5 out of the 5 most common mistakes that companies make when it comes to risk management and security

– and how to go about it!

Yan Knudtskov Nielsen

In the last blog posts we’ve been sharing the most common mistakes we see in companies when it comes to risk management and security. Did you miss the other posts? Find them here: [1/5], [2/5], [3/5] and [4/5].

The last common mistake I often see is:

# 5: Top management doesn’t understand the value of security initiatives

There are several reasons for this. First of all, the cost of security is unconnected to the business and therefore not appreciated by top management. This is a big mistake. As I have mentioned before, security initiatives need to be an integrated part of the business. Thus, security and risk management have to be connected to the overall strategy of the company, and top management needs to understand that a lack of security can have huge consequences for the business.

There is something called organisational culture, and this must be cultivated from the bottom to the top, and however vague or abstract it may seem, it is the responsibility of the management team to do this cultivation. One starting point would be to instill what might be referred to as the risk and security mindset. Read more about measuring this culture and the mindsets needed in relation to risk, compliance and security here.

Read the rest of the common mistakes here:
https://elberling.uk/1-out-of-the-5-most-common-mistakes
https://elberling.uk/2-out-of-the-5-most-common-mistakes
https://elberling.uk/3-out-of-the-5-most-common-mistakes...

4 out of the 5 most common mistakes that companies make when it comes to risk management and security

– and how to go about it!

Yan Knudtskov Nielsen

(Follow our LinkedIn page to make sure you don’t miss out)

The 4th mistake when it comes to security and risk management in companies is the common assumption that security is only within IT.

Security is often addressed from the technical point of view only, missing people, awareness, discipline and behaviour. Security is about covering the entire organisation. That’s why I often ask: what’s most valuable to you in the organisation? That’s where you need to start.

We need a broader understanding of the term security, and it simply has to be an integrated part of the business, not just of IT. Build your security framework on the basis of compliance and risk – but understand that you need the bigger picture. If not, it’s just expensive and in the way.

You can find the other common mistakes here:
1st common mistake: Lack of or inadequate dialogue between the business and IT
2nd common mistake: Inadequate risk management
3rd common mistake: Compliance is something from another...

3 out of the 5 most common mistakes that companies make when it comes to risk management and security

– and how to go about it!

Yan Knudtskov Nielsen

(Follow our LinkedIn page to make sure you don’t miss out)

Here comes the third most common mistake in our series.

# 3: Compliance is something from another planet

Many people simply don’t get compliance. They think it’s all about law, and they think it’s something very complicated. But actually, it can be broken down into smaller pieces in order to identify when expert help is needed and when it’s not.

Another common mistake when it comes to compliance is lack of accountability. Often I find teams that are actually in compliance but are failing to prove it with the right level of documentation, which is a sad reason to fail compliance. The only way to go about this is to stay updated and insist on getting help from professionals, which is especially difficult in a large company with many different parts of compliance to take into account.

Read more in our blog post: Why Compliance isn’t just about...

2 out of the 5 most common mistakes that companies make when it comes to risk management and security

– and how to go about it!

Yan Knudtskov Nielsen

We’re sharing the 5 most common mistakes we encounter in companies. (Follow our LinkedIn page to make sure you don’t miss out)

Here is the second mistake I often see.

# 2: Inadequate risk management

The second mistake I often see in companies is inadequate risk management, meaning that they believe they have got it all covered, but actually that’s far from the truth. What they are missing is the bigger picture. There is an old joke about surgery: “The operation was successful, but the patient died”, which seems to underpin my point. Let me give you a few examples:

People may be aware of risk management when it comes to projects – but not the entire lifecycle of the product. Projects tend to focus on delivering on time and on cost instead of delivering a solid product – what happens if the product isn’t good enough?

Many people seem to have trouble relating to risks that are not visible when looking at past events. This tends to end a bit like when someone refuses to wear a seatbelt because he or she has never had an incident where it came in handy. So apparently it must be a waste of time.

A real-life example is the case of Berlin Airport. Berlin Airport was supposed to be Europe’s most modern and futuristic airport and was intended to handle 27 million passengers a year. The project, however, ended up being a huge embarrassment and a very costly one for several reasons. One of the big issues concerned the fire alarms, which failed...

1 out of 5: The most common mistakes companies make regarding risk management and security

Yan Knudtskov Nielsen

In the following posts we’ll share the 5 most common mistakes that companies make when it comes to risk management and security – and how to go about it! (Follow our LinkedIn page to make sure you don’t miss out)

# 1: Lack of or inadequate dialogue between the business and IT

This is a classic mistake. The IT department is so focused on making tech-savvy solutions that it forgets to link them to the actual business, which in the worst case can end up killing the business.

At one point I was working in a company where the IT department had to move a system from one country to another over a weekend. The product owner of the system contacted us desperately, saying that there was no way we could do that. It turned out that even on weekends he had a huge number of customers and transactions, meaning that it would have huge consequences business-wise.

What you can do

The IT department had no idea about this. And that’s why we need dialogue. Dialogue about business impact analysis, volume of business, etc. You can create a questionnaire in order to understand the business and the consequences. If you want to learn how to include the business in the overall processes related to IT, you may want to take a look at COBIT (Control Objectives for Information and Related Technology Standards), which is a best practice for governance and...