Defining security risk appetite statements for a Financial Services client
Working with the Security and Risk functions of a Financial Services client, we defined a series of security risk appetite statements with varying degrees of criticality. For example: “We have zero appetite for customer detriment due to cyber risk.” This statement enabled the team to design metrics such as the number of databases containing customer personal information that are not protected by encryption technology.
324 turned the detailed metric set into project requirements for embedding into the change process. The higher-level metrics were reported to the Board as a single dashboard.
Over time, senior management was able to see the progress towards improving their control over pre-defined areas of cyber risk, without getting lost in technical detail.