Optimal Risk Introduction to 'Are You Prepared for Anything'


Description: Presentation to the Cyber Threat Summit exploring awareness of, and preparation for, advanced threats, with recommendations on how to be prepared.

Transcript of Optimal Risk Introduction to 'Are You Prepared for Anything'

Page 1: Optimal Risk Introduction to 'Are You Prepared for Anything'

Be Prepared. For Anything

Dan Solomon, Director of Cyber Risk & Security Services

Prepared for Anything?

Developing Awareness and Preparedness

Page 2: Optimal Risk Introduction to 'Are You Prepared for Anything'

Presentation Structure

• What is at risk?

• Is there awareness?

• Is there preparedness?

• What are the roadblocks?

• Threat-modelled Risk Framework

• Recommendations

• Contacts

A pre-emptive forensic approach

Page 3: Optimal Risk Introduction to 'Are You Prepared for Anything'

Security Risk Orbits

[Diagram: "Your Organisation" at the centre, surrounded by orbits labelled LIABILITY, DISASTER, THEFT & DAMAGE: PHYSICAL ASSETS, CRIME, INTANGIBLE ASSETS, PRODUCT and CONTINUITY. Risks placed on the orbits: fraud, extortion, trade secrets, kidnapping, terrorism, accident, industrial accident, environmental liability, product liability, health & safety, professional liability, designs, forgery, plans, trademark infringement, distribution continuity, sourcing & supply chain, production systems, production continuity, vandalism, stock, arson, equipment, data loss, client confidentiality, intellectual property, reputation.]

©Dan Solomon. All rights reserved 2012.

Page 4: Optimal Risk Introduction to 'Are You Prepared for Anything'

Converged Cyber Risk Orbits

[Diagram: the same orbits and the same risk labels as the Security Risk Orbits diagram on page 3, presented again under the title "Converged Cyber Risk Orbits".]

Page 5: Optimal Risk Introduction to 'Are You Prepared for Anything'

The Current State of Awareness

• Where is awareness evident in the organisation?

– How does it feed into security concerns?

– Are specific complex scenarios such as espionage referenced directly or indirectly, and how?

– How does the board reflect concerns about, or confidence in, preparedness?

• Who is aware, or has responsibility for awareness?

– How does awareness manifest differently between IT and physical security?

– To what extent is awareness feeding into security planning versus business continuity?

• How do we know that there is awareness?

– How acute is the awareness?

– How complete is it?

– How developed is it?

Page 6: Optimal Risk Introduction to 'Are You Prepared for Anything'

The Current State of Preparedness

• Is awareness being backed by appropriate action?

– How has awareness informed changes to the business and its processes?

– How has awareness permeated the different functions of security, risk and business continuity?

– Have converged threats fallen between the stools of IT and physical security?

• Preparedness for what?

– How is espionage being approached, and by whom?

– How are sophisticated threats positioned within overall preparedness for security risks?

• Appropriate: is preparation appropriate to the threats and vulnerabilities?

– How are threats and vulnerabilities monitored, and how do they inform organisational preparedness?

• Effective: is the preparation delivering an effective capability?

– How is preparedness assured?

• Relevant: are measures and methods obsolete or incomplete in the current context?

– What steps are taken to provide assurance about the currency of measures?

Page 7: Optimal Risk Introduction to 'Are You Prepared for Anything'

Roadblocks: Dealing With Deception

Optimal Risk 2013

[Word cloud, "Symptoms of Delusion": Insurance, Compliance, Silver Bullets, Cultural Myopia, Accepting Mediocrity, Analytical Bias, Perspectives on 'Cold War', Ignorance, Leadership, Risk-Informed, Intelligence, Reactive approach, Vulnerability Scanning, Analytical Failure, Formalised Policy & Planning, Board-level Consensus, Outdated methods, Budgets, Forewarning, Tackling Uncertainty, Effective Capability, Misaligned Strategy, Converged Threat Awareness, Complacency, Competing Priorities, Inertia, Silos, Cost, Assessing Probabilities, Risk, Outdated Assumptions, Information Assurance, 'Black Swans'.]

Page 8: Optimal Risk Introduction to 'Are You Prepared for Anything'

Where do you start? What is Pre-emptive Forensics?

• More complex integration of security activities requires better coordination

• Less about 'how do you do it?' and more about 'how do you embrace it?'

• 'Raise your gaze' and seek better foresight and insight

• Anticipate the unexpected: forewarned is forearmed

• Embrace the plausible threats, not just the probable ones

• Develop a 'forensic' approach to the potential causes of security failure

• Be reluctant to simplify plans and preparation

• Practice makes perfect: it builds assurance and trust in capabilities

• Declare an organisational commitment to proactivity

Page 9: Optimal Risk Introduction to 'Are You Prepared for Anything'

Threat-modelled Risk Framework

[Diagram: the framework's stages, Intelligence Gathering, Process Mapping, Asset Mapping, Vulnerability Scanning, Threat Modelling, Data Protection and Risk Modelling, arranged around the Threat-modelled Risk Framework.]

Threat-Modelled = Risk-Informed Management

Intelligence Gathering

Performed on two levels: informational and human.

Business Process Mapping

Identifying the data flows in the organisation and the critical processes, to be used in the threat modelling and risk management process.

Asset Mapping

Provides a clear view of all assets, including their "replacement" value, any additional intrinsic value from a compliance standpoint, and a competitive-damages value.

Vulnerability and Exposure Analysis

Asset location and access are ubiquitous, both logical and physical. Analysis is not limited to technical vulnerabilities; it also covers risks to business processes, third-party providers, and any other aspect of the asset lifecycle.

A register of vulnerabilities is constructed, incorporating the countermeasures identified and classified accordingly. Key technical evaluations include a focus on the less standard devices.

Threat Modelling

Relevant threats for each asset are identified, correlated to the intelligence gathered, and evaluated on the basis of the threat's exposure frequency to the asset and its capability to successfully attack the asset.

Dataflow Protection Analysis

This analysis covers every means by which data flows, including all communication systems as well as business/human processes.

Risk Modelling

A model of the expected frequency and severity of an incident for each identified asset, with a $ value applied based on the expected liability it yields.
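As a worked illustration of the risk modelling step, the Python below is an added example; it is not Optimal Risk's code or tooling. The slides name the inputs (exposure frequency, the threat's capability, multi-part asset values, and a vulnerability register that records countermeasures) but not how they combine. The combination used here, expected annual loss = exposure frequency × residual probability of success × severity × asset value, with each countermeasure treated as an independent multiplicative reduction in the attacker's success probability, is an assumption, as are every asset, threat, control name and figure in the sample register. The final register entry (design files reached through the physical perimeter) is there to show how a converged threat sits in the same model as a purely cyber one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """An asset from the asset-mapping step, valued three ways as the slides describe."""
    name: str
    replacement_value: float   # cost to replace or rebuild
    compliance_value: float    # fines / regulatory exposure on compromise
    competitive_value: float   # damages if a competitor obtains it

    @property
    def value(self) -> float:
        return self.replacement_value + self.compliance_value + self.competitive_value


@dataclass(frozen=True)
class Threat:
    """A threat from the threat-modelling step."""
    name: str
    exposure_per_year: float   # expected encounters with the asset per year
    capability: float          # P(success) against an uncountered asset, 0..1
    severity: float            # fraction of asset value lost on success, 0..1


@dataclass(frozen=True)
class Countermeasure:
    """A control recorded against a vulnerability in the register."""
    name: str
    effectiveness: float       # fraction of attempts it stops, 0..1 (assumed independent)


@dataclass(frozen=True)
class RegisterEntry:
    asset: Asset
    threat: Threat
    countermeasures: tuple     # Countermeasure instances applied to this asset/threat pair


def residual_success_probability(entry: RegisterEntry) -> float:
    """Threat capability discounted by each countermeasure in turn (assumption: independent)."""
    p = entry.threat.capability
    for cm in entry.countermeasures:
        p *= 1.0 - cm.effectiveness
    return p


def expected_annual_loss(entry: RegisterEntry) -> float:
    """Frequency x residual probability x severity x value: the $ figure the risk model needs."""
    return (entry.threat.exposure_per_year
            * residual_success_probability(entry)
            * entry.threat.severity
            * entry.asset.value)


def rank_risks(register):
    """Return (asset name, threat name, expected annual loss) tuples, worst first."""
    rows = [(e.asset.name, e.threat.name, expected_annual_loss(e)) for e in register]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def countermeasure_benefit(register, cm_name):
    """Expected annual loss avoided across the whole register by keeping one countermeasure."""
    total = 0.0
    for e in register:
        if any(cm.name == cm_name for cm in e.countermeasures):
            without = RegisterEntry(e.asset, e.threat,
                                    tuple(cm for cm in e.countermeasures if cm.name != cm_name))
            total += expected_annual_loss(without) - expected_annual_loss(e)
    return total


# Constructed sample register: illustrative figures only, not measurements.
DESIGNS = Asset("Product design files", 50_000, 0, 2_000_000)
CUSTOMERS = Asset("Customer database", 20_000, 500_000, 100_000)
PLCS = Asset("Production line PLCs", 300_000, 0, 0)

ESPIONAGE = Threat("Targeted industrial espionage", exposure_per_year=2, capability=0.6, severity=1.0)
PHISHING = Threat("Opportunistic phishing", exposure_per_year=12, capability=0.3, severity=0.5)
INTRUSION = Threat("Physical intrusion and theft", exposure_per_year=1, capability=0.5, severity=0.8)

DLP = Countermeasure("DLP on design repository", 0.5)
TRAINING = Countermeasure("Security awareness training", 0.4)
MFA = Countermeasure("MFA on remote access", 0.8)
BADGES = Countermeasure("Badge access and guarding", 0.6)

# The last entry is the converged case: a cyber asset reached through the physical perimeter,
# so only the physical control applies to it.
REGISTER = (
    RegisterEntry(DESIGNS, ESPIONAGE, (DLP, MFA)),
    RegisterEntry(CUSTOMERS, PHISHING, (TRAINING, MFA)),
    RegisterEntry(PLCS, INTRUSION, (BADGES,)),
    RegisterEntry(DESIGNS, INTRUSION, (BADGES,)),
)

if __name__ == "__main__":
    for asset, threat, loss in rank_risks(REGISTER):
        print(f"{loss:>12,.0f}  {asset} <- {threat}")
    for cm in (MFA, BADGES, DLP, TRAINING):
        print(f"{countermeasure_benefit(REGISTER, cm.name):>12,.0f}  avoided by {cm.name}")
```

With these figures the converged entry (design files via physical intrusion) ranks above the targeted espionage entry, because the only control on that path is the physical one; that is the kind of result the slides' "fallen between the stools of IT and physical security" question is looking for, and it only appears when both asset valuations and both security domains sit in one register.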

Page 10: Optimal Risk Introduction to 'Are You Prepared for Anything'

Recommendations

1. Consider a broader range of potential threats, and specifically converged threats

2. Executive management should develop specific perspectives on those threats

3. Systematically and regularly question all assumptions about threats and vulnerabilities

4. Establish cross-department involvement in security strategy

5. Incorporate more annual scenario-building exercises into the strategy process

6. Place greater managerial emphasis on a risk-register-centric approach

7. Give attention to modelling threats, and in particular to the quantification of risk

8. Plans must have appropriate oversight, and be tested to establish their validity

9. Design security exercises to test 'current' complex vulnerabilities

10. Incident response and contingency planning must include senior management

Page 11: Optimal Risk Introduction to 'Are You Prepared for Anything'

Converged Security Risk Services

PHYSICAL SECURITY | RED TEAM / BLUE TEAM | CYBER SECURITY

Consultancy & Planning

Surveys & Audits

Response & Protection

Threat Modeling & Forensics

Advanced Cyber Defence

Risk Analysis

Reinforcing Your Security

Building Your Resilience

Testing Your Preparedness

Exercising Your Response

Dan Solomon, Director, Cyber Risk & Security Services

Tel: +44 7850 761834

Email: [email protected]

Crisis, Risk & Security Specialists