Cybersecurity and Third-Party Risk - Gregory C. Rasner

Business or Technology Risk and Cybersecurity Risk


Many larger companies have departments or groups designed to manage and report risk for the whole company. These teams are very important as centralized groups for risk management at big organizations. Often, these teams perform the process and compliance work for third‐party risk, including the cybersecurity domain.

While these professionals are trained and certified in how to evaluate risk within an organization, evaluating cybersecurity risk produces better results when performed by trained and certified cybersecurity professionals. The cybersecurity domain is very complex, as illustrated in the section titled “Cybersecurity and Third‐Party Risk.” Even within the field, there are numerous specialty fields and certifications along with a fast‐changing environment. Expecting a generalist risk professional to opine on controls for information security topics might produce adequate, but not necessarily accurate, data.

In cases where a risk organization consists of general risk professionals who don't have the specialty training and experience of cybersecurity professionals, it is optimal if these professionals, like the TPRM team, collaborate with the cybersecurity teams at their company for that level of expertise.
