Hosted by: ISACA, Austin Chapter
The Beauty of Risk: Effectively Communicating Risk Throughout Your Organization
Presented by: Tim Virtue, Chief Information Security Officer, Texas NICUSA
The Lawyers Made Me Do It
• Any references to specific organizations, people, products, or services are purely examples or learning opportunities and neither criticisms nor endorsements
• The views presented are strictly my own and may or may not represent any organizations or affiliations I have (mostly because they have not seen the light yet)
• It's OK to agree to disagree, but anyone who gets that worked up over slides needs a vacation or a drink
ABC Soup & Street Cred
• CISSP, HCISPP, CSM, CCSK, CISA, CIPP/G, CFE, ITIL V3, CVE, QGVM, blah blah blah…
• Over 20 years of experience in Security, Risk Management and IT
• Executive Master of Science in Information Systems from a top business school
• Cyber Security Instructor, Author & Speaker
• Not bragging – just showing perspective & credibility
05/07/2023 4
Who We Are
• Since 2002, the Texas.gov program has grown to offer more than 1,000 online services that have securely processed more than 214 million transactions — all worth over $31 billion.
• The program's mission is two-fold: deliver the State's official website for constituents to access information and complete online services, and provide enterprise technology services to Texas government.
• The Texas.gov portal provides hosted online applications and payment processing for many consumer-facing government services like driver license renewals, vital record orders, vehicle registration renewals, and more.
Learning Objectives
• Review strategies for easily and effectively communicating risk
• Learn to identify the most relevant elements of risk, from an enterprise perspective
• Utilize a community-building approach when communicating risk
• Balance business objectives with security, privacy, & compliance objectives
FUD Is Not Risk Management
Managing by Fear, Uncertainty & Doubt (FUD) does not drive change or manage risk
The same event means different things to different people – communicate the same risk in a different but meaningful way to each stakeholder.
Security Driven Risk Management
• There are many types of risk: reputational, operational, compliance, financial, etc.
• Most stakeholders are only focused on risks directly related to their business unit.
• This creates silos that weaken the overall risk community.
• When you take an organizational approach to managing the numerous types of risk, the enterprise can be more successful.
Traditional Use of Metrics
• Compliance with operational goals
• Isolated reporting
• Management reporting (productivity & budgeting)
• Governance
Time For A Change
What Data Driven Enterprise Risk Management Is Not
• Something to be ignored
• Something Security should try to stop
• Something done in isolation
• A tool or one-time implementation
Benefits – If Data Driven ERM Is Done Right
• Organizational collaboration
• Avoidance of redundancy and wasted resources
• Increased business value
• Removal of the FUD factor
• Elimination of checkbox-focused risk management
So Don’t Be This Guy
Security Says…
NO!!!
Data Driven Enterprise Risk Management
How Security Can Save The Day
• Business Value
• Organizational Alignment
• Strategic Planning
• Cross-Functional Communication
• Creating a Security Conscious Culture
How Do We Get There?
Collaboration
• Work together so the output is business focused and communicated across the enterprise
• Learn to speak the language of business, but share data driven Security perspectives too
Innovation
• Work across the enterprise to support traditional Security & Compliance goals while supporting the business
Strategies For Communicating Risk
• Use a "What's in it for me?" approach with stakeholders
• Simple, repeatable, visual, data driven, all while adding business value
• Align with business goals or the organizational mission (Are you reading annual reports?)
• Use analogies – not geek speak
• Translate into financial or mission-critical impact
  • "If the system is compromised, we will see a 15% decrease in revenue"
  • NOT "Do you want to be on the cover of the WSJ like XYZ Company tomorrow?"
Sharing Meaningful Metrics
Design & Deployment
• Start with a baseline
• KISS (Keep It Simple Security)
• Develop metrics with receiving stakeholders
• Focus on outcomes & actionable items
• Less is more
• Automated, easy, repeatable, multi-use
Know your audience
• Push vs. Pull
• Static vs. Interactive
• Frequency
• Traditional vs. Mobile
• Develop with actionable purpose
• Develop metrics & delivery model with receiving stakeholders
• We really only care about content – let them choose mechanics
Causes of Failure
• Focusing on technology and ignoring organizational culture
• Lack of creativity
• Lack of executive support
• Losing sight of business goals and desired outcomes
Causes of Success
• Proper training
• Starting small
• Alignment with business
• Creating a culture of agility
• Incremental improvement
• Focus on the intent of security requirements
• Risk based approach
What Needs To Change - Security
• More & improved collaboration and communication
• More open minds and increased knowledge
• Flexible solutions that address the intent of CIA (confidentiality, integrity, availability) without getting hung up on "old school", we-have-always-done-it-that-way methodologies
• Become change agents in the security community (including risk managers, auditors, compliance professionals)
Tim's
• Percent effective to goal
• Aging metrics
• Aggregate risk
• Risk by business unit
• Policy exceptions over time
• % of software bugs with security impact
• Cost/schedule variance from planned security activities
• % of budget allocated to security
• % of contracts that include security requirements
• % of recurring issues
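The following is an added example, not part of the presentation, showing how several of the metrics on this slide (aging against SLA, aggregate risk, risk by business unit, policy exceptions over time, percent of recurring issues) can be computed from a findings register and rolled up into one stakeholder-facing line per business unit. The business units, severity weights, SLAs and findings are all constructed for illustration; the likelihood-times-impact scoring is an assumption, not a scheme the deck prescribes.

```python
"""Added example (not from the presentation): compute slide metrics
from a constructed findings register. All data below is invented."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed remediation SLAs (days) and impact scores per severity.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
IMPACT = {"critical": 5, "high": 4, "medium": 3, "low": 1}
AS_OF = date(2023, 5, 7)  # reporting date used throughout


@dataclass
class Finding:
    fid: str
    title: str
    unit: str                 # business unit that owns the risk
    severity: str
    likelihood: int           # 1 (rare) .. 5 (almost certain)
    opened: date
    closed: Optional[date] = None
    exception: bool = False   # tracked as an approved policy exception


# Constructed sample findings; F1 and F5 re-occur F3 and F6 respectively.
FINDINGS = [
    Finding("F1", "Unpatched web server", "Payments", "critical", 4, date(2023, 3, 1)),
    Finding("F2", "Weak TLS configuration", "Payments", "high", 3, date(2023, 1, 10), date(2023, 2, 1)),
    Finding("F3", "Unpatched web server", "Payments", "critical", 4, date(2022, 11, 1), date(2022, 12, 1)),
    Finding("F4", "Shared admin account", "Licensing", "medium", 2, date(2023, 4, 20)),
    Finding("F5", "Legacy FTP in use", "Licensing", "high", 3, date(2023, 2, 1), exception=True),
    Finding("F6", "Legacy FTP in use", "Licensing", "high", 3, date(2022, 8, 1), date(2023, 1, 15), exception=True),
    Finding("F7", "Input validation bug", "Portal", "high", 3, date(2023, 4, 25)),
    Finding("F8", "Verbose error pages", "Portal", "low", 1, date(2023, 4, 26)),
]
# Constructed dates for the exceptions-over-time trend.
TREND_DATES = [date(2022, 12, 1), date(2023, 1, 20), date(2023, 3, 1)]


def is_open(f, on=AS_OF):
    return f.opened <= on and (f.closed is None or f.closed > on)


def risk_score(f):
    return f.likelihood * IMPACT[f.severity]


def aging(findings, on=AS_OF):
    """Days open per open finding and the share that is past its SLA."""
    opened = [f for f in findings if is_open(f, on)]
    days = {f.fid: (on - f.opened).days for f in opened}
    overdue = [f.fid for f in opened if days[f.fid] > SLA_DAYS[f.severity]]
    pct = round(100.0 * len(overdue) / len(opened), 1) if opened else 0.0
    return {"days_open": days, "past_sla": overdue, "pct_past_sla": pct}


def risk_by_unit(findings, on=AS_OF):
    """Sum of likelihood x impact over open findings, per business unit."""
    totals = Counter()
    for f in findings:
        if is_open(f, on):
            totals[f.unit] += risk_score(f)
    return dict(totals)


def aggregate_risk(findings, on=AS_OF):
    return sum(risk_by_unit(findings, on).values())


def active_exceptions(findings, on):
    """Policy exceptions in force on a given date (one trend point)."""
    return sum(1 for f in findings if f.exception and is_open(f, on))


def exception_trend(findings, dates):
    return {d.isoformat(): active_exceptions(findings, d) for d in dates}


def pct_recurring(findings):
    """Share of findings that repeat an earlier one (same title and unit)."""
    seen, recurring = set(), 0
    for f in sorted(findings, key=lambda x: x.opened):
        key = (f.title, f.unit)
        if key in seen:
            recurring += 1
        seen.add(key)
    return round(100.0 * recurring / len(findings), 1) if findings else 0.0


def unit_summary(findings, unit, on=AS_OF):
    """One stakeholder-facing line: the unit's share of enterprise risk."""
    by_unit = risk_by_unit(findings, on)
    total = sum(by_unit.values())
    share = round(100.0 * by_unit.get(unit, 0) / total, 1) if total else 0.0
    owner = {f.fid: f.unit for f in findings}
    overdue = [fid for fid in aging(findings, on)["past_sla"] if owner[fid] == unit]
    return f"{unit}: {share}% of enterprise risk, {len(overdue)} item(s) past SLA"


if __name__ == "__main__":
    print(aging(FINDINGS))
    print(risk_by_unit(FINDINGS), aggregate_risk(FINDINGS))
    print(exception_trend(FINDINGS, TREND_DATES))
    print(pct_recurring(FINDINGS), unit_summary(FINDINGS, "Payments"))
```

The `unit_summary` line is the piece that maps to the deck's advice: a business unit owner sees their share of enterprise risk and how many of their items are past SLA, rather than a list of CVEs. Swap the constructed `FINDINGS` for an export from a ticketing or GRC tool and the same functions produce the trend and roll-up figures.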
Additional Resources
• http://www.securitymetrics.org/
• Security Metrics, A Beginner's Guide by Caroline Wong (Oct 20, 2011)
• Security Metrics: Replacing Fear, Uncertainty, and Doubt by Andrew Jaquith (Apr 5, 2007)
• NIST SP 800-55 Rev. 1, Performance Measurement Guide for Information Security (Jul 2008)
Call to Action
• Start today
  • You invested the time in this session – take the next step
• Avoid overthinking
  • You don't need to roll out the perfect solution
• Iterative approach
  • Crawl, Walk, Run
• Be constructively dissatisfied
  • Deliver continuous improvement
• Lead by example and build business value into the process
Q & A
Thank You!
• Help me spread the message to others
• Build data driven security & ERM into your organizational culture
• Please check me out on LinkedIn: http://www.linkedin.com/in/timvirtue
• Or follow me on Twitter: https://twitter.com/timvirtue
Contact Us
For more information about Security, contact:
Tim Virtue, Chief Information Security Officer
[email protected]
512-651-9420
For more information about Texas.gov solutions, contact:
Daniel Moreno, Outreach
[email protected]
512-651-9803