This morning, a diverse group of cybersecurity professionals gathered for a breakfast roundtable at The Exchange in Andaz Liverpool Street, London. The focus was the Cybersecurity Human Risk Management (CHRM) framework, kicking off a series of workshops. Attendees included representatives from BAE, Murphy Group, The University of the Arts London, Wawanesa Insurance, KPMG, and OutThink.
Key discussions covered:
- Human Risk Management Challenges: Sharing insights and innovative strategies.
- CHRM Framework Review: Examining its maturity model with industry input.
- Measuring Cyber-Risk: Assessing personnel exposure and calculating ROI for security programs.
- Engaging Non-Security Staff: Encouraging broader ownership of cybersecurity issues.
Key Takeaways on Metrics:
- Simplicity Matters: Use straightforward metrics like completion rates and phishing click rates for better board understanding.
- Company-Wide Exposure: Focus on overall risk exposure for a clearer picture.
- Identify Hotspots: Target critical areas where risks concentrate for effective action.
- Promote Awareness: Implement visual reminders, such as displaying days since the last incident.
Business Case for CHRM:
- Risk Valuation: Utilize models like Monte Carlo simulations to estimate the cost of potential cyber incidents.
- Revenue Impact: Assess how poor cyber hygiene affects company revenue to highlight the importance of investment.
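The two items above (a Monte Carlo estimate of incident cost and an ROI figure for the board) and the phishing click-rate metric from the earlier list can be tied together in a few dozen lines. The following is an added illustration, not material from the roundtable or from any participant's toolkit: it assumes a Poisson frequency model driven by the click rate and a lognormal cost-per-incident model calibrated from a median and a 90th-percentile cost, and all the figures (headcount, lure volume, click rates, costs, programme price) are constructed for the example.

```python
"""Constructed Monte Carlo model: annual loss from phishing-driven incidents and the
ROI of a human-risk programme that lowers the click rate (stdlib only)."""
import math
import random
from dataclasses import dataclass


@dataclass
class PhishingExposure:
    """Assumed inputs: how often staff are phished and how often a click becomes an incident."""
    headcount: int
    lures_per_user_per_year: float
    click_rate: float               # fraction of delivered lures that get clicked
    compromise_given_click: float   # fraction of clicks that turn into a real incident

    def incident_rate(self) -> float:
        """Expected incidents per year; used as the Poisson rate in the simulation."""
        return (self.headcount * self.lures_per_user_per_year
                * self.click_rate * self.compromise_given_click)


@dataclass
class IncidentSeverity:
    """Assumed lognormal cost-per-incident model, calibrated from a median and a p90 cost."""
    median_cost: float
    p90_cost: float

    def params(self):
        mu = math.log(self.median_cost)
        sigma = math.log(self.p90_cost / self.median_cost) / 1.2816  # z-score of the 90th percentile
        return mu, sigma

    def mean_cost(self) -> float:
        mu, sigma = self.params()
        return math.exp(mu + sigma * sigma / 2)   # lognormal mean


def click_rate(clicks: int, delivered: int) -> float:
    """The simple board-level metric from the roundtable; 0.0 when nothing was delivered."""
    return clicks / delivered if delivered else 0.0


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; fine for the modest rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(exposure: PhishingExposure, severity: IncidentSeverity,
                         trials: int = 20000, seed: int = 1) -> list:
    """One trial = one simulated year: draw the incident count, then a cost per incident."""
    rng = random.Random(seed)
    lam = exposure.incident_rate()
    mu, sigma = severity.params()
    losses = []
    for _ in range(trials):
        n = poisson(rng, lam)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return losses


def summarize(losses: list) -> dict:
    """Mean, median and 95th percentile of the simulated annual loss."""
    s = sorted(losses)

    def pct(q: float) -> float:
        return s[min(len(s) - 1, int(q * len(s)))]

    return {"mean": sum(s) / len(s), "p50": pct(0.5), "p95": pct(0.95)}


def expected_annual_loss(exposure: PhishingExposure, severity: IncidentSeverity) -> float:
    """Closed-form expectation (rate x mean cost), useful as a sanity check on the simulation."""
    return exposure.incident_rate() * severity.mean_cost()


def programme_roi(baseline_mean: float, reduced_mean: float, programme_cost: float) -> float:
    """(avoided loss - programme cost) / programme cost."""
    return (baseline_mean - reduced_mean - programme_cost) / programme_cost


if __name__ == "__main__":
    # Constructed figures: 2,000 staff, four lures each per year, 8% click rate, 5% of clicks
    # become incidents; incident cost median 20k with a 90th percentile of 100k.
    baseline = PhishingExposure(2000, 4.0, click_rate(160, 2000), 0.05)
    severity = IncidentSeverity(20000.0, 100000.0)
    base = summarize(simulate_annual_loss(baseline, severity))
    # Assumed programme outcome: click rate falls to 3% for a 60k annual spend.
    improved = PhishingExposure(2000, 4.0, 0.03, 0.05)
    after = summarize(simulate_annual_loss(improved, severity))
    print("baseline:", {k: round(v) for k, v in base.items()})
    print("with programme:", {k: round(v) for k, v in after.items()})
    print("ROI:", round(programme_roi(base["mean"], after["mean"], 60000.0), 2))
```

The p95 figure is the one to put beside the mean when presenting to a board: the mean answers "what does this cost us in a typical year", the p95 answers "how bad is a bad year", and the gap between the two is why a single average understates exposure.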
Major Challenge:
Engaging all employees, from the board to line workers, remains difficult. Many do not grasp the importance of security, leading to repeated breaches even after earlier incidents.