A simple path & "outcomes-based" model towards fixing what's wrong with the "Security Industry" and maximizing success in your risk management program.
This deck is from a talk I gave at the 2018 PEER150 National CyberAttic series. It sets out a simple model and some key points to consider when analyzing how to improve a risk management program. I look forward to engaging with the wider global community with questions and/or comments. Thank you.
2. Words have Meaning
We can't "Secure" anything, so we should stop telling people we can.
3. We Identify, Analyze, Communicate, & Manage Risk
There is a false sense of "security" within leadership teams and Boards – Why?
∎ The term "security" carries a lot of baggage that must be overcome
∎ The function has become an uneducated "consumer" of industry marketing
∎ The function suffers from cognitive bias, bureaucratic competition, and a tendency towards "success theatre"
5. Seek first to understand, then to be understood
- Dr Stephen R Covey, The 7 Habits of Highly Effective People
6. $7,000,000 - $3,860,000
1:4 Average chance of experiencing a breach
That's a lot of money, but is it really?
- Ponemon Institute, Calculating the Cost of a Data Breach in 2018, the Age of AI and the IoT
7. Asking Why?
Understanding assumptions and revealing bias will define: requirements, resources, priorities, synergies, and risk.
Understanding The Value-Proposition
Identify the Elemental Problem
Do we need an autonomous laser-guided subterranean mining robot or do we just need a hole dug?
How does this Increase the Margin?
Everything we do should increase the Margin by reducing cost, enhancing productivity, increasing revenue, or reducing Loss. Have
8. Simplify
Translating complex, ambiguous situations into clear, concise, relevant stories with actionable recommendations is your single most important responsibility.
Transparency & Managing Expectations
Explain Capability & Limitation
Risk Management is highly complex and we never have all the information we want. Identify what you know, what you don't, what you can do & how you will manage the gaps.
9. Relationships
We will only be successful by acting by, with, and through our employees and partners.
Sensors
12. User Experience
Culture & Social Expectations
Whether we want to admit it or not, we are all competing against Amazon & Uber.
Work-arounds & Shadow IT
Understand what a user (or business) needs to do and make it easier for them to do it while managing risk.
Risk Management
Solutions should focus on creating visibility, proactive analytics, and comprehensive audit; not controls.
13. Reality
What is actually going on in your environment; not what it was designed to do and not what you think is going on.
Mapping