A robust data protection or cybersecurity risk assessment is a specialist undertaking. Specialists are in short supply. If your assessment target handles very little data and can be down for a month, how serious can a broken control really be?
You cannot pen test everything. Not every vulnerability is an intolerable risk. That’s where Sustainable Risk Triage (SRT) can come in.
Oversimplification has gifted us a thousand tick-box compliance memes and arbitrary scoping decisions, often based on nothing more than spend: start at the top of a testing to-do list, work downwards until time and money run out, and collect the burnout, incidents and audit points that follow.
This session is about a middle way: a governance approach that standardises and simplifies conversations about achievable work and risk, creates a defensible justification for de-scoping or deferral, builds hooks into next steps, and ties each decision to the resources actually available.
Whether for Schrems II, third-party assessment, or applying a better-quality risk lens to vulnerability reports, this session will look at how SRT works as a concept and how it could be tailored for different purposes.