WISEGATEIT.COM
Geek Speak for the C-Suite
HOW TO EFFECTIVELY
COMMUNICATE SECURITY
RISKS TO THE BOARD
with insights from Brian O’Hara, ISO, Do It Best Corp
Dear Wisegate,

I have an important board meeting approaching. I’ve been asked to provide a status update outlining the assessment of my company’s risks. How do I best communicate my risk assessment to the very nervous, and not very IT savvy, board while also shielding myself (and the future of my job here) from their resulting anger or nerves?

Sincerely,
Wisegate member in a tough spot

Dear “in a tough spot” Wisegate member,

This question is all too familiar. Wisegate member Brian O’Hara, ISO at Do It Best Corp, recently held a roundtable with senior IT professionals to address the difficulties of communicating with senior company executives. The driving force behind much of infosecurity today is risk management. But in order to manage risk, CISOs need to explain that risk to Business management, and that is not easy.

“Believe me,” O’Hara, the roundtable presenter, said, “[Senior executives] understand risk extremely well - they just don’t always understand the geek-speak that we use when we talk to them about IT-related risk, PCI risk, or compliance risk.”

In these meetings, two mistakes often happen: IT professionals are blunt where they should be diplomatic, and they present the risk without proposing a solution.

The truth is, IT security teams have to learn the language of the Business, because the Business doesn’t understand the geek-speak of security. Learning to communicate effectively with the C-suite makes IT professionals more confident in answering questions like “Are we safe?” and, in turn, more secure in their positions.

Based on the roundtable discussions led by O’Hara, we’ve put together a list of tips to help you communicate confidently with the C-Suite.

Best of luck,
Wisegate
Understanding Risk Management

WHERE DOES RISK ORIGINATE?
Risks can come from uncertainty in financial markets, project failures (at any phase of the design, development, production, or sustainment life-cycle), legal liabilities, credit risk, accidents, natural causes and disasters, deliberate attack by an adversary, or events of uncertain or unpredictable root cause.

WHAT ARE THE STANDARDS FOR MITIGATING RISK?
Several risk management standards have been developed by bodies including the Project Management Institute, the National Institute of Standards and Technology, actuarial societies, and ISO. Methods, definitions and goals vary widely according to whether the risk management method is applied in the context of project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety.

risk man·age·ment
noun
(in business) the identification, assessment, and prioritization of risks, followed by the coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events, or to maximize the realization of opportunities.
Step One:
Understand Your Company’s Risk Tolerance

Understanding the board’s risk tolerance is important to finding the right level for communication. This is harder, of course, if the board itself isn’t aware of its own tolerance. Often, neither side realises that the company in fact has a very high risk tolerance.

WHAT IS RISK TOLERANCE?
The degree of variability in investment returns that an individual is willing to withstand. Risk tolerance is an important component in investing. An individual should have a realistic understanding of his or her ability and willingness to stomach large swings in the value of his or her investments. Investors who take on too much risk may panic and sell at the wrong time.
That is the investing definition. For security purposes, read it as the amount of loss, whether financial, operational or reputational, that the board is prepared to accept rather than spend money to avoid.

Step Two:
Identify Who Owns the Risk

The real answer is the board of directors. If there is no board, then it falls on the CEO.
The board also owns the risk of its subsidiaries. If a subsidiary is breached and sued, the lawyers will come after the part of the company with the deepest pockets, and that will be the parent company. Security is often the bearer of bad news, and how that bad news is presented is a critical part of whether the messenger gets shot or praised.

CATEGORIES OF RISK:
• Operational/Transactional
• Compliance
• Financial
• Reputational

TYPES OF RISK:
• Inherent
• Identified
• Unidentified
• Acceptable
• Unacceptable
• Residual
Step Three:
Explore Risk Management Frameworks

One of the hardest decisions for security professionals is selecting a risk management framework. Most executives don’t know or care about the differences between the ISO, NIST and COBIT frameworks. What the Business is interested in is the bottom line: what makes me money, what costs me money, and how scary is this?
For security professionals, the question is which framework will most easily help you get the job done, and whether it does that job well.

RISK MANAGEMENT FRAMEWORKS:
• NIST SP 800 series – Federal
• DHHS – Health Care
• HITRUST – Healthcare and PCI
• ISO 31000 – International
• Risk Management Framework (FISMA) – Federal
• COBIT 5 – IT governance (ISACA), common in financial services

Step Four:
Identify Topics of Most Interest to Executives

When talking to the C-suite, it is important to understand where their priorities stand.

RISK MANAGEMENT
The Business may have a proprietorial attitude towards risk management. It originated in the financial world, which the Business understands, but is now being explained by the security world, which the Business does not understand. This is aggravated when the board is suddenly presented with a huge and expensive risk that it does not understand.
Ultimately, the C-suite wants to ensure their name doesn’t appear on the news.
Step Five:
Create Solutions, Not Problems

ARE WE PROTECTED?
What the Board really wants to know is that the company is safe, which makes the answer to ‘Am I safe?’ very tricky. Think this through in advance of being asked. Be mindful how you answer the question, as it can get you fired, or it can get you promoted.

HOW DOES IT IMPACT THE BOTTOM LINE?
Financial risk is readily quantified, while security risk is much harder to quantify. Take BYOD as an example: as a security professional, you know how many devices are connecting to your network. How do you quantify the risk associated with that? It is extremely difficult, if possible at all.
At the end of the day it’s about money and operations, and executives are in business to make money. This provides a perfect opportunity to launch into a discussion about risk management strategies that reduce risks to acceptable levels.
This is where the true hard work begins. Instead of sparking fear, uncertainty and doubt, earn respect by presenting a strong plan that aligns with the overall business strategy.
A successful pitch will highlight what you’ve been able to do with other projects. When you can show executives a track record of problems and solutions, it establishes trust with the team.
Don’t forget to:

SEEK TO UNDERSTAND, THEN TO BE UNDERSTOOD
People approach the C-suite with problems all day, often without solutions. Try to understand their problems before you try to get them to understand yours.

BE PREPARED AND EXPLORE OPTIONS
Do your homework and explore other options. Research three to five options and be ready to explain what the differences are, and the pros and cons of each. If you are only prepared to push your own cause, you won’t get very far.
It’s a security professional’s job to stay focused on fixing the problem, and to remain open and flexible in considering multiple solutions.

Summary
The bottom line is that the board wants to know if it is safe. It neither understands nor cares about firewalls, data leak prevention, and zero-day threats; it just wants to be safe. Security needs to think long and hard about how it is going to answer that question. That requires understanding the Business: its risk tolerance levels, its commercial position, and the board’s business and personal motivations.
Make the board’s problems your own problems and then solve them. Research and create solutions that will earn you your own job security. That’s what effective risk management is about.