Cyber risk is an enterprise risk. For example, APRA CPS 234 mandates that the Board of an APRA-regulated entity is ultimately responsible for the information security of the entity. The Board must ensure that the entity maintains information security in a manner commensurate with the size and extent of threats to its information assets, and which enables the continued sound operation of the entity. The draft NISTIR 8286 standard provides a roadmap for organizations looking to better align cyber risk management operations with an enterprise risk management function. The document has a strong focus on quantification of cyber events (in terms of economic impact) as the gold standard for aligning cyber and enterprise risk. The FAIR Institute is acknowledged as a contributor to the standard. This presentation will provide an overview of NISTIR 8286 and how to use the Open Group FAIR cyber risk quantification framework to evolve an organization's risk management maturity. Executives from the AISA and RMIA Sydney chapters will discuss the resources available to their members to learn more about this emerging topic.