Comment by pas

2 months ago

Can you please explain what is the wrong approach and how it would be correct/good?

I am speaking from the perspective of someone who has been running cybersecurity for 30 years in very large companies. It will be different from smaller-sized entities, where both the risk landscape and the capabilities differ.

This is really a two-layered approach: you need to have a mechanism to manage your processes, and a real-life risk assessment. This last part is usually what fails most because there are not many people who can build a comprehensive risk analysis.

The problem with risk analysis is that you either have consultants who read books about risk but never operationally managed cybersecurity (and they provide "high level" risks which are useless without the "low level" part), or tech people who understand their part very well and see it as the most important. Having a very good CISO is what helps.

This CISO should also have politico-socialo-whatever leverage to make things happen. Put them in a position where their words are not the words of god and you fail immediately.

A large company is absolutely not homogeneous - as opposed to what reports will state. There is usually a core that is well known, and then 10 or 100 tentacles of semi-controlled systems where bad things happen. This blindness to the reality of the company is what hits the hardest.

How to manage a complex system is not for an HN comment; this requires time, resources and know-how. And leverage.