We’ve previously discussed the importance of risk management, and the challenges that come from approaching risk through large-scale frameworks. According to an abstract framework, many organizations aren’t necessarily equipped to mobilize far-ranging risk assessments.
Here, we’ll discuss a compromise to combine the best of both worlds: standards-based risk management.
In our previous article, we discussed the concept of risk management–what it is and why it’s important.
However, risk management in cybersecurity isn’t new, and many organizations are working towards normalizing risk as an approach for comprehensive cybersecurity and compliance efforts.
While this move is a good one, we also find that many organizations will over-rely on frameworks as an end-all, be-all approach to security, which can prove more confusing than helpful.
With the Department of Defense unveiling CMMC version 2.0 last November, many contractors breathed a sigh of relief. The relaxed assessment requirements and streamlined structure signaled a willingness from the DoD to work with assessors and contractors to find a way to promote security over Controlled Unclassified Information (CUI) without making the process harder than it needed to be.