Infosec Stoic

Giving a talk at ATLSecCon on Thursday April 9 at 3pm. The thesis: cybersecurity is always and everywhere a risk management function.

Frameworks, certs, Bodies of Knowledge — everyone has an answer to how we should do security. But ask "what are we actually trying to accomplish?" and things get quieter.

Rick Howard's formulation: reduce the probability of a material cyber event in the next business cycle. Not perfect security. Not audit compliance. Risk.

Come tell me I'm wrong.

#cybersecurity #riskmanagement #ATLSecCon