Subject integration with spreadsheets: Ignoring education is the greatest risk ever
Mária Csernoch et al.

Prospects for using #Generative #AI to Create #Spreadsheet #Models, Prof. Thomas Grossman, USFCA

#Eusprig #risk #ITrisk

https://eusprig2024.eventbrite.co.uk
https://www.eusprig.org https://groups.io/g/eusprig/ https://x.com/@eusprig

EuSpRIG 2024 Annual Conference: Spreadsheet Productivity and Risks

Join us at EuSpRIG 2024 for insights on boosting your spreadsheet skills while managing risks - it's gonna be epic!

Eventbrite