The Art of Cyber Risk Management
Asaf Weisberg CISM, CISA, CRISC, CGEIT
Amsterdam, 11.4.2019
About the Presenter
• Asaf Weisberg, CISM, CRISC, CISA, CGEIT
• Founder & CEO, introSight Ltd.
• Immediate Past President of the ISACA Israel Chapter
• 2019-2020 Director, ISACA Int’l Board of Directors
• Over 25 years of hands-on, managerial and mentoring experience
• Develops Cybersecurity methodological tools & exercises them in the field
First Manned Moon Landing
What I Talk About When I Talk About Cyber Risks?
Why Business Alignment?
Bottom-UP or Top-Down?
Why not Connect the Two Approaches?
A Business Oriented Cyber Risk Management Model
The heart of the BCRM is its mathematical algorithm:
• The algorithm calculates the Residual Business Risk to processes, as a function of Inherent Business Risk & IT controls effectiveness
• A semi-quantitative approach, enhanced with ranks and weights, provides granular risk prioritization
• Prioritization of the risk reduction plan is based on the calculated Residual Business Risk
• Slicing & dicing the calculated data allows analyzing risks from various views
Working with the model
Cyber Risks: “Traditional” Top 10 View
The Art of Cyber Risk Management
Efficiently Reduce Cyber Risks According to Business Priorities
Cyber Risks: Process Systems View
Think like an Attacker
https://resources.infosecinstitute.com/the-psychological-profile-of-a-hacker-with-emphasis-on-security-awareness/#gref
Attack Surfaces
Cyber Risks: Attack Surface View
We are going through a Paradigm Shift!
From Prevention to Containment
Organizational View: Controls Effectiveness by NIST Functions
Current state:
Reasonable “Traditional” controls
Evolving “Cyber-Era” controls
An Adaptive Cyber Risk Management Model
• Risk management is a long-term process; changes are inevitable.
The BCRM model allows you to:
– Change risk factors, as new threats emerge
– Add new controls to mitigate existing risks, as exposure changes
– Add or remove business processes & information systems
– Change ranks & weights, according to the organization’s policy
• Continuously update the BCRM with:
– Risk assessment sprint results
– Internal audit findings
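The slides describe the BCRM algorithm only in outline: Residual Business Risk as a function of Inherent Business Risk and control effectiveness, a semi-quantitative scheme with ranks and weights, prioritization by the residual value, slicing by process, system and attack surface, and the adaptive updates listed above. The following Python is an added example written for this page, not the BCRM model's own implementation, and its specific formulas are assumptions: inherent risk is the product of 1–5 impact and likelihood ranks, control effectiveness is the weight-normalized mean of per-control scores in [0, 1], residual risk is inherent risk times (1 − effectiveness), and a process inherits the residual of its most exposed system (weakest-link rule). All processes, systems, controls and scores are constructed sample data.

```python
"""Semi-quantitative residual business risk model (added example, assumed formulas).

inherent_risk          = impact_rank * likelihood_rank          (ranks 1..5)
control_effectiveness  = sum(w_i * e_i) / sum(w_i)              (e_i in [0, 1])
residual_risk          = inherent_risk * (1 - control_effectiveness)
process residual       = max over its systems (weakest link)
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    nist_function: str    # Identify / Protect / Detect / Respond / Recover
    weight: float         # relative importance, set by organizational policy
    effectiveness: float  # assessed effectiveness, 0.0 (absent) .. 1.0 (fully effective)

    def __post_init__(self):
        if not 0.0 <= self.effectiveness <= 1.0 or self.weight <= 0:
            raise ValueError(f"bad control parameters for {self.name}")


@dataclass
class System:
    name: str
    attack_surfaces: list[str]          # e.g. "internet", "internal", "cloud-saas"
    controls: list[Control] = field(default_factory=list)


@dataclass
class Process:
    name: str
    impact: int       # business impact rank, 1..5
    likelihood: int   # likelihood rank, 1..5
    systems: list[System]

    def __post_init__(self):
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError(f"ranks for {self.name} must be in 1..5")


def inherent_risk(p: Process) -> int:
    return p.impact * p.likelihood


def control_effectiveness(controls: list[Control]) -> float:
    # Weighted mean; a system with no controls is treated as fully exposed.
    total_weight = sum(c.weight for c in controls)
    if total_weight == 0:
        return 0.0
    return sum(c.weight * c.effectiveness for c in controls) / total_weight


def system_residual(p: Process, s: System) -> float:
    return inherent_risk(p) * (1.0 - control_effectiveness(s.controls))


def process_residual(p: Process) -> float:
    # Weakest-link assumption: the most exposed supporting system sets the process risk.
    return max(system_residual(p, s) for s in p.systems)


def prioritized_plan(processes: list[Process]) -> list[tuple[str, float]]:
    """Process view: risk-reduction priority, highest residual first (name breaks ties)."""
    rows = [(p.name, process_residual(p)) for p in processes]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def attack_surface_view(processes: list[Process]) -> dict[str, float]:
    """Attack-surface view: worst residual among systems exposing each surface."""
    view: dict[str, float] = defaultdict(float)
    for p in processes:
        for s in p.systems:
            r = system_residual(p, s)
            for surface in s.attack_surfaces:
                view[surface] = max(view[surface], r)
    return dict(view)


def nist_function_view(processes: list[Process]) -> dict[str, float]:
    """Organizational view: weighted control effectiveness per NIST CSF function."""
    by_function: dict[str, list[Control]] = defaultdict(list)
    for p in processes:
        for s in p.systems:
            for c in s.controls:
                by_function[c.nist_function].append(c)
    return {fn: control_effectiveness(cs) for fn, cs in by_function.items()}


def add_control(s: System, c: Control) -> None:
    """Adaptive update: a new control is added and every view recomputes from the data."""
    s.controls.append(c)


def sample_portfolio() -> list[Process]:
    # Constructed sample data; names and scores are illustrative only.
    return [
        Process("Payments", 5, 4, [
            System("core-banking", ["internal"],
                   [Control("MFA", "Protect", 2.0, 0.9), Control("EDR", "Detect", 1.0, 0.6)]),
            System("payment-api", ["internet", "api"],
                   [Control("WAF", "Protect", 1.0, 0.5), Control("Logging", "Detect", 1.0, 0.5)]),
        ]),
        Process("HR", 3, 3, [
            System("hris", ["internal", "cloud-saas"], [Control("SSO", "Protect", 1.0, 0.7)]),
        ]),
        Process("Marketing site", 2, 4, [System("cms", ["internet"])]),
    ]


if __name__ == "__main__":
    portfolio = sample_portfolio()
    print("Before:", prioritized_plan(portfolio))
    print("By attack surface:", attack_surface_view(portfolio))
    print("By NIST function:", nist_function_view(portfolio))
    add_control(portfolio[0].systems[1], Control("Rate limiting", "Protect", 1.0, 0.95))
    print("After investment:", prioritized_plan(portfolio))
```

With the constructed data, Payments carries the top residual (10.0) because its internet-facing API is the weakest link, even though the core system scores well; a single added control on that API drops the process to 7.0 and moves it below the uncontrolled marketing site in the plan, which is the "measure the change of Residual Business Risk as a result of IT investments" takeaway in code form.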
Takeaways
• To establish Business alignment - start at the process level
• Adjust resource allocation to support shifting from Prevention to Containment
• Think like an attacker - Consider emerging as well as traditional Attack Surfaces
• Prioritize Cyber Risk Reduction activities, according to Residual Business Risks
• Adopt Continuous Risk Management practices
• Measure the change of Residual Business Risks, as a result of IT investments
Cyber Risk Management is an art; make sure it is based on facts
[email protected]
https://www.linkedin.com/in/asafweisberg