
Understanding your business risks are key - Paul Holland

BSides London · 2018 · Published 2018-06

Thank you. So, good morning everyone, welcome. I wanted to talk to you about understanding risk and how it relates to each of your own jobs and businesses. But first, a quick intro into myself: I work at an insurance company; I joined them in September 2015 as their information security lead. I've worked in many different industries across my career, which is where this information is born out from. I'm a [inaudible] certified [inaudible], and if you wish you can tweet or follow me [handle inaudible].

So, understanding risk: what does it mean and why is it important? In security we have the CIA triad: confidentiality, integrity and availability. Essentially, for your systems and your data, it's making sure they're safe and secure, making sure that people can't mess with them so that you know the information is valid and correct, and that people can actually access the information when they need to get to it. That's what we tend to focus on, that's what we concentrate on.

Different organizations have different profiles, so each industry will have a different focus within that CIA triad. For example, insurance is a reasonably even split across them all, but confidentiality of the data seems to be the primary focus. Banking, again, is a very even split between them all; if you go back probably five years or so, availability wasn't quite so important to them, but now with internet banking it's becoming much more important. Oil and gas: for them it's really confidentiality of their data; they have intellectual property of very high monetary worth, so if they've found a new oil field where they can go and drill, it's potentially worth billions of pounds, so they need to make sure they keep that data safe and secure. Education: they have a very small footprint on the internet, they may just have an informational website and that's probably about it, so for them it's keeping their systems up, the availability side, so that the teachers can teach the lessons and the kids can do their learning. That's really important to them. The gambling industry: that's very much about availability of their systems. If they lose their systems during the World Cup that's coming up, they're going to be losing millions of pounds a second in bets; people will just go somewhere else, so they need to really focus heavily on keeping their systems up. And pharmaceuticals: there's quite a good split there between confidentiality and integrity. Again, when they're working on new drugs, that's worth a lot of money to them, but also the integrity of that data is really important: if somebody gets in and changes the amount of milligrams in one of their new drugs, they could potentially kill people, so to them making sure that data is accurate is vitally important.

I would like to stress, though, that this is my opinion on the splits. I've worked in all of these industries at different times and this is from what I've seen, so there's no actual stats to back this up. But obviously, within each industry, you will have differences as well. You'll look at the company ethos, brand and things like that, and they make a difference. So, for example, the insurer I work at: I know quite a bit about them as I work there. For us, we're not a big retail insurer. We do have an online presence, you can get some small business insurance through us, but most of our stuff is done through brokers and direct with the underwriters. Someone like Direct Line or Aviva has a much bigger online presence, so for us availability is much less of a worry, and because of our brand and the type of insurance we do, confidentiality of that data is much more important to us than it probably is to other insurers, so we spend a lot more time focusing on those.

When you look at the CIA triad, you look at the focus of your industry and your actual business, and it starts to give you, and helps to build, a picture of your risk appetite. Other things that you need to think about: what would your business deem materially damaging? What systems and what data could you live without for a while, and how long is that? What information is vitally important to you? A lot of companies call it their crown jewels. And then also, what is it you're going to do to protect that information? You use all those factors and put them together, and that starts to build your risk appetite statement for your business. That is your high-level statement of the level of risk your business is willing to take.

So you start to build up a picture. From your risk appetite, you get your high-level statement, and you build up to your risk tolerances. These will make a difference; it can make a difference because of the money that's available to spend, or it could be the different systems that you're looking at. For example, we have systems where there's medical data, so our risk tolerance for that will be much lower than for one of our brochureware websites where it's just pictures and words. When you look at that, you start to build a picture of where you can go to, and again it helps build that focus on what is important and the things you need to look at protecting. What you're actually trying to do, once you've got those statements, is drive the actual risk down and get it as close to the risk appetite and within those risk tolerances that you've set as a business. What you're trying to manage effectively is that residual risk, the difference between the two. There are things that can happen: if you can't get that risk down anywhere near your risk appetite, then the chances are your risk appetite is wrong and you need to go back and revisit it. Not literally start again, but you need to work through it and work out whether it's resources, money, or there just isn't the appetite to do it.

The other thing, once you've set that risk appetite and your risk tolerances: it's an ongoing process. This isn't just a one-shot; you can't just do it once and leave it. You need to monitor what else is going on. Business decisions that are being made every day can affect where your risk profile is and mean you might need to change the tolerances or your risk appetite. Changing markets: it's quite extreme, but if you start to try and do business in China, the Chinese government are going to be very interested in your company. New business areas: for example, in insurance, if we started to insure somebody that was maybe seen as morally wrong, like animal testing companies or something like that, that could again change our risk profile. Changing leadership: a change at board level could completely change your risk appetite, because they've come in with a different idea about what they want to do, and literally the board can decide they want to change the risk appetite. Also moving into new technologies: certainly things like cloud and DevOps are changing the risk appetite in companies now, by pushing that data out into the cloud, and with DevOps, the agile approach and the speed of processes, you've got to make sure that you're ready for it and you can keep everything joined up. Then there are the supply chain risks that come with it. Most companies will deal with lots and lots of different third parties, and they're always affecting your risk appetite, because of the decisions they make and because you're taking on new third parties. So those are all the things you need to monitor within your own business to see whether you need to change what you're doing.

Then you've got the external factors as well. New vulnerabilities that come along: we had Spectre and Meltdown not too long ago, which completely changed the risk profile that was out there and the different vulnerabilities we could get hit by. Political changes: we've got Brexit coming up, Donald Trump making the wonderful decisions that he keeps making out in the US, and also the poisoning with Russia recently. It changes the whole aspect of what's going on in the world, and we need to be mindful that those changes could be changing the risk profile and some of our companies could become more of a target. Regulatory changes are always interesting; I'm sure everybody in this room has had the four-letter word GDPR recently, and that's definitely made changes to people's attitudes to risk and attitudes to security. Also, moving forward, similar to the cloud and DevOps, all the new technology that's coming on, AI and all the other things like that: we've got to monitor those and look at what risks will be coming from those as well.

So how, as security people, can we deal with this? How do we make this effective? Really, my big takeaways here: it's about educating the board. They've got to live and breathe this and understand it, so they need to understand what a risk appetite is, what it really means, and the risk appetite they're leaning towards; they've got to understand that as well. They need to accept responsibility for that risk appetite, because it's that top-down approach that it's got to come from. Like I've just been mentioning, they need to be regularly discussing it; it needs to come up at the board meetings, because they need to be reviewing it and make sure they're still comfortable with the decisions they've made. They need to support the risk appetite, support the business reviews and the things we fund, and that top-down approach. We can't do it without their support; it's not going to work, it will fail. Probably one of the most important things: they need to be consistent. You need to make sure the board are all understanding it in the same way, to the same level, and that when they're talking to other people about it they're giving them the same messages about how important it is. So this needs to be led all the way from the top down; we can't do it without them.

So finally, and probably the most important part of this whole presentation: you need to educate your board, you need to get them bought in. That's it for my presentation, so thank you very much for your time and for listening, and I'm happy to take any questions.