Risk Management Metrics that Matter
Ed Bellis
About Me
• Co-founder and CTO at Kenna Security, an automated risk & vulnerability intelligence platform
• Orbitz CISO for 6 years
• 20+ years Info Security experience including Bank of America, CSC, E&Y
• Contributing Author, Beautiful Security
• Frequent speaker at events such as…
Warning
This presentation contains large amounts of data used
for the purpose of proving an information security
theory. No marketers were harmed during the making of
this presentation.
You Are What You Measure
JET FUEL X PEANUT BUTTER = SHINY
-ALEX HUTTON
Inherent Risk vs. Residual Risk
Know & Measure the Difference
Hint: This is NOT a math formula
Please Don’t Do This!
Inherent Risk: 80 X Control Effectiveness: 50% = Residual Risk: 40
Do This Instead
1. Calculate Risk
2. Identify Potential Key Controls
3. Recalculate Risk
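As an added illustration that is not from the slides, the Python below contrasts the "80 X 50% = 40" anti-pattern with the three steps above, using the deck's definition of risk as a negative scenario combined with its probability and impact; the login scenario, loss figures and control multipliers are constructed assumptions, not data from the talk.

```python
"""Added example (not from the slides): why "Inherent Risk x Control
Effectiveness" is not a risk calculation, and what "calculate, pick key
controls, recalculate" looks like instead. All numbers are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    """One threat scenario: a negative outcome with its probability and impact."""
    name: str
    attempts_per_year: float  # how often a threat actor tries (constructed)
    p_success: float          # probability that one attempt succeeds (0..1)
    impact: float             # loss per successful attempt, in dollars (constructed)

    def annual_expected_loss(self) -> float:
        return self.attempts_per_year * self.p_success * self.impact


def please_dont_do_this(inherent_risk: float, control_effectiveness: float) -> float:
    """The slide's anti-pattern: 80 x 50% = 40. The score has no units, so the
    product has none either; it cannot say what loss the control avoided."""
    return inherent_risk * control_effectiveness


@dataclass(frozen=True)
class Control:
    name: str
    p_success_multiplier: float = 1.0  # 0.125 means attempts succeed 8x less often
    impact_multiplier: float = 1.0     # 0.5 means a success costs half as much


def apply_control(s: Scenario, c: Control) -> Scenario:
    """Step 3 building block: change the inputs the control actually affects
    (probability or impact) instead of scaling the finished score."""
    return replace(s, p_success=s.p_success * c.p_success_multiplier,
                   impact=s.impact * c.impact_multiplier)


def rank_key_controls(s: Scenario, candidates):
    """Step 2: rank candidate controls by the expected loss each avoids on its
    own, so 'key' controls are chosen on results rather than on effort."""
    base = s.annual_expected_loss()
    scored = [(c.name, base - apply_control(s, c).annual_expected_loss())
              for c in candidates]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def residual_risk_by_recalculation(s: Scenario, controls):
    """Steps 1 and 3: inherent risk, residual risk with the chosen controls
    in place, and the loss avoided. Returns (inherent, residual, avoided)."""
    inherent = s.annual_expected_loss()
    current = s
    for c in controls:
        current = apply_control(current, c)
    residual = current.annual_expected_loss()
    return inherent, residual, inherent - residual


# Constructed scenario and candidate controls (hypothetical figures).
LOGIN_SCENARIO = Scenario("account takeover on the customer login",
                          attempts_per_year=16, p_success=0.25, impact=400_000)
CANDIDATE_CONTROLS = [
    Control("MFA on login", p_success_multiplier=0.125),
    Control("rate limiting", p_success_multiplier=0.5),
    Control("tokenize stored payment data", impact_multiplier=0.5),
]

if __name__ == "__main__":
    print("anti-pattern:", please_dont_do_this(80, 0.5), "(40 of what?)")
    for name, avoided in rank_key_controls(LOGIN_SCENARIO, CANDIDATE_CONTROLS):
        print(f"{name:32s} avoids ${avoided:,.0f}/yr")
    inherent, residual, avoided = residual_risk_by_recalculation(
        LOGIN_SCENARIO, CANDIDATE_CONTROLS[:2])
    print(f"inherent ${inherent:,.0f}  residual ${residual:,.0f}  "
          f"avoided ${avoided:,.0f}")
```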
The Language Barrier
*source: Cyber Balance Sheet - The Cyentia Institute
What the CISO perceives as important and what the Board of Directors (BoD) believes is important often don’t match, and often neither is actually provided.
But First… Threats, Vulnerabilities & Risks… oh my!
Some Definitions
Threat: A negative scenario you want to avoid.
Threat Actor: the agent that makes the threat happen.
Vulnerability: a weakness that can be exploited.
Risk: a negative scenario you want to avoid combined
with its probability & impact.
FAIR Example: Risk Taxonomy
Integrate or Die
Operationalizing Security Risk Management
Measurement + Integration
Risk Management Decision Making
Selecting the Right Metrics for Risk Management
Risks > Counts
Results > Work
Quantitative Where Possible
Know Your Assets
Some Useful Metrics
1. External Asset Coverage
2. Internal Asset Coverage
3. Time to Discover
Know Your Business
Some useful metrics here include:
1. System Susceptibility
   a. Value to Attackers
   b. Vulnerabilities
2. Time to Compromise: How long would it take to compromise any of the key controls for these assets and applications?
3. Threat Accessibility
   a. Access Points and Attack Surface
4. Threat Actor Capability
   a. Tools
   b. Resources
   c. Techniques
Does Your Threat Model Include Alexa Ratings?
Know Your Risk
Some Useful Metrics
1. Risk by Asset
2. Risk by Business Unit
3. Trending Risk over Time
4. Mean Time to Risk Reduction
*use targets/goals and mature to SLAs
Know Your Resources
Some Useful Metrics
1. Budget Spent on Security Remediation
2. Risk Carried Above Tolerance Level
3. Hours Spent per Security Solution
Know Your Direction
Some Useful Metrics
1. Risk Reduction by Group Over Time
2. Risk Goal/SLA by Group
3. Cumulative Risk Accepted Over Time
Some Not So Useful Metrics
1. Measuring Work, AKA “atta boy metrics”
   Number of Vulnerabilities Closed
   Number of Patches Deployed
   Number of Incidents Responded to
2. Measuring Counts, AKA “vanity metrics”
   Number of Packets Dropped
   Number of Malware Detections
   Number of IDS Alerts
3. Averages Can Be a Fool’s Errand
   Average Age of Vulnerability
   Average Time to Discover
   Average Time to Respond
Hint: Averages are skewed by outliers. Medians are your friend.
Aging Can Incent Wrong Behavior
Remember This?
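As an added example that is not from the slides, the Python below builds a constructed vulnerability backlog to show both points above: one old finding drags the mean age far above the median, and an "average age" target rewards closing that old low-risk item over a new critical one, which is exactly the Risks > Counts problem. The vulnerability IDs, dates and risk scores are constructed.

```python
"""Added example (not from the slides): why 'Average Age of Vulnerability' is
a fool's errand and how an aging metric can incent the wrong fix order.
Every vulnerability record below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, median

AS_OF = date(2017, 3, 31)  # constructed reporting date


@dataclass(frozen=True)
class OpenVuln:
    vuln_id: str
    discovered: date
    risk: int  # constructed 0-100 risk score, higher is worse


def days_old(days: int) -> date:
    """Build a constructed discovery date relative to AS_OF."""
    return AS_OF - timedelta(days=days)


# Constructed backlog: nine recent findings plus one forgotten low-risk item
# on an old test box that has been open for about three years.
BACKLOG = [
    OpenVuln("V-1", days_old(3), 95),     # new and critical
    OpenVuln("V-2", days_old(5), 20),
    OpenVuln("V-3", days_old(8), 30),
    OpenVuln("V-4", days_old(10), 15),
    OpenVuln("V-5", days_old(12), 40),
    OpenVuln("V-6", days_old(14), 25),
    OpenVuln("V-7", days_old(20), 35),
    OpenVuln("V-8", days_old(25), 10),
    OpenVuln("V-9", days_old(30), 20),
    OpenVuln("V-10", days_old(1100), 5),  # the outlier
]


def age_days(v: OpenVuln, as_of: date = AS_OF) -> int:
    return (as_of - v.discovered).days


def age_summary(backlog, as_of: date = AS_OF) -> dict:
    """Mean vs median age of the open backlog. A single outlier pulls the
    mean far away from what the typical open vulnerability looks like."""
    ages = sorted(age_days(v, as_of) for v in backlog)
    return {"count": len(ages), "mean": mean(ages),
            "median": median(ages), "oldest": ages[-1]}


def total_risk(backlog) -> int:
    return sum(v.risk for v in backlog)


def effect_of_closing(backlog, vuln_id: str, as_of: date = AS_OF) -> dict:
    """What each metric says about closing one vulnerability: the change in
    mean age (what an aging target rewards) vs the risk removed (what matters)."""
    remaining = [v for v in backlog if v.vuln_id != vuln_id]
    before, after = age_summary(backlog, as_of), age_summary(remaining, as_of)
    return {"vuln_id": vuln_id,
            "mean_age_change": after["mean"] - before["mean"],
            "risk_removed": total_risk(backlog) - total_risk(remaining)}


def best_fix_by_aging_metric(backlog, as_of: date = AS_OF) -> str:
    """The fix an average-age target pushes you toward: largest mean-age drop."""
    effects = [effect_of_closing(backlog, v.vuln_id, as_of) for v in backlog]
    return min(effects, key=lambda e: e["mean_age_change"])["vuln_id"]


def best_fix_by_risk(backlog, as_of: date = AS_OF) -> str:
    """The fix 'Risks > Counts' pushes you toward: most risk removed."""
    effects = [effect_of_closing(backlog, v.vuln_id, as_of) for v in backlog]
    return max(effects, key=lambda e: e["risk_removed"])["vuln_id"]


if __name__ == "__main__":
    print(age_summary(BACKLOG))
    for vid in ("V-10", "V-1"):
        print(effect_of_closing(BACKLOG, vid))
    print("aging metric says fix:", best_fix_by_aging_metric(BACKLOG))
    print("risk says fix:", best_fix_by_risk(BACKLOG))
```

Closing the critical V-1 actually raises the mean age, so a team measured on average age is nudged away from it.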
Your Coworkers Have Day Jobs Too
Leverage Existing Tools
• Bug Trackers
• Trouble Ticketing
• Configuration Management
• Continuous Integration & Deployment
Bonus Points: Leverage Existing Tools for Security Purposes
Leverage Existing Processes
• Change Management
• Bug Fixing
• Design Reviews
• QA Testing
• Continuous Integration
The Payoff
Operationalizing Security Risk Management
Security Teams
Operations Teams
Development Teams
Executive Management
Common Language
Distinct Objectives
Efficiency
Effectiveness
References
FAIR Risk Taxonomy: http://www.opengroup.org/subjectareas/security/risk
Cyber Balance Sheet: https://go.focal-point.com/cyber-balance-sheet-report
Risk Management Metrics That Matter: https://blog.kennasecurity.com/2017/03/creating-risk-management-metrics-that-matter/
Q&A
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 

Risk Management Metrics That Matter

  • 2. About Me: Ed Bellis
    • Co-founder and CTO at Kenna Security, an automated risk & vulnerability intelligence platform
    • Orbitz CISO for 6 years
    • 20+ years Info Security experience including Bank of America, CSC, E&Y
    • Contributing Author, Beautiful Security
    • Frequent speaker at events such as…
  • 3. Warning: This presentation contains large amounts of data used for the purpose of proving an information security theory. No marketers were harmed during the making of this presentation.
  • 4. You Are What You Measure
  • 5. JET FUEL X PEANUT BUTTER = SHINY -ALEX HUTTON
  • 6. Inherent Risk vs. Residual Risk: Know & Measure the Difference. Hint: This is NOT a math formula.
  • 7. Please Don’t Do This! Inherent Risk: 80 X Control Effectiveness: 50% = Residual Risk: 40
  • 8. JET FUEL X PEANUT BUTTER = SHINY -ALEX HUTTON
  • 9. Do This Instead
    1. Calculate Risk
    2. Identify Potential Key Controls
    3. Recalculate Risk
  • 10. The Language Barrier (*source: Cyber Balance Sheet - The Cyentia Institute)
  • 11. The Language Barrier (*source: Cyber Balance Sheet - The Cyentia Institute). What the CISO perceives as important and what the BoD believes is important often don’t match, and often neither is actually given.
  • 12. The Language Barrier (*source: Cyber Balance Sheet - The Cyentia Institute)
  • 14. But First… Some Definitions
    • Threat: a negative scenario you want to avoid.
    • Threat Actor: the agent that makes the threat happen.
    • Vulnerability: a weakness that can be exploited.
    • Risk: a negative scenario you want to avoid, combined with its probability & impact.
  • 15. FAIR Example: Risk Taxonomy
  • 17. Operationalizing Security Risk Management: Measurement + Integration
  • 19. Selecting the Right Metrics for Risk Management
    • Risks > Counts
    • Results > Work
    • Quantitative Where Possible
  • 20. Know Your Assets. Some Useful Metrics:
    1. External Asset Coverage
    2. Internal Asset Coverage
    3. Time to Discover
  • 21. Know Your Business. Some useful metrics here include:
    1. System Susceptibility
      1. Value to Attackers
      2. Vulnerabilities
    2. Time to Compromise: how long would it take to compromise any of the key controls for these assets and applications?
    3. Threat Accessibility
      1. Access Points and Attack Surface
    4. Threat Actor Capability
      1. Tools
      2. Resources
      3. Techniques
    Does Your Threat Model Include Alexa Ratings?
  • 22. Know Your Risk. Some Useful Metrics:
    1. Risk by Asset
    2. Risk by Business Unit
    3. Trending Risk over Time
    4. Mean Time to Risk Reduction
    *use targets/goals and mature to SLAs
  • 23. Know Your Resources. Some Useful Metrics:
    1. Budget Spent on Security Remediation
    2. Risk Carried Above Tolerance Level
    3. Hours Spent per Security Solution
  • 24. Know Your Direction. Some Useful Metrics:
    1. Risk Reduction by Group Over Time
    2. Risk Goal/SLA by Group
    3. Cumulative Risk Accepted Over Time
  • 25. Some Not So Useful Metrics. 1. Measuring Work, AKA “atta boy metrics”:
    • Number of Vulnerabilities Closed
    • Number of Patches Deployed
    • Number of Incidents Responded to
  • 26. Some Not So Useful Metrics. 2. Measuring Counts, “vanity metrics”:
    • Number of Packets Dropped
    • Number of Malware Detections
    • Number of IDS Alerts
  • 27. Some Not So Useful Metrics. 3. Averages can be a Fool’s Errand:
    • Average Age of Vulnerability
    • Average Time to Discover
    • Average Time to Respond
    Hint: Averages are skewed by outliers. Medians are your friend.
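As an added example (not from the deck), the following Python computes a few of the metrics above over a constructed set of open findings: risk by asset and by business unit (slide 22), risk carried above a tolerance level (slide 23), and the mean versus median vulnerability age from slide 27. The records, their scores and the tolerance of 70 are assumptions chosen to show how a single forgotten finding drags the average away from the typical case.

```python
"""Risk metrics over a constructed set of open findings (added example)."""
from collections import defaultdict
from statistics import mean, median

# Constructed sample records: (asset, business_unit, risk_score 0-100, age_days).
# The print server entry is the deliberate outlier: low score, open for years.
OPEN_VULNS = [
    ("web-01", "ecommerce", 90, 12),
    ("web-02", "ecommerce", 75, 20),
    ("db-01", "ecommerce", 95, 8),
    ("hr-portal", "corporate", 40, 15),
    ("print-srv", "corporate", 20, 900),
    ("build-01", "engineering", 60, 30),
    ("build-02", "engineering", 55, 25),
]

# Assumed per-finding tolerance: anything scored above this line must be
# remediated or formally accepted, so its score counts as risk carried.
RISK_TOLERANCE = 70


def risk_by(records, key_index):
    """Sum risk score per grouping key: 0 = asset, 1 = business unit."""
    totals = defaultdict(int)
    for rec in records:
        totals[rec[key_index]] += rec[2]
    return dict(totals)


def risk_above_tolerance(records, tolerance=RISK_TOLERANCE):
    """Risk carried above tolerance: total score of findings over the line."""
    return sum(rec[2] for rec in records if rec[2] > tolerance)


def age_stats(records):
    """Mean and median age of open findings; the gap shows outlier skew."""
    ages = [rec[3] for rec in records]
    return {"mean": mean(ages), "median": median(ages)}


if __name__ == "__main__":
    print("risk by business unit:", risk_by(OPEN_VULNS, 1))
    print("risk by asset:", risk_by(OPEN_VULNS, 0))
    print("risk above tolerance:", risk_above_tolerance(OPEN_VULNS))
    print("age stats:", age_stats(OPEN_VULNS))
```

On this sample the mean age is about 144 days while the median is 20: reporting the average would suggest a backlog problem that the one stale print-server finding alone creates.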
  • 28. Aging Can Incent Wrong Behavior
  • 30. Your Coworkers Have Day Jobs Too. Leverage Existing Tools:
    • Bug Trackers
    • Trouble Ticketing
    • Configuration Management
    • Continuous Integration & Deployment
    Bonus Points: Leverage Existing Tools for Security Purposes
  • 31. Your Coworkers Have Day Jobs Too. Leverage Existing Processes:
    • Change Management
    • Bug Fixing
    • Design Reviews
    • QA Testing
    • Continuous Integration
  • 32. The Payoff: Operationalizing Security Risk Management. Security Teams, Operations Teams, Development Teams, Executive Management: Common Language, Distinct Objectives, Efficiency, Effectiveness
  • 33. References
    • FAIR Risk Taxonomy: http://www.opengroup.org/subjectareas/security/risk
    • Cyber Balance Sheet: https://go.focal-point.com/cyber-balance-sheet-report
    • Risk Management Metrics That Matter: https://blog.kennasecurity.com/2017/03/creating-risk-management-metrics-that-matter/
  • 34. Q&A