7-7-2023 by Gilbert van Zeijl
I like the guidance documents from the UK National Cyber Security Centre (NCSC.gov.uk). They are pragmatic and guide the different stakeholders—for example, Cyber Security Toolkit for Boards.
Their toolkit is divided into three sections, and I would like to zoom in on section 2, as it showcases the use of Risk Model Canvas.
Section two is about the business context of cyber threats and risks. Ask the IT department for the critical assets in the organization, and you will probably get a long list, or they will return the question with a Business Impact Analysis. The way the IT department thinks about assets is mostly not aligned with the board's line of thinking.
This is why we promote Risk Model Canvas, as it enables the board to think about assets, risks, and threats in their usual business context. Within Risk Model Canvas, the critical assets are easily found in the left-hand blocks ‘Key Partners,’ ‘Key Activities,’ and ‘Key Resources’ (the blue blocks).
Using Risk Model Canvas will result in a board-level view of critical assets, threats, and risks in a much-appreciated one-page format. The IT and Security departments need a more detailed view of these aspects, but they can refine the result of Risk Model Canvas to meet their needs. The added value is the much-needed management involvement, an aspect many security professionals struggle with.