talking risk with leadership
TRANSCRIPT
![Page 1: Talking Risk with Leadership](https://reader030.vdocument.in/reader030/viewer/2022032620/55cb51c4bb61ebcb238b45ed/html5/thumbnails/1.jpg)
intelligent information security (ANITIAN)
TALKING RISK WITH LEADERSHIP
ANITIAN
Overview
My intention…
• Define the challenges of discussing risk with executives
• Outline some strategies for communicating risk more effectively to leadership
• Show off Anitian’s Risk Management practice
Outline
1. The risk challenge
2. Business Risk Intelligence
3. RiskNow – Rapid Risk Assessment
4. Final thoughts and best practices
Meet the Speaker – Andrew Plato
• President / CEO of Anitian
• 20 years of experience in IT & security
• Completed thousands of security assessments & projects
• Discovered SQL injection in 1995
• Helped develop first in-line IPS engine (BlackICE)
• Co-developed RiskNow™ - Rapid Risk Assessment approach
• Industry analyst for technology acquisitions totaling $20B over a 5 year period
Vision: Security makes the world a better place.
Mission: Build great security leaders.
We deliver security and threat intelligence via a range of services:
• Compliance (PCI, HIPAA, NERC, etc.)
• Risk assessment
• Penetration testing & code review
• Incident response
• Technology integration
• Sherlock – Managed Threat Intelligence
ANITIAN
THE RISK CHALLENGE
Something Is Not Right Here
We keep hearing the same things…
“We got a next-generation firewall, we’re safe.”
“Oh, you’re just paranoid. We have nothing of value.”
“There isn’t anything we can do to stop the hackers.”
“What am I supposed to do with this big risk report?”
“Seriously, what are the real problems?”
“I don’t care about the details, just tell me how to fix it!”
“Are we really in danger?”
“What do all these numbers, charts and worksheets mean?”
“This is just stupid compliance stuff, get it checked off!”
“Just keep us off the Krebs Blog!”
Incident-Driven Security Programs
• Panic, make short-sighted decisions
• Buy whatever is cool and makes the biggest promises
• Slap teams and controls together at the last minute
• Obsess over sensational, unlikely attacks
• Compensate for a lack of intelligence with process and policy
• Easily distracted and easily hacked
• Expose the business, the data, and themselves to risk
DO WE HAVE A RISK MANAGEMENT PROBLEM?
YES. BUT WHY?
I just want to do the right things
Building higher walls...
…that stop nothing
VULNERABILITY CONTAINMENT
VOLATILE
You don’t need to be the best,
just slightly better than the rest.
GOOD ENOUGH
CHECKBOX RISK ERODES TRUST
Apps, cloud, access…
…the back door is wide open.
THIRD PARTY RISK
SLOW
OPSEC IS DISTRACTED
THEY ARE FAILING TO REMEMBER THE MISSION
PEOPLE ARE THE CAUSE OF AND SOLUTION TO MANAGING RISK
IS THERE ANY HOPE?
MEANING
FOCUS
RELEVANCE
ACTION
NEW WAY TO DISCUSS RISK
BUILDING BUSINESS RISK INTELLIGENCE
The Core Six
• Risk is an over-used word that is often misunderstood
• Stick to these Core Six words, and use them correctly:
Threat: Something bad that might happen
Vulnerability: A weakness a threat could exploit
Impact: How badly a threat can damage the business
Probability: How likely a threat is in a given timeframe
Control: Something that mitigates a threat
Risk: An assessment of a threat based upon its probability and impact in relation to the relevant controls
Foundations of Communicating Risk
• WHY: Why do we care?
• WHAT: What is at stake?
• HOW: How do we look at what is at risk?
• SO WHAT?: What does risk mean to us?
• WHO: Who does this affect?
• ACTION (WHEN): How do we fix it?
WHY: The Golden Circles
Simon Sinek: www.startwithwhy.com
WHY?
• Why are we here? <- Vision
• Why do we do what we do? <- Mission
• My intention today is…
• This grounds your conversations in what is really important
• Executives like to discuss this
• It establishes the mission
WHAT: Is at Stake?
• Data, systems, reputation, money, privacy?
• What are the stakes in this game?
• Is there any way to organize those assets?
• However…
• For many leaders the pyramid looks a lot different
• The more you can center risk on how it benefits the individual, the more value it has to them
[Pyramid figure; labels recovered from the extraction: $$, PHI, PUBLIC, ME, JOB, REPUTATION]
HOW: Chase the Rabbit
• Let people talk, this helps define their pain
• Ask big, open-ended questions:
• What could really harm this business?
• What are you most concerned about?
• Is there an area where you are particularly vulnerable?
• What is valuable to you?
• How do you do your job? Why do you do it that way?
• What would happen if…
• Focus on threat and weakness (vulnerability), not risk
• What are the person’s intentions and feelings?
HOW: Keep the Threats and Vulns in their Place
Threats
• Malware steals sensitive data (I get fired)
• Data is leaked to a competitor (I get fired)
• Authentication data is stolen (I get fired)
• Important third party resources are unavailable (I get fired)
Vulnerabilities
• Old, poorly configured firewall (NGFW) (I deserve to be fired)
• We use a checkbox auditor (Yeah, fired)
• We don’t patch anything because … reasons (Later)
• Why fix anything when I can complain about it all day (Gone)
• We treat our employees like cattle (Yep, dead meat)
SO WHAT?: Connect the Dots
• What are the threats?
• What vulnerabilities can each threat exploit?
• How bad is it? How likely is it?
• How serious is the risk to the business?
• What will reduce the impact or the likelihood?
Connect the dots…
THREAT -> VULNERABILITY -> IMPACT -> PROBABILITY -> RISK -> ACTION (solution)
WHO: Get to the Lizard Brain
source: www.salesbrain.com
WHO: Respect the Lizard
• Make it about them: We can help you.
• Provide a clear rationale for action: We can protect the business, otherwise Krebs Blog!
• Have a tangible action: Websense Triton will give you intelligence to act smarter.
• Have a timeline: We can have it running in a month.
• Show it, don’t say it: See these consoles, they will help you.
• Make it emotional: We are with you on this. We can do this!
ACTION: Do or Do Not, There is No Try
• Focus on the big threats, not all of them (5-10 at a time)
• Have clear answers, not murky concepts
• Use actionable, commitment words
• Eliminate vulnerability: lower probability or impact
ACTION: Use the Force
• Focus on the top 5-10 threats
• Have clear answers, not murky concepts
• Associate a cost (time or money) to every effort
• Show how to:
• Eliminate vulnerabilities (weakness)
• Lower the probability of a threat
• Reduce the impact of the threat
• Lower risk
WHY? -> WHAT? -> HOW? -> SO WHAT? -> WHO? -> ACTION!
(Threat -> Vulnerability -> Impact -> Probability -> Risk -> Solution)
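The deck's "Connect the Dots" and "Use the Force" slides describe a threat register kept in one fixed order (threat, vulnerability, impact, probability, risk, action) with a cost on every action and attention limited to the top 5-10 threats. The following is an added example, not Anitian's RiskNow method or any code from the deck, of a small register that does exactly that. The 1-5 scales, the scoring rule (risk = probability x impact, with a control subtracting points from probability and/or impact) and the sample entries are all constructed assumptions for illustration; the threat and vulnerability wording is borrowed from the "Keep the Threats and Vulns in their Place" slide.

```python
"""Constructed risk register in the deck's threat-first order.

Assumptions (not from the deck): 1-5 scales for probability and impact,
risk = probability x impact, and a control lowers probability and/or
impact by a fixed number of points. Anitian's RiskNow uses its own
"simplified expression of probability and impact"; this is not it.
"""
from dataclasses import dataclass
from typing import List

# Simplified scales: the deck asks for a simple expression of probability and impact.
PROBABILITY = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """The ACTION: what fixes it, what it reduces, and what it costs (deck: cost every effort)."""
    name: str
    reduces_probability: int = 0   # points taken off the probability score
    reduces_impact: int = 0        # points taken off the impact score
    cost_months: float = 0.0       # time cost; money would be another field


@dataclass
class ThreatEntry:
    """One row of the register: threat -> vulnerability -> impact -> probability -> risk -> action."""
    threat: str
    vulnerability: str
    impact: str          # key of IMPACT
    probability: str     # key of PROBABILITY
    action: Control
    who: str             # the deck's WHO: who this affects

    def inherent_risk(self) -> int:
        """Risk before the control is applied (assumed rule: probability x impact)."""
        return PROBABILITY[self.probability] * IMPACT[self.impact]

    def residual_risk(self) -> int:
        """Risk after the control; scores never drop below 1 (a threat never fully disappears)."""
        p = max(1, PROBABILITY[self.probability] - self.action.reduces_probability)
        i = max(1, IMPACT[self.impact] - self.action.reduces_impact)
        return p * i


def rank_register(entries: List[ThreatEntry], top_n: int = 5) -> List[ThreatEntry]:
    """Highest inherent risk first, truncated to top_n (deck: focus on 5-10 threats, not all)."""
    return sorted(entries, key=lambda e: e.inherent_risk(), reverse=True)[:top_n]


def brief_line(entry: ThreatEntry) -> str:
    """One plain-language sentence per threat, in the order the deck insists on."""
    return (f"{entry.threat}: exploits {entry.vulnerability}; impact {entry.impact}, "
            f"probability {entry.probability} (risk {entry.inherent_risk()} -> "
            f"{entry.residual_risk()} after '{entry.action.name}', "
            f"~{entry.action.cost_months:g} months). Affects: {entry.who}.")


# Constructed sample register; threats/vulnerabilities echo the deck's examples.
SAMPLE_REGISTER = [
    ThreatEntry("Malware steals sensitive data", "unpatched workstations", "severe", "likely",
                Control("patch management program", reduces_probability=2, cost_months=2), "CIO, customers"),
    ThreatEntry("Data leaked to a competitor", "no egress monitoring", "major", "possible",
                Control("DLP on outbound email", reduces_probability=1, reduces_impact=1, cost_months=1),
                "Sales leadership"),
    ThreatEntry("Authentication data stolen", "shared admin passwords", "major", "likely",
                Control("MFA and password vault", reduces_probability=2, cost_months=1), "IT operations"),
    ThreatEntry("Third-party service unavailable", "single hosting provider", "moderate", "unlikely",
                Control("documented failover", reduces_impact=1, cost_months=3), "Operations"),
]


def leadership_brief(entries: List[ThreatEntry] = SAMPLE_REGISTER, top_n: int = 3) -> List[str]:
    """The top-N threats as briefing sentences, ready to read to an executive."""
    return [brief_line(e) for e in rank_register(entries, top_n)]


if __name__ == "__main__":
    for line in leadership_brief():
        print(line)
```

Ranking on inherent risk but reporting residual risk next to the action's cost is the point: it lets a leader see both "how bad is it" and "what does the fix buy us for what effort" on one line, which is the SO WHAT and ACTION the deck asks for.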
Risk Driven Security Programs
• Make decisions better
• Select more effective technologies
• Invest in their people and controls completely
• Hire and cultivate intelligent people
• Focus on the most likely or serious threats to the business
• Balance agility with policy and process
• Stay on mission
• Protect the business, the data, and their jobs
RISKNOW RAPID RISK ASSESSMENT
RiskNow Accelerates Risk Assessment
• Accelerated, condensed version of NIST 800-30
• Facilitated interviews, minimal questionnaires
• Integrated penetration testing and critical controls configuration analysis
• Unique “lensing” process to categorize assets
• Simplified expression of probability and impact
• Brief reports designed for leadership
• Action plan with specific technology recommendations
• Fully vetted for HIPAA, PCI, FFIEC, NERC
RiskNow Process
1. Scope project
2. Lens the assets
3. Review artifacts (policies, procedures, plans, etc.)
4. Interview stakeholders
5. Conduct technical tests (pentest, config review, architecture)
6. Document threats into a Risk Matrix
7. Refine into a Business Risk Intelligence Report
8. Brief leadership on top threats and Action Plan
Duration: 2-4 weeks
Cost: Starts at $14,995
RiskNow Output
• RiskNow Intelligence Report
• Business Risk Intelligence Brief
• Threat Intelligence Brief
• Action Plan
• Threat Matrix (aka Risk Register)
• Technical Appendices
Sample Risk Intelligence Briefing
Sample Threat Intelligence Briefing
Sample Action Plan
Sample Risk Matrix (Part 1)
Sample Risk Matrix (Part 2)
Why RiskNow: Rapid Risk Assessment
Fast
Clear
Accurate
Actionable
Rational
Practical
FINAL THOUGHTS
Risk Fuels Decision Making
• Keep things in this order:
1. Threats (something bad that could happen)
2. Vulnerabilities (weaknesses)
3. Risk (a measurement of a threat)
4. Action (the fix)
• Stay true to the “Core Six”
• Establish authority with decisive, simple language
• Identify tangible, actionable recommendations
• Make it personal
• Engage Anitian to help your clients understand their risks
Thank You
EMAIL: [email protected]
@andrewplato
@AnitianSecurity
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: bit.ly/anitian
CALL: 888-ANITIAN