Copyright 2017 RiskLens, Inc.
Why is risk the bridge between business & security worlds?
Isaiah McGowan #ATLSecCon 2017
It’s ‘medium-high’ because it highly affects operations!
The risk is ‘high’ because it’s easy to conduct the attack!
It’s ‘medium’ because we have compensating controls!
The Goal of Cybersecurity
Symptoms of Failure
Treating Root Causes
The Way Forward
The Goal of Cybersecurity
•All business functions dealing with adverse events share our goal:
•To cost-effectively manage to an acceptable level of risk.
•We are not here to make the business ‘secure’!
“The value of information security is our ability to affect exposure to loss.”
-Jack Jones, Inventor of FAIR
The Board of Directors
Responsible for all opportunities and risks
Executive Management
Responsible for executing priorities set by the board
CISO
Responsible for managing cybersecurity risk to an
acceptable level
Cybersecurity Operations
Responsible for executing security initiatives to affect
the frequency and/or magnitude of adverse events
Symptoms of Failure
Common symptoms affecting our ability to manage risk:
•Unicorn syndrome
•Failing to address underlying assumptions
•Leveraging poor models of the problem space
•Expecting the business to speak our language
•Mixing cybersecurity jargon with business terms
What’s the risk of this bald tire?
•What were your assumptions?
•How did you define ‘risk’?
fairinstitute.org/blog/fixing-nist-800-30
Broken models are broken
Would you go to the moon if…
The Risk Register!!
It’s out of control!!
Risk-register-itis
/risk/ˈrejəstər/itis
noun
A disease resulting in a Denial of Service attack on an organization attempting to prioritize cybersecurity issues.
Common conditions include:
•Putting any possible issue into a risk register
•A signal-to-noise ratio too great to overcome
Treating Root Causes
Risk is the probable frequency &
probable magnitude of future loss.
erm…
How likely are adverse events to occur, and how unfavorable are they likely to be?
Can you spot the risks?
Cloud Computing: Asset
Unexpired passwords: Control condition
Privileged Insiders: Threat
SQLi: Attack technique
Mobile Devices: Asset
Ransomware: Threat
Weak VPN encryption: Control condition
Vulns. Findings. Exceptions. Control gaps. Missing policies.
Please Stop!
“Treat risk as a science, not a dark art.
Use scenario analysis. Think things through all the way to the
end. Then come back to the beginning and ask yourself "what
if?". While predicting the future is hard, formal risk models like
FAIR and bow-tie can help tremendously.”
-Dr. Ramzan, CTO, RSA
Factor Analysis of Information Risk (FAIR)
Risk
•Loss Event Frequency (LEF)
  •Threat Event Frequency (TEF)
    •Contact Frequency: Random, Regular, Intentional
    •Probability of Action (PoA): Value, Level of Effort, Risk
  •Vulnerability
    •Threat Capability (TCap)
      -- Skills: Knowledge, Experience
      -- Resources: Time, Materials
    •Resistance Strength (RS)
•Loss Magnitude (LM)
  •Primary Loss
  •Secondary Risk
    •Secondary Loss Event Frequency
    •Secondary Loss Magnitude
Analysis Scoping
1. Identify the asset(s)
2. Identify relevant threat(s)
3. Define Loss Type: C - I - A
Risk - The probable frequency and probable magnitude of future loss
Loss Event Frequency - The frequency, within a given timeframe, that loss is expected to occur
Productivity Loss - Loss that results from an operational inability to deliver products or services
Response Costs - Loss associated with the costs of managing an event
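To make the FAIR taxonomy above concrete, here is an added Monte Carlo example written for this page (it is not RiskLens or FAIR Institute code) that runs one scoped scenario through the factors: Contact Frequency times PoA gives TEF, a TCap-versus-RS draw decides Vulnerability and therefore LEF, and Primary Loss plus Secondary Loss gives LM. The names Estimate, Scenario and simulate, the triangular distributions, the whole-events-plus-Bernoulli event count, and every figure in the constructed ransomware scenario are assumptions for illustration.

```python
import random
from dataclasses import dataclass

@dataclass
class Estimate:
    """Calibrated min / most-likely / max estimate, sampled as a triangular distribution."""
    low: float
    mode: float
    high: float

    def sample(self, rng):
        if self.high == self.low:  # point estimate, nothing to sample
            return self.low
        return rng.triangular(self.low, self.high, self.mode)

@dataclass
class Scenario:
    contact_frequency: Estimate           # threat contacts with the asset per year
    probability_of_action: Estimate       # share of contacts where the actor acts, 0..1
    threat_capability: Estimate           # TCap as a percentile, 0..1
    resistance_strength: Estimate         # RS as a percentile, 0..1
    primary_loss: Estimate                # primary loss per loss event (currency)
    secondary_loss_probability: Estimate  # chance a loss event also causes secondary loss
    secondary_loss: Estimate              # secondary loss magnitude when it does (currency)

def simulate_year(s, rng):
    """One simulated year: TEF -> LEF via TCap vs RS, then LM summed over loss events."""
    tef = s.contact_frequency.sample(rng) * s.probability_of_action.sample(rng)
    # Threat events this year: whole part of TEF plus a Bernoulli draw for the remainder.
    events = int(tef) + (rng.random() < tef - int(tef))
    total = 0.0
    for _ in range(events):
        # Vulnerability: a threat event becomes a loss event only if TCap beats RS on this draw.
        if s.threat_capability.sample(rng) <= s.resistance_strength.sample(rng):
            continue
        loss = s.primary_loss.sample(rng)
        if rng.random() < s.secondary_loss_probability.sample(rng):
            loss += s.secondary_loss.sample(rng)
        total += loss
    return total

def simulate(s, years=10_000, seed=1):
    """Annualized loss exposure: mean and percentiles over many simulated years."""
    rng = random.Random(seed)
    losses = sorted(simulate_year(s, rng) for _ in range(years))
    return {"mean": sum(losses) / years, "p50": losses[years // 2],
            "p90": losses[int(years * 0.9)], "max": losses[-1]}

# Constructed scenario (assumption): ransomware (threat) against a file server (asset),
# loss type Availability. Every figure is illustrative, not data from the deck.
RANSOMWARE_FILE_SERVER = Scenario(
    Estimate(2, 6, 12), Estimate(0.5, 0.8, 1.0), Estimate(0.4, 0.6, 0.9),
    Estimate(0.5, 0.7, 0.85), Estimate(20_000, 80_000, 250_000),
    Estimate(0.1, 0.3, 0.6), Estimate(50_000, 200_000, 1_000_000))
```

Calling simulate(RANSOMWARE_FILE_SERVER) returns the annualized loss distribution, which is the quantity a CISO can set against an acceptable level of risk instead of a ‘medium-high’ label.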
Data-driven risk analysis
Risk-oriented Cybersecurity Operations
Formal risk models
Incorporating terms that align to the business
Threat Intelligence
•Classification patterns
•VDBIR
•Attack trends
•Threat profiles
•Threat modeling
•STRIDE
Incident Management
•Incident classification alignment
•VERIS
•MITRE
•Reusable data
Auditing & Scanning
•Security posture
•Vulnerabilities
•Configuration flaws
•Variance in compliance
Node Telemetry
•Asset inventory
•Data at risk
Testing
•Automated
•Manual
•Outsourced
•Red Team
Risk management is an analytical discipline
Enterprise risk: Uncover key risk drivers
Systematic analysis: Analyses become repeatable and operationalized
Risk Management Goal: Scientific analysis results drive better recommendations to the business, resulting in cost-effectively managing risk to an acceptable level.
Data (telemetry): Feeds analysis to drive objective results
The Way Forward
Resources:
•The FAIR Institute
  -- fairinstitute.org (membership is free)
•Measuring & Managing Information Risk: A FAIR Approach
  -- Amazon
•‘Getting Started’ reading list
  -- fairinstitute.org/blog/5-must-read-books-to-jumpstart-your-career-in-risk-management
Risk bridges business and security
Questions?!
