Achieving cybersecurity: building on a foundation of risk control
The most advanced organizations are moving from a "maturity-based" to a "risk-based" approach to managing cyberrisk.
This article describes in detail how they are doing it.
Top managers at most companies recognize cyberrisk as an essential topic on their agendas. Worldwide, boards and executive leaders want to know how well cyberrisk is being managed in their organizations. In more advanced regions and sectors, leaders demand, given years of significant cybersecurity investment, that programs also prove their value in risk-reducing terms. Regulators are challenging the levels of enterprise resilience that companies claim to have attained. And nearly everyone—business executives, regulators, customers, and the general public—agrees that cyberrisk is serious and calls for constant attention (Exhibit 1).
What, exactly, organizations should do is a more difficult question. This article advances a "risk-based" approach to cybersecurity: to decrease enterprise risk, leaders must identify and focus on the specific elements of cyberrisk to target. More specifically, the many components of cyberrisk must be understood and prioritized so that enterprise cybersecurity efforts are directed at the ones that matter most. While this approach to cybersecurity is complex, best practices for achieving it are emerging.
To understand the approach, a few definitions are in order. First, our perspective is that cyberrisk is "only" another kind of operational risk. That is, cyberrisk refers to the potential for business losses of all kinds—financial, reputational, operational, productivity-related, and regulatory-related—in the digital domain. Cyberrisk can also cause losses in the physical domain, such as damage to operational equipment. But it is important to stress that cyberrisk is a form of business risk.