Risk is much more than a report shown to the board every quarter. It’s a major point of discussion for any CISO regardless of industry, and not just on the mitigation side. The ability to effectively assess risk is a critical part of any program – but it has to be done realistically.
Risk is an inherently organization-specific aspect of security because it is tied directly to what matters to the business. This makes it very difficult to establish any sort of baseline: even two organizations in the same industry can have very different risk registers and tolerances. Take two banks, for instance. One serves a large number of clients of average wealth; the other manages a few clients of enormous wealth. While they are technically in the same industry, their priorities differ, and so do their risk registers and tolerances. This is why it is difficult to define an effective blanket risk framework. Here are some of the many challenges that arise when creating a risk program: