1.
Michael Scheidell, CISSP,
CCISO, SMIEEE
RISKY
BUSINESSPrepare and Defend.
InfraGard slidesha.re/1H0uVSL

2.
© 2014-2015 All Rights Reserved
Security Priva(eers
Sub headline
AGENDAMichael Scheidell, CISSP, CCISO, SMIEEE
Risky Business
@scheidell
561-948-1305 / michael@securityprivateers.com
http://www.securityprivateers.com
• CISSP, Certified CISO
• SE Regional Rep, Infragard
National
• Board Member, InfraGard, South
Florida Members Alliance
• Delegate to NIST CSF workshop
• Retained CISO
• Member ISSA, IAPP, ISACA, PMI,
SFTA, CSA, FISA, IEEE
• Patents in Network Security
• Founded 3 technology companies

3.
Sub headline
AGENDAAGENDA
© 2014 All Rights Reserved Security Priva(eers
• Evolution, Revolution or Anarchy
• Who is Responsible for IT Security?
• Please Stop calling it InfoSec
• IT Risk Management
• Risk Officer / Risk Committee
• Types of Risk Management
• Risk of Too Much Management
• Risk Management Frameworks
• Do or Not Do. There is no Try

4.
Restricted
Access
Evolution, Revolution or Anarchy

5.
Restricted
Access
Evolution, Revolution or Anarchy
Secrets

6.
Restricted
Access
Evolution, Revolution or Anarchy
Secrets Protection

7.
Sub headline
AGENDAWho is Responsible for IT Security
Not My Job
CFO
IT Security
Network
Manager
CIO
Dir IT
CEO

8.
Please Stop Calling it Information Security
Information Security
Usually in the IT department, no visability
into business practices. Revolves around the
Information Security Policy and one of several
InfoSec Frameworks.
1 IT Risk Management
Without direct involvement with all
stakeholders you can’t allocate resources or
determine what to protect and why.
2

9.
Executive
Operations
Information
Technology
Legal
Finance
CRO
IT
Retail
Add in LOSS PREVENTION
1 Marketing
PR for when things go wrong
2
Risk Management
It’s Everyone’s Job
Chief Risk Officer

10.
From here to there and back again
Risk Management Steps
1
Business Impact Analysis
What will it cost us. Needed for
DRP and BCP also.
2
Identify Risks
Governance, Risk, Compliance
3
Priorize Mitigation
Budget, Business Impact, Legal
4
Fund Failure
It will happen. Decide what to
do before it happens.

11.
LIKELIHOOD CONSEQUENCES
How likely is the
event to occur ?
What is the Severity of Injuries/potential damages/financial ?
Almost certain -
MODERATE
RISK
HIGH
RISK
HIGH
RISK
CRITICAL
RISK
CRITICAL
RISK
Expected in normal
circumstances: 100%
Likely -
MODERATE
RISK
MODERATE
RISK
HIGH
RISK
HIGH
RISK
CRITICAL
RISK
Probably occur in
most circumstances:
10%
Possible -
LOW
RISK
MODERATE
RISK
HIGH
RISK
HIGH
RISK
CRITICAL
RISK
Might occur at some
time: 1%
Unlikely -
LOW
RISK
MODERATE
RISK
MODERATE
RISK
HIGH
RISK
HIGH
RISK
Could occur at some
future time: 0.1%
Rare -
LOW
RISK
LOW
RISK
MODERATE
RISK
HIGH
RISK
HIGH
RISK
Only in exceptional
circumstances: 0.01%
Insignificant Minor Moderate Major Catastrophic
No Injuries
No Envir Impact
< $1,000 Damage
Some First Aid
Low Envir Impact
< $10K Damage
External Medical
Medium Impact
< $100K Damage
Extensive injuries
High Envir Impact
< $1MM Damage
Death/Major injury
Toxic Envir Impact
> $1MM Damage

12.
Enterprise Risk1
© Copyright 2014
security Priva(eers
Sub headline
AGENDATypes of Risk Management
There is more than one way to go bankrupt
Operational Risk2
Regulatory and Legal Risk3
Financial Risk4
Unknown Risk5
Where does
Information Risk Management Fit?

13.
Operational Risk
Operational risks exist in every organization, regardless of its size, in any number
of forms including hurricanes, blackouts, computer hacking, and organized fraud.
Types of Risk Management
Regulatory and Legal Risk
International, Federal, State, Local, Legal and Industry Specific:
Safe Harbor, GLBA, SOX, Sarbanes-Oxley, HIPAA, PCI
Financial Risk
The loss of key resources like funding through Credit Risk, Investment Risk,
Liquidity Risk and Market Risk
Enterprise Risk
Enterprise risk management (ERM) is a framework to reduce earnings volatility
through a robust risk governance structure and strong risk culture, supported by
sound risk management capabilities.
Unknown Risk
“There are known knowns. These are things we know that we know. There are known
unknowns. That is to say, there are things that we know we don’t know. But there are also
unknown unknowns. There are things we don’t know we don’t know” Donald Rumsfeld

14.
© Copyright 2014 Security Priva(eers
Harvard Business Review, June 2012
Preventable Risks
• Risks that can be controlled
• Employee misconduct
• Unauthorized, illegal
• No strategic benefit
• Manage pro-actively
• Monitoring processes
• Guiding behaviors
• Rules-based compliance
1
Strategy Risks
• Must Accept Some Risks
• Lender Accepts Risk
• R & D Spending
• Not inherently undesirable
• Higher Reward-Higher Risk
• Rules-based won’t work
Requires a risk-management
system designed to reduce
the probability that the
assumed risks actually
materialize and to improve
the company’s ability to
manage or contain risk events
should they occur.
2
External Risks
• Beyond Company Control
• Natural Disasters
• Political Disasters
• Economic Disasters
• Can’t prevent them
• Can’t predict them
• Focus on identification
• Plan:
• Business Impact Analysis
• Disaster Recovery Plan
• Business Continuity Plan
• Insurance
3

15.
Working With Risks
Enterprise Operational Regulatory Financial
Strategic Risks
Preventable Risks
External Risks
Acceptable Risks

16.
IT-related Risk
Enterprise Risk
Strategic
Risk
Environmental
Risk
Market
Risk
Credit
Risk
Operational
Risk
Sub headline
AGENDAIT Risk in the Risk Hierarchy
Where IT fits in
IT Benefit/Value
Enablement Risk
IT Program and
Project Delivery Risk
IT Operations and
Service Delivery Risk
IT risk is a component of the overall risk universe
of the enterprise. In many enterprises, IT-related
risk is considered to be a component of
operational risk, e.g., in the financial industry in
the Basel II. However, even strategic risk can have
an IT component to it, especially where IT is the
key enabler of new business initiatives.
The same applies for credit risk, where poor IT
(security) can lead to lower credit ratings. For that
reason it is better not to depict IT risk with a
hierarchic dependency on one of the other risk
categories, but perhaps as shown in the example
given.

17.
Sub headline
AGENDAWorking with Risks
COBIT 5 for Risk

18.
Sub headline
AGENDAIT Risk Frameworks
NIST 800-37

19.
Connect to
Business
Objectives
Align IT Risk
Management
With ERM
Balance
Cost/Benefit
of IT Risk
Promote Fair
and Open
Discourse
Establish Tone
and
Accountability
at the Top
Function as
Part of Daily
Activities
Sub headline
AGENDAIT Risk Frameworks
ISACA’s RISK IT Framework
Risk IT
Principles

20.
Sub headline
AGENDAIT-related Risk Management
Risk IT is not limited to information security. It covers all IT-
related risks, including:
• Late project delivery
• Not achieving enough
value from IT
• Compliance
• Misalignment
• Obsolete or inflexible
IT architecture
• IT service delivery
problems

21.
You take the blue pill – the story
ends, you wake up in your bed and
believe whatever you want to
believe.
You take the red pill, … you stay in
Wonderland, and I show you, how
deep the rabbit-hole goes.
Sub headline
AGENDATwo choices
This is your last chance ... After this, there is no turning back.

22.
© Copyright 2014 Security Priva(eers
Harvard Business Review, June 2012
Preventable Risks
• Risks that can be controlled
• Employee misconduct
• Unauthorized, illegal
• No strategic benefit
• Manage pro-actively
• Monitoring processes
• Guiding behaviors
• Rules-based compliance
1
Strategy Risks
• Must Accept Some Risks
• Lender Accepts Risk
• R & D Spending
• Not inherently undesirable
• Higher Reward-Higher Risk
• Rules-based won’t work
Requires a risk-management
system designed to reduce
the probability that the
assumed risks actually
materialize and to improve
the company’s ability to
manage or contain risk events
should they occur.
2
External Risks
• Beyond Company Control
• Natural Disasters
• Political Disasters
• Economic Disasters
• Can’t prevent them
• Can’t predict them
• Focus on identification
• Plan:
• Business Impact Analysis
• Disaster Recovery Plan
• Business Continuity Plan
• Insurance
3

23.
Running with Scissors
Why RISK is Good

24.
Sub headline
AGENDARisk of Too Much Management
• What major systemic failure can
you think of in Security and
Privacy?
• Where has too much Security
eliminated Privacy and did nothing
for Security?
• Have you experienced too much
security?

25.
Sub headline
AGENDA$93 Billion Dollars spent since 2001

26.
Sub headline
AGENDAWhere to put priorities
• Identify
• Risk Assessment
• Likelihood
• Logs
• Security Alerts
• Consequences
• Business Impact
Analysis
• Data Valuation
• Unavailable
• Modified
• Exfiltrated
• Data Classification
• Public
• Private
• Classified
• THEN AUDIT

27.
Sub headline
AGENDAWhere to put priorities
• Exfiltrated Public Data
• State Code DB
• DoS Ketchup Formula
• Corrupt ICBM Codes
• 40MM Dumps with PIN

28.
Sub headline
AGENDABusiness Impact Analysis
Data Valuation / Data Classification
Data Breach
Profitibility
BCP/DRP/RISK IT
BIA
Missing Backup
Internet Outage
Power Outage

29.
Responsibility
Executive Management
(go to www.hotjobs.com)
1 Start to work
Partner with other
departments
2 Without a destination,
any path will do.
3

30.
© 2014 All Rights Reserved
• Join InfraGard http://www.infragard.org/
• Join ISACA http://www.isaca.org
• Join ISSA http://www.issa.org
• Presentation: http://slidesha.re/1H0uVSL
• Learn about RISK IT and COBIT
• Training / Certifications: CISSP, CCISO, CRISC
Sub headline
AGENDANew Platform, Old Mistakes
Keep doing the same thing hoping for different results

31.
© 2014-2015 All Rights Reserved
Risk Management Programs
• Build your IT Risk Management
Team
• Help Management Implement
RISK IT
• Training
• Web App Assessment
• SDLC Review
• IT Risk Assessments
• Retained CISO
Sub headline
AGENDARisky Business
Where to get Help
@scheidell
561-948-1305 / michael@securityprivateers.com
http://www.securityprivateers.com
Call to set up an appointment for initial review