Optimal Risk Introduction to 'Are You Prepared for Anything'
Transcript of Optimal Risk Introduction to 'Are You Prepared for Anything'
Be Prepared. For Anything
Dan Solomon, Director of Cyber Risk & Security Services
Prepared for Anything?
Developing Awareness and Preparedness

Presentation Structure
What is at risk?
Is there awareness?
Is there preparedness?
What are the roadblocks?
Threat-Modelled Risk Framework
Recommendations!
Contacts
A pre-emptive forensic approach

Diagram: Security Risk Orbits. "Your Organisation" sits at the centre, ringed by seven orbits: LIABILITY, DISASTER, THEFT & DAMAGE: PHYSICAL ASSETS, CRIME, INTANGIBLE ASSETS, PRODUCT and CONTINUITY. The risks plotted on the orbits are: Fraud, Extortion, Trade Secrets, Kidnapping, Terrorism, Accident, Industrial Accident, Environmental, Product Liability, Health & Safety, Professional Liability, Designs, Forgery, Plans, Trademark Infringement, Distribution Continuity, Sourcing & Supply Chain, Production Systems, Production Continuity, Vandalism, Stock, Arson, Equipment, Data Loss, Client Confidentiality, Intellectual Property, Reputation.
©Dan Solomon. All rights reserved 2012.
Diagram: Converged Cyber Risk Orbits. The same organisation, orbits and plotted risks as the Security Risk Orbits diagram, this time labelled as converged cyber risk.
The Current State of Awareness
• Where is awareness evident in the organisation?
– How does it feed into security concerns?
– Are specific complex scenarios like espionage referenced directly or indirectly, and how?
– How does the board reflect concerns or confidence in preparedness?
• Who is aware, or has responsibility for awareness?
– How does awareness manifest differently between IT and physical security?
– To what extent is awareness feeding into security planning vs business continuity?
• How do we know that there is awareness?
– How acute is the awareness?
– How complete is it?
– How developed is it?
The Current State of Preparedness
• Is awareness leading, and is it backed by appropriate action?
– How has awareness informed changes to the business and its processes?
– How has awareness permeated the different functions of security, risk and business continuity?
– Have converged threats fallen between the stools of IT and physical security?
• Preparedness for what?
– How is espionage being approached, and by whom?
– How are sophisticated threats positioned within overall preparedness for security risks?
• Appropriate: Is preparation appropriate to the threats and vulnerabilities?
– How are threats and vulnerabilities monitored, and how do they inform organisational preparedness?
• Effective: Is preparation delivering an effective capability?
– How is preparedness assured?
• Relevance: Are measures and methods obsolete or incomplete in the current context?
– What steps are taken to provide assurance about the currency of measures?
Roadblocks: Dealing With Deception
Optimal Risk 2013

Diagram: Symptoms of Delusion. Terms shown: Insurance, Compliance, Silver Bullets, Cultural Myopia, Accepting Mediocrity, Analytical Bias, Perspectives on ‘Cold War’, Ignorance, Leadership, Risk-Informed, Intelligence, Reactive approach, Vulnerability Scanning, Analytical Failure, Formalised Policy & Planning, Board-level Consensus, Outdated methods, Budgets, Forewarning, Tackling Uncertainty, Effective Capability, Misaligned Strategy, Converged Threat Awareness, Complacency, Competing Priorities, Inertia, Silos, Cost, Assessing Probabilities, Risk, Outdated Assumptions, Information Assurance, ‘Black Swans’.
Where do you start? What is Pre-emptive Forensics?
• More complex integration of security activities requires better coordination
• Less about ‘how do you do it?’ and more about ‘how do you embrace it?’
• ‘Raise your gaze’ and seek better foresight and insight
• Anticipation of the unexpected: forewarned is forearmed
• Embrace the plausible threats, not just the probable ones
• Develop a ‘forensic’ approach to potential causes of security failure
• Be reluctant to simplify plans and preparation
• Practice makes perfect: it builds assurance and trust in capabilities
• Declare an organisational commitment to proactivity
Threat-Modelled = Risk-Informed Management

Diagram: Threat-modelled Risk Framework. Components: Intelligence Gathering, Process Mapping, Asset Mapping, Vulnerability Scanning, Threat Modelling, Data Protection, Risk Modelling.
Intelligence Gathering
Performed on two levels: informational and human.
Business Process Mapping
Identifies the data flows in the organisation and the critical processes, to be used in the threat modelling and risk management process.
Asset Mapping
Provides a clear view of all assets, including their “replacement” value, the additional intrinsic value they carry from a compliance standpoint, and a competitive-damages value.
Vulnerability and Exposure Analysis
Asset location and access are ubiquitous, logical as well as physical. Analysis is not limited to technical vulnerabilities; it also covers risks to business processes, third-party providers, and any other aspect of the asset lifecycle.
A register of vulnerabilities is constructed, incorporating the countermeasures identified and classified accordingly; key technical evaluations focus on the less standard devices.
Threat Modelling
Relevant threats for each asset are identified, correlated with the intelligence gathered, and evaluated on the basis of the threat’s exposure frequency to the asset and its capability to successfully attack the asset.
Dataflow Protection Analysis
This analysis covers data flows by any means, including all communication systems as well as business/human processes.
Risk Modelling
A model of the expected frequency and the severity of an incident for every identified asset, with a monetary value applied to it based on the expected liability it yields.
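The framework steps above can be tied together in a small register. The following Python is an added example, not part of the deck and not Optimal Risk's own tooling: assets carry the three values named under Asset Mapping (replacement, compliance, competitive damages), threats carry the exposure frequency and capability named under Threat Modelling, countermeasures from the vulnerability register scale capability down, and the risk model multiplies frequency, residual capability and severity into an expected annual loss per threat/asset pair, ranked highest first. Every asset name, threat name, figure and the risk-appetite threshold in the sample data is a constructed assumption.

```python
"""Toy threat-modelled risk register (added example; constructed data)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    replacement: float   # cost to restore or replace the asset
    compliance: float    # fines, notification and audit cost if it is compromised
    competitive: float   # damages from a competitor obtaining or disrupting it

    @property
    def severity(self) -> float:
        """Loss applied to one successful incident against this asset."""
        return self.replacement + self.compliance + self.competitive


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str           # name of the asset this threat targets
    frequency: float     # expected exposures per year (from intelligence gathering)
    capability: float    # P(success | exposure) with no countermeasures, 0..1
    # countermeasures from the vulnerability register: (name, fractional reduction
    # in capability); 0.8 means the control stops 80% of otherwise successful attacks
    countermeasures: Tuple[Tuple[str, float], ...] = ()

    def residual_capability(self) -> float:
        """Capability that survives the layered countermeasures."""
        if not 0.0 <= self.capability <= 1.0:
            raise ValueError(f"{self.name}: capability must be in [0, 1]")
        p = self.capability
        for cm_name, reduction in self.countermeasures:
            if not 0.0 <= reduction <= 1.0:
                raise ValueError(f"{self.name}/{cm_name}: reduction must be in [0, 1]")
            p *= 1.0 - reduction
        return p


def expected_annual_loss(asset: Asset, threat: Threat) -> float:
    """Risk model: expected frequency x probability of success x severity."""
    return threat.frequency * threat.residual_capability() * asset.severity


Row = Tuple[str, str, float, float]  # (threat, asset, residual capability, annual loss)


def build_register(assets: Iterable[Asset], threats: Iterable[Threat]) -> List[Row]:
    """Rank every threat/asset pair by expected annual loss, highest first."""
    by_name: Dict[str, Asset] = {a.name: a for a in assets}
    rows: List[Row] = []
    for t in threats:
        if t.asset not in by_name:
            # a threat against something the asset map does not know is itself a finding
            raise KeyError(f"threat {t.name!r} targets unmapped asset {t.asset!r}")
        a = by_name[t.asset]
        rows.append((t.name, a.name, t.residual_capability(), expected_annual_loss(a, t)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def over_appetite(rows: Iterable[Row], appetite: float) -> List[str]:
    """Threat names whose expected annual loss exceeds a stated risk appetite."""
    return [r[0] for r in rows if r[3] > appetite]


# Constructed sample data (assumed): a small manufacturer, mixing cyber and physical threats
SAMPLE_ASSETS = [
    Asset("product designs", replacement=50_000, compliance=0, competitive=400_000),
    Asset("customer database", replacement=20_000, compliance=300_000, competitive=30_000),
    Asset("production line controllers", replacement=120_000, compliance=0, competitive=80_000),
]

SAMPLE_THREATS = [
    Threat("insider espionage", "product designs", frequency=2, capability=0.5,
           countermeasures=(("need-to-know access", 0.5), ("file-share monitoring", 0.3))),
    Threat("phishing credential theft", "customer database", frequency=12, capability=0.2,
           countermeasures=(("multi-factor authentication", 0.8),)),
    Threat("ransomware via remote engineering access", "production line controllers",
           frequency=4, capability=0.3),
    Threat("arson", "production line controllers", frequency=0.05, capability=0.9,
           countermeasures=(("sprinklers and fire doors", 0.6),)),
]


def demo_register() -> List[Row]:
    return build_register(SAMPLE_ASSETS, SAMPLE_THREATS)


if __name__ == "__main__":
    for threat, asset, p, loss in demo_register():
        print(f"{threat:45} {asset:30} p={p:.3f}  EAL={loss:12,.0f}")
    print("over appetite:", over_appetite(demo_register(), appetite=100_000))
```

The ranking is the point: the physically plausible but improbable threat (arson) drops to the bottom once its frequency and sprinklers are accounted for, while the uncontrolled remote-access path to the production controllers tops the register despite a lower per-incident severity than the design files. Re-running the model after a countermeasure is added or removed is how the deck's "currency of measures" question gets a number.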
Recommendations
1. Consider a broader range of potential threats, and specifically converged threats
2. Specific perspectives should be developed by executive management
3. Systematically and regularly question all assumptions about threats and vulnerabilities
4. Establish cross-department involvement in security strategy
5. Incorporate more annual scenario-building exercises into the strategy process
6. Place greater managerial emphasis on a risk-register-centric approach
7. Give attention to modelling threats, and in particular to the quantification of risk
8. Plans must have appropriate oversight and testing in order to establish their validity
9. Design security exercises to test ‘current’ complex vulnerabilities
10. Incident response and contingency planning must include senior management
Converged Security Risk Services

Diagram: Physical Security and Cyber Security, with Red Team and Blue Team. Service lines: Consultancy & Planning; Surveys & Audits; Response & Protection; Threat Modeling & Forensics; Advanced Cyber Defence; Risk Analysis. Themes: Reinforcing Your Security, Building Your Resilience, Testing Your Preparedness, Exercising Your Response.

Contacts
Dan Solomon, Director, Cyber Risk & Security Services
Tel: +44 7850 761834
Email: [email protected]
Crisis, Risk & Security Specialists