External References
Useful references on the topic of information security, cyber security and risk management.
Going through my favourites, with more to come.
What references are you using, and would you recommend?
Don’t hesitate to join us and share; it would be great to hear from you.
Risk Management
Every action we make or decision we take will contain a level of risk, and that's perfectly fine. The key is understanding these risks and taking the ones we can afford to take. This is called Risk Management.
Computer Security Resource Center (CSRC) at US NIST
The Computer Security Resource Center (CSRC) has information on many of NIST's cybersecurity- and information security-related projects, publications, news and events. CSRC supports people and organisations in government, industry, and academia—both in the U.S. and internationally.
Institute of Directors New Zealand - Cyber risk practice guide
Privacy
Office of the Privacy Commissioner New Zealand - Privacy Act 2020 and the Privacy Principles
The NIST Privacy Framework is a voluntary tool developed in collaboration with stakeholders intended to help organisations identify and manage privacy risks to build innovative products and services while protecting individuals’ privacy.
Cyber Security
US Cybersecurity & Infrastructure Security Agency (CISA)
CISA has a lot of excellent material. Here are some of the highlights.
CISA Cyber Essentials Toolkits
This is a set of modules designed to break down the CISA Cyber Essentials into bite-sized actions for IT and C-suite leadership.
Computer Security Resource Center (CSRC) at US NIST
The Computer Security Resource Center (CSRC) has information on many of NIST's cybersecurity- and information security-related projects, publications, news and events. CSRC supports people and organisations in government, industry, and academia—both in the U.S. and internationally.
The NIST Cybersecurity Framework 2.0 (Draft)
This is the public draft of the NIST CSF 2.0, which replaces version 1.1, a widely used cybersecurity framework.
Secure Development
OWASP, of course.
Incident Response
Reporting
Industry Reports
World Economic Forum (WEF) - Global Cybersecurity Outlook 2023
“Cyberattackers are more likely to focus on business disruption and reputational damage. These are the top two concerns among respondents.”
Verizon - Data Breach Investigation Report (DBIR)
“The three primary ways in which attackers access an organisation are stolen credentials, by far, phishing and exploitation of vulnerabilities.”
“82% of breaches involved the human element. Whether it is the Use of stolen credentials, Phishing, Misuse, or simply an Error, people continue to play a very large role in incidents and breaches alike.”
Blogs and Podcasts
Podcasts
The CISO Stories Podcast: Each week CISO Stories takes a deep dive into security leadership with one of the contributors to Todd Fitzgerald’s latest book, the best-selling CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers.
Risky.biz: Risky Business is a weekly cybersecurity news podcast. The show is hosted by Patrick Gray and Paul Vixie, who discuss the latest news and trends in cybersecurity. Risky Business is a great way to stay up-to-date on the latest threats and vulnerabilities.
Darknet Diaries: Darknet Diaries is a podcast that tells stories from the dark side of the internet. Each episode tells a true story about a hack, breach, or other cybercrime. The show is hosted by Jack Rhysider, who makes the stories informative and engaging, even for non-technical audiences.
CyberWire Daily: CyberWire Daily is a daily podcast that provides a roundup of the top cybersecurity news stories. The show is hosted by Dave Bittner, who does a great job of explaining the complex topics in a way that is easy to understand.
Hacking Humans: A weekly podcast that focuses on the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organisations around the world.
Malicious Life: Malicious Life is a podcast that tells the stories of cyberattacks, breaches, and other cybersecurity incidents. The show is hosted by Ran Levi, a cybersecurity expert and author. Malicious Life is more technical than Darknet Diaries but is still accessible to a general audience.
Smashing Security: Smashing Security is a weekly cybersecurity podcast hosted by Graham Cluley and Carole Theriault. The show covers various topics, including malware, phishing, social engineering, and cloud security. Smashing Security is a great podcast for both beginners and experienced cybersecurity professionals.
Blogs
Risky.Biz: Risky.Biz is a cybersecurity news and analysis website that was founded in 2007. The website is run by Patrick Gray, a cybersecurity journalist and author. It is an excellent resource for anyone who wants to stay up-to-date on the latest cybersecurity threats and trends. The website covers various topics, including malware, phishing, hacking, and data breaches.
Krebs on Security: Written by Brian Krebs, a former Washington Post reporter and cybersecurity expert, Krebs on Security is a must-read blog for anyone who wants to stay up-to-date on the latest cybersecurity threats and trends.
Schneier on Security: Written by Bruce Schneier, a world-renowned security technologist, Schneier on Security is another must-read blog for cybersecurity professionals and enthusiasts.
Graham Cluley: Written by Graham Cluley, a popular cybersecurity blogger and author, Graham Cluley is an excellent blog for anyone who wants to learn more about cybersecurity in a fun and engaging way.
The Hacker News: The Hacker News is a popular cybersecurity news website and blog that covers the latest security threats, vulnerabilities, and hacking techniques.
SecurityWeek: SecurityWeek is another popular cybersecurity news website and blog that covers the latest security threats, vulnerabilities, and hacking techniques.
Infosecurity Magazine: Infosecurity Magazine is a leading cybersecurity publication that covers the latest security threats, trends, and technologies.
CSO Online: CSO Online is a leading cybersecurity website and blog that covers the latest security threats, trends, and technologies for IT security professionals.
Tripwire: Tripwire is a leading cybersecurity company that publishes a blog that covers the latest security threats, trends, and technologies.
Daniel Miessler: Daniel Miessler is a cybersecurity expert and author who writes a blog that covers a wide range of security topics, including malware, phishing, and social engineering.
Troy Hunt: Troy Hunt is a cybersecurity expert and author who writes a blog that covers a wide range of security topics, including passwords, data breaches, and hacking techniques.