Should risk quantification frameworks be more widely adopted?

Anonymous Author
The prevalence of cybersecurity issues in New Zealand right now comes down to a lack of risk modeling from the governance committees and boards involved. Recently, the Waikato district health board has been suffering a ransomware attack. As a result, they have been completely offline as they go through it, along with their core hospital—which together are responsible for about 500K people across the country—plus all their satellite hospitals and clinics. My gut tells me they have not done any modeling or risk analysis leading into that. And as a result, they haven't invested in the right area. I'm definitely seeing NIST come through. ISO is still a standard that's been held up in some areas, but NIST is the predominant one, it's just not widespread enough in New Zealand for me to say that I sleep well at night knowing that everyone's got a handle on cyber risk.
1 upvotes
Anonymous Author
Frameworks are important, but we have to stick to one. People get confused between ratings—what do Scorecard and BitSight do, what does CyberGRX do with third-party risk, what does RiskRecon do as a FAIR model, and how do all those compare to what you can put together internally on spreadsheets? It's all over the map. It's an issue if technology leaders cannot talk about risk ratings, because we're rating vulnerabilities and how they'd create an inherited risk for operations, which is different than looking at the various models. I see a lot of confusion, and the word risk is played quite a bit as the frameworks get dragged in. Do you write into a FAIR model, or NIST, or your own? Where do you fit in this overall risk registry from a governance, risk, and compliance (GRC) perspective?
0 upvotes