Talking Risk with Leadership
Uploaded by: anitian (Category: Leadership & Management)
Transcript of Talking Risk with Leadership
ANITIAN: intelligent information security
TALKING RISK WITH LEADERSHIP
Overview
My intention…
• Define the challenges of discussing risk with executives
• Outline some strategies for communicating risk more effectively to leadership
• Show off Anitian’s Risk Management practice
Outline
1. The risk challenge
2. Business Risk Intelligence
3. RiskNow – Rapid Risk Assessment
4. Final thoughts and best practices
Meet the Speaker – Andrew Plato
• President / CEO of Anitian
• 20 years of experience in IT & security
• Completed thousands of security assessments & projects
• Discovered SQL injection in 1995
• Helped develop first in-line IPS engine (BlackICE)
• Co-developed RiskNow™ - Rapid Risk Assessment approach
• Industry analyst for technology acquisitions totaling $20B over a 5 year period
Vision: Security makes the world a better place.
Mission: Build great security leaders.
We deliver security and threat intelligence via a range of services:
• Compliance (PCI, HIPAA, NERC, etc.)
• Risk assessment
• Penetration testing & code review
• Incident response
• Technology integration
• Sherlock – Managed Threat Intelligence
THE RISK CHALLENGE
Something Is Not Right Here
We keep hearing the same things…
“We got a next-generation firewall, we’re safe.”
“Oh, you’re just paranoid. We have nothing of value.”
“There isn’t anything we can do to stop the hackers.”
“What am I supposed to do with this big risk report?”
“Seriously, what are the real problems?”
“I don’t care about the details, just tell me how to fix it!”
“Are we really in danger?”
“What do all these numbers, charts and worksheets mean?”
“This is just stupid compliance stuff, get it checked off!”
“Just keep us off the Krebs blog!”
Incident-Driven Security Programs
• Panic, make short-sighted decisions
• Buy whatever is cool and makes the biggest promises
• Slap teams and controls together at the last minute
• Obsess over sensational, unlikely attacks
• Compensate for a lack of intelligence with process and policy
• Easily distracted and easily hacked
• Expose the business, the data, and themselves to risk
DO WE HAVE A RISK MANAGEMENT PROBLEM?
YES. BUT WHY?
I just want to do the right things
Building higher walls...
…that stop nothing
VULNERABILITY CONTAINMENT
VOLATILE
You don’t need to be the best,
just slightly better than the rest.
GOOD ENOUGH
CHECKBOX RISK ERODES TRUST
Apps, cloud, access…
…the back door is wide open.
THIRD PARTY RISK
SLOW
OPSEC IS
DISTRACTED
THEY ARE FAILING TO
REMEMBER THE MISSION
PEOPLE ARE THE CAUSE OF AND SOLUTION TO MANAGING RISK
IS THERE ANY
HOPE?
MEANING
FOCUS
RELEVANCE
ACTION
NEW WAY TO DISCUSS RISK
BUILDING BUSINESS RISK INTELLIGENCE
The Core Six
• Risk is an over-used word that is often misunderstood
• Stick to these Core Six words, and use them correctly:
Threat: Something bad that might happen
Vulnerability: A weakness a threat could exploit
Impact: How bad a threat can damage the business
Probability: How likely a threat is in a given timeframe
Control: Something that mitigates threat
Risk: An assessment of a threat based upon its probability and impact in relation to the relevant controls
Foundations of Communicating Risk
• WHY: Why do we care?
• WHAT: What is at stake?
• HOW: How do we look at what is at risk?
• SO WHAT?: What does risk mean to us?
• WHO: Who does this affect?
• ACTION (WHEN): How do we fix it?
WHY: The Golden Circles
Simon Sinek: www.startwithwhy.com
WHY?
• Why are we here? <- Vision
• Why do we do what we do? <- Mission
• My intention today is…
• This grounds your conversations in what is really important
• Executives like to discuss this
• It establishes the mission
WHAT: Is at Stake?
• Data, systems, reputation, money, privacy?
• What are the stakes in this game?
• Is there any way to organize those assets?
• However…
• For many leaders the pyramid looks a lot different
• The more you can center risk on how it benefits the individual, the more value it has to them
[Pyramid graphic of what is at stake; surviving labels: $$, public, me, job, reputation]
HOW: Chase the Rabbit
• Let people talk, this helps define their pain
• Ask big, open-ended questions:
  • What could really harm this business?
  • What are you most concerned about?
  • Is there an area where you are particularly vulnerable?
  • What is valuable to you?
  • How do you do your job? Why do you do it that way?
  • What would happen if…
• Focus on threat and weakness (vulnerability) not risk
• What is the person’s intention and feelings?
HOW: Keep the Threats and Vulns in their Place
Threats
• Malware steals sensitive data (I get fired)
• Data is leaked to a competitor (I get fired)
• Authentication data is stolen (I get fired)
• Important third party resources are unavailable (I get fired)
Vulnerabilities
• Old, poorly configured firewall (NGFW) (I deserve to be fired)
• We use a checkbox auditor (Yeah, fired)
• We don’t patch anything because … reasons (Later)
• Why fix anything when I can complain about it all day (Gone)
• We treat our employees like cattle (Yep, dead meat)
SO WHAT?: Connect the Dots
• What are the threats?
• What vulnerabilities can it exploit?
• How bad is it? How likely is it?
• How serious is the risk to the business?
• What will reduce the impact or the likelihood?
Connect the dots…
THREAT → VULNERABILITY → IMPACT → PROBABILITY → RISK → ACTION (the solution)
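The chain above (threat, the vulnerability it exploits, impact, probability, the controls in place, and the resulting risk and action) can be kept honest with a small risk register that scores each entry the same way. The following is an added example written for this transcript; it is not Anitian's RiskNow code and the slides define no scoring scale. It assumes a 1..5 qualitative scale for impact and probability, that each control lowers one of the two by a fixed number of steps, and that risk is the residual product, bucketed into four ratings so the briefing stays in the Core Six vocabulary and surfaces only the top few threats.

```python
"""Tiny risk register built on the 'Core Six' vocabulary.

Each entry chains Threat -> Vulnerability -> Impact -> Probability -> Risk -> Action.
Impact and probability use a 1..5 qualitative scale (an assumption of this
example, not a scale the slides define); a control lowers one of the two by a
fixed number of steps, and risk is the residual product.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    """Something that mitigates a threat, by lowering probability or impact."""
    name: str
    reduces: str        # "probability" or "impact"
    steps: int          # scale steps it removes (assumed scoring rule)


@dataclass
class Threat:
    name: str                      # something bad that might happen
    vulnerability: str             # the weakness the threat could exploit
    impact: int                    # 1 (minor) .. 5 (business-ending)
    probability: int               # 1 (unlikely) .. 5 (expected) in the timeframe
    action: str                    # the fix leadership can commit to
    controls: list = field(default_factory=list)

    def __post_init__(self):
        # Reject values off the scale so a typo cannot silently inflate a score.
        for label, value in (("impact", self.impact), ("probability", self.probability)):
            if not 1 <= value <= 5:
                raise ValueError(f"{label} must be on the 1..5 scale, got {value}")


def _clamp(value: int) -> int:
    return max(1, min(5, value))


def residual(threat: Threat) -> tuple:
    """Apply the relevant controls and return (probability, impact) after mitigation."""
    prob, imp = threat.probability, threat.impact
    for control in threat.controls:
        if control.reduces == "probability":
            prob -= control.steps
        elif control.reduces == "impact":
            imp -= control.steps
        else:
            raise ValueError(f"control {control.name!r} must reduce probability or impact")
    return _clamp(prob), _clamp(imp)


def risk_score(threat: Threat) -> int:
    """Risk: assessment of the threat from its probability and impact, after controls."""
    prob, imp = residual(threat)
    return prob * imp


def rating(score: int) -> str:
    """Bucket a 1..25 score into the four words leadership actually hears."""
    if score >= 15:
        return "Critical"
    if score >= 9:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def top_threats(register: list, n: int = 5) -> list:
    """Focus on the top n threats, not all of them."""
    return sorted(register, key=risk_score, reverse=True)[:n]


def briefing_lines(register: list, n: int = 5) -> list:
    """One line per threat, in Threat -> Vulnerability -> Impact/Probability -> Risk -> Action order."""
    lines = []
    for t in top_threats(register, n):
        prob, imp = residual(t)
        score = risk_score(t)
        lines.append(
            f"{t.name} | via: {t.vulnerability} | impact {imp}/5, probability {prob}/5 "
            f"| risk {score} ({rating(score)}) | action: {t.action}"
        )
    return lines


# Constructed sample register (illustrative values, not from any real assessment).
SAMPLE_REGISTER = [
    Threat("Malware steals sensitive data", "unpatched workstations", impact=5, probability=4,
           action="Patch workstations on a monthly cycle",
           controls=[Control("endpoint antivirus", "probability", 1)]),
    Threat("Data leaked to a competitor", "shared administrator credentials", impact=4, probability=3,
           action="Issue individual admin accounts and enable MFA"),
    Threat("Authentication data stolen", "passwords stored without salting", impact=5, probability=3,
           action="Migrate password storage to a salted, slow hash",
           controls=[Control("web application firewall", "probability", 1)]),
    Threat("Key third-party service unavailable", "no failover for the hosted CRM", impact=3, probability=2,
           action="Contract a secondary provider",
           controls=[Control("nightly offline export of customer records", "impact", 1)]),
]

if __name__ == "__main__":
    for line in briefing_lines(SAMPLE_REGISTER):
        print(line)
```

Keeping controls as explicit reductions on either probability or impact (never both, never on "risk" directly) is what makes the register match the Core Six: a control that claims to lower risk without naming which of the two it touches is exactly the murky concept the talk warns against.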
WHO: Get to the Lizard Brain
source: www.salesbrain.com
WHO: Respect the Lizard
• Make it about them: We can help you.
• Provide clear rationale for action: We can protect the business, otherwise Krebs Blog!
• Have a tangible action: Websense Triton will give you intelligence to act smarter.
• Have a timeline: We can have it running in a month.
• Show it, don’t say it: See these consoles, they will help you.
• Make it emotional: We are with you on this. We can do this!
ACTION: Do or Do Not, There is No Try
• Focus on the big threats, not all of them (5-10 at a time)
• Have clear answers, not murky concepts
• Use actionable, commitment words
• Eliminate vulnerability: lower probability or impact
ACTION: Use the Force
• Focus on the top 5-10 threats
• Have clear answers, not murky concepts
• Associate a cost (time or money) to every effort
• Show how to:
  • Eliminate vulnerabilities (weakness)
  • Lower the probability of a threat
  • Reduce the impact of the threat
  • Lower risk
THREAT → VULNERABILITY → IMPACT → PROBABILITY → RISK → ACTION (the solution)
WHY? → WHAT? → HOW? → SO WHAT? → WHO? → ACTION!
Risk Driven Security Programs
• Make decisions better
• Select more effective technologies
• Invest in their people and controls completely
• Hire and cultivate intelligent people
• Focus on the most likely or serious threats to the business
• Balance agility with policy and process
• Stay on mission
• Protect the business, the data, and their jobs
RISKNOW RAPID RISK ASSESSMENT
RiskNow Accelerates Risk Assessment
• Accelerated, condensed version of NIST 800-30
• Facilitated interviews, minimal questionnaires
• Integrated penetration testing and critical controls configuration analysis
• Unique “lensing” process to categorize assets
• Simplified expression of probability and impact
• Brief reports designed for leadership
• Action plan with specific technology recommendations
• Fully vetted for HIPAA, PCI, FFIEC, NERC
RiskNow Process
1. Scope project
2. Lens the assets
3. Review artifacts (policies, procedures, plans, etc.)
4. Interview stakeholders
5. Conduct technical tests (pentest, config review, architecture)
6. Document threats into a Risk Matrix
7. Refine into a Business Risk Intelligence Report
8. Brief leadership on top threats and Action Plan
Duration: 2-4 weeks
Cost: Starts at $14,995
RiskNow Output
• RiskNow Intelligence Report
• Business Risk Intelligence Brief
• Threat Intelligence Brief
• Action Plan
• Threat Matrix (aka Risk Register)
• Technical Appendices
Sample Risk Intelligence Briefing
Sample of Threat Intelligence Briefing
Sample Action Plan
Sample Risk Matrix (Part 1)
Sample Risk Matrix (Part 2)
Why RiskNow: Rapid Risk Assessment
Fast
Clear
Accurate
Actionable
Rational
Practical
FINAL THOUGHTS
Risk Fuels Decision Making
• Keep things in the order:
  1. Threats (something bad that could happen)
  2. Vulnerabilities (weaknesses)
  3. Risk (a measurement of a threat)
  4. Action (the fix)
• Stay true to the “Core Six”
• Establish authority with decisive, simple language
• Identify tangible, actionable recommendations
• Make it personal
• Engage Anitian to help your clients understand their risks
Thank You
EMAIL: [email protected]
@andrewplato
@AnitianSecurity
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: bit.ly/anitian
CALL: 888-ANITIAN