GRC: Be Connected! – Risk Management
9 February 2021 – Cyber Security Coalition
GRC: Be Connected! about risk management
Zero risk does not exist, least of all in IT. Risk management is therefore a must, but also quite a challenge. The second webinar in the GRC: Be Connected! series – an initiative of the Cyber Security Coalition (CSC), ISACA Belgium and the Solvay Brussels School of Economics & Management – once again took a very practical point of view on this hot topic.
Peter Debasse, Group CISO KBC Group & chair of the CSC Governance Risk Compliance (GRC) focus group, kicked off the seminar with a broad overview of all aspects of risk management. Starting with ‘why risk management’, the reasons range from the growing threat of attacks to mandatory regulations. He also identified the numerous internal stakeholders in a company, including the active lines of defence (up to board level), each of which needs monitoring. The scope of risk management must map the risks onto the control universe, structured by means of standards and frameworks down to hands-on controls. The process starts from the context, moves through identification of risks, analysis and action, and ends with monitoring. This also includes risk/maturity assessment (how to reach the target) and compliance checks (be prepared). Complex? Indeed: it is a collection of interconnected processes. Companies will strive to digitize risk management, starting from the initial phase of acquiring fundamental skills and tools, with a qualitative outcome. Later, aspects can be automated, which requires additional automation skills and keeping a grip on the quality of data from multiple sources. Ultimately, the digitalization of risk management can result in real-time analysis of aggregated data, supported by data science skills, with a predictive outcome. Clearly, people will appreciate a helping hand while going through all these phases, so Peter Debasse welcomes new members in the GRC focus group.
Dina Quraishi, Risk Management Leader, followed up on this overview by drilling down into specific building blocks of risk management. She illustrated the interconnectedness of all these blocks with the neat metaphor of the interplay between musicians and specialists in an orchestra. Getting the essentials right means understanding the importance of each company’s context, and adapting risk management to the specific constraints of that company. Beware of tools if you don’t understand their output, and do communicate with other stakeholders. An interesting tip for risk managers: apply risk assessment to your own processes, to check whether a particular approach makes sense. Go for standards (don’t re-invent the wheel), but do adapt them to your company. Discuss risk appetite and risk tolerance (two different things!). Provide for continuous improvement, as situations will change.
Of crucial importance is the attention you pay to your team, whether it is small or large. Create a community within the company, and look for outside cooperation. Balance in-house expertise with fresh views from newcomers.
The skilful Chief Risk Officer (CRO) combines professional expertise with the ability to communicate with other groups in the company, including executive and board level, and defends both the immediate and the long-term ROI of risk management. The CRO also knows how to time new measures and approaches.
Having acquired the necessary skills is fine, but proving you have them is better. Arnold Meyers, Information Risk Manager Argenta & Certification Director ISACA Belgium, pointed out the added value of certifications: for teams, through greater effectiveness thanks to more structured expertise; for individuals, through better job retention and improved personal marketability. He provided information about two ISACA certifications: Certified in Risk and Information Systems Control (CRISC) and the Certificate IT Risk Fundamentals. He also explained how to study for these certificates (e.g. ISACA Belgium boot camps), prepare for the exam, and apply for the certification. A final plus: you join a worldwide community of 158,000+ experts, of which 900+ are Belgian colleagues.