Does the CISO own all cyber related risks to the business? It depends, but in many businesses that is the default position. Who is responsible for risk identification and analysis; identification, rating and selection of treatment options; and for managing residual risks within the defined risk appetite? Is it the security function, the business service owner, the application owner, the data owner, or is it potentially none of these? Should we not logically separate risk management responsibility and risk ownership? What about systemic risks?

In this episode regular hosts Martin and Maurice are joined by Bill Schultz from Vanderbilt University Medical Center to discuss cyber risk management. We’ll discuss our ideas, VUMC’s architected approaches, and the realities of cyber risk management in a business where lives are at risk and privacy is paramount.