About this talk:
A robust data protection or cybersecurity risk assessment is a specialist undertaking. Specialists are in short supply. If your assessment target handles very little data and can be down for a month, how serious can a broken control really be? You cannot pen test everything. Not every vulnerability is an intolerable risk. That’s where Sustainable Risk Triage (SRT) can come in. Oversimplification gifted us a thousand tick-box compliance memes and arbitrary scoping decisions, often just based on spend. Starting at the top of a testing to-do list and just working downwards. Burn out, incidents, and audit points, because time and money ran out. This session is about a middle way. Standardizing and simplifying conversations about achievable work and risk. Creating a defensible justification for de-scoping or deferral. Building hooks into next steps. Linking to available resource Whether for Schrems II, 3rd party assessment, or applying a better quality risk lens to vulnerability reports, this session will look at how SRT works and how it could be tailored for different purposes