Talking Risk with Leadership


Transcript of Talking Risk with Leadership

Page 1: Talking Risk with Leadership

intelligent information security ANITIAN

TALKING RISK WITH LEADERSHIP

ANITIAN

Page 2: Talking Risk with Leadership

Overview

My intention…
• Define the challenges of discussing risk with executives
• Outline some strategies for communicating risk more effectively to leadership
• Show off Anitian’s Risk Management practice

Outline
1. The risk challenge
2. Business Risk Intelligence
3. RiskNow – Rapid Risk Assessment
4. Final thoughts and best practices

Page 3: Talking Risk with Leadership

Meet the Speaker – Andrew Plato
• President / CEO of Anitian
• 20 years of experience in IT & security
• Completed thousands of security assessments & projects
• Discovered SQL injection in 1995
• Helped develop first in-line IPS engine (BlackICE)
• Co-developed RiskNow™ – Rapid Risk Assessment approach
• Industry analyst for technology acquisitions totaling $20B over a 5 year period

Page 4: Talking Risk with Leadership

Vision: Security makes the world a better place. Mission: Build great security leaders.

We deliver security and threat intelligence via a range of services:
• Compliance (PCI, HIPAA, NERC, etc.)
• Risk assessment
• Penetration testing & code review
• Incident response
• Technology integration
• Sherlock – Managed Threat Intelligence

ANITIAN

Page 5: Talking Risk with Leadership

THE RISK CHALLENGE

Page 6: Talking Risk with Leadership

Something Is Not Right Here

We keep hearing the same things…
“We got a next-generation firewall, we’re safe.”
“Oh, you’re just paranoid. We have nothing of value.”
“There isn’t anything we can do to stop the hackers.”
“What am I supposed to do with this big risk report?”
“Seriously, what are the real problems?”
“I don’t care about the details, just tell me how to fix it!”
“Are we really in danger?”
“What do all these numbers, charts and worksheets mean?”
“This is just stupid compliance stuff, get it checked off!”
“Just keep us off the Krebs’ Blog!”

Page 7: Talking Risk with Leadership

Incident-Driven Security Programs
• Panic, make short-sighted decisions
• Buy whatever is cool and makes the biggest promises
• Slap teams and controls together at the last minute
• Obsess over sensational, unlikely attacks
• Compensate for a lack of intelligence with process and policy
• Easily distracted and easily hacked
• Expose the business, the data, and themselves to risk

Page 8: Talking Risk with Leadership

DO WE HAVE A RISK MANAGEMENT PROBLEM?

YES. BUT WHY?

Page 9: Talking Risk with Leadership

I just want to do the right things

Page 10: Talking Risk with Leadership

Building higher walls...

…that stop nothing

VULNERABILITY CONTAINMENT

Page 11: Talking Risk with Leadership

VOLATILE

Page 12: Talking Risk with Leadership

You don’t need to be the best,

just slightly better than the rest.

GOOD ENOUGH

Page 13: Talking Risk with Leadership

CHECKBOX RISK ERODES TRUST

Page 14: Talking Risk with Leadership

Apps, cloud, access…

…the back door is wide open.

THIRD PARTY RISK

Page 15: Talking Risk with Leadership

SLOW

Page 16: Talking Risk with Leadership

OPSEC IS

DISTRACTED

Page 17: Talking Risk with Leadership

THEY ARE FAILING TO

REMEMBER THE MISSION

Page 18: Talking Risk with Leadership

PEOPLE ARE THE CAUSE OF, AND SOLUTION TO, MANAGING RISK

Page 19: Talking Risk with Leadership

IS THERE ANY

HOPE?

Page 20: Talking Risk with Leadership

MEANING

Page 21: Talking Risk with Leadership

FOCUS

Page 22: Talking Risk with Leadership

RELEVANCE

Page 23: Talking Risk with Leadership

ACTION

Page 24: Talking Risk with Leadership

NEW WAY TO DISCUSS RISK

Page 25: Talking Risk with Leadership

BUILDING BUSINESS RISK INTELLIGENCE

Page 26: Talking Risk with Leadership

The Core Six
• Risk is an over-used word that is often misunderstood
• Stick to these Core Six words, and use them correctly:

Threat: Something bad that might happen
Vulnerability: A weakness a threat could exploit
Impact: How badly a threat can damage the business
Probability: How likely a threat is in a given timeframe
Control: Something that mitigates a threat
Risk: An assessment of a threat based upon its probability and impact in relation to the relevant controls

Page 27: Talking Risk with Leadership

Foundations of Communicating Risk

• WHY: Why do we care?
• WHAT: What is at stake?
• HOW: How do we look at what is at risk?
• SO WHAT?: What does risk mean to us?
• WHO: Who does this affect?
• ACTION (WHEN): How do we fix it?

Page 28: Talking Risk with Leadership

WHY: The Golden Circles

Simon Sinek: www.startwithwhy.com

Page 29: Talking Risk with Leadership

WHY?
• Why are we here? <- Vision
• Why do what we do? <- Mission
• My intention today is…

• This grounds your conversations in what is really important
• Executives like to discuss this
• It establishes the mission

Page 30: Talking Risk with Leadership

WHAT: Is at Stake?
• Data, systems, reputation, money, privacy?
• What are the stakes in this game?
• Is there any way to organize those assets?

• However…
• For many leaders the pyramid looks a lot different
• The more you can center risk on how it benefits the individual, the more value it has to them

[Pyramid graphic; recoverable tier labels: $$, PHI, PUBLIC, ME, JOB, REPUTATION]

Page 31: Talking Risk with Leadership

HOW: Chase the Rabbit
• Let people talk, this helps define their pain
• Ask big, open-ended questions:
  • What could really harm this business?
  • What are you most concerned about?
  • Is there an area where you are particularly vulnerable?
  • What is valuable to you?
  • How do you do your job? Why do you do it that way?
  • What would happen if…
• Focus on threat and weakness (vulnerability), not risk
• What are the person’s intentions and feelings?

Page 32: Talking Risk with Leadership

HOW: Keep the Threats and Vulns in their Place

Threats
• Malware steals sensitive data (I get fired)
• Data is leaked to a competitor (I get fired)
• Authentication data is stolen (I get fired)
• Important third party resources are unavailable (I get fired)

Vulnerabilities
• Old, poorly configured firewall (NGFW) (I deserve to be fired)
• We use a checkbox auditor (Yeah, fired)
• We don’t patch anything because … reasons (Later)
• Why fix anything when I can complain about it all day (Gone)
• We treat our employees like cattle (Yep, dead meat)

Page 33: Talking Risk with Leadership

SO WHAT?: Connect the Dots
• What are the threats?
• What vulnerabilities can they exploit?
• How bad is it? How likely is it?
• How serious is the risk to the business?
• What will reduce the impact or the likelihood?

Connect the dots…

[Diagram: THREAT → VULNERABILITY → IMPACT → PROBABILITY → RISK → ACTION (solution)]

Page 34: Talking Risk with Leadership

WHO: Get to the Lizard Brain

source: www.salesbrain.com

Page 35: Talking Risk with Leadership

WHO: Respect the Lizard
• Make it about them: We can help you.
• Provide a clear rationale for action: We can protect the business, otherwise Krebs Blog!
• Have a tangible action: Websense Triton will give you intelligence to act smarter.
• Have a timeline: We can have it running in a month.
• Show it, don’t say it: See these consoles, they will help you.
• Make it emotional: We are with you on this. We can do this!

Page 36: Talking Risk with Leadership

ACTION: Do or Do Not, There is No Try
• Focus on the big threats, not all of them (5-10 at a time)
• Have clear answers, not murky concepts
• Use actionable, commitment words
• Eliminate vulnerability: lower probability or impact

Page 37: Talking Risk with Leadership

ACTION: Use the Force
• Focus on the top 5-10 threats
• Have clear answers, not murky concepts
• Associate a cost (time or money) to every effort
• Show how to:
  • Eliminate vulnerabilities (weakness)
  • Lower the probability of a threat
  • Reduce the impact of the threat
  • Lower risk

[Diagram: THREAT → VULNERABILITY → IMPACT → PROBABILITY → RISK → SOLUTION, mapped to WHY? WHAT? HOW? SO WHAT? WHO? ACTION!]
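As an added illustration (not from the deck or from Anitian), a minimal risk register in Python that applies the Core Six in the order the slides insist on: each threat names the vulnerability it would exploit, controls lower probability or impact, residual risk ranks the top 5-10 threats, and every action carries a cost. The 1-5 scoring scale, the register entries and the control costs are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Control:
    """Something that mitigates a threat: lowers its probability or impact (Core Six)."""
    name: str
    probability_reduction: int = 0  # points taken off the 1-5 probability score
    impact_reduction: int = 0       # points taken off the 1-5 impact score
    cost: str = ""                  # time or money attached to the effort

@dataclass
class Threat:
    """Something bad that might happen, and the weakness it would exploit."""
    name: str
    vulnerability: str
    probability: int  # 1 (rare in the timeframe) .. 5 (near certain)
    impact: int       # 1 (nuisance) .. 5 (business-ending)
    controls: list = field(default_factory=list)

    def residual(self):
        """Probability and impact after the relevant controls, clamped to the 1-5 scale."""
        p = self.probability - sum(c.probability_reduction for c in self.controls)
        i = self.impact - sum(c.impact_reduction for c in self.controls)
        return max(1, min(5, p)), max(1, min(5, i))

    def risk(self):
        """Risk: the threat assessed by residual probability x impact."""
        p, i = self.residual()
        return p * i

def rank_threats(threats, top_n=5):
    """Highest residual risk first; keep only the 5-10 a leadership briefing can act on."""
    return sorted(threats, key=lambda t: t.risk(), reverse=True)[:top_n]

def brief(threats, top_n=5):
    """One line per threat in the deck's order: threat, vulnerability, risk, then action with cost."""
    lines = []
    for t in rank_threats(threats, top_n):
        p, i = t.residual()
        action = "; ".join(f"{c.name} ({c.cost})" for c in t.controls) or "no control planned"
        lines.append(f"{t.name} <- {t.vulnerability}: risk {t.risk()} (P{p} x I{i}); action: {action}")
    return lines

# Constructed sample register (hypothetical, not from the deck), scored on a 1-5 scale.
REGISTER = [
    Threat("Malware steals sensitive data", "Unpatched workstations", 4, 5,
           [Control("Monthly patch cycle", probability_reduction=2, cost="2 FTE-days/month")]),
    Threat("Data leaked to a competitor", "No DLP on outbound email", 3, 4),
    Threat("Authentication data stolen", "Old, poorly configured firewall", 3, 5,
           [Control("Replace firewall", probability_reduction=1, cost="$40k")]),
]
```

Note that the uncontrolled leak threat outranks the malware threat once the patch cycle is counted, which is the point of scoring risk "in relation to the relevant controls" rather than on raw threat alone.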

Page 38: Talking Risk with Leadership

Risk Driven Security Programs
• Make decisions better
• Select more effective technologies
• Invest in their people and controls completely
• Hire and cultivate intelligent people
• Focus on the most likely or serious threats to the business
• Balance agility with policy and process
• Stay on mission
• Protect the business, the data, and their jobs

Page 39: Talking Risk with Leadership

RISKNOW RAPID RISK ASSESSMENT

Page 40: Talking Risk with Leadership

RiskNow Accelerates Risk Assessment
• Accelerated, condensed version of NIST 800-30
• Facilitated interviews, minimal questionnaires
• Integrated penetration testing and critical controls configuration analysis
• Unique “lensing” process to categorize assets
• Simplified expression of probability and impact
• Brief reports designed for leadership
• Action plan with specific technology recommendations
• Fully vetted for HIPAA, PCI, FFIEC, NERC

Page 41: Talking Risk with Leadership

RiskNow Process

1. Scope project
2. Lens the assets
3. Review artifacts (policies, procedures, plans, etc.)
4. Interview stakeholders
5. Conduct technical tests (pentest, config review, architecture)
6. Document threats into a Risk Matrix
7. Refine into a Business Risk Intelligence Report
8. Brief leadership on top threats and Action Plan

Duration: 2-4 weeks
Cost: Starts at $14,995

Page 42: Talking Risk with Leadership

RiskNow Output
• RiskNow Intelligence Report
• Business Risk Intelligence Brief
• Threat Intelligence Brief
• Action Plan
• Threat Matrix (aka Risk Register)
• Technical Appendices

Page 43: Talking Risk with Leadership

Sample Risk Intelligence Briefing

Page 44: Talking Risk with Leadership

Sample of Threat Intelligence Briefing

Page 45: Talking Risk with Leadership

Sample Action Plan

Page 46: Talking Risk with Leadership

Sample Risk Matrix (Part 1)

Page 47: Talking Risk with Leadership

Sample Risk Matrix (Part 2)

Page 48: Talking Risk with Leadership

Why RiskNow: Rapid Risk Assessment

Fast

Clear

Accurate

Actionable

Rational

Practical

Page 49: Talking Risk with Leadership

FINAL THOUGHTS

Page 50: Talking Risk with Leadership

Risk Fuels Decision Making
• Keep things in the order:
  1. Threats (something bad that could happen)
  2. Vulnerabilities (weaknesses)
  3. Risk (a measurement of a threat)
  4. Action (the fix)
• Stay true to the “Core Six”
• Establish authority with decisive, simple language
• Identify tangible, actionable recommendations
• Make it personal
• Engage Anitian to help your clients understand their risks

Page 51: Talking Risk with Leadership

Thank You
EMAIL: [email protected]
@andrewplato @AnitianSecurity
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: bit.ly/anitian
CALL: 888-ANITIAN