Michael Scheidell, CISSP, CCISO, SMIEEE. RISKY BUSINESS: Prepare and Defend. InfraGard slidesha.re/1H0uVSL

Upload: michael-scheidell

Post on 14-Apr-2017

TRANSCRIPT

Page 1: Risky Business

Michael Scheidell, CISSP, CCISO, SMIEEE

RISKY BUSINESS

Prepare and Defend.

InfraGard slidesha.re/1H0uVSL

Page 2: Risky Business

© 2014-2015 All Rights Reserved. Security Privateers

Michael Scheidell, CISSP, CCISO, SMIEEE

Risky Business

@scheidell / 561-948-1305 / [email protected]

http://www.securityprivateers.com

• CISSP, Certified CISO
• SE Regional Rep, InfraGard National
• Board Member, InfraGard, South Florida Members Alliance
• Delegate to NIST CSF workshop
• Retained CISO
• Member ISSA, IAPP, ISACA, PMI, SFTA, CSA, FISA, IEEE
• Patents in Network Security
• Founded 3 technology companies

Page 3: Risky Business

AGENDA

• Evolution, Revolution or Anarchy
• Who is Responsible for IT Security?
• Please Stop Calling it InfoSec
• IT Risk Management
• Risk Officer / Risk Committee
• Types of Risk Management
• Risk of Too Much Management
• Risk Management Frameworks
• Do or Not Do. There is no Try

Page 4: Risky Business

Restricted Access

Evolution, Revolution or Anarchy

Page 5: Risky Business

Restricted Access

Evolution, Revolution or Anarchy

Secrets

Page 6: Risky Business

Restricted Access

Evolution, Revolution or Anarchy

Secrets Protection

Page 7: Risky Business

Who is Responsible for IT Security?

Not My Job

CFO

IT Security

Network Manager

CIO

Dir IT

CEO

Page 8: Risky Business

Please Stop Calling it Information Security

Information Security depends on Policy.

1. Information Security: Usually in the IT department, with no visibility into business practices. Revolves around the Information Security Policy and one of several InfoSec frameworks.

2. IT Risk Management: Without direct involvement with all stakeholders you can't allocate resources or determine what to protect and why.

Sample Risk Management Matrix

Page 9: Risky Business

Risk Management: It's Everyone's Job

Chief Risk Officer (CRO)

Executive
Operations
Information Technology
Legal
Finance
IT

1. Retail: Add in LOSS PREVENTION
2. Marketing: PR for when things go wrong

Page 10: Risky Business

Risk Management Steps: From here to there and back again

1. Business Impact Analysis: What will it cost us? Needed for DRP and BCP also.
2. Identify Risks: Governance, Risk, Compliance
3. Prioritize Mitigation: Budget, Business Impact, Legal
4. Fund Failure: It will happen. Decide what to do before it happens.

Page 11: Risky Business

Sample Risk Management Matrix: LIKELIHOOD x CONSEQUENCES

LIKELIHOOD: How likely is the event to occur?
CONSEQUENCES: What is the severity of injuries / potential damages / financial loss?

Likelihood bands:
  Almost certain - Expected in normal circumstances: 100%
  Likely         - Probably occur in most circumstances: 10%
  Possible       - Might occur at some time: 1%
  Unlikely       - Could occur at some future time: 0.1%
  Rare           - Only in exceptional circumstances: 0.01%

Consequence bands:
  Insignificant - No injuries, no environmental impact, < $1,000 damage
  Minor         - Some first aid, low environmental impact, < $10K damage
  Moderate      - External medical, medium environmental impact, < $100K damage
  Major         - Extensive injuries, high environmental impact, < $1MM damage
  Catastrophic  - Death/major injury, toxic environmental impact, > $1MM damage

Risk rating (row = likelihood, column = consequence):

                  Insignificant  Minor     Moderate  Major     Catastrophic
  Almost certain  MODERATE       HIGH      HIGH      CRITICAL  CRITICAL
  Likely          MODERATE       MODERATE  HIGH      HIGH      CRITICAL
  Possible        LOW            MODERATE  HIGH      HIGH      CRITICAL
  Unlikely        LOW            MODERATE  MODERATE  HIGH      HIGH
  Rare            LOW            LOW       MODERATE  HIGH      HIGH

Page 12: Risky Business

Types of Risk Management: There is more than one way to go bankrupt

1. Enterprise Risk
2. Operational Risk
3. Regulatory and Legal Risk
4. Financial Risk
5. Unknown Risk

Where does Information Risk Management fit?

Page 13: Risky Business

Operational Risk

Operational risks exist in every organization, regardless of its size, in any number of forms including hurricanes, blackouts, computer hacking, and organized fraud.

Types of Risk Management

Regulatory and Legal Risk

International, Federal, State, Local, Legal and Industry Specific: Safe Harbor, GLBA, SOX, Sarbanes-Oxley, HIPAA, PCI

Financial Risk

The loss of key resources like funding through Credit Risk, Investment Risk, Liquidity Risk and Market Risk

Enterprise Risk

Enterprise risk management (ERM) is a framework to reduce earnings volatility through a robust risk governance structure and strong risk culture, supported by sound risk management capabilities.

Unknown Risk

“There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don’t know. But there are also unknown unknowns. There are things we don’t know we don’t know” Donald Rumsfeld

Page 14: Risky Business

Harvard Business Review, June 2012

1. Preventable Risks
• Risks that can be controlled
• Employee misconduct
• Unauthorized, illegal
• No strategic benefit
• Manage pro-actively
• Monitoring processes
• Guiding behaviors
• Rules-based compliance

2. Strategy Risks
• Must Accept Some Risks
• Lender Accepts Risk
• R & D Spending
• Not inherently undesirable
• Higher Reward - Higher Risk
• Rules-based won't work

Requires a risk-management system designed to reduce the probability that the assumed risks actually materialize and to improve the company's ability to manage or contain risk events should they occur.

3. External Risks
• Beyond Company Control
• Natural Disasters
• Political Disasters
• Economic Disasters
• Can't prevent them
• Can't predict them
• Focus on identification
• Plan:
  • Business Impact Analysis
  • Disaster Recovery Plan
  • Business Continuity Plan
  • Insurance

Page 15: Risky Business

Working With Risks

Enterprise Operational Regulatory Financial

Strategic Risks

Preventable Risks

External Risks

Acceptable Risks

Page 16: Risky Business

Page 17: Risky Business

IT Risk in the Risk Hierarchy: Where IT fits in

Enterprise Risk
  Strategic Risk
  Environmental Risk
  Market Risk
  Credit Risk
  Operational Risk
  Compliance Risk

IT-related Risk
  IT Benefit/Value Enablement Risk
  IT Program and Project Delivery Risk
  IT Operations and Service Delivery Risk

IT risk is a component of the overall risk universe of the enterprise. In many enterprises, IT-related risk is considered to be a component of operational risk, e.g., in the financial industry in Basel II. However, even strategic risk can have an IT component to it, especially where IT is the key enabler of new business initiatives.

The same applies for credit risk, where poor IT (security) can lead to lower credit ratings. For that reason it is better not to depict IT risk with a hierarchic dependency on one of the other risk categories, but perhaps as shown in the example given.

Page 18: Risky Business

Working with Risks

COBIT 5 for Risk

Page 19: Risky Business

IT Risk Frameworks

NIST 800-37

Page 20: Risky Business

IT Risk Frameworks: ISACA's RISK IT Framework

Risk IT Principles:
• Connect to Business Objectives
• Align IT Risk Management With ERM
• Balance Cost/Benefit of IT Risk
• Promote Fair and Open Discourse
• Establish Tone and Accountability at the Top
• Function as Part of Daily Activities

Page 21: Risky Business

IT-related Risk Management

Risk IT is not limited to information security. It covers all IT-related risks, including:

• Late project delivery
• Not achieving enough value from IT
• Compliance
• Misalignment
• Obsolete or inflexible IT architecture
• IT service delivery problems

Page 22: Risky Business

Two choices

You take the blue pill – the story ends, you wake up in your bed and believe whatever you want to believe.

You take the red pill, … you stay in Wonderland, and I show you how deep the rabbit-hole goes.

This is your last chance ... After this, there is no turning back.

Page 23: Risky Business


Page 24: Risky Business

Running with Scissors: Why RISK is Good

Page 25: Risky Business

Risk of Too Much Management

• What major systemic failure can you think of in Security and Privacy?

• Where has too much Security eliminated Privacy and did nothing for Security?

• Have you experienced too much security?

Page 26: Risky Business

$93 Billion Dollars spent since 2001

Page 27: Risky Business

Where to put priorities

• Identify
  • Risk Assessment
• Likelihood
  • Logs
  • Security Alerts
• Consequences
  • Business Impact Analysis
  • Data Valuation
    • Unavailable
    • Modified
    • Exfiltrated
  • Data Classification
    • Public
    • Private
    • Classified
• THEN AUDIT

Page 28: Risky Business

Where to put priorities

• Exfiltrated Public Data
  • State Code DB
• DoS Ketchup Formula
• Corrupt ICBM Codes
• 40MM Dumps with PIN
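The four scenarios on this slide are the kind of input the Page 11 likelihood/consequence matrix and the Page 27 "Identify, Likelihood, Consequences, then audit" sequence are meant to rank. The following Python is an added example and is not code from the presentation: the likelihood bands, damage ceilings and cell ratings are transcribed from the Page 11 matrix, while the per-scenario probability and damage numbers, the Scenario class, the function names and the expected-loss tie-break are constructed assumptions of this example. It goes one step beyond the slide by mapping arbitrary probability and dollar estimates into the bands (rounding up to the more conservative band) before the lookup, so the same code ranks any risk register expressed as estimates.

```python
"""Score and rank IT risks on the deck's 5x5 likelihood/consequence matrix.

Added example, not code from the presentation. Bands and cell ratings come
from the Page 11 slide; the scenario estimates below are constructed.
"""
from dataclasses import dataclass

# Likelihood bands with the annual probability the slide attaches to each,
# ordered from most to least likely.
LIKELIHOOD = [
    ("Almost certain", 1.0),    # expected in normal circumstances
    ("Likely", 0.10),           # probably occurs in most circumstances
    ("Possible", 0.01),         # might occur at some time
    ("Unlikely", 0.001),        # could occur at some future time
    ("Rare", 0.0001),           # only in exceptional circumstances
]

# Consequence bands keyed by the damage ceiling (dollars) the slide gives.
CONSEQUENCE = [
    ("Insignificant", 1_000),
    ("Minor", 10_000),
    ("Moderate", 100_000),
    ("Major", 1_000_000),
    ("Catastrophic", float("inf")),   # "> $1MM damage"
]

# Cell ratings: row = likelihood, column = consequence (same order as above).
MATRIX = {
    "Almost certain": ["Moderate", "High", "High", "Critical", "Critical"],
    "Likely":         ["Moderate", "Moderate", "High", "High", "Critical"],
    "Possible":       ["Low", "Moderate", "High", "High", "Critical"],
    "Unlikely":       ["Low", "Moderate", "Moderate", "High", "High"],
    "Rare":           ["Low", "Low", "Moderate", "High", "High"],
}
RATING_RANK = {"Low": 0, "Moderate": 1, "High": 2, "Critical": 3}


def likelihood_band(annual_probability: float) -> str:
    """Map a probability estimate to the lowest band whose probability is
    at or above it, so an in-between estimate (5%) rounds up to "Likely";
    anything below 0.01% still counts as "Rare"."""
    if not 0.0 <= annual_probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    for label, threshold in reversed(LIKELIHOOD):   # check "Rare" first
        if annual_probability <= threshold:
            return label
    return LIKELIHOOD[0][0]   # not reached for valid input (1.0 matches above)


def consequence_band(damage_dollars: float) -> str:
    """Map an estimated dollar loss to its band using the slide's "<" ceilings."""
    if damage_dollars < 0:
        raise ValueError("damage must be non-negative")
    for label, ceiling in CONSEQUENCE:
        if damage_dollars < ceiling:
            return label
    return CONSEQUENCE[-1][0]


def rate(annual_probability: float, damage_dollars: float) -> str:
    """Return the matrix rating for a (probability, damage) estimate pair."""
    row = MATRIX[likelihood_band(annual_probability)]
    columns = [label for label, _ in CONSEQUENCE]
    return row[columns.index(consequence_band(damage_dollars))]


@dataclass(frozen=True)
class Scenario:               # hypothetical record type for this example
    name: str
    classification: str       # Public / Private / Classified (Page 27)
    impact: str               # Unavailable / Modified / Exfiltrated (Page 27)
    annual_probability: float # constructed estimate
    damage_dollars: float     # constructed estimate


def prioritize(scenarios):
    """Rank scenarios by matrix rating, highest first; expected annual loss
    (probability x damage) breaks ties. The tie-break is this example's
    addition, not part of the deck's matrix."""
    def key(s):
        return (RATING_RANK[rate(s.annual_probability, s.damage_dollars)],
                s.annual_probability * s.damage_dollars)
    ranked = sorted(scenarios, key=key, reverse=True)
    return [(s.name, rate(s.annual_probability, s.damage_dollars)) for s in ranked]


# The four scenarios Page 28 lists, with constructed probability/damage
# estimates chosen only to illustrate the scoring.
SCENARIOS = [
    Scenario("Exfiltrated public data (state code DB)", "Public", "Exfiltrated", 1.0, 500),
    Scenario("DoS against the ketchup-formula server", "Private", "Unavailable", 0.10, 50_000),
    Scenario("Corrupted ICBM codes", "Classified", "Modified", 0.0001, 5_000_000),
    Scenario("40MM card dumps with PIN", "Private", "Exfiltrated", 0.01, 50_000_000),
]

if __name__ == "__main__":
    for name, rating in prioritize(SCENARIOS):
        print(f"{rating:9s} {name}")
```

With these estimates the public state-code database lands at Moderate even though exfiltration is near certain, because the consequence band is Insignificant, while the card dumps rank Critical; this is the slide's point that data classification and business impact, not the mere fact of an incident, decide where the budget goes.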

Page 29: Risky Business

Business Impact Analysis

Data Valuation / Data Classification

Data Breach / Profitability

BCP / DRP / RISK IT

BIA

Missing Backup
Internet Outage
Power Outage

Page 30: Risky Business

Responsibility

1. Executive Management (go to www.hotjobs.com)
2. Start to work: Partner with other departments
3. Without a destination, any path will do.

Page 31: Risky Business

New Platform, Old Mistakes

Keep doing the same thing hoping for different results

• Join InfraGard http://www.infragard.org/
• Join ISACA http://www.isaca.org
• Join ISSA http://www.issa.org
• Presentation: http://slidesha.re/1H0uVSL
• Learn about RISK IT and COBIT
• Training / Certifications: CISSP, CCISO, CRISC

Page 32: Risky Business

Risky Business: Where to get Help

Risk Management Programs
• Build your IT Risk Management Team
• Help Management Implement RISK IT
• Training
• Web App Assessment
• SDLC Review
• IT Risk Assessments
• Retained CISO

@scheidell / 561-948-1305 / [email protected] / http://www.securityprivateers.com

Call to set up an appointment for initial review