Archer Users Group / Southern Risk Council 2016 Enterprise Risk Management and Cyber Security

Enterprise Risk Management: In the face of mounting cyber security regulations

Transcript of Archer Users Group / Southern Risk Council 2016 Enterprise Risk Management and Cyber Security

Page 1: Archer Users Group / Southern Risk Council 2016 Enterprise Risk Management and Cyber Security

Enterprise Risk Management

In the face of mounting cyber security regulations

Page 2:

Cyber Security

o Rules established by government

o A lot of attention right now

o Misconceptions

o Struggle for businesses to stay safe

o Cyber economics

o Company culture

Page 3:

Government Approach

All Hazards

Page 4:

ISO 31000: Principles and guidelines to formalize enterprise risk management to accommodate multiple ‘silo-centric’ management systems

ISO 27005: Assists the satisfactory implementation of information security based on a risk management approach

F.A.I.R.: Risk Management for Business

Page 5:

WHERE ARE YOU STARTING?

Cyber Security

Page 6:

HOW ARE YOU BALANCING PRIORITIES?

ERM and Cyber Security

Page 7:

ARE YOUR EXECUTIVES ENGAGED?

WHAT ARE THEY ASKING FOR?

Page 8:

DOES TRADITIONAL RISK MANAGEMENT WORK WITH CYBER?

What’s failing?

Does all-hazards work outside of the government?

Page 9:

The Argument for

Reasonable Security

Page 10:

Phil Agcaoili

Distinguished Fellow and Fellows Chairman, Ponemon Institute

Board of Advisors, PCI Security Standards Council (SSC)

Financial Services – Information Sharing & Analysis Center (FS-ISAC)

Payments Processing Information Sharing Council (PPISC)

Contributor, NIST Cybersecurity Framework

Co-Founder & Board Member, Southern CISO Security Council

Founding Member, Cloud Security Alliance (CSA)

Inventor & Co-Author: CSA Cloud Controls Matrix (ISO 27017/27018), Security, Trust and Assurance Registry (STAR), and CSA Open Certification Framework (OCF) – AICPA SOC 2

@hacksec https://www.linkedin.com/in/philA

Thanks