Post on 02-Jun-2020
www.onShore.com PANOPTIC CYBERDEFENSE™
Understanding Risk Appetite for Information Security
Chris Johnson Chief Strategist, Cybersecurity Leadership
Chris Johnson, Chief Strategist, Cybersecurity Leadership (312) 850-5200 x112 chris.johson@onshore.com
ABOUT
Headquartered in Chicago. In business for over 25 years.
Managed Cybersecurity: Founded in 1991, onShore Security is a leading provider of managed cybersecurity. It began as a network consultancy and software developer and launched managed cybersecurity in 1998.
What we do. Why we do it. Our purpose remains enabling our clients. This is why we provide security. We provide guidance so you can make the best decisions pertaining to Governance, Risk and Compliance: get compliant, stay compliant.
Our Mission To protect the freedom of information by revolutionizing cyber defense and governance.
Who am I?
20 years in IT service delivery
Last 5 years focused exclusively on cybersecurity and regulatory compliance
Chief Strategist
FYI… I HATE POWERPOINT BULLETS… I have successfully removed them all!
MY HYPOTHESIS
Your risk appetite and your risk management may not be aligned.
Does the way your risk is managed reflect a risk appetite that is divergent from the risk appetite you actually have?
I AM YOUR BABEL FISH
IS RISK APPETITE A TOWER OF BABEL?
Image from Hitchhiker’s guide to the galaxy
WHAT WE WILL COVER
Risk Appetite and Information Security
Risk Avoidance vs Risk Awareness vs Risk Appetite (relevance)
Who Are Your Stakeholders?
What Is Risk Appetite?
A Workable Plan
Risk Appetite and Information Security
IS / IS NOT
Risk Appetite IS              | Risk Appetite IS NOT
Informs your risk strategy    | Risk management
Measurable                    | Risk assessment
Dynamic and fluid             | Risk tolerance
Decision support              | Governance
A threshold                   | Compliance
Executive stakeholders        | Department-level management
Required                      | Optional
RISK APPETITE IS KEY
Risk management comes from knowing risk appetite. If we don’t know our appetite for risk, how can we possibly manage it?
RISK APPETITE TERMS
Risk Capacity
Risk Appetite
Risk Tolerance
Risk Target
Risk Limit
COMPONENTS TO DETERMINING RISK APPETITE
Corporate Values – What Risks will we not accept?
Strategy – What are the risks we need to take?
Stakeholders – What risks are they willing to bear, and to what level?
Capacity – What resources are required to manage those risks?
There is no “One Size Fits All”!
RISK APPETITE
RELEVANCE
Risk Avoidance vs Risk Awareness vs Risk Appetite
RELEVANCE AND CONTEXT
WHAT IS RELEVANT FOR YOU?
Who Are Your Stakeholders?
RISK APPETITE DECISION MAKERS
GEEKS + SUITS: TDM + BDM
TDM: Technical Decision Makers. BDM: Business Decision Makers.
CONSENSUS IS HARDER THAN YOU THINK…
EVERY STAKEHOLDER’S APPETITE IS DIFFERENT…
What Is Risk Appetite?
RISK APPETITE SURVEY
Formal risk appetite study:
70% had none
17% had one that was working
13% had one but nobody used it
SURPRISED???
MEASUREMENT STARTS WITH…
Corporate Values – What risks will we not accept?
Strategy – What are the risks we need to take?
Stakeholders – What are they willing to bear, and to what level?
Capacity – What resources are required to manage them?
A Workable Plan
HOW DO WE DO IT?
RISK APPETITE PROCESS
Identify
Measure Impact
Address
ELEMENTS OF THE “IDENTIFY” STEP
To identify risk appetite you must do these 4 things in some fashion:
Articulate corporate values
Document corporate strategy
Assess stakeholder alignment with corporate strategy
Survey stakeholder tolerance levels
Analyze risk management resource availability/capacity
To Get the resources that go with this preso: TXT “IIA” With Your Name and Email to 213-400-9426
ELEMENTS OF THE “MEASURE” STEP
To measure risk appetite you must classify your risks as ones you are willing to:
Accept – High
Mitigate – Medium
Transfer – Low
Avoid – None
Your risk appetite lies along this range.
ELEMENTS OF THE ADDRESS PROCESS
“We are a company that prefers to (accept, mitigate, transfer, avoid) risk. Overall we are willing/unwilling to stay at this level of risk appetite.”
If unwilling, you need to shift your risk appetite to your preferred level. This involves:
1. Review the impact of remaining in place
2. Estimate the amount of effort required to make the change
YOUR TWO TAKEAWAYS
If you take away nothing else, remember these two things:
Risk appetite involves stakeholders.
Because you built consensus with stakeholders for risk appetite, you are well positioned to optimize your risk management system.
BONUS 5 MIN WORKSHOP
Let’s play 4 questions. You will have 1 minute to think about how your organization’s cybersecurity stakeholders would answer. I will do a 15-second walkthrough of each question and the process you might take to address any deficiencies it may reveal.
Question 1 of 4: What are our principal Cybersecurity risks that influence our risk appetite? (Top 3)
Question 2 of 4: How does our risk appetite affect our process for identifying, assessing and managing our cybersecurity risk? Watch this video: itglue.com (it is the first video you can play on the homepage)
Question 3 of 4: How do we ensure that our recommendations stemming from our Cybersecurity risk appetite are communicated and followed?
Question 4 of 4: How do we help fellow stakeholders develop enough relevant knowledge and experience to address Cybersecurity risk appetite?
THANK YOU!
Thank you for your time today!
Text/email me if you want a consult. Use subject line “Risk Appetite” Chris.Johnson@onshore.com (213) 400-9426