Michael Scheidell, CISSP, CCISO, SMIEEE
RISKY BUSINESS
Prepare and Defend.
InfraGard slidesha.re/1H0uVSL
© 2014-2015 All Rights Reserved Security Privateers

Michael Scheidell, CISSP, CCISO, SMIEEE
Risky Business
@scheidell
561-948-1305 / michael@securityprivateers.com
http://www.securityprivateers.com
• CISSP, Certified CISO
• SE Regional Rep, InfraGard National
• Board Member, InfraGard, South Florida Members Alliance
• Delegate to NIST CSF workshop
• Retained CISO
• Member ISSA, IAPP, ISACA, PMI, SFTA, CSA, FISA, IEEE
• Patents in Network Security
• Founded 3 technology companies
AGENDA
• Evolution, Revolution or Anarchy
• Who is Responsible for IT Security?
• Please Stop calling it InfoSec
• IT Risk Management
• Risk Officer / Risk Committee
• Types of Risk Management
• Risk of Too Much Management
• Risk Management Frameworks
• Do or Not Do. There is no Try
Evolution, Revolution or Anarchy
Restricted Access
Secrets
Protection
Who is Responsible for IT Security?
Not My Job: CFO, IT Security, Network Manager, CIO, Dir IT, CEO
Please Stop Calling it Information Security
1. Information Security: usually in the IT department, with no visibility into business practices. Revolves around the Information Security Policy and one of several InfoSec frameworks.
2. IT Risk Management: without direct involvement of all stakeholders you can't allocate resources or determine what to protect and why.
Risk Management: It's Everyone's Job
Chief Risk Officer
Stakeholders: Executive, Operations, Information Technology, Legal, Finance, CRO, IT
1. Retail: add in Loss Prevention
2. Marketing: PR for when things go wrong
Risk Management Steps: from here to there and back again
1. Business Impact Analysis: What will it cost us? Also needed for the DRP and BCP.
2. Identify Risks: Governance, Risk, Compliance
3. Prioritize Mitigation: Budget, Business Impact, Legal
4. Fund Failure: It will happen. Decide what to do before it happens.
Risk matrix: LIKELIHOOD (rows) x CONSEQUENCES (columns)
Likelihood: how likely is the event to occur?
Consequences: what is the severity of injuries / potential damages / financial loss?

Likelihood        Insignificant  Minor      Moderate   Major     Catastrophic
Almost certain    MODERATE       HIGH       HIGH       CRITICAL  CRITICAL
Likely            MODERATE       MODERATE   HIGH       HIGH      CRITICAL
Possible          LOW            MODERATE   HIGH       HIGH      CRITICAL
Unlikely          LOW            MODERATE   MODERATE   HIGH      HIGH
Rare              LOW            LOW        MODERATE   HIGH      HIGH

Likelihood bands:
  Almost certain: expected in normal circumstances (100%)
  Likely: will probably occur in most circumstances (10%)
  Possible: might occur at some time (1%)
  Unlikely: could occur at some future time (0.1%)
  Rare: only in exceptional circumstances (0.01%)

Consequence bands:
  Insignificant: no injuries, no environmental impact, < $1,000 damage
  Minor: some first aid, low environmental impact, < $10K damage
  Moderate: external medical treatment, medium environmental impact, < $100K damage
  Major: extensive injuries, high environmental impact, < $1MM damage
  Catastrophic: death / major injury, toxic environmental impact, > $1MM damage
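The matrix above, turned into code as an added example (not part of the original presentation): the likelihood percentages, the consequence bands and the LOW/MODERATE/HIGH/CRITICAL grid are taken from the slide. Everything else is an assumption added here to show how the matrix feeds the "prioritize mitigation" step: an annualized expected loss (band probability times the band's damage ceiling), a $10MM ceiling for Catastrophic because the slide gives only "> $1MM", a constructed sample risk register, and a greedy ranking of mitigations by expected loss avoided per dollar under a fixed budget. It goes beyond the slide in that the qualitative rating can stay the same while the expected loss, and therefore the funding priority, changes.

```python
"""Risk-matrix scoring and budget-constrained mitigation ranking.

Added example. Bands and grid are from the matrix slide; the expected-loss
arithmetic, the Catastrophic ceiling, the sample register and the ranking
rule are illustrative assumptions, not the presenter's method.
"""
from dataclasses import dataclass

# Likelihood bands from the slide: name -> annual probability of occurrence.
LIKELIHOOD = {
    "Almost certain": 1.0,
    "Likely": 0.10,
    "Possible": 0.01,
    "Unlikely": 0.001,
    "Rare": 0.0001,
}

# Consequence bands from the slide: name -> damage ceiling in dollars.
# The slide says "> $1MM" for Catastrophic; the $10MM ceiling is an assumption.
CONSEQUENCE = {
    "Insignificant": 1_000,
    "Minor": 10_000,
    "Moderate": 100_000,
    "Major": 1_000_000,
    "Catastrophic": 10_000_000,
}

# The rating grid exactly as printed: row = likelihood, column = consequence
# (columns in the same order as CONSEQUENCE above).
GRID = {
    "Almost certain": ["MODERATE", "HIGH", "HIGH", "CRITICAL", "CRITICAL"],
    "Likely":         ["MODERATE", "MODERATE", "HIGH", "HIGH", "CRITICAL"],
    "Possible":       ["LOW", "MODERATE", "HIGH", "HIGH", "CRITICAL"],
    "Unlikely":       ["LOW", "MODERATE", "MODERATE", "HIGH", "HIGH"],
    "Rare":           ["LOW", "LOW", "MODERATE", "HIGH", "HIGH"],
}
CONSEQUENCE_INDEX = {name: i for i, name in enumerate(CONSEQUENCE)}


def rate(likelihood: str, consequence: str) -> str:
    """Qualitative rating for a likelihood/consequence pair, straight from the grid."""
    return GRID[likelihood][CONSEQUENCE_INDEX[consequence]]


def expected_annual_loss(likelihood: str, consequence: str) -> float:
    """Annualized loss expectancy: band probability x band damage ceiling (assumption)."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


@dataclass
class Risk:
    name: str
    likelihood: str
    consequence: str
    mitigation_cost: float          # annual cost of the proposed control
    mitigated_likelihood: str       # band the risk moves to if the control is funded
    mitigated_consequence: str

    def rating(self) -> str:
        return rate(self.likelihood, self.consequence)

    def residual_rating(self) -> str:
        return rate(self.mitigated_likelihood, self.mitigated_consequence)

    def loss_reduction(self) -> float:
        """Expected annual loss avoided if the mitigation is funded."""
        return (expected_annual_loss(self.likelihood, self.consequence)
                - expected_annual_loss(self.mitigated_likelihood,
                                       self.mitigated_consequence))

    def benefit_per_dollar(self) -> float:
        return self.loss_reduction() / self.mitigation_cost


def prioritize(risks: list[Risk], budget: float) -> list[Risk]:
    """Greedy funding: best loss-avoided-per-dollar first, until the budget runs out."""
    funded, remaining = [], budget
    for r in sorted(risks, key=Risk.benefit_per_dollar, reverse=True):
        if r.loss_reduction() > 0 and r.mitigation_cost <= remaining:
            funded.append(r)
            remaining -= r.mitigation_cost
    return funded


# Constructed sample register; the values are illustrative, not from the slides.
REGISTER = [
    Risk("Phishing leads to credential theft", "Likely", "Moderate",
         mitigation_cost=20_000, mitigated_likelihood="Possible",
         mitigated_consequence="Moderate"),
    Risk("Ransomware on file servers", "Possible", "Major",
         mitigation_cost=60_000, mitigated_likelihood="Unlikely",
         mitigated_consequence="Minor"),
    Risk("Hurricane takes out primary data center", "Unlikely", "Catastrophic",
         mitigation_cost=250_000, mitigated_likelihood="Unlikely",
         mitigated_consequence="Major"),
    Risk("Lost laptop with no sensitive data", "Likely", "Insignificant",
         mitigation_cost=5_000, mitigated_likelihood="Possible",
         mitigated_consequence="Insignificant"),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:42} {r.rating():8} -> {r.residual_rating():8} "
              f"avoids ${r.loss_reduction():>9,.0f}/yr  "
              f"${r.benefit_per_dollar():.3f} per $ spent")
    print("Fund:", [r.name for r in prioritize(REGISTER, budget=100_000)])
```

Note that the phishing control leaves the grid rating at HIGH (Likely/Moderate and Possible/Moderate both map to HIGH) yet avoids the most expected loss per dollar, while the hurricane control cannot fit the budget at all. The grid alone would not have separated those two; the matrix tells you what to worry about, the expected-loss figure tells you what to fund first.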
Types of Risk Management
There is more than one way to go bankrupt
1. Enterprise Risk
2. Operational Risk
3. Regulatory and Legal Risk
4. Financial Risk
5. Unknown Risk
Where does Information Risk Management fit?
Types of Risk Management

Operational Risk: operational risks exist in every organization, regardless of its size, in any number of forms, including hurricanes, blackouts, computer hacking, and organized fraud.

Regulatory and Legal Risk: international, federal, state, local, legal and industry-specific requirements: Safe Harbor, GLBA, SOX (Sarbanes-Oxley), HIPAA, PCI.

Financial Risk: the loss of key resources such as funding, through credit risk, investment risk, liquidity risk and market risk.

Enterprise Risk: enterprise risk management (ERM) is a framework to reduce earnings volatility through a robust risk governance structure and a strong risk culture, supported by sound risk management capabilities.

Unknown Risk: "There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know." (Donald Rumsfeld)
Source: Harvard Business Review, June 2012
1. Preventable Risks
• Risks that can be controlled: employee misconduct; unauthorized or illegal actions
• No strategic benefit
• Manage pro-actively: monitoring processes, guiding behaviors, rules-based compliance

2. Strategy Risks
• Must accept some risks: a lender accepts risk; R&D spending
• Not inherently undesirable: higher reward, higher risk
• Rules-based compliance won't work. Requires a risk-management system designed to reduce the probability that the assumed risks actually materialize and to improve the company's ability to manage or contain risk events should they occur.

3. External Risks
• Beyond company control: natural disasters, political disasters, economic disasters
• Can't prevent them; can't predict them
• Focus on identification
• Plan: Business Impact Analysis, Disaster Recovery Plan, Business Continuity Plan, Insurance
Working With Risks
Categories (columns): Enterprise, Operational, Regulatory, Financial
Risk types (rows): Strategic Risks, Preventable Risks, External Risks, Acceptable Risks

IT-related Risk
Enterprise Risk breaks down into: Strategic Risk, Environmental Risk, Market Risk, Credit Risk, Operational Risk

IT Risk in the Risk Hierarchy: where IT fits in
IT risk categories: IT Benefit/Value Enablement Risk; IT Program and Project Delivery Risk; IT Operations and Service Delivery Risk

IT risk is a component of the overall risk universe of the enterprise. In many enterprises, IT-related risk is considered a component of operational risk, e.g., in the financial industry under Basel II. However, even strategic risk can have an IT component, especially where IT is the key enabler of new business initiatives. The same applies to credit risk, where poor IT (security) can lead to lower credit ratings. For that reason it is better not to depict IT risk with a hierarchic dependency on one of the other risk categories, but perhaps as shown in the example given.
Working with Risks: COBIT 5 for Risk
IT Risk Frameworks: NIST 800-37

IT Risk Frameworks: ISACA's RISK IT Framework
Risk IT Principles:
• Connect to Business Objectives
• Align IT Risk Management with ERM
• Balance Cost/Benefit of IT Risk
• Promote Fair and Open Discourse
• Establish Tone and Accountability at the Top
• Function as Part of Daily Activities
IT-related Risk Management
Risk IT is not limited to information security. It covers all IT-related risks, including:
• Late project delivery
• Not achieving enough value from IT
• Compliance
• Misalignment
• Obsolete or inflexible IT architecture
• IT service delivery problems
Two choices
This is your last chance ... After this, there is no turning back.
You take the blue pill: the story ends, you wake up in your bed and believe whatever you want to believe.
You take the red pill, … you stay in Wonderland, and I show you how deep the rabbit hole goes.
Running with Scissors: Why RISK is Good

Risk of Too Much Management
• What major systemic failure can you think of in Security and Privacy?
• Where has too much Security eliminated Privacy and done nothing for Security?
• Have you experienced too much security?
$93 billion spent since 2001
Where to put priorities
• Identify
• Risk Assessment
  • Likelihood
    • Logs
    • Security Alerts
  • Consequences
    • Business Impact Analysis
    • Data Valuation
      • Unavailable
      • Modified
      • Exfiltrated
    • Data Classification
      • Public
      • Private
      • Classified
• THEN AUDIT
Where to put priorities: examples
• Exfiltrated Public Data
• State Code DB
• DoS Ketchup Formula
• Corrupt ICBM Codes
• 40MM Dumps with PIN
Business Impact Analysis
Data Valuation / Data Classification
Data Breach
Profitability
BCP/DRP/RISK IT
BIA
Missing Backup
Internet Outage
Power Outage
Responsibility: Executive Management (go to www.hotjobs.com)
1. Start to work
2. Partner with other departments
3. Without a destination, any path will do.
• Join InfraGard http://www.infragard.org/
• Join ISACA http://www.isaca.org
• Join ISSA http://www.issa.org
• Presentation: http://slidesha.re/1H0uVSL
• Learn about RISK IT and COBIT
• Training / Certifications: CISSP, CCISO, CRISC
New Platform, Old Mistakes
Keep doing the same thing hoping for different results

Risk Management Programs
• Build your IT Risk Management Team
• Help Management Implement RISK IT
• Training
• Web App Assessment
• SDLC Review
• IT Risk Assessments
• Retained CISO
Risky Business: Where to get Help
@scheidell
561-948-1305 / michael@securityprivateers.com
http://www.securityprivateers.com
Call to set up an appointment for initial review

More Related Content

What's hot

How to Manage Strategic & Reputation Risk in Turbulent Times
How to Manage Strategic & Reputation Risk in Turbulent TimesHow to Manage Strategic & Reputation Risk in Turbulent Times
How to Manage Strategic & Reputation Risk in Turbulent Times
PECB
 
How to Improve Your Risk Assessments with Attacker-Centric Threat Modeling
How to Improve Your Risk Assessments with Attacker-Centric Threat ModelingHow to Improve Your Risk Assessments with Attacker-Centric Threat Modeling
How to Improve Your Risk Assessments with Attacker-Centric Threat Modeling
Tony Martin-Vegue
 
Risk managemet made easy
Risk managemet made easyRisk managemet made easy
Risk managemet made easy
sheyam selvaraj
 
Risk management automation
Risk management automationRisk management automation
Risk management automation
sheyam selvaraj
 

What's hot (20)

Formal Risk Assessment Workshop
Formal Risk Assessment WorkshopFormal Risk Assessment Workshop
Formal Risk Assessment Workshop
 
Reputation Risk: Why Companies Need to Care
Reputation Risk: Why Companies Need to CareReputation Risk: Why Companies Need to Care
Reputation Risk: Why Companies Need to Care
 
Mtgt2017 preaccelerator day3
Mtgt2017 preaccelerator day3Mtgt2017 preaccelerator day3
Mtgt2017 preaccelerator day3
 
How to Manage Strategic & Reputation Risk in Turbulent Times
How to Manage Strategic & Reputation Risk in Turbulent TimesHow to Manage Strategic & Reputation Risk in Turbulent Times
How to Manage Strategic & Reputation Risk in Turbulent Times
 
Finding and Protecting Your Organizations Crown Jewels
Finding and Protecting Your Organizations Crown JewelsFinding and Protecting Your Organizations Crown Jewels
Finding and Protecting Your Organizations Crown Jewels
 
Whose risk counts
Whose risk countsWhose risk counts
Whose risk counts
 
Measuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Measuring DDoS Risk using FAIR (Factor Analysis of Information RiskMeasuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Measuring DDoS Risk using FAIR (Factor Analysis of Information Risk
 
Managing Risk or Reacting to Compliance
Managing Risk or Reacting to ComplianceManaging Risk or Reacting to Compliance
Managing Risk or Reacting to Compliance
 
Executive Travel, Keeping Your Employees Safe
Executive Travel, Keeping Your Employees SafeExecutive Travel, Keeping Your Employees Safe
Executive Travel, Keeping Your Employees Safe
 
How to Improve Your Risk Assessments with Attacker-Centric Threat Modeling
How to Improve Your Risk Assessments with Attacker-Centric Threat ModelingHow to Improve Your Risk Assessments with Attacker-Centric Threat Modeling
How to Improve Your Risk Assessments with Attacker-Centric Threat Modeling
 
OH&S Risk Management: Due Diligence in the Workplace
OH&S Risk Management: Due Diligence in the WorkplaceOH&S Risk Management: Due Diligence in the Workplace
OH&S Risk Management: Due Diligence in the Workplace
 
IT Risk Management - the right posture
IT Risk Management - the right postureIT Risk Management - the right posture
IT Risk Management - the right posture
 
Risk management models - Core Consulting
Risk management models - Core ConsultingRisk management models - Core Consulting
Risk management models - Core Consulting
 
Keynote @ ISC2 Cyber Aware Dallas
Keynote @ ISC2 Cyber Aware DallasKeynote @ ISC2 Cyber Aware Dallas
Keynote @ ISC2 Cyber Aware Dallas
 
Relating Risk to Vulnerability
Relating Risk to Vulnerability Relating Risk to Vulnerability
Relating Risk to Vulnerability
 
Risk managemet made easy
Risk managemet made easyRisk managemet made easy
Risk managemet made easy
 
Risk management automation
Risk management automationRisk management automation
Risk management automation
 
Grc t17
Grc t17Grc t17
Grc t17
 
Risk Management in Pilotage - By Mr. Marantis Stylianos
Risk Management in Pilotage - By Mr. Marantis StylianosRisk Management in Pilotage - By Mr. Marantis Stylianos
Risk Management in Pilotage - By Mr. Marantis Stylianos
 
Using ISO 31000 as a strategic tool for National Planning and Governance
Using ISO 31000 as a strategic tool for National Planning and GovernanceUsing ISO 31000 as a strategic tool for National Planning and Governance
Using ISO 31000 as a strategic tool for National Planning and Governance
 

Viewers also liked

Spss Estimation of Multiple Regression ...Adi...
Spss Estimation of Multiple Regression ...Adi...Spss Estimation of Multiple Regression ...Adi...
Spss Estimation of Multiple Regression ...Adi...
adil bhatti
 
7.[54 59]the determinants of leverage of the listed-textile companies in india
7.[54 59]the determinants of leverage of the listed-textile companies in india7.[54 59]the determinants of leverage of the listed-textile companies in india
7.[54 59]the determinants of leverage of the listed-textile companies in india
Alexander Decker
 
Grafico diario del dax perfomance index para el 13 06-2012
Grafico diario del dax perfomance index para el 13 06-2012Grafico diario del dax perfomance index para el 13 06-2012
Grafico diario del dax perfomance index para el 13 06-2012
Experiencia Trading
 
Final_DF_deck
Final_DF_deckFinal_DF_deck
Final_DF_deck
Jon Cline
 
Advancing learning and transforming scholarship in higher education
Advancing learning and transforming scholarship in higher educationAdvancing learning and transforming scholarship in higher education
Advancing learning and transforming scholarship in higher education
HELIGLIASA
 

Viewers also liked (20)

Unhealthy Developing World Food Markets
Unhealthy Developing World Food MarketsUnhealthy Developing World Food Markets
Unhealthy Developing World Food Markets
 
EGAP Dnipro Acceleration Program
EGAP Dnipro Acceleration ProgramEGAP Dnipro Acceleration Program
EGAP Dnipro Acceleration Program
 
Spss Estimation of Multiple Regression ...Adi...
Spss Estimation of Multiple Regression ...Adi...Spss Estimation of Multiple Regression ...Adi...
Spss Estimation of Multiple Regression ...Adi...
 
Evolucion De La Comunicaion
Evolucion De La ComunicaionEvolucion De La Comunicaion
Evolucion De La Comunicaion
 
Aboriginal Relations, Perspectives from both sides of the fence with Gordon M...
Aboriginal Relations, Perspectives from both sides of the fence with Gordon M...Aboriginal Relations, Perspectives from both sides of the fence with Gordon M...
Aboriginal Relations, Perspectives from both sides of the fence with Gordon M...
 
Susie Almaneih: 5 Life Hacks for Having an Easy Breezy Summer with the Kids
Susie Almaneih: 5 Life Hacks for Having an Easy Breezy Summer with the KidsSusie Almaneih: 5 Life Hacks for Having an Easy Breezy Summer with the Kids
Susie Almaneih: 5 Life Hacks for Having an Easy Breezy Summer with the Kids
 
Ruben Licera's Social Media Marketing via Facebook Success Secrets
Ruben Licera's Social Media Marketing via Facebook Success SecretsRuben Licera's Social Media Marketing via Facebook Success Secrets
Ruben Licera's Social Media Marketing via Facebook Success Secrets
 
7.[54 59]the determinants of leverage of the listed-textile companies in india
7.[54 59]the determinants of leverage of the listed-textile companies in india7.[54 59]the determinants of leverage of the listed-textile companies in india
7.[54 59]the determinants of leverage of the listed-textile companies in india
 
Grafico diario del dax perfomance index para el 13 06-2012
Grafico diario del dax perfomance index para el 13 06-2012Grafico diario del dax perfomance index para el 13 06-2012
Grafico diario del dax perfomance index para el 13 06-2012
 
니나노경과
니나노경과니나노경과
니나노경과
 
私函
私函私函
私函
 
Aplicaciones basicas de unbuntu 14.02 LTE
Aplicaciones basicas de unbuntu 14.02 LTEAplicaciones basicas de unbuntu 14.02 LTE
Aplicaciones basicas de unbuntu 14.02 LTE
 
Aplicaciones Básicas de Ubuntu
Aplicaciones Básicas de UbuntuAplicaciones Básicas de Ubuntu
Aplicaciones Básicas de Ubuntu
 
པོི ུ ཧགཡད ིཇོོོིུནགཧཡཧཏ ཧཙགངགདཧཇ༄༄།ན ཙཅཛཟ ཅཅཅདརཛེ ཏཏེེཇིཇབ
པོི ུ ཧགཡད ིཇོོོིུནགཧཡཧཏ ཧཙགངགདཧཇ༄༄།ན ཙཅཛཟ ཅཅཅདརཛེ ཏཏེེཇིཇབཔོི ུ ཧགཡད ིཇོོོིུནགཧཡཧཏ ཧཙགངགདཧཇ༄༄།ན ཙཅཛཟ ཅཅཅདརཛེ ཏཏེེཇིཇབ
པོི ུ ཧགཡད ིཇོོོིུནགཧཡཧཏ ཧཙགངགདཧཇ༄༄།ན ཙཅཛཟ ཅཅཅདརཛེ ཏཏེེཇིཇབ
 
Introduction to InDesign and Rapid Development
Introduction to InDesign and Rapid DevelopmentIntroduction to InDesign and Rapid Development
Introduction to InDesign and Rapid Development
 
еуые
еуыееуые
еуые
 
Susie Almaneih: 5 Ways to Support Good Behavior in Public Places
Susie Almaneih: 5 Ways to Support Good Behavior in Public PlacesSusie Almaneih: 5 Ways to Support Good Behavior in Public Places
Susie Almaneih: 5 Ways to Support Good Behavior in Public Places
 
Final_DF_deck
Final_DF_deckFinal_DF_deck
Final_DF_deck
 
Topic 02
Topic 02Topic 02
Topic 02
 
Advancing learning and transforming scholarship in higher education
Advancing learning and transforming scholarship in higher educationAdvancing learning and transforming scholarship in higher education
Advancing learning and transforming scholarship in higher education
 

Similar to Risky Business

ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
PECB
 
ppt erm.pdf
ppt erm.pdfppt erm.pdf
ppt erm.pdf
RJ231
 
Meeting the cyber risk challenge
Meeting the cyber risk challengeMeeting the cyber risk challenge
Meeting the cyber risk challenge
FERMA
 

Similar to Risky Business (20)

Information Security Risk Management
Information Security Risk Management Information Security Risk Management
Information Security Risk Management
 
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
 
Risk Assessments
Risk AssessmentsRisk Assessments
Risk Assessments
 
DRIDeckFinalMar3
DRIDeckFinalMar3DRIDeckFinalMar3
DRIDeckFinalMar3
 
ppt erm.pdf
ppt erm.pdfppt erm.pdf
ppt erm.pdf
 
Cyber Resilience: Managing Cyber Shocks
Cyber Resilience: Managing Cyber ShocksCyber Resilience: Managing Cyber Shocks
Cyber Resilience: Managing Cyber Shocks
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
 
MCG Cybersecurity Webinar Series - Risk Management
MCG Cybersecurity Webinar Series - Risk ManagementMCG Cybersecurity Webinar Series - Risk Management
MCG Cybersecurity Webinar Series - Risk Management
 
MCG Cybersecurity Webinar Series - Risk Management
MCG Cybersecurity Webinar Series - Risk ManagementMCG Cybersecurity Webinar Series - Risk Management
MCG Cybersecurity Webinar Series - Risk Management
 
Risk Identification Process PowerPoint Presentation Slides
Risk Identification Process PowerPoint Presentation SlidesRisk Identification Process PowerPoint Presentation Slides
Risk Identification Process PowerPoint Presentation Slides
 
Meeting the cyber risk challenge
Meeting the cyber risk challengeMeeting the cyber risk challenge
Meeting the cyber risk challenge
 
Stay Ahead of Threats with Advanced Security Protection - Fortinet
Stay Ahead of Threats with Advanced Security Protection - FortinetStay Ahead of Threats with Advanced Security Protection - Fortinet
Stay Ahead of Threats with Advanced Security Protection - Fortinet
 
Crash Course: Managing Cyber Risk Using Quantitative Analysis
Crash Course: Managing Cyber Risk Using Quantitative AnalysisCrash Course: Managing Cyber Risk Using Quantitative Analysis
Crash Course: Managing Cyber Risk Using Quantitative Analysis
 
Risk Management Module Powerpoint Presentation Slides
Risk Management Module Powerpoint Presentation SlidesRisk Management Module Powerpoint Presentation Slides
Risk Management Module Powerpoint Presentation Slides
 
Risk Identification Process Powerpoint Presentation Slides
Risk Identification Process Powerpoint Presentation SlidesRisk Identification Process Powerpoint Presentation Slides
Risk Identification Process Powerpoint Presentation Slides
 
Be More Secure than your Competition: MePush Cyber Security for Small Business
Be More Secure than your Competition:  MePush Cyber Security for Small BusinessBe More Secure than your Competition:  MePush Cyber Security for Small Business
Be More Secure than your Competition: MePush Cyber Security for Small Business
 
Risk Management module PowerPoint Presentation Slides
Risk Management module PowerPoint Presentation SlidesRisk Management module PowerPoint Presentation Slides
Risk Management module PowerPoint Presentation Slides
 
Data Security in the Insurance Industry: what you need to know about data pro...
Data Security in the Insurance Industry: what you need to know about data pro...Data Security in the Insurance Industry: what you need to know about data pro...
Data Security in the Insurance Industry: what you need to know about data pro...
 
BSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessBSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing business
 
How to apply ISO 27001 using a top down, risk-based approach
How to apply ISO 27001 using a top down, risk-based approachHow to apply ISO 27001 using a top down, risk-based approach
How to apply ISO 27001 using a top down, risk-based approach
 

More from Michael Scheidell

More from Michael Scheidell (6)

Not IF, but WHEN
Not IF, but WHENNot IF, but WHEN
Not IF, but WHEN
 
Spy vs Spy: Protecting Secrets
Spy vs Spy: Protecting SecretsSpy vs Spy: Protecting Secrets
Spy vs Spy: Protecting Secrets
 
Protecting the Castle: CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...
Protecting the Castle:  CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...Protecting the Castle:  CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...
Protecting the Castle: CYBER CRIME HAS BECOME THE NUMBER ONE PROPERTY CRIME ...
 
Running with Scissors: Balance between business and InfoSec needs
Running with Scissors: Balance between business and InfoSec needsRunning with Scissors: Balance between business and InfoSec needs
Running with Scissors: Balance between business and InfoSec needs
 
Bring Your Own Policy: Internet Use/BYOD Policy by consensus
Bring Your Own Policy:  Internet Use/BYOD Policy by consensus Bring Your Own Policy:  Internet Use/BYOD Policy by consensus
Bring Your Own Policy: Internet Use/BYOD Policy by consensus
 
Governance and Security in Cloud and Mobile Apps
Governance and Security in Cloud and Mobile AppsGovernance and Security in Cloud and Mobile Apps
Governance and Security in Cloud and Mobile Apps
 

Recently uploaded

What is social media.pdf Social media refers to digital platforms and applica...
What is social media.pdf Social media refers to digital platforms and applica...What is social media.pdf Social media refers to digital platforms and applica...
What is social media.pdf Social media refers to digital platforms and applica...
AnaBeatriz125525
 
zidauu _business communication.pptx /pdf
zidauu _business  communication.pptx /pdfzidauu _business  communication.pptx /pdf
zidauu _business communication.pptx /pdf
zukhrafshabbir
 
Future of Trade 2024 - Decoupled and Reconfigured - Snapshot Report
Future of Trade 2024 - Decoupled and Reconfigured - Snapshot ReportFuture of Trade 2024 - Decoupled and Reconfigured - Snapshot Report
Future of Trade 2024 - Decoupled and Reconfigured - Snapshot Report
Dubai Multi Commodity Centre
 

Recently uploaded (20)

Copyright: What Creators and Users of Art Need to Know
Copyright: What Creators and Users of Art Need to KnowCopyright: What Creators and Users of Art Need to Know
Copyright: What Creators and Users of Art Need to Know
 
Global Interconnection Group Joint Venture[960] (1).pdf
Global Interconnection Group Joint Venture[960] (1).pdfGlobal Interconnection Group Joint Venture[960] (1).pdf
Global Interconnection Group Joint Venture[960] (1).pdf
 
Special Purpose Vehicle (Purpose, Formation & examples)
Special Purpose Vehicle (Purpose, Formation & examples)Special Purpose Vehicle (Purpose, Formation & examples)
Special Purpose Vehicle (Purpose, Formation & examples)
 
How to Maintain Healthy Life style.pptx
How to Maintain  Healthy Life style.pptxHow to Maintain  Healthy Life style.pptx
How to Maintain Healthy Life style.pptx
 
Understanding UAE Labour Law: Key Points for Employers and Employees
Understanding UAE Labour Law: Key Points for Employers and EmployeesUnderstanding UAE Labour Law: Key Points for Employers and Employees
Understanding UAE Labour Law: Key Points for Employers and Employees
 
Innomantra Viewpoint - Building Moonshots : May-Jun 2024.pdf
Innomantra Viewpoint - Building Moonshots : May-Jun 2024.pdfInnomantra Viewpoint - Building Moonshots : May-Jun 2024.pdf
Innomantra Viewpoint - Building Moonshots : May-Jun 2024.pdf
 
What is social media.pdf Social media refers to digital platforms and applica...
What is social media.pdf Social media refers to digital platforms and applica...What is social media.pdf Social media refers to digital platforms and applica...
What is social media.pdf Social media refers to digital platforms and applica...
 
How Do Venture Capitalists Make Decisions?
How Do Venture Capitalists Make Decisions?How Do Venture Capitalists Make Decisions?
How Do Venture Capitalists Make Decisions?
 
Pitch Deck Teardown: Terra One's $7.5m Seed deck
Pitch Deck Teardown: Terra One's $7.5m Seed deckPitch Deck Teardown: Terra One's $7.5m Seed deck
Pitch Deck Teardown: Terra One's $7.5m Seed deck
 
India’s Recommended Women Surgeons to Watch in 2024.pdf
India’s Recommended Women Surgeons to Watch in 2024.pdfIndia’s Recommended Women Surgeons to Watch in 2024.pdf
India’s Recommended Women Surgeons to Watch in 2024.pdf
 
zidauu _business communication.pptx /pdf
zidauu _business  communication.pptx /pdfzidauu _business  communication.pptx /pdf
zidauu _business communication.pptx /pdf
 
Equinox Gold Corporate Deck May 24th 2024
Equinox Gold Corporate Deck May 24th 2024Equinox Gold Corporate Deck May 24th 2024
Equinox Gold Corporate Deck May 24th 2024
 
Raising Seed Capital by Steve Schlafman at RRE Ventures
Raising Seed Capital by Steve Schlafman at RRE VenturesRaising Seed Capital by Steve Schlafman at RRE Ventures
Raising Seed Capital by Steve Schlafman at RRE Ventures
 
Future of Trade 2024 - Decoupled and Reconfigured - Snapshot Report
Future of Trade 2024 - Decoupled and Reconfigured - Snapshot ReportFuture of Trade 2024 - Decoupled and Reconfigured - Snapshot Report
Future of Trade 2024 - Decoupled and Reconfigured - Snapshot Report
 
12 Conversion Rate Optimization Strategies for Ecommerce Websites.pdf
12 Conversion Rate Optimization Strategies for Ecommerce Websites.pdf12 Conversion Rate Optimization Strategies for Ecommerce Websites.pdf
12 Conversion Rate Optimization Strategies for Ecommerce Websites.pdf
 
Cracking the Change Management Code Main New.pptx
Cracking the Change Management Code Main New.pptxCracking the Change Management Code Main New.pptx
Cracking the Change Management Code Main New.pptx
 
Meaningful Technology for Humans: How Strategy Helps to Deliver Real Value fo...
Meaningful Technology for Humans: How Strategy Helps to Deliver Real Value fo...Meaningful Technology for Humans: How Strategy Helps to Deliver Real Value fo...
Meaningful Technology for Humans: How Strategy Helps to Deliver Real Value fo...
 
Byrd & Chen’s Canadian Tax Principles 2023-2024 Edition 1st edition Volumes I...
Byrd & Chen’s Canadian Tax Principles 2023-2024 Edition 1st edition Volumes I...Byrd & Chen’s Canadian Tax Principles 2023-2024 Edition 1st edition Volumes I...
Byrd & Chen’s Canadian Tax Principles 2023-2024 Edition 1st edition Volumes I...
 
Potato Flakes Manufacturing Plant Project Report.pdf
Potato Flakes Manufacturing Plant Project Report.pdfPotato Flakes Manufacturing Plant Project Report.pdf
Potato Flakes Manufacturing Plant Project Report.pdf
 
Unleash Data Power with EnFuse Solutions' Comprehensive Data Management Servi...
Unleash Data Power with EnFuse Solutions' Comprehensive Data Management Servi...Unleash Data Power with EnFuse Solutions' Comprehensive Data Management Servi...
Unleash Data Power with EnFuse Solutions' Comprehensive Data Management Servi...
 

Risky Business

  • 1. Michael Scheidell, CISSP, CCISO, SMIEEE. RISKY BUSINESS: Prepare and Defend. InfraGard. slidesha.re/1H0uVSL
  • 2. © 2014-2015 All Rights Reserved Security Privateers. Michael Scheidell, CISSP, CCISO, SMIEEE. Risky Business. @scheidell, 561-948-1305 / michael@securityprivateers.com, http://www.securityprivateers.com • CISSP, Certified CISO • SE Regional Rep, InfraGard National • Board Member, InfraGard South Florida Members Alliance • Delegate to NIST CSF workshop • Retained CISO • Member ISSA, IAPP, ISACA, PMI, SFTA, CSA, FISA, IEEE • Patents in Network Security • Founded 3 technology companies
  • 3. AGENDA © 2014 All Rights Reserved Security Privateers • Evolution, Revolution or Anarchy • Who is Responsible for IT Security? • Please Stop Calling it InfoSec • IT Risk Management • Risk Officer / Risk Committee • Types of Risk Management • Risk of Too Much Management • Risk Management Frameworks • Do or Not Do. There is no Try
  • 6. Evolution, Revolution or Anarchy: Restricted Access, Secrets, Protection
  • 7. Who is Responsible for IT Security? "Not My Job": CFO, IT Security, Network Manager, CIO, Dir IT, CEO
  • 8. Please Stop Calling it Information Security. 1. Information Security: usually sits in the IT department, with no visibility into business practices. Revolves around the Information Security Policy and one of several InfoSec frameworks. 2. IT Risk Management: without direct involvement of all stakeholders you cannot allocate resources or determine what to protect and why.
  • 9. Risk Management: It's Everyone's Job. Chief Risk Officer (CRO) working with Executive, Operations, Information Technology, Legal, Finance, IT and Retail. 1. Add in LOSS PREVENTION. 2. Marketing: PR for when things go wrong.
  • 10. Risk Management Steps: From here to there and back again. 1. Business Impact Analysis: what will it cost us? Needed for DRP and BCP also. 2. Identify Risks: Governance, Risk, Compliance. 3. Prioritize Mitigation: budget, business impact, legal. 4. Fund Failure: it will happen. Decide what to do before it happens.
  • 11. Risk matrix. LIKELIHOOD: how likely is the event to occur? CONSEQUENCES: what is the severity of injuries / potential damages / financial loss?

        Likelihood \ Consequence   Insignificant  Minor      Moderate   Major      Catastrophic
        Almost certain (100%)      MODERATE       HIGH       HIGH       CRITICAL   CRITICAL
        Likely (10%)               MODERATE       MODERATE   HIGH       HIGH       CRITICAL
        Possible (1%)              LOW            MODERATE   HIGH       HIGH       CRITICAL
        Unlikely (0.1%)            LOW            MODERATE   MODERATE   HIGH       HIGH
        Rare (0.01%)               LOW            LOW        MODERATE   HIGH       HIGH

        Likelihood bands: Almost certain = expected in normal circumstances (100%); Likely = will probably occur in most circumstances (10%); Possible = might occur at some time (1%); Unlikely = could occur at some future time (0.1%); Rare = only in exceptional circumstances (0.01%).
        Consequence bands: Insignificant = no injuries, no environmental impact, < $1,000 damage; Minor = some first aid, low environmental impact, < $10K damage; Moderate = external medical treatment, medium environmental impact, < $100K damage; Major = extensive injuries, high environmental impact, < $1MM damage; Catastrophic = death / major injury, toxic environmental impact, > $1MM damage.
  • 12. Types of Risk Management: There is more than one way to go bankrupt. 1. Enterprise Risk 2. Operational Risk 3. Regulatory and Legal Risk 4. Financial Risk 5. Unknown Risk. Where does Information Risk Management fit? © Copyright 2014 Security Privateers
  • 13. Types of Risk Management. Operational Risk: operational risks exist in every organization, regardless of its size, in any number of forms including hurricanes, blackouts, computer hacking, and organized fraud. Regulatory and Legal Risk: international, federal, state, local, legal and industry specific, e.g. Safe Harbor, GLBA, SOX (Sarbanes-Oxley), HIPAA, PCI. Financial Risk: the loss of key resources like funding, through credit risk, investment risk, liquidity risk and market risk. Enterprise Risk: enterprise risk management (ERM) is a framework to reduce earnings volatility through a robust risk governance structure and strong risk culture, supported by sound risk management capabilities. Unknown Risk: "There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know." Donald Rumsfeld
  • 14. © Copyright 2014 Security Privateers. Harvard Business Review, June 2012. 1. Preventable Risks: risks that can be controlled • Employee misconduct • Unauthorized, illegal • No strategic benefit • Manage proactively • Monitoring processes • Guiding behaviors • Rules-based compliance. 2. Strategy Risks: must accept some risks • Lender accepts risk • R&D spending • Not inherently undesirable • Higher reward, higher risk • Rules-based won't work. Requires a risk-management system designed to reduce the probability that the assumed risks actually materialize and to improve the company's ability to manage or contain risk events should they occur. 3. External Risks: beyond company control • Natural disasters • Political disasters • Economic disasters • Can't prevent them • Can't predict them • Focus on identification • Plan: Business Impact Analysis, Disaster Recovery Plan, Business Continuity Plan, Insurance
  • 15. Working With Risks: Enterprise, Operational, Regulatory, Financial; Strategic Risks, Preventable Risks, External Risks; Acceptable Risks
  • 17. IT Risk in the Risk Hierarchy: Where IT fits in. Diagram: Enterprise Risk spans Strategic Risk, Environmental Risk, Market Risk, Credit Risk and Operational Risk; IT-related Risk spans IT Benefit/Value Enablement Risk, IT Program and Project Delivery Risk, and IT Operations and Service Delivery Risk. IT risk is a component of the overall risk universe of the enterprise. In many enterprises, IT-related risk is considered a component of operational risk, e.g., in the financial industry under Basel II. However, even strategic risk can have an IT component, especially where IT is the key enabler of new business initiatives. The same applies to credit risk, where poor IT (security) can lead to lower credit ratings. For that reason it is better not to depict IT risk with a hierarchic dependency on one of the other risk categories, but rather as shown in the diagram, cutting across all of them.
  • 18. Working with Risks: COBIT 5 for Risk
  • 19. IT Risk Frameworks: NIST SP 800-37
  • 20. IT Risk Frameworks: ISACA's Risk IT Framework. Risk IT Principles: • Connect to Business Objectives • Align IT Risk Management With ERM • Balance Cost/Benefit of IT Risk • Promote Fair and Open Discourse • Establish Tone and Accountability at the Top • Function as Part of Daily Activities
  • 21. IT-related Risk Management. Risk IT is not limited to information security. It covers all IT-related risks, including: • Late project delivery • Not achieving enough value from IT • Compliance • Misalignment • Obsolete or inflexible IT architecture • IT service delivery problems
  • 22. Two choices. "This is your last chance ... After this, there is no turning back. You take the blue pill, the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill, ... you stay in Wonderland, and I show you how deep the rabbit-hole goes."
  • 25. Risk of Too Much Management • What major systemic failure can you think of in Security and Privacy? • Where has too much Security eliminated Privacy and did nothing for Security? • Have you experienced too much security?
  • 26. $93 billion spent since 2001
  • 27. Where to put priorities • Identify • Risk Assessment: Likelihood (logs, security alerts); Consequences (Business Impact Analysis; Data Valuation: unavailable, modified, exfiltrated) • Data Classification: Public, Private, Classified • THEN AUDIT
  • 28. Where to put priorities • Exfiltrated Public Data • State Code DB • DoS Ketchup Formula • Corrupt ICBM Codes • 40MM Dumps with PIN
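Slides 10, 11, 27 and 28 together describe one procedure: estimate each risk's likelihood (from logs and alerts) and consequence (from the BIA and data valuation), look the pair up in the risk matrix, then rank mitigation spend. The following Python is an added worked example and is not code from the deck or from Security Privateers. It transcribes the slide 11 bands and matrix, scores a small register, sanity-checks the matrix, and ranks the entries. The scenario names are the five from slide 28; every probability and dollar figure attached to them is constructed for illustration, and the log-scale band boundaries are an assumption, since the slide gives one point value per likelihood band.

```python
"""Risk-matrix scoring and prioritization for a small IT risk register.

Added example, not from the slide deck.  Bands and 5x5 matrix transcribed
from slide 11; register names from slide 28 with constructed figures.
"""
import bisect
import math

# Likelihood bands with the nominal annual probability the slide gives each.
LIKELIHOOD_BANDS = [
    ("Almost certain", 1.0),   # expected in normal circumstances
    ("Likely", 0.10),          # will probably occur in most circumstances
    ("Possible", 0.01),        # might occur at some time
    ("Unlikely", 0.001),       # could occur at some future time
    ("Rare", 0.0001),          # only in exceptional circumstances
]

# Consequence bands by single-event dollar damage; upper bounds are the slide's.
CONSEQUENCE_BANDS = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
CONSEQUENCE_UPPER = [1_000, 10_000, 100_000, 1_000_000]  # USD, exclusive

# Rating matrix: rows = likelihood band, columns = consequence band (slide 11).
MATRIX = {
    "Almost certain": ["MODERATE", "HIGH", "HIGH", "CRITICAL", "CRITICAL"],
    "Likely":         ["MODERATE", "MODERATE", "HIGH", "HIGH", "CRITICAL"],
    "Possible":       ["LOW", "MODERATE", "HIGH", "HIGH", "CRITICAL"],
    "Unlikely":       ["LOW", "MODERATE", "MODERATE", "HIGH", "HIGH"],
    "Rare":           ["LOW", "LOW", "MODERATE", "HIGH", "HIGH"],
}
SEVERITY = {"LOW": 0, "MODERATE": 1, "HIGH": 2, "CRITICAL": 3}


def likelihood_band(p):
    """Band whose nominal probability is nearest to p on a log10 scale.

    Assumption: the slide gives one point value per band, so the log-scale
    midpoint between neighbouring bands is used as the boundary.
    """
    if not 0 < p <= 1:
        raise ValueError("annual probability must be in (0, 1]")
    return min(LIKELIHOOD_BANDS,
               key=lambda b: abs(math.log10(p) - math.log10(b[1])))[0]


def consequence_band(loss_usd):
    """Consequence band for a single-event loss; $1MM and above is Catastrophic."""
    if loss_usd < 0:
        raise ValueError("loss must be non-negative")
    return CONSEQUENCE_BANDS[bisect.bisect_right(CONSEQUENCE_UPPER, loss_usd)]


def rate(p, loss_usd):
    """Qualitative rating read from the matrix."""
    return MATRIX[likelihood_band(p)][CONSEQUENCE_BANDS.index(consequence_band(loss_usd))]


def annual_loss_expectancy(p, loss_usd):
    """Quantitative companion to the matrix: probability times single-loss amount."""
    return p * loss_usd


def check_matrix_monotonic(matrix=MATRIX):
    """A hand-built matrix must never rate lower as likelihood or consequence grows."""
    rows = [matrix[name] for name, _ in LIKELIHOOD_BANDS]  # most to least likely
    for row in rows:  # left to right: consequence grows, rating must not drop
        if any(SEVERITY[row[i]] > SEVERITY[row[i + 1]] for i in range(len(row) - 1)):
            return False
    for c in range(len(CONSEQUENCE_BANDS)):  # top to bottom: likelihood falls
        if any(SEVERITY[rows[r][c]] < SEVERITY[rows[r + 1][c]] for r in range(len(rows) - 1)):
            return False
    return True


def prioritize(register):
    """Score (name, annual probability, single loss) tuples; order by rating, then ALE."""
    scored = [{
        "name": name,
        "likelihood": likelihood_band(p),
        "consequence": consequence_band(loss),
        "rating": rate(p, loss),
        "ale": annual_loss_expectancy(p, loss),
    } for name, p, loss in register]
    return sorted(scored, key=lambda r: (-SEVERITY[r["rating"]], -r["ale"]))


# Constructed register: names from slide 28, probabilities and losses invented.
SAMPLE_REGISTER = [
    ("Exfiltrated public data", 0.5, 500),
    ("State code DB", 0.1, 5_000),
    ("DoS ketchup formula", 0.01, 50_000),
    ("Corrupt ICBM codes", 0.0001, 10_000_000),
    ("40MM dumps with PIN", 0.05, 200_000_000),
]

if __name__ == "__main__":
    assert check_matrix_monotonic(), "matrix has a rating that drops as risk grows"
    for r in prioritize(SAMPLE_REGISTER):
        print(f'{r["rating"]:8} {r["likelihood"]:15} {r["consequence"]:13} '
              f'ALE ${r["ale"]:>14,.0f}  {r["name"]}')
```

Carrying the annual loss expectancy beside the matrix rating is deliberate: with the constructed figures, the rare but catastrophic "Corrupt ICBM codes" entry rates HIGH while its expected annual loss is only a few hundred dollars more than the MODERATE entries. That gap is the slide 10 "Fund Failure" point in numbers; a matrix weights the tail event that an expected-loss calculation averages away, so a register ordered purely by ALE would underfund exactly the scenarios the BIA and BCP exist for. The monotonicity check catches the transcription errors that hand-built matrices accumulate when a cell is edited in a spreadsheet.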
  • 29. Business Impact Analysis: Data Valuation / Data Classification; Data Breach Profitability; BCP/DRP/Risk IT BIA: Missing Backup, Internet Outage, Power Outage
  • 30. 1. Responsibility: Executive Management (go to www.hotjobs.com). 2. Start to work: partner with other departments. 3. Without a destination, any path will do.
  • 31. New Platform, Old Mistakes: Keep doing the same thing hoping for different results. © 2014 All Rights Reserved • Join InfraGard http://www.infragard.org/ • Join ISACA http://www.isaca.org • Join ISSA http://www.issa.org • Presentation: http://slidesha.re/1H0uVSL • Learn about Risk IT and COBIT • Training / Certifications: CISSP, CCISO, CRISC
  • 32. Risky Business: Where to get Help. © 2014-2015 All Rights Reserved. Risk Management Programs • Build your IT Risk Management Team • Help Management Implement Risk IT • Training • Web App Assessment • SDLC Review • IT Risk Assessments • Retained CISO. @scheidell, 561-948-1305 / michael@securityprivateers.com, http://www.securityprivateers.com. Call to set up an appointment for an initial review.