
Hi everybody, I'm Rachel Indra and I'm here to talk to you about risk. And here is sort of the obligatory bit about why you should listen to me. I'm a risk enthusiast; I get really happy about talking about risk. Roman can tell you... he didn't even... he came from... or, I don't understand. I'm not a risk expert. I've been working in information security for 14 years and nine of them have been in risk. I've got the usual alphabet soup of certifications. I'm currently working as a security strategist at Leviathan Security Group, which is pretty great because it means I get to talk about risk all day. So here's what we'll be doing, and here's sort of like how long stuff will take, hopefully.

So who here really likes risk? I know, right. And who really hates it or thinks it's stupid or whatever? Come on. Sometimes? Okay, good. This talk is really for that, because I think that most of the reason people really hate risk is that it's so often so dumb. It's often done pretty badly. Have you ever seen the thing where, say, ops'll refuse to patch a server, and then it'll get owned, and then they're like "information security, why didn't you fix that?" They're like "we told them it was a risk," but we're left holding the bag on the risk. Effectively we're the ones signing off on all the risks whether we want to or not. How many of you have seen this? Yeah, yeah. Isn't that the best part of InfoSec? Yeah, I get a lot of nods. I think you're all being sarcastic. What do you think?

You know, this whole talk is about stopping that. After this talk, hopefully you'll know what risk is good for, know what a decent risk management program would actually look like, be able to set up a good-enough program cheap, which is kind of important when you're really small, be able to do a pretty simple risk assessment, and know what documentation will get you through an audit. The goal here is: to your auditors, drown them in documentation, and hear the lamentations of your regulators. Right now everything
is risk-based. It's this sort of fairy dust that we sprinkle over everything whether or not it has anything to do with actual risk. The auditors want it, the regulators want it, the frameworks want it, the customers want it, the fake will don't want it, marketing wants it, employers want it. I see so many resumes that talk about how much risk stuff they've done, and it's like, I'm looking at this and like, you're a mid-level Tivoli administrator, you have never touched risk, sorry. You know, I honestly think this is one of the unsolved problems in information security. We can't do risk at small scale. We can't figure things out, we can't identify problems cleanly and get them fixed before they get really entrenched. This is like super technical debt. A Minimum Viable Product, getting something working, rarely includes security or risk, and all these invisible risks just add up.

Part of the problem is we have a lot of confusion about terms. Ask three people in security what risk is and you will get five answers, if you're lucky; you might get more. Here are the terms I'm gonna use. They're straight out of FAIR, which we'll talk about later. It's possible if not likely that I will mess this up myself, even though I've been living and breathing this stuff for ten years. It's actually pretty hard to keep it straight, because the way the language works is sloppy: a risk is a
threat is a vuln is a whatever. So what's risk? In this talk we're gonna go with: the probable frequency and probable magnitude of future loss. An asset: something of value. Frequency is how often a loss may occur within a given time frame, and that's a little bit different from likelihood, because likelihood, what does that mean? Is it likely in the next ten years, or is it likely in the next millennium? Qualitative risk is expressed in words like rare, medium and well done. Gotcha. Quantitative risk is expressed in numbers, dollars per timeframe in our case. A threat is something that may act to cause a loss. A threat event is the thing the threat does that may cause that loss. A vulnerability is a weakness that may allow a threat to cause a loss, and in this case our backup generator has escaped into the wild, you know, it's making a break for it, we don't have backup. Here's a loss event, the specific loss, and here is a secondary loss event, which is the reputation damage after our specific loss.

So why have a risk management program? For most places the answer is compliance. That's necessary, but it's not sufficient. Your program won't work if nobody cares. Binders full of auditor bait do not excite anyone, or at least not anyone I know; they don't really help the business. So what are real reasons for this? Your customers' vendor security
questionnaires are probably gonna ask about risk: do you have a risk management program? That makes for easier sales if you can say yes and mean it. You know, the whole point is being able to make better decisions. It helps enable long-term planning. It helps you decide which risks to outsource, like, say, you know your core business has nothing to do with payment processing, so maybe you want to just skip the whole PCI thing and send it to Stripe or Square or whoever. And finally, you can fix the really dumb thing the co-founder likes that's gonna cause problems later. They really like it, but let's fix it early.

The usual risk management advice assumes that you've got a lot of staff, and I'm telling you, we're not cheap; you've got some expertise; you may or may not have some expensive tools; and you have lots and lots and lots of time. And then there's the thing where they don't actually list this as something you need, but you're trying to do it: the organizational maturity. I don't mean just in the capability maturity model sense of, you know, you have a process, you're aware of the process, and the process works and stuff happens. There's also the not having the same freakin' conversation about what is risk over and over and over again, and the same conversation about whether you can do information risk and information security with an intelligent adversary. Have you all heard this conversation? Yeah, I'm friggin' tired of it, you know. Give up, please. You know, and then there's the problem where those who are responsible for the risks are also accountable for them. If you don't have all of those, your risk management program is gonna have a hard time.

The current options for small and immature organizations are: hire consultants. We like this option, we think that you should do it. There's Chad over there, my boss was at Hacker Pyramid, you know, we would love to help you. If you get other consultants you might get something that looks a lot like the lots-of-time-and-staff-and-expertise, and
maybe it's too much for your organization. You may get a control deficiency audit risk assessment. This is not a risk assessment; it's just a list of all the controls that they think you ought to do that you aren't, and maybe there's a good reason you aren't, but you're still gonna get dinged for it. This is also the other best thing about InfoSec, right? Yeah. And sometimes you get these like 800-page risk assessments. Has anyone never seen an 800-page risk assessment? You know, and you had like thousands of low risks and a few medium ones and one high one, and that was like super actionable and super helpful, right? Yeah. If you're in HIPAA there's the HealthIT.gov security risk assessment tool, and the only reason I mention this is I do recommend taking a look at it so you can see what an auditor would have to pass. The bar is low, my friends, you know. And then there's what most of us do: we kind of give up.

We need something better. We need something that passes the audit. Okay, that's necessary but it's not sufficient. We need something that's actually useful. We need something that's inexpensive if we're at a small scale, because we're not gonna have a ton of money to throw at this necessarily. And it would be nice to have something that scales all the way up and all the way down, because changing how you handle risk in an organization is basically a pretty big deal, or an organizational transformation project. How good is information security at spearheading organizational transformation projects? Yeah, maybe not so much.

So this is all my boss's idea. You might have heard of James Arlen; he does Hacker Pyramid, it's really great. I'm the minion that built it out. We're using a hodgepodge of different resources. Don't worry about writing it down, because there's a handout soonish. And the big players are Factor Analysis of Information Risk, Binary Risk Assessment, the Canadian Harmonized Threat and Risk Assessment methodology, because the Canadians are the best, and the Australian risk management standard. The basic plan, and we're going
to go through it in detail in a minute: decide on scope, inventory assets and owners, sort the inventory by granularity, perform a binary risk assessment, asset owners decide on the treatment for low and medium risks, senior leadership reviews all the risks and decides on the highest, and then you document, document, document.

And now for our actual program. And you guys, I totally nailed that timing, I totally did, I'm very excited. So our first step is deciding on the scope. Are you gonna be audited? That's your scope. Are you subject to some kind of regulation, or have you signed contracts? That's your scope. Do your customers want you to protect their stuff? That's your scope. Do you want to protect your stuff? That might be your scope. But we do recommend that you kind of start small and grow. It would be nice to do everything; eventually you'll do everything, but get things running before you try to do everything, if you can. If everything's in scope then, you know, you're just gonna have to cope.

Then you inventory the assets and the owners. All I can say is that, yes, this is hard. This is something that we have been yelling about for a really long time: you need to know what you have anyway. This is one of those things where I'm kind of hoping that an extra reason for doing this, you know, more compliancy, more whatever, will help get it done. But this is something where, you know, leadership skills: have them.

The next thing you do is you sort the inventory by granularity, and this is a bit that we're stealing from the Canadian Harmonized Threat and Risk Assessment methodology, Appendix B, by the Royal Canadian Mounted Police. That's what makes it great. And why are we doing this? We're doing this because you don't want to do that thing where you're comparing all of your servers to that one desktop running XP or whatever that you have to have because you've got, you know, a million-year-old MRI that doesn't work with anything else, or, I don't know, sometimes you gotta have it. A
number of risk management programs are going to have you classify your assets by confidentiality, integrity, availability sensitivity. That gets really hard to do. Other ones start talking about classifying your assets by business continuity criticality, or maybe sort of a presumed impact, and I think that's a bad idea, because impact is also something you consider in your risk assessment, and then you're sorting your assets by that, and you get really recursive and really confused really fast. We're going with scale, because it's a lot easier and it also changes a lot less. You know, if you're doing a database, you know, suddenly your database can go from having not very high impact to having all of your PCI data; that would kind of suck, but it's still database-sized, you know.

And here are some granularities. I literally just took them from the back of that appendix; it's all written out there. You can adjust it for your organization, we're not saying you have to do it this way, but it's just a start. So: tangible assets on a high level, and then break it down, and, you know, you've got your data, you've got your hardware, you've got your software, you've got your facilities. And then you break it down a little more and you're looking for, you know, the personal data, or your network components, or, you know, your buildings. And you break it down more and you've got data centers, or all your Windows 10 operating systems, or all your firewalls. And you break it down more and you've got specific credit card data, the specific iOS tablets that all your doctors are using, or, you know, whatever all your execs are using, specific buildings. And just, if you break stuff down, that helps you so you don't do that thing where you end up comparing a data center to, you know, some handwritten notes that someone's likely to take.

And then you do something called Binary Risk Assessment. It was made by Ben Sapiro. It's online at binary.protect.io. It's Creative Commons licensed, it's free, you can use it commercially, it's fast, it's transparent, it's pretty compatible with
other stuff, and it doesn't... okay, so no training required. We'll be done by the end of this talk, so it's minimal training is required. So using Binary Risk Assessment as part of a program can be a little weird, because there's not a lot of talk about this; it was really just discussed as a point kind of thing, to do a point assessment. But if you start at that subgroup level, like Windows 10 or your tablets, and just sort of work out: you pick an asset, you think of a probable scenario, not your movie-plot threats, you know, a probable scenario around some kind of phishing, something like that. You need to do multiple assessments per asset, and because you can do them so fast, seriously, they take like five to ten minutes, you can get in a lot of practice and you can do multiple assessments per asset. And the reason for this is binary really only focuses on one narrow scenario at a time. That's also part of the reason, when I first encountered risk stuff, my brain kind of exploded, because it's like, well, this thing is really vulnerable to phishing but it's not really vulnerable to viruses or whatever, you know. And so you consider multiple assessments when threats don't have the same objectives: nation-states are going to have a different objective from criminals or from hacktivists or whoever. The threats don't have the same capabilities: nation-states versus kiddies versus squirrels, you know. Or the threat events differ: ransomware versus whatever can yield very different effects.

And so here's a little philosophical segue. It's important for doing risk: what's the purpose of doing all this risk assessment? I have an opinion on this and so does the program I'm outlining, so if you've got a different opinion and you want to use this program, you need to, like, just agree to disagree. When you're doing a lot of risk assessment you probably are not the person who actually gets to be the decider. I cannot force people to patch their servers. I can encourage it very strongly, you know; if needed I can run it up the chain and make sure their management
knows they're not patching their servers and what that problem is, but I cannot make them do it. It's also not terribly helpful to think that the only purpose for this is convincing other people that we're right. People get to disagree, you know. If you're really, really invested in being right all the time, you probably aren't going to get much done. So that's my little philosophical discussion.

The next step is the asset owners decide what to do about the low and medium risks. You've got all your assets with their owners. These are the people responsible for them, these are the people who can patch or not. Make them sign off that they're doing it; make them sign off that they understand, hey, this is a risk. If it's a low or medium risk you have to let them make the wrong decisions. You know, if it's a real problem, run it up the chain, but you have to let them make the wrong decisions. You cannot force them to do stuff they don't want to, you know. Stand by those decisions. But we don't want to let them go either, and that's why we end up with this really awful tug-of-war, with them saying "no, not gonna patch" and us saying "well, you have to" and them saying "no, not," and then everybody else saying "well, information security, why'd you let that happen?" You know, we never gave it up. This is another thing where, you know, you want leadership skills, and it's probably the hardest part of any risk management program.

So there are four basic ways to treat risk. You can avoid it: we're not saving that data in the first place, so we're not saving those pictures of the internal map of your house anywhere, so there's no chance we're going to sell them to anyone who wants that map of your house. You've all heard about the Roomba? Yeah, yeah. Don't save it. You can mitigate it: you can add controls that reduce the possibility of something happening. Good examples of that are two-factor authentication, network segmentation, stuff like that. You can transfer it by outsourcing to Square, Stripe, like I talked about before, or
buying cyber insurance. Read your contract really carefully if you do that, kids, you know. And then there's accept: by having someone at the right level agree that the organization is okay covering any losses. That's what it means to accept a risk. So what's the right level to sign off on a risk? It's kind of best to think of it like purchasing power: I can sign off on $200, you can sign off on $2,000,000, and anyone can sign off on, what, $2,000, meh, something like that, you know. This is actually really hard to figure out when you're just starting, if you don't already know what risks you have or what they look like or what they feel like. I mean, honestly, most people go by feel after a while, you know. You don't know where to draw that line. A lot of programs want you to do it ahead of time; they call it risk appetite. That's the amount of loss exposure you're willing to run as a cost of doing business. It's really hard to figure out, and it's also something that, if you try to figure it out in advance, you get really kind of wrapped up in abstractions, and you get really bored with the topic before you've even gotten to any useful decisions. So what I'm saying is: just draw a line, change it later when you need to, because even if you figured out something beforehand, you'd get annoyed and you'd still have to change it later.

The next step is you get a batch of these low and medium risks that have been signed off on at the appropriate level, and you get any high risks that you found, and you bring them all to senior leadership and throw them at them and say, "here, you deal with it." That's how it works, right? Now the senior leadership will review the low and medium risk decisions to know the context. This means that they can talk with people about the quality of their risk decisions, although this is also something to be careful of, because you really still have to work with people
later, you know. Crazy talk, you know. And then the senior leaders decide on the high risks. You still have to let them make wrong decisions. Your role here, in this particular program, is to identify problems and persuade. Another thing to keep in mind is that more high risks doesn't necessarily mean riskier assets. That's kind of a factor of how we've broken down our assets in the granularity step and how many scenarios we thought up. And risk aggregation is kind of a next-level thing that almost no risk management program does well, and this doesn't do well until the end, when you've got a lot of trained people who have learned to do it and are spending money.

And then the last step is document all the things, so you can drown your auditors in artifacts.

So this is the point where, please pass around the handouts, we are going to do a risk assessment. Are you excited? You're not sounding very excited. [Laughter] Yeah, no, if we run out please share, make friends, talk to people, I know it's hard.
So at 2:40 sharp we're gonna end, because I have to finish it, but I'm pretty sure I can finish by then because I've nailed the timing twice now. It's very exciting. All right, so the thing about Binary Risk Assessment: it's a series of ten questions about a given asset and scenario. You don't necessarily need to be a risk expert or a security expert in order to answer them. It's fast enough that you can do more than one for each asset, which you need to do, since you usually think of more than one reasonable scenario. What asset do we want to assess? We've actually got enough time that we can do several. I'll take suggestions, or we can assess a Windows 7 user desktop. Okay, I'm not seeing any burning suggestion, so let's just go with it. And what kind of scenario do we want to assess? Again, suggestions, or we can talk about ransomware. Sounds good. All right, I can do... um, wait for the microphone. Sorry, I can't hear you at all.

[Audience] Okay, so for the Windows 7: my wife is a controller at a company, so she accesses the bank information for the company. I think, how would that fit into this?

Um, can we work through it first? Thanks.

[Audience] Would that be part of this risk assessment?

Let's work through it. Okay, so if you look at your little binary work card, it's a very colorful slide, you know, stop reading Alec's sentence blog post. So, Windows 7, ransomware. Can a ransomware attack be completed on Windows 7 with common skills? Yes? No? I'm not hearing any nos. It's up to you personally. I mean, the thing is, these questions will help you argue with the business, okay, they're
like, what's a common skill? Why is this common, or why is it not? This gives you a framework for talking about things, so you get to decide for yourself what it is, you know. So, and that's a perfectly reasonable thing to say, and if you notice, most of the people in security said yes, I think because you can download it from Exploit-DB. Yeah. And if you look, Michael Roytman from Kenna.io has talked about how the likelihood of an exploit being actually used in the wild and actually causing problems: CVSS has nothing to do with it; whether it's in Metasploit or Exploit-DB does. So when you go back to your team you can talk with them and say, "hey, yeah, I know that your guys can't do this, but anyone in the world who can download this can do it." Does that make sense? All right. Then: can the attack be completed without significant resources? Yes? Any nos? All right. Then: is the asset undefended? It's a Windows 7 desktop, but it's on a little company network, and we've got a DMZ and we've got a firewall, and so, is it undefended? And that's another one where you would have this discussion, and your line of business is probably gonna look at you and say, "then what am I paying you for, if my laptop is undefended?" And there's something to have an answer about. Yeah, awesome, that will go over really well, you know. Are there known weaknesses in the current defenses? Yes, because I like my tunes, I've got a Sonos, and Sonos for Windows requires SMBv1. Yes it does. You have a Sonos too? You can... Is a vulnerability in the asset always present? It's Windows 7, I'd go with yes. Anyone? No? Can the attack be performed without meeting preconditions? Do you need something special to do that? Do you need to be there at a particular time? Do you know,
you know, I would say that there's not a lot of those preconditions here. You know, the Windows 7 machine needs to be turned on; people tend to leave them on all the time. I'm not sure that, you know, I would say yes, some, without meeting preconditions, but that's also something that you can have a discussion about, and you can actually talk about it. All right, so, like, if you followed along, where'd that land? High? Yeah. So we're high on the likelihood here.

Let's talk about magnitude, and this is where your question about the bank goes. Will there be consequences from internal sources? We've got ransomware inside, yes. Will there be consequences from external sources? Are you sure? Maybe? Yeah. And this is a yes/no thing. This is another thing where you can have a really good discussion with the business: how likely is there to be a problem that gets out? Yeah, it would depend. Like, maybe if your company has ever had a ransomware attack that got into the news, that's gonna be yes, because people will have been burned. If you haven't, you may have to argue, you may need to discuss it on the basis of other companies, you may need to cite, you know, like your friends' companies, whatever, just the history, you know. This is a framework for having discussion; it's not going to be all the answers, you know. Does the asset have or create significant business value? It's somebody's desktop. Is this worth significant, necessarily? You know, right, yeah, so maybe not. You know, on the other hand, if it's the one connecting to bank stuff and then ransomware travels, maybe. It depends on your individual circumstances, and again this is something you can have a conversation about. Will the repair and replacement costs be significant? Now,
depending, yeah, yeah, one laptop? No. The other, not, but, huh, only a Syrian baby, I have none of them. But so how did that one land on your handy little colored worksheet? And we are getting a little more "maybe" on some of them, so it might have been medium, might have been high, but you're probably coming out with a high risk around ransomware on a Windows 7 desktop, yeah. And then you can have, you know, your ops people are like, "yeah, but we don't want to upgrade, this works, this works for us, we don't need to upgrade, it costs money, besides, Windows 10 is spying on you," and it totally is, you know, "and we don't want to make this change, you know. Isn't Microsoft keeping us updated? We're not end-of-life yet." But now you have a framework for talking about the issues and working your way through it. So is this perfect? No. Is this good enough to start a conversation? Okay, that's good, because I did kind of feel like I was talking to myself a lot. I do that, you know, but me, myself and I had a great conversation; hopefully you enjoyed it as well. We have seven minutes to try and do another one. You want to do another one? Yeah? Okay.
[Audience] As we're doing this next one: so item three and four on here, I see there's like three categories of three sets of low, medium, high. How do you get between the low-low, low-low-medium, low...?

If it's... talk to me later, because I kind of need to point at the picture. Sorry, it's just, I'm not sure that'll be... I'm not going to pretend, just, I understand your question, we need to point at the picture, and it gets confusing and stuff.

[Audience] So the more complex matrix under 3 and 4, like, how do you interpret that?

Okay, there's determine likelihood, and so, yep, you get all the way to the bottom after six and you determine likelihood. Sorry, and then there's... if I'm understanding you, you're talking about the moving from 2 to 3 under determine likelihood, okay, so 3...

[Audience] Okay, I get 3. 3 and 4 is more complex; how do we interpret that?

All right, let's talk more about the original scenario instead of trying to do a new one. Can the attack be completed with common skills? Yes. Can the attack be completed without significant resources? Yes. If I'm misremembering, anybody, what we decided, just yell, you know. So yes and yes is a high. Is the asset undefended? Yes. Are there known weaknesses in the current defenses? Yes. So that's also high. So yeah, yes, yeah. So you've done the high, and then you're in that column with the high, and if it's no, no, you can go down to medium, but if it's yes, no, or yes, yes, you stay in high. And then for the next two questions, you know, the same thing. Is a vulnerability in the asset always present? Yes. Can the attack be performed without meeting preconditions? Yes. Is that making a lot more sense to people? And then you do the same thing on the impact side, and then you take your likelihood and impact and put them in and swish them together and create Voltron. You got it. All right.

[Audience] So I'm not... yeah, just to make sure I'm understanding you correctly, so for under determine impact, for the external sources, would you say that if you have requirements to disclose any sort of information security incident, that would fall under a consequence from external sources?

Personally I would go for that, yeah, but it could be that whatever disclosure you're doing just isn't gonna go anywhere; you don't care that much, so maybe not, you know. It's your personal determination of what is significant, and you get to argue about what's significant. That makes sense? Yeah, thank you, awesome. So I don't know that we're gonna have time to do another one, but if there's time at the end and there aren't questions... there's gonna be questions, never mind, forget that. All right, so we've done this
and we had a nice conversation, but there were obvious weaknesses here, right? It doesn't actually meet the definition of risk that I talked about: probable frequency and probable magnitude of future loss. Not quite there; it's kind of close, but it's not quite there. The questions are pretty technology-focused, not people or processes. You know, you can do people, kind of, obviously, but, you know, really talking about administrative processes is gonna be pretty hard with this. It's kind of hard to answer for the non-malicious threats. It's gonna be really ambiguous regarding those secondary losses, like reporting requirements if there's a breach. Whether or not, let's say you've got a lost laptop that's not supposed to have personal data on it, but maybe it does. So there, those secondary losses only happen some of the time, but when they do happen they can greatly outstrip the cost of any primary losses from losing something, you know. And it's kind of weirdly ambiguous between low-frequency, high-magnitude risks. And we picked a high-frequency, high-magnitude risk, so it wasn't quite as obvious, but if you pick something that's low frequency and high magnitude, like, say, you know, your rogue DBA, you know, that almost never happens, because we've done other processes, supposedly, to take care of it, and also, to be honest, most people are reasonably honest and stuff, so that's a low-frequency risk but high magnitude: there's nothing you're going to do if your DBA decides to, you know, decides to flip. So it's kind of ambiguous.

But I did say that this was going to scale, and what you do is you add Factor Analysis of Information Risk. It's made by Jack Jones. It's the Open Group standard for risk management. It's free to read all about it, or, you know, you can like buy the book for 40 bucks or whatever it is; that's essentially free. There's a sliding scale for commercial use, and it's not completely unlikely that an organization would already have it, because the Open Group also does TOGAF and some other stuff that's pretty established. The training is pretty inexpensive; it's way cheaper than SANS, and if you're in (ISC)² you get 50% off, so it's even cheaper than that. You can do it qualitatively or quantitatively. It doesn't require special vendor tools, although you can get them; they're kind of cool. And it's not as fast as binary, but one assessment takes about two hours. How many of you have done a risk assessment in your organization that involves answering like 200 million questions? Yeah. Did they only take two hours? No. No,
that's a question. So FAIR is the best framework for risk management and the best methodology for risk assessment. I'm not going to argue about it; let's take it outside. So here's how you add FAIR. The amazing thing about FAIR is that the way you scope a FAIR scenario is the exact same way you would scope a binary scenario. They have to be pretty narrow: you need one asset and one, not just one threat event, but one threat event model, you know, one type of threat event. What that means is that FAIR can be a drop-in replacement for a single binary assessment. You can still binary all the things and only do FAIR when you need more information, more rigor, more usefulness. That means you're only doing extra work when you have to. That's pretty cool.

So how do you start with FAIR? The analyst training really helps. I have been doing risk for years and years and years and I needed the actual training, you know. I had all the books and stuff, I read it, I'm like, this is awesome, I get it. I don't get it. I needed the training. It helps. It's pretty cheap; just do it, or send somebody. Everything is all in the Open FAIR body of knowledge. Qualitative assessments only need pen and paper. If you want to do quantitative assessments, they can be done with Excel, you can do them with R, you can do them with Python, or RiskLens, which is the commercial end of the FAIR stuff. They do have a tool; it's really cool, you can use it, but you don't have to, because one of the things we're going for is this should be, at least to start, really inexpensive. The thing here is you keep doing binary on everything, and then you do FAIR as well in a few things where you need it. And there's still a reason to do binary first: first of all, that was really fast, right? It's not a hardship to do it. It also helps you make sure that you've got your scope and what you're thinking about nailed down, you know. So just do binary for everything, and then add FAIR as you need it.

So how far can you go with FAIR? How far do you want to go in your risk management? It will support pretty much the highest levels of risk management complexity and maturity. I know insurance companies who are using FAIR, you know. It can be fully quantitative; you can do all the numbers all the time, and they're actually, like, reasonable numbers instead of, like, that kind of numbers. And one of the really, really difficult questions in risk management is, well, how do I know the risk for the whole organization? How much risk do I have? You can aggregate it and it'll work in the tool. Here's the book; it's noted on
the handout, the reference for it. And finally, we have to document. The external documentation that you'll need is: the Binary Risk Assessment from binary.protect.io, again, that's free; the Harmonized Threat and Risk Assessment Methodology from the Royal Canadian Mounted Police, Appendix B, that's also free; the FAIR standards from the Open Group, free to read, sliding scale for commercial use; FAIR training, way, way cheaper than SANS, or... that's the main risk management training I know of, you know, it's cheaper than most stuff; you know, the RiskLens platform, I have no idea what that costs, ask them if you want it, but it's, like, way far in the future. You've got to maintain some internal artifacts. I know you're super excited about this. Yeah, you're going to need a system of record, some kind of workflow tool, or maybe just a conscientious assistant, you know, an office suite. You need a policy, you need a process, you need some templates for storing the risk assessment, you need some forms or templates or whatever for the risk decisions, you need a risk register, because everybody wants a risk register, and you need meeting minutes from those review meetings.

Your risk management policy: you're gonna want to have what the purpose of the program is; the actual scope, so the auditors don't say, hey, why didn't you review this, and you're like, that's out of scope, and they're like, you didn't tell me what the scope is, you know; a statement that you'll actually treat the risks to reduce them to an acceptable level; a statement that asset owners are the ones that accept the risk, that decide on the risk treatments; what the documentation requirements are for your organization; how often to perform risk assessments; and how often to review the risks and their treatment decisions. Your risk management process: we just walked through that whole thing. The only change is "perform binary risk assessment, and maybe FAIR if you want more cool stuff." Yeah, you'll also want to document whatever the process is for making and signing off on risk treatment decisions, both at the asset owner level and at the more senior level, you know, the process for reviewing risk decisions, because, like, every year you've got to review your risk decisions, that kind of stuff. And it helps to have a RACI matrix, you know, responsible, accountable, consulted, informed, on who's supposed to be doing what, so your policies and processes don't read as if invisible fairies are performing all these tasks, because that's a really common failure mode for policies and processes. The risk management process owner would be the person who's accountable for the risk management process, not the risks, unless they happen to own the asset; sometimes they do, but not usually, you know. And then the process manager, or whatever you want to call them, is the minion that does all the work, and the target asset owner is the person who owns the asset, and the target asset manager is the sysadmin who does all the work. And then finally you want to name the executive person, senior leader, whatever, who's accountable for information risk in your organization, you know, who gets the orange jumpsuit, or who is responsible for the organization not going down completely, including due to an information security problem.

You need some kind of consistent way to store a risk assessment. You know, it can be Excel, it can be Word, it can be in your JIRA workflow tool, whatever, you know, but some consistent way to store it so you can keep track: a standardized way to document an assessment. You also need a standardized way to document the risk treatment decision, a template and plans, and, you know, what was the asset, what was the scenario we were talking about, what risk did we find, you know, here's what the decision is, here's the people who are going to do stuff, here's the project plan, whatever, and then you also get some kind of signature, some kind of "I'm accountable for this." Now, you need a risk register because every auditor's gonna ask for that, probably by name. It's just a list of all your risks and all the decisions made. And then for those exciting, fun review meetings, you know, you need minutes to prove that you had the meeting, prove
that you did the review, and document any decisions made. We made it! Does this work? Yeah. No, really, this is real; we've implemented this at a client. It helps them teach themselves about risk; it helps them teach themselves how to talk to each other about risk and how to make decisions. It's really, really cool. It gets accountability and authority actually aligned, instead of "we didn't pass, but it's your problem," you know. It lets decision-makers drive the depth of analysis and the amount of work based on what information they need and want to make decisions, instead of trying to run this huge two-million-question program or whatever, and everybody's like, what do you do with this? I don't care. And it keeps the investment of time, resources, personnel in line with the value. Does it work without Leviathan? We hope so. If you would like to talk with us, again, we'd love to talk with you and help. We are gonna be releasing a white paper and blog posts with more about how to do this; it was just, let's get the talk out and see what questions people have that we're missing, and stuff like that. But you all probably know my boss, James Harlan; he does Hacker Pyramid, you know, talk to him. And that's it. [Applause] Any exciting questions? Yes.
Why is a risk register important? I can't get a straight answer on this.

Because the auditors want it, and sometimes you just need to do the auditor thing.

Aren't you shedding light on, like, you're creating exposure to the auditors on what your issues are?

I'm not sure I understand the question. Is that... are you asking if it's cheating for the auditors to ask you where all your weaknesses are?

Exactly.

It is cheating. They are the auditors; you're kind of stuck with it. Sure, that's kind of how it is. One of the things with auditing is, consider what kind of fines people have gotten; for the most part, there's a slap on the wrist. The point of auditing has been mostly to ensure that you're doing processes. If you get a finding, it's probably not that big a deal. With auditing, they would rather know that you are aware of particular issues, and, I mean, if it's properly accepted, then a lot of times they'll go over it and say, you know, you did that. It's very rare for auditors to start talking about your decision quality, unless you've had a big problem, or unless you're PCI and you have a breach and therefore you were clearly never PCI compliant, even though you were certified every year for the past ten years. Yes. Did that answer your question? It's... it's kind of the way things are. You do need to tell them where your problems
are. You just have to. It's not fair; that's how it is.

Yeah, when we... when we do our risk assessments, one of the things we find is that our business owners, once we've extrapolated the impact and the likelihood, it kind of gets into that, you know, that stoplight, that high-medium-low kind of area, and at the end of the day we say this whatever is high-risk, say, back to them, and they go, okay. Now, so one thing we have found is that what they really understand is dollars; they understand it, you know, well, how will this affect me? But I've not found an easy way to extrapolate it back down to what that real impact would be in a dollar value, whether it's the reputational risk or, you know, cost per breach or something. Do you have any tips on that?

That's where... that's where the FAIR... can I talk now? Okay. So that's where the FAIR analysis comes in; that will give you dollar values. Now, what will help... part of the reason for this is, the quick and dirty version is to get people talking about the issues and why you're having this issue, why it's a problem. Like I said, it's not perfect; this is supposed to be good enough. One of the problems with us risk people, and I've been as guilty as anyone else, is, like, the perfect is the enemy of the just getting by. And at least with this you'll have broken down things more to talk about where the issues are: "well, part of this risk is coming from the fact that there are known weaknesses in the current defenses; let's change that so there aren't any known weaknesses, and look, it goes down." So it goes down too low, and they're like, "oh, I can accept that. How expensive is that change?" "Whoa, you turn on Windows Update." "All right then."

Thanks, that helps. Yeah, so, um, to add a little bit to that: my wife is the accountant and controller, and thanks to her relationship with me, she
knows all about phishing emails to get someone to do a transfer overseas, kind of thing, so she's very cognizant, aware of that. With the binary risk assessment example that you used, it was assuming evil hackers as opposed to just good social engineering, so I'm struggling a little bit with how you apply it for assessing the risk that my wife, as a human being, gets hacked, as opposed to a technical asset.

That is part of the weakness of binary risk assessment: it's not as good with people. Although, you know, with the phishing example, I mean, who does phishing apart from evil hackers? You know, I mean, it's still evil hackers, you know, it's just a different vector. And, you know, that's one of the weaknesses of binary. You can go and say, okay, can the attack be completed with common skills? Is a good phishing attempt... do you call that a skill? Yes? No? I mean, this is a hard, hard thing to think through, you know. Can a good phishing attempt be completed without significant resources? That one I'd say yeah. You know, is the asset undefended? Well, we have security awareness every year and we have fake phishing attempts, and the rate of clicks has gone down, so the asset is not undefended. Are there no weaknesses? Well, yeah, they're people, you know. Is a vulnerability in the asset always present? You know, you can actually make an argument that that's no, because a lot of the time with phishing attempts people do catch them, and it's just occasionally they get through, because, you know, you get the DHL or the FedEx phishing attempt right when you're expecting a package; that's kind of luck. So maybe for that you say the vulnerability is not always present. You know, can the attack be performed without meeting preconditions? You know, and with phishing, yeah, there kind of are preconditions. So, you know, you... you can still think it through. It's kind of a proxy; it's kind of approximate; it's not perfect, but it's good enough to do a risk assessment and be able to talk about stuff. Does that make sense? Awesome. Oh, no? Okay.
[Applause]
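Appended here as an added worked example, not part of the talk or of Leviathan's or the Open Group's material: the FAIR factoring the speaker points to for dollar values (Risk = loss event frequency × loss magnitude, with loss event frequency = threat event frequency × vulnerability), scoped to one asset and one threat event type as she describes, run as a small Monte Carlo in Python. The `WIRE_FRAUD` scenario from the last audience question, all of its ranges, and the triangular-distribution choice are constructed assumptions, and secondary loss is folded into a single loss-magnitude range.

```python
"""Simplified FAIR-style Monte Carlo (added example, not from the talk or Leviathan).
FAIR factoring: Risk = LEF x LM, LEF = TEF x Vulnerability; every factor is a
calibrated min / most-likely / max range drawn with a triangular distribution."""
import random
import statistics
from dataclasses import dataclass

@dataclass(frozen=True)
class Estimate:
    low: float     # subject-matter-expert range: minimum ...
    likely: float  # ... most likely ...
    high: float    # ... maximum

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.likely)

@dataclass(frozen=True)
class Scenario:
    asset: str          # one asset ...
    threat_event: str   # ... and one threat event type, same scoping as binary
    tef: Estimate       # threat event frequency, events per year
    vuln: Estimate      # probability a threat event becomes a loss event, 0..1
    loss: Estimate      # loss magnitude per loss event, dollars (primary + secondary)

def simulate(sc: Scenario, trials: int = 10_000, seed: int = 1) -> dict:
    """p10/p50/p90/mean of annualized loss exposure over `trials` simulated years."""
    rng = random.Random(seed)  # fixed seed makes the run reproducible
    annual = []
    for _ in range(trials):
        lef = sc.tef.sample(rng) * min(1.0, max(0.0, sc.vuln.sample(rng)))
        annual.append(lef * sc.loss.sample(rng))
    annual.sort()
    pct = lambda p: annual[min(int(p * trials), trials - 1)]
    return {"p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90),
            "mean": statistics.fmean(annual)}

# Constructed scenario from the last audience question: a controller phished into
# a fraudulent overseas transfer. Every number below is an illustrative assumption.
WIRE_FRAUD = Scenario(
    asset="controller's payment authority",
    threat_event="business email compromise via phishing",
    tef=Estimate(4, 12, 40),                 # phishing attempts per year
    vuln=Estimate(0.02, 0.05, 0.15),         # fraction that succeeds despite training
    loss=Estimate(25_000, 80_000, 400_000),  # dollars per successful transfer
)

if __name__ == "__main__":
    for k, v in simulate(WIRE_FRAUD).items():
        print(f"{k}: ${v:,.0f}")
```

The percentiles are what turns the stoplight colour into a dollar range an asset owner can accept or fund a treatment against; narrowing any one input range (say, measured click rates from the phishing exercises) tightens the output directly.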