SESSION ID: GRC-W03
#RSAC
Top Five Secrets to Successfully Jumpstarting Your Cyber-Risk Program
Chris Houlder, CISO, Autodesk, Inc., @chrishoulder, chris.houlder@autodesk.com
Husam Brohi, Director, Cybersecurity and Privacy, PwC LLP, @husambrohi, husam.brohi@pwc.com
Situational Context
• Autodesk undergoing massive business transformation to a cloud subscription model
• Risk at the center of the Board and Senior Executive agenda
• Executives wanted more real-time, transparent reporting beyond what the Enterprise Risk Program (ERM) was providing
• Agile and DevOps mindset viewed security, risk and governance as barriers
• Multiple, interrelated disciplines operating in a federated manner
Our Challenge
Stakeholders and disciplines shown: Board, Business, Information Security, Product Security, Data Privacy
Three questions to answer: What are our risks? What are we doing? Is it enough?
• Overcome a skeptical customer
• Align strategies and investments
Problem Statement: Develop a strategic vision and program for effectively communicating our holistic risk posture and response – and move everyone towards a common direction.
What Are We Here To Do
• Share our story and walk through the process and key considerations for taking our cyber-risk program from concept to launch in under 6 months
• Discuss how risk management serves as the core of our cybersecurity program and strategy
• Share lessons learned with you and discuss the challenges we faced, hoping that the approach we took will be useful in your journey
• This is NOT a discussion on risk management methodologies or artifacts
Our Approach – Top 5 Secrets
#1 Take a holistic view of Cybersecurity
#2 Focus on strategy first
#3 Go Agile – Build and iterate
#4 Create a risk management culture
#5 Use risk for decision making
“In union there is strength”
― Aesop, Ancient Greek Fabulist
Secret #1: Take a holistic view of Cybersecurity
Understand That Cybersecurity is Multi-Discipline
Scope: Focus on the “big picture” view of risks, investment and maturity of capabilities – build a common platform which spans:
• Information Security (Business / Led IT): Strategy, Investment, Capabilities
• Product Security (Business / Led IT): Strategy, Investment, Capabilities
• Data Privacy (Business / Led IT): Strategy, Investment, Capabilities
Unify Purpose and Approach
Vision: Deliver security risk management capabilities that highlight the value proposition of investments and give Autodesk a competitive advantage.
Mission: Support management’s ability to make informed resource allocation decisions by providing visibility into current security risks.
Business Drivers: Innovation and Agility; Shareholder Value; Brand Protection; Customer Loyalty; Legal and Regulatory Commitments
Security Risk Management Capabilities: People, Process, Technology
Information Security Program Execution:
• Third Party Security Management
• Security Strategy, Governance and Management
• Risk, Compliance and Policy Management
• Identity and Access Management
• Security Architecture and Operations
• Information Privacy and Protection
• Threat Intelligence and Vulnerability Management
• Physical and Environment Security
• Incident and Crisis Management
“The essence of strategy is choosing what not to do”
― Michael Porter, Harvard Business School Professor
Secret #2: Focus on strategy first
Multi-Tiered Risk Assessment
Tiers run from strategic risks (Tier 0) down to tactical risks (Tier 2):
Tier 0 – Uber Risks (ERM): Risks that could affect the achievement of business outcomes are classified as strategic and enterprise risks. Intended audience: Executives and Board Level.
Tier 1 – Security Risks (SRM): Cybersecurity risks to organization strategic initiatives and sensitive information, derived from Uber Risks. Intended audience: Executives, Board Level, Security Risk and Compliance.
Tier 2 – Information/Asset: Asset and information level (systems, services, etc.) risks based on security risks. Intended audience: Business Units and System Domain Owners.
“Make it simple, but significant”
― Don Draper, Fictional Character from Mad Men
Framework-Agnostic Approach
Risks
• Risk analysis/threat model
• Asset scoping
Cyber Readiness
• Capability maturity
• Key security controls
Risk Action
• Risk profiles
• Risk remediation
Risk Scenarios Tailored To Audience
Scenario grammar: Actor – with – Intent – initiates – Event (threat type) – against – Attack Surface (threat target) – leads to – Consequence
Actor
• Hacker
• Employee
• Third party
• Customer
• Competition
• Nature
Intent
• Accidental
• Malicious
• Environmental
Event (threat type)
• Malware attack
• DDoS attack
• Theft of data
• Social engineering attack
• Breach of platform
• Theft of physical items/hardware
Attack Surface (threat target)
• People
• Customer
• Facilities
• Infrastructure
• Information assets
• Platforms
Consequence
• Loss of sensitive data
• Loss of data integrity
• Loss of intellectual property
• System unavailability
• Fraud
• Legal/regulatory non-compliance
Example of Cyber Risk Scenario
<Risk ID> Third Party accidentally breaches cloud platform resulting in loss of customer data
Risk Level: How impactful would the risk be if it materializes, how likely is it to materialize, and how well are we addressing it?
Risk Event Drivers: Which events are most likely to cause the risk to materialize?
Cyber Readiness: Aggregated view of the current-state maturity of the capabilities and controls needed to ensure proper risk mitigation.
Actor Landscape: Which actor is most likely to initiate a successful attack?
Importance of Capabilities: How important are the associated capabilities for risk mitigation, and where should improvement efforts be focused?
Attack Surface: Which information assets are most likely to be targeted, and how impactful would that be?
Effect on Risk Mitigation: What does risk mitigation look like after improvements are made?
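The scenario grammar from the “Risk Scenarios Tailored To Audience” slide and the Risk Level / Effect on Risk Mitigation panels above, as an added Python illustration that is not part of the deck or of Autodesk’s OEC/RVT tools. The 1-5 impact and likelihood scales, the OE score as a 0-1 readiness fraction, the High/Medium/Low bands and the rule pairing the Nature actor with environmental intent are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Slot vocabularies copied from the "Risk Scenarios Tailored To Audience" slide.
TAXONOMY = {
    "actor": {"Hacker", "Employee", "Third party", "Customer", "Competition", "Nature"},
    "intent": {"Accidental", "Malicious", "Environmental"},
    "event": {"Malware attack", "DDoS attack", "Theft of data", "Social engineering attack",
              "Breach of platform", "Theft of physical items/hardware"},
    "surface": {"People", "Customer", "Facilities", "Infrastructure",
                "Information assets", "Platforms"},
    "consequence": {"Loss of sensitive data", "Loss of data integrity",
                    "Loss of intellectual property", "System unavailability", "Fraud",
                    "Legal/regulatory non-compliance"},
}

# Assumed directional bands for the residual score (the deck gives no thresholds).
BANDS = ((12.0, "High"), (6.0, "Medium"), (0.0, "Low"))


@dataclass(frozen=True)
class Scenario:
    risk_id: str        # the slide's <Risk ID> placeholder
    actor: str
    intent: str
    event: str
    surface: str
    consequence: str
    impact: int         # 1-5: how impactful if it materializes (assumed scale)
    likelihood: int     # 1-5: how likely it is to materialize (assumed scale)
    oe_score: float     # 0.0-1.0: readiness / defense level (assumed scale)

    def __post_init__(self) -> None:
        for slot, allowed in TAXONOMY.items():
            if getattr(self, slot) not in allowed:
                raise ValueError(f"{slot} {getattr(self, slot)!r} is not in the taxonomy")
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError("impact and likelihood must be 1-5")
        if not 0.0 <= self.oe_score <= 1.0:
            raise ValueError("oe_score must be between 0.0 and 1.0")
        # Assumed consistency rule: only the Nature actor carries environmental intent.
        if (self.actor == "Nature") != (self.intent == "Environmental"):
            raise ValueError("environmental intent pairs only with the Nature actor")

    def statement(self) -> str:
        """Render the slide's 'with / initiates / against / leads to' sentence."""
        return (f"{self.risk_id}: {self.actor} with {self.intent.lower()} intent initiates "
                f"{self.event.lower()} against {self.surface.lower()}, "
                f"leading to {self.consequence.lower()}")

    def inherent_risk(self) -> int:
        return self.impact * self.likelihood   # 1-25 before readiness is considered

    def residual_risk(self, oe_score: Optional[float] = None) -> float:
        """Readiness scales the inherent score down; pass a target OE to model an improvement."""
        oe = self.oe_score if oe_score is None else oe_score
        return round(self.inherent_risk() * (1.0 - oe), 2)

    def risk_level(self) -> str:
        score = self.residual_risk()
        return next(label for floor, label in BANDS if score >= floor)

    def effect_of_improvement(self, target_oe: float) -> float:
        """Score reduction if readiness rises to target_oe ('Effect on Risk Mitigation')."""
        return round(self.residual_risk() - self.residual_risk(target_oe), 2)


def rank_for_executives(scenarios: list[Scenario]) -> list[tuple[str, str, float]]:
    """Highest residual risk first: the ordering an executive audience would see."""
    ordered = sorted(scenarios, key=lambda s: s.residual_risk(), reverse=True)
    return [(s.risk_id, s.risk_level(), s.residual_risk()) for s in ordered]
```

Constructing the deck’s own example (`Scenario("RISK-001", "Third party", "Accidental", "Breach of platform", "Platforms", "Loss of sensitive data", 5, 3, 0.4)`) and calling `effect_of_improvement(0.7)` shows how much a readiness gain moves the directional score, which is the comparison the Effect on Risk Mitigation panel asks for.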
“Life’s too short to build something no one wants.”
― Ash Maurya, Author of Running Lean and Creator of Lean Canvas
Secret #3: Go Agile – Build and iterate
Go Agile – Build and Iterate
Minimum Viable Product
• Raised everything a level
• Directional quantification versus precision
• Threat modeling
• Establish a method for assessing OE (defense levels)
• Audits and assessments aligned to this process – practical use of results
• Start with proxy data
• Support strategic planning
• Board-level communication within 6 months
Minimum Viable Product Lifecycle
• Sprint #1 – Internal Team Development / Refinement
• Sprint #2 – Strategic Planning Process
• Sprint #3 – Pilot for Executives
What was excluded?
• Perfect mathematical formulas
• Full threat coverage; 80/20 approach to the threats – not every scenario represented
• Cost analysis model – to be included in future iterations
Building MVP – OE and Risk Valuation Tools
OE Calculator (OEC)
Purpose: The OE Calculator (OEC) facilitates the assessment process in order to determine an OE Score. This OE Score is used to understand the Cyber Readiness posture (residual risk, compliance with policies) and guides investment decisions. OE is assessed using integrated scorecards.
Risk Valuation Tool (RVT)
Purpose: The Risk Valuation Tool (RVT) supports the risk process in order to identify, estimate, evaluate and respond to risk. It highlights relevant risks and supports the definition and planning of projects that respond to risk. Its dashboards provide a holistic overview of risk and investments.
Modules (as labelled on the slide): OE Dashboard, Policy Compliance, Threat Lab, Capabilities; Integrated scorecards, OE view and RVT link, Project evaluation, Dashboards
“If you don’t get culture right, nothing else matters”
― John Taft, Former CEO of RBC Wealth Management
“It is a terrible thing to look over your shoulder when
you are trying to lead – and find no one there”
― Franklin Roosevelt
Secret #4: Create a risk management culture
Design Principles
Main Objective: “Develop an efficient and effective system for enabling organizationally aligned risk decision making, risk reduction/mitigation and continuous monitoring.”
Intended Outcomes
1. Accountability and responsibility for risk oversight and ownership shall be defined and sit with the “right people”.
2. Decision making on risk treatment (funding, resources, etc.) should be consistent, efficient and effective.
3. Decisions taken shall be implemented with strategic alignment and executed to ensure proper and effective risk mitigation.
• Enhance stakeholder risk IQ
• Align organizational value
• Achieve stakeholder buy-in
“In real life, strategy is actually very straightforward.
You pick a general direction and implement like hell.”
― Jack Welch, Former CEO of General Electric
Secret #5: Use risk for decision making
Use Risk for Decision Making and Take Action
Resource Forecasting: Enable better decision making by forecasting needs for headcount and skill sets to target hiring and training efforts.
Process Reporting and Efficiency: Evaluate the efficiency of risk controls and processes and refine the program based on measured performance over time.
Technology Investment: Prioritize investment decisions for technology implementation, aiming to maximize reduction of risk per dollar spent.
Benefits of Risk Based Decisions
01 Cybersecurity investments are not revenue generating – it’s purely a risk tolerance discussion
02 Decisions on how much to invest depend on how much risk the organization is willing to tolerate
03 Quantifying the risk requires inputs from multiple frameworks, processes and skill sets
04 Defining cybersecurity risk in business context and estimating exposure is a relatively new concept
The relationship between defensive capabilities and cybersecurity business risks is the key to informed investment decisions.
Closing Summary
Before
• Focus on “What”
• Capability-oriented approach
• Duplicate, disparate efforts; bottom-up prioritization
• Difficulty including executives in technical discussions
Program Stand Up
#1 Take a holistic view of Cybersecurity
#2 Focus on strategy first
#3 Go Agile – build and iterate
#4 Create a risk management culture
#5 Use risk for decision making
After
• Focus on “What” and “Why”
• Risk-oriented, targeted approach
• Unified activity aligned to common risk reduction goals
• Ability to articulate investment at board level through risk data support
Future State Vision – Articulating ROI on Risk Investments in Dollars
What’s next?
1) Enrich the tool’s data set by integrating output from our threat management capability
2) Measure “OE” across the organization through controls efficacy and capability maturity assessments
3) Continue to enhance the risk modelling tools to help quantify risks in dollars and measure ROI of risk investments, and improve our strategy, planning and budgeting
Apply What You Have Learned Today
1. Next week you should:
• Assess how you are communicating the value and focus of your program
- Do you discuss technology without capabilities? Capabilities without risk?
- Recommend framing the discussion from Risk to Capabilities to Technology
2. In the first three months following this presentation you should:
• Begin your cultural change to risk management – assessment, ownership and reduction
3. Within six months you should be able to articulate a response to three main questions:
1) What are our risks?
2) What are we doing?
3) Is it enough?
