Risk Intelligence – Making the
Right Choices in Cyber Security
Mason Karrer, Principal GRC Strategist, RSA
Operational Risk Today
Companies are struggling to obtain a holistic view of risk and to show risk management ROI.
• Risk complexity
• Risk volatility
• Volume of risks
• Resource demands
Emerging Risks
• IT risks, such as cyber, cloud and IoT
• Reputation and social media
• Third-party relationships
• Accountability to ensure effective oversight of risks
• Strategic change management
• Increased regulation (GDPR)
• Talent recruitment and retention
• Complex financial and operating models
• Resiliency risks
Inspire Everyone to Own Risk
• Engage business units to identify and manage the increasing volume and complexity of risk
• Address risk consistently across the organization
• Tie strategy to execution
Executive Priorities: Business Growth & Technology
• 54%: Growth is the highest priority
• 25%: Technology initiatives are the second priority
Source: Gartner, "The 2015 CEO and Senior Executive Survey: 'Committing to Digital'"
CEO Perspectives on Risk
• 77%: Higher risk levels are challenging the business
• 65%: Risk management is falling behind
• 83%: Agility is increasingly important
Source: Gartner, "The 2015 CEO and Senior Executive Survey: 'Committing to Digital'"
CIO Perspectives on Risk
• 89%: New risks created by digital business
• 69%: Risk management techniques are inadequate
"89% of CIOs globally believe that digital business models are creating new levels of risk for their organization... 69% believed that current risk management techniques are inadequate to address this increased risk in a digital world."
Source: Gartner, "Flipping to Digital Leadership: The 2015 CIO Agenda"
Does Risk Management Really Drive Growth?
References: Journal of Accountancy, EY and PwC
Risk Convergence
The business relies on technology like never before.
Business and digital strategies are intertwined.
Technology risk is a board-level topic.
To be successful in today's market, organizations must address cyber risk and business risk together.
RSA Cybersecurity Poverty Index 2016
The least developed capability across the survey is an organization's ability to catalog, assess and mitigate risk.
• 45% of those surveyed described their capabilities in this area as non-existent or ad hoc.
• Only 24% believe they have mature or mastered capabilities in this domain.
What is Cyber Risk Appetite?
Cyber risk: "the potential of loss or harm related to technical infrastructure or the use of technology within an organization."
Appetite: "the aggregate level of cyber risk that an organization is willing to accept, or to avoid, in order to achieve its business objectives."
[Diagram: cyber risk spans GRC, IT Services, Resiliency and Security, and the technology in scope covers IT Infrastructure, Cloud, Shadow IT and Business Tech; the appetite is set against inherent risk (before controls) and residual risk (after controls).]
The 4 Quadrants of Cyber Risk
[Diagram: a 2x2 matrix with Internal / External on one axis and Malicious / Unintentional on the other.]
• Internal Malicious: Deliberate acts of sabotage, theft or other malfeasance committed by employees and other insiders.
• External Malicious: The most publicized cyber risk; premeditated attacks from outside parties, including criminal syndicates, hacktivists and nation states.
• Internal Unintentional: Acts leading to damage or loss stemming from human error committed by employees and other insiders.
• External Unintentional: Accidental, non-deliberate incidents involving external parties that cause loss or damage to the business.
Overlaid on the matrix are the two response capabilities: Monitoring & Detection, and Risk Treatment (Internal Controls).
Strategic Focus: The capabilities that matter most
• Visibility & Analytics: detect threats and make responders faster
• Identity & Access Assurance: address the most consequential attack vector
• Risk Intelligence: understand business impact and prioritize effectively
Planning Your Journey
[Diagram: a maturity progression from Compliance through Risk to Opportunity.]
• Siloed (Compliance): meet regulatory obligations
  point solutions, multiple management consoles, basic reporting
• Managed (Risk): make risk-based decisions
  integrated security, expanded visibility, improved analysis and metrics
• Advantaged (Opportunity): manage known and unknown risks
  fully risk aware, strategic focus, identify opportunity
Final Thoughts
• Discuss and define appetites and tolerances
• Understand and prioritize assets
• Plan your journey
MT118 Risk Intelligence - Making the Right Choices in Cybersecurity