Manage Your Risk, Not Somebody Else's

More than 99 percent of U.S. employer firms are in the small and midsize (SMB) space, and they’re getting crushed by countless regulations and standards. There must be a better way to manage the seemingly endless train of auditors and fire drills. Even more importantly, do any of these regulations reduce business risk and help improve business resilience? Just whose risk is really being managed? This presentation will discuss cost effective steps to regain control while simultaneously meeting regulatory obligations and achieving a legally defensible risk posture that helps ensure business survivability.

Published in: Economy & Finance, Business
  • Abstract source: http://www.scmagazine.com/manage-your-risk-not-somebody-elses/article/234885/
  • The Problem Space * All of these regulations and standards... * Limited resources... * Being reactive isn't getting it done...
  • “More than 99 percent of U.S. employer firms are in the small and midsize (SMB) space.” PCI examples: Cisero’s (Park City), Genesco
  • Define Your Profile * How does the business operate? * What is most important in keeping the doors open and the paychecks printing? * 3 steps: business processes, assets, prioritization via risk analysis
  • Get Organized * collaborate with business leaders across multiple areas * formalize methods and policies * strategically deploy key technologies to optimize program quality and performance
  • Practical Application #1: Taming the Compliance Beast
  • Practical Application #2: Scaling Risk Management Practices * What’s an appropriate level of effort and resources? -- Set a reasonable definition of sufficiency, that is, a defensible definition of "good enough"! * Insource vs. Outsource: When to own it and when to transfer it out -- don't forget insurance options! * If you can’t win, then change the rules -- resilience, anti-fragile, survivability, rugged, whatever; the goal is not to stop all bad things from happening (impossible)
  • Practical Application #3: DevOps, RM, & The 3 Ways
  • Practical Application - DevOps, RM, & The 3 Ways * The First Way: Systems Thinking * The Second Way: Amplify Feedback Loops * The Third Way: Culture of Continual Experimentation and Learning
  • The Three Ways - The First Way: Systems Thinking – The performance of the entire system is paramount. Silos must be eliminated in favor of managing the business as a whole, including looking at all business value streams and how they are enabled (or, conversely, hindered) by ICT. Defects cannot be allowed to flow downstream, and optimization must be considered globally instead of locally, in order to achieve a Deming-esque understanding of the system. - The Second Way: Amplify Feedback Loops – Communication is vitally important, with a premium placed on ensuring that feedback is provided and incorporated quickly and at all levels. An interesting benefit of the second way is that it also embeds knowledge, which helps improve overall performance and quality while diminishing bottlenecks (as anticipated by the “theory of constraints”). - The Third Way: Culture of Continual Experimentation and Learning – One of the largest challenges facing enterprises today is the notion of “technology debt.” How many ICT projects have languished, deprioritized by competing new work, only to crop up as a legacy failure point that introduces defects and continuously undermines performance and, ultimately, business value? At the same time, experimentation and growth are of equal importance. As an example, consider the core values of Netflix corporate culture, which thrives on the “Freedom & Responsibility” mantra and encourages experimentation provided that problems are fixed quickly. Put another way, failing fast means learning fast, which not only enables creativity and innovation, but also results in more resilient code and operations.
  • Manage Your Risk, Not Somebody Else's

    1. Manage Your Risk, Not Somebody Else’s – Ben Tomhave, MS, CISSP, @falconsview
    2. Society of Information Risk Analysts; SciTech Information Security Committee
    3. Image: http://www.flickr.com/photos/gsfc/5940408282/sizes/l/in/photostream/
    4. The Problem Space… All these regulations and standards…
       – PCI: Arbitrary & Capricious?
       – HIPAA: Confusing & Misunderstood?
       – NERC CIPs
       Limited resources. Being reactive – how’s that working out?
    5. Image: http://www.flickr.com/photos/supersonicphotos/3999192675/sizes/l/in/photostream/
    6. Define Your Profile. How does your business operate? What is most important to survival? 3 key attributes: 1. Business processes 2. Assets 3. Prioritization (via risk analysis)
    7. Image: http://www.flickr.com/photos/juhansonin/4734829999/sizes/l/in/photostream/
    8. Get Organized. Collaborate across the business. Formalize methods and policies. Identify strategic tools:
       – Improve communication
       – Optimize quality
       – Improve overall performance
    9. Image: http://commons.wikimedia.org/wiki/File:Lion_tamer_(LOC_pga.03749).jpg
    10. Practical Application #1: Taming the Compliance Beast. 1. “Right Size” your obligations (outsource!) 2. Optimize the proactive to reduce the reactive 3. Reduce complexity (KISS principle)
    11. Image: http://www.flickr.com/photos/jdhancock/3562071888/sizes/l/in/photostream/
    12. Practical Application #2: Scaling Risk Management Practices. Appropriate LOE and resources?
       – Set a defensible definition of “good enough”
       Insource vs. Outsource
       – When to own it?
       – When to transfer it out?
       – What about insurance / self-insurance?
       If you can’t win, then change the rules.
       – Resilience, anti-fragile, survivability, rugged, etc.
       – The goal is not to stop all bad things from happening!
    13. Image: http://www.flickr.com/photos/27745117@N00/3845403469/sizes/l/in/photostream/
    14. Practical Application #3: DevOps, RM, and the 3 Ways. Images: http://itrevolution.com/ (risk management cycle diagram labels: 1. Context, 2. Assessment, 3. Treatment, 4. Monitor & Review; Communication)
    15. The Three Ways (Image: http://itrevolution.com/the-three-ways-principles-underpinning-devops/)
       – The First Way: Systems Thinking – Holistic, No Silos, Understand Value Streams
       – The Second Way: Amplifying Feedback Loops – Communication, Rapid Response, Embed Knowledge
       – The Third Way: Culture of Continual Experimentation & Learning – Innovate, Fail Fast / Learn Fast, “Freedom & Responsibility”
    16. Image: http://www.flickr.com/photos/dexxus/5820866907/sizes/l/in/photostream/
    17. To Recap… Understand the problem space. Define your risk profile. Get organized. Practical application: 1. Tame the compliance beast 2. Scale risk management practices 3. The DevOps revolution
    18. Ben Tomhave, MS, CISSP, @falconsview, www.secureconsulting.net
