
Definitely wise - you're more of a veteran here than I am. And of course that's the standard any company/analyst should shoot for.

I'm curious how policy will shape anything outside of that standard, however. Because for a company, that philosophy (full mitigation is not the goal, risk acceptance is) is sufficient. But for civil function, it stops a little short. It's unacceptable at the policy level if major banks go offline for 48 hours - or if traffic lights stop working on major roads - or if the hospitals go offline.

I don't have a solution, either - I'm just pointing out that when cybersecurity is talked about, it really isn't understood from this perspective. Really, all we can do is mitigate risk, BUT, there will be a time where all these vectors will be utilized (hopefully not) and when/if that happens, people will debate how we got there. It's a near-impossible thing to avoid.


Risk management still gives you the correct answers, even for civil concerns.

Let's break down what it really means to apply risk management to strategy and actions:

You think through potential outcomes of security breaches, and plot them on a likelihood/consequence grid. Then you put a lot of energy into high likelihood, high consequence items to move those concerns down on one or both of those axes, or to have detailed mitigation plans in place if there are items that truly cannot be moved.

When that is done, you move on to the 2 quadrants that require more strategic thought - high likelihood/low impact and low likelihood/high impact. Personally, I try to come up with mitigation plans for low likelihood/high impact, while trying to move the needle down on the high likelihood/low impact concerns.

If you get all that done, you either have corrected or mitigated everything other than low likelihood/low impact, and you are likely in a "good enough" state, where you can breathe a bit easier and just work on incremental improvements.

All that being said, corporate vs. civil doesn't change your process - what it changes is the "impact" axis. Different data, same approach.
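The grid and work order described in this comment, as an added illustration that is not part of the thread: a small Python risk register that places each scenario on the likelihood/consequence grid, assigns the action the comment suggests for that quadrant, and orders the work. The scenarios, scores and the 1-5 scale are constructed assumptions; the two impact tables show the comment's closing point that swapping the corporate impact axis for a civil one changes the data, not the method.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed example of the likelihood/consequence grid described in the thread.
# Scores are qualitative, 1 (lowest) to 5 (highest); a score of HIGH or more
# counts as "high" on that axis. The scenarios and numbers are hypothetical.
HIGH = 3

HH = "high-likelihood/high-impact"
LH = "low-likelihood/high-impact"
HL = "high-likelihood/low-impact"
LL = "low-likelihood/low-impact"


@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: int        # 1 (rare) .. 5 (almost certain)
    movable: bool = True   # False: cannot realistically be moved on either axis


SCENARIOS: List[Scenario] = [
    Scenario("phishing-led credential theft", likelihood=5),
    Scenario("core banking services offline for 48 hours", likelihood=2),
    Scenario("traffic signal controller compromise", likelihood=2),
    Scenario("marketing site defacement", likelihood=4),
    Scenario("insider data exfiltration", likelihood=3),
    Scenario("regional power grid failure", likelihood=3, movable=False),
]

# The same scenarios scored on two different impact axes: what a company loses
# versus what the public loses. Same grid, different data.
CORPORATE_IMPACT: Dict[str, int] = {
    "phishing-led credential theft": 3,
    "core banking services offline for 48 hours": 3,
    "traffic signal controller compromise": 1,
    "marketing site defacement": 2,
    "insider data exfiltration": 4,
    "regional power grid failure": 4,
}
CIVIL_IMPACT: Dict[str, int] = {
    "phishing-led credential theft": 2,
    "core banking services offline for 48 hours": 5,
    "traffic signal controller compromise": 5,
    "marketing site defacement": 1,
    "insider data exfiltration": 3,
    "regional power grid failure": 5,
}

# Work order from the thread: high/high first, then the two strategic
# quadrants, then accept the rest and improve incrementally.
WORK_ORDER = {HH: 0, LH: 1, HL: 2, LL: 3}
DEFAULT_ACTION = {
    HH: "reduce likelihood and/or impact now",
    LH: "prepare a detailed mitigation/contingency plan",
    HL: "move the likelihood down",
    LL: "accept; incremental improvement",
}


def quadrant(likelihood: int, impact: int) -> str:
    """Place one scenario on the 2x2 grid."""
    high_l, high_i = likelihood >= HIGH, impact >= HIGH
    if high_l and high_i:
        return HH
    if high_i:
        return LH
    if high_l:
        return HL
    return LL


def plan(scenarios: List[Scenario], impact_of: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """Return (scenario, quadrant, action) ordered by quadrant work order,
    then by likelihood x impact (descending), then by name."""
    rows = []
    for s in scenarios:
        impact = impact_of[s.name]
        q = quadrant(s.likelihood, impact)
        action = DEFAULT_ACTION[q]
        if q == HH and not s.movable:
            # Items that truly cannot be moved get a detailed mitigation plan instead.
            action = "detailed mitigation plan (cannot be moved)"
        rows.append((WORK_ORDER[q], -(s.likelihood * impact), s.name, q, action))
    rows.sort()
    return [(name, q, action) for _, _, name, q, action in rows]


if __name__ == "__main__":
    for lens, impact_of in (("corporate", CORPORATE_IMPACT), ("civil", CIVIL_IMPACT)):
        print(f"== {lens} lens ==")
        for name, q, action in plan(SCENARIOS, impact_of):
            print(f"{name:45} {q:30} {action}")
```

Running it shows the shift the comment describes: under the corporate impact table the credential-theft and insider scenarios lead the list, while under the civil table the grid failure, bank outage and traffic-signal scenarios move to the front even though their likelihood scores never changed.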

