
Tim McCreight: So, What's The Risk?

BSides Calgary · 2020 · 46:55 · 31 views · Published 2020-12
Category: Career
Style: Talk
About this talk
Tim McCreight, Chief Security Officer for the City of Calgary, discusses how to present cybersecurity risk to business executives and decision-makers. The talk covers a collaborative risk management framework that identifies assets, prioritizes risks, develops mitigation strategies, and emphasizes that business leaders—not security professionals—must ultimately accept organizational risk. McCreight draws on 39 years of experience in both physical and cyber security to argue that effective communication requires translating technical findings into business impact.
Transcript [en]

Thanks for coming to the session today about "So, What's the Risk?" My name is Tim McCreight, I'm the Acting Chief Security Officer for the City of Calgary, and it's my pleasure to attend the virtual session for BSides Calgary this year. I want to take a couple of minutes and go through the session itself, and before I get going I want to thank the organizing committee for putting together such a great format on Hopin. I had a chance to listen to some of the sessions yesterday and just to duck in and out. Awesome presentations, such a terrific amount of talent that we have

within the BSides Calgary community. So I want to thank you all for being part of this and taking time out of your day to listen to the sessions, listen to the expertise that all the speakers have, and I hope that all of us have a chance to take something out of the sessions that we've been sitting in on and bring it back to your workplace. So what I'm going to do now shortly is I'm going to drop off video so I can save some of the bandwidth in the house, and then I'm going to go through the presentation. If you see questions along the way, I've got folks helping me out, thank you for that, and we're going to

have a question and answer session at the end as well. So let me quickly drop off my video so I can keep the bandwidth rolling along here and we'll start up our presentation. Just one time. Great, thanks everyone, let's carry on. I want to do a quick introduction of myself, the role I have and some of the things that I've been fortunate to do in my career, and how it relates to the topic about risk and presenting it to executives. I also want to talk a little bit about the risks themselves, and that there's so much of it out there, things we can focus on and things that we worry about as information security professionals.

Next up, let's talk about this whole presentation that you want to give now because you found something really bad and I've got to get people excited about it. I need people to see what's happening, I've got to get people to look at the problems that we're dealing with. But when we look at that, let's also understand what the reaction is, and our next pivot is to focus on risk. I'm also going to give a couple of quick examples, things that I've done really well or that seem to have gone really well, and one particularly bad example of what happens when you don't take into account some of the things we're going to talk about during the session today. I'll open up

for questions and answers as well, and if you have questions throughout the session please put them into the chat and I'll try to get to them near the end. I've got some really wicked smart people helping me out who are going to guide me along and make sure I answer all the questions too. All right, so let's begin. Just put that out there for a couple of minutes. Yeah, it doesn't have the same impact that it does in person, but yeah, I am actually wearing pants, so I think that's a plus for me today. So I don't have the stretchy pants on, I've actually got the good pants on. So yeah, there is going to be personal

opinion, so I am not representing the City of Calgary in this presentation, and occasionally we are going to have some interesting language along the way. So let's take a look and let's move past this and get into our first little bit, introduction. Yeah, so I've been doing this for year 39 now. I started back in 1981 and I originally began my career as a security guard in a hotel in downtown Winnipeg, Manitoba. So I got out of the Air Force in 1981 and I definitely needed a job, because I think my bar tab at the mess hall was far more than what I was making, so I picked up a job as a security officer

in a hotel and then became the chief security officer as well. So for the past 39 years I've held roles in both physical and cyber security. In the late '90s I took myself out of the workforce for two years and went back to school in Edmonton at NAIT to take Computer Systems Technology, and it wasn't because I wanted to program, it's because I wanted to understand how computer systems worked, how they could be broken, and then how could I work to protect those systems for clients and for organizations. So from early 2000 onward my focus has been mostly on the cyber security aspect, as the Chief Information Security Officer or an executive responsible for information security.

So for me it's an opportunity for me to start giving back, right? So I love dogs, and you can see my girl Hazel here sitting on the bed. Hazel is a rescue dog that I picked up from AARCS two years ago, and I fell in love with her and the idea of having a dog again, to the point where I just bought a house to make sure that she had a home. So I'm sitting here in Hazel's house and she's outside the door listening to me give this presentation. I'm on the board of directors for ASIS International, it's the oldest security association in the globe, and it has... yeah, thanks Derek, it is

awesome, and Hazel's just a goofball. She's about 120 pounds. She came from a reserve, so she was, they called them, you know, she was a bait dog in a pit bull fighting ring. So when she was first rescued she hated people, she wasn't supposed to be around anybody, she was a huge bite risk, but over time, with a lot of love, time, care and attention, she's now probably the biggest goofball I've ever seen. She weighs more than Lisa, which is hilarious, so when she gets on the bed and doesn't move, yeah, that's it, she owns the bed. So that's our girl Hazel. Back to ASIS. I've been on ASIS as a member since 1981, I'm now on

the executive board for ASIS Global, so that means I'm responsible as an executive to steer the organization and grow the organization across the globe. I'm also the sponsor for Enterprise Security Risk Management globally, so it's my duty now to spread as much as I can the word of ESRM around the globe and help train security professionals about a focus of risk as opposed to this concept that we do security. And for me this is a chance, particularly through the BSides organization and through others, to give back all the things and all the mistakes I've made, which are quite a few. It's a chance to learn from the things that I've done so you folks don't have

to do the same thing. All right, enough about me and Hazel, let's make sure we go on and carry on with our session here. So first up, this idea of there's just so much risk. You know, I mean this whole idea that if there's a threat and you have an asset that's vulnerable to it and an opportunity for that vulnerability to be realized, now we're looking at a risk. So from that equation there is so much of it now out there in the world, and things that we need to be worried about as information security professionals, it's kind of hard to figure out where to start. But I know you folks, as you work

through your day-to-day and some of the amazing sessions that you saw during BSides yesterday, that some deal with are getting more complex, and some of the impacts that these vulnerabilities, if they're realized, if it's exploited and if that risk becomes real, the difference between organizations surviving and expiring is getting smaller and smaller. So we have to be, as security professionals, even more on our game when we're addressing the risks that are facing our organizations. But let's take a look at some of the ones that, you know, I've been looking at over the last year or so and see if they make sense to you folks as well. All right, targeted ransomware, absolutely. So we're

seeing this more and more, and we're reading about it more and more in the news, at least for those organizations that want to talk about it publicly, but we do know that this concept of targeting ransomware to individuals within an organization is having huge payoffs for those who are on the other side of that line. And you can't blame them, with the amount of work that it takes to put together a ransomware package and send it off to somebody, with the potential benefits of what that brings to that criminal organization. It's amazing we're not seeing more of this coming through. Cloud jacking, yeah, this is all, I mean, sorry, "awesome", that's not the right word

to use. So from a security professional's perspective, to see change now, to credentials in the cloud being jacked and being used to impersonate the user, it's something we didn't think about 10 years ago, but it's something now, as a risk, that we have to look at from an information security perspective. Working from home, absolutely. I'm sitting here in my home office with my dogs outside the office, and I am now another risk vector for an organization just because I'm not sitting on that network. I don't have an opportunity to walk down the hallway and talk to somebody about "hey, should I click on this link?" or "does this thing look fishy to you?" No, now we're asking,

you know, thousands of workers, at least within my organization, thousands of workers who have never worked at home before, to actually be at home now and to manage the security of their organization's device on a home network. 10 years ago, would this have worked? Had this pandemic been here 10 years ago, would we have the same problems we're facing today? No, because we didn't have the technology, but now that we do, we're opening up more threat vectors into an organization for all of these workers sitting at home. Insecure code, Jesus, yeah, this never ends, right? This idea of creating an application development life cycle and including security in it, pushing as far left as we can in the

life cycle of code. Some organizations, some coding teams are still struggling with that idea, or some are still facing so many hard deadlines to get something out the door that we're still looking at insecure code as one of the bigger reasons that we stay up at night. Social engineering, yeah, this will never end. Human beings are always going to be looking at ways to take something from another human being, and the principles of social engineering make this such an easy opportunity to get into an organization, to gain knowledge about an organization and then to use it against that organization. It's amazing that we haven't seen more of this again being advertised in the news or being in media,

but it takes a certain skill set, and those criminal organizations or those individuals who are really good at this are seeing this as an amazing opportunity to get into an organization, expose the vulnerabilities and then exfiltrate data, or to, you know, take advantage of the organization in different ways. Users, yeah, wow. A user to me is still, don't get me wrong, we're here to help users, we're here to serve the user community, but holy smokes, the users are also some of our biggest problems, and it's because they are our first line of defense, and we rely so much on the users as they open an email, as they gain access to a

piece of information, as they get into an application. We rely on users to be smart about this, to have some understanding of what security really is and to apply some of the principles that we've probably been talking to them about over the last X many years: the threats, the vulnerabilities, the risks, etc. that the cyber world faces. But the problem is, a typical user, and you folks know this, they have so many other things that they need to focus on during the day that we are probably one of the last things we focus on, unless you've made that cultural impact in your organization and security is top of mind for every user in every activity that they do,

and I don't know of too many organizations who've got that focus right now. AI fuzzing and ML poisoning, yeah, wow. These are, so, I mean, so we've seen fuzzing before in the past, right, where you've taken so many different opportunities to try to break into an application, or different vectors to get into it. The advent of AI now, and having that AI engine being available to the guys on the other side of the line, makes that penetration, or that opportunity to break into applications and systems and to find those vulnerabilities, even more pronounced, and we're going to see more of this in the future as we start seeing some of the more open concept AI engines running out there

and people using those toolkits to start probing, testing. We're going to see the launch of zero-day vulnerabilities coming faster now just because of the advent of new technologies and what it brings to us in our environment, from the positive side but also on the negative side. And the other one is ML poisoning. This is relatively new, as we looked at machine language and as it starts gaining a greater foothold in organizations, and the reliance of machines to start looking at the different inputs that we have to make decisions. What if me, as, you know, the person on the other side of that line, took the opportunity to poison that training data pool

for your ML engine? What if I was able to steer the direction that that ML engine is going to take now, based on some slight or subtle changes inside the training data pool? Scary concept, right? Particularly when you're relying on that ML to do really, really important work for your organization, or to respond to events that could have impacts to users, to citizens, to clients or to people's safety. So for me this stuff is getting really scary, and as we see more risks that's coming up, this is going to be difficult for us to present. We're going to talk about some of these examples when we get further into this presentation.

Vulnerability management, this never goes away, right? We've been dealing with vulnerability management since the '90s, and we're still having problems managing this throughout an organization, and it still provides risks to any enterprise that has to deal with information systems, accessing cloud and dealing with users. Mobile malware, yeah, we keep hearing it: 2019 was the year of mobile, 2020 is the year of mobile. It's always going to be the year of mobile malware, just because it's another entry point for those on that other side of the line to gain access to data, our personal or corporate data, and use it against us, or to capture those devices and use them for something else. Finally,

phishing, yeah, they're getting more and more sophisticated. We no longer have those old Nigerian-style letters that came our way in phishing attacks; they're getting more complicated now, they're getting harder to detect now, and we're relying on our users to be more vigilant than ever. So again, I link that whole phishing to the users, and these are risks that we're always going to face, and it's going to be more difficult for us now to identify it, to eradicate it, and more importantly to explain it to executives and the help that we're going to need. Right, let's move on. So let's see: in the slide we just went through, one of those was a particular issue that

you are very, very concerned about, that there's a credible threat to the organization, that this risk can be realized. So you have a threat, you have a vulnerability to an asset, there's an opportunity to compromise that asset, and there's a direct impact now to the asset itself, to the information that we're trying to protect, to the systems that you operate within your organization, or to the stakeholders that that organization serves, whether they're, in my example, citizens, or users within the organization, or clients who purchase, buy or interact with your organization for the services you provide. So let's see, you've gone through your theoretical exercise, you've conducted a detailed technical threat risk assessment,

you're worried now because, you know, if we looked at some of the things on the screen past, one of those is really pressing, and this has to get presented up to the executives. Holy smokes, something really bad is happening and I've got to get this in front of somebody, and they've got to know that this is wrong. Okay, awesome, all those things are amazing. So as you start to collect your information for the presentation, as you build that binder of data that you believe you need to have to support your presentation, let's go through some of the steps that you may or may not have, or I'm going to use myself in one past

example of the things that I tried to do to get ready for what I thought was an amazing technical presentation. First up, yeah, I did, I put on a suit and a tie, you bet. So now, sadly, I'm wearing glasses; back in the day I wasn't. But what I did do is I went through the steps I thought were really important from a technical perspective, and I'm going to use this one example. This is going to, I'm going to date myself, so my apologies for this, but I am going to throw some kudos to me who's on your BSides committee and is actually running, or ran, the capture the flag session

yesterday. So years ago I was working in an organization and responsible for the security for all of the information assets, including the telecom assets. We had this great project where we were going to start, now again I'm going to date myself, we were going to start implementing, as an alternative to the typical bandwidth we provided to our clients, but more importantly we're going to use this platform, this brand new platform, for this amazing project that we had just won, and it was going to have national prominence, actually it was global, so you can picture how excited the whole company was. All right, we go through this, we did this risk assessment. Holy crap, you could actually intercept

the conversations, they weren't encrypted, and you could play back the information and you could actually hear what a lot... just wow. Picture developed for this presentation: we collected a series of, we, I did, went full technical, we even had a copy of the wave file for the conversation. We had all of that, and that's what I was bringing to the table from a report perspective and from a presentation perspective. All right, so for the speak a language other than English, now you can realize, well, oh my God, you know, from a Russian, Portuguese, Greek and German perspective, this is, I mean, you can understand the context of where we're trying to go with

some of the stuff, because yeah, we're in like this could really hurt us, this is something like, you know, a professional, this is really bad. So now you've got to look at dealing with this, and now I'm going to get into this presentation, so you get into, and I'm looking for that reaction, right? I am

going to be uncovered, identified, well I need that, this is really bad, this is something that we don't get on this right now, this is crippling, because I see the technical component, know that this is right. I didn't get into the

talking

and this is what

super frustrating i was prepared you know i mean as we all grow in the role secure we thinks of of determined that you know another presentation

or organism

back up not only benefit

is technically to your, to your device, to your network. Let's not screw anything up, I'm just going to go right from here. So a couple of different things, hang on. I started talking about this model that ASIS has built, and when I look at this from my perspective, this is something that really makes a lot of sense, because I'm going to start on the right-hand side of the diagram, then we're going to work into the center. So the first up is this idea that, from my perspective as a security professional on the information side or the cyber side, I need to understand from the context of the organization what's our mission and our vision,

right? So these are things that we need to worry about as information security professionals, and things we should be taking to heart for the organizations we work in. Once I understand the mission and vision, I need to focus on core values, or what does the business require of us as employees, but also what we require of the clients, the users and the citizens of our services. We should all understand the operating environment: whether we have regulatory or legislative requirements, privacy requirements, do we deal with credit card data or personal information. Those things we need to know, because that impacts the way that we operate as information security professionals. And finally, who are the stakeholders? So

who from that organization look at us, require from us or interact with us that have a stake in the organization itself? And it could be everything from those who buy our product, those who invest in our services, or those who request us to provide services to them. So on that right-hand side, that context is really important for us as security professionals to embrace and understand. On the bottom, this is how we operate within the security program. We need to look at risk from a holistic perspective, so that means that regardless of where that security risk is, it's our requirement to go find it, to go hunt for it, to look for those risks

objectively and without impediment. We also need to make sure we develop partnerships with our stakeholders. That could be the IT department, it could be facilities management, it could be HR, legal counsel, etc., but we as security professionals need to step outside of our box, with just that little realm of cyber security, and understand who the partners are that we need to interact with on a daily basis. Transparency is important. Everything we do as information security professionals needs to be presented back in a transparent way. If we identify a risk, or we identify a threat that could be exposed or a threat that could be realized in our environment, we need to be able to present that to

executives so that they understand it. And finally, governance: there needs to be a structure over top of the work that we do to make sure that we as security professionals fall within the lines and are applying the same principles that we have for conducting ourselves within the organization and the operating environment of our company. Inside the circle itself, well, this is where it gets interesting. First up is identify and prioritize the assets that that business needs to be successful. On the cyber side of the house, that could be everything from the network itself, the applications that run on it, the services we provide that are web facing, the mobile apps that we've designed for our clients, etc. But we need

to identify and prioritize those assets, because those are the things that the organization needs to be successful every day. Once we have a really good understanding of what those assets are, our job now is to identify and prioritize the risks that we see to those assets, and we do that in a very collaborative fashion. This isn't something we just identify on a whiteboard and call it a day. We spend time with the clients, we have to, I mean, we'll do phone calls, interviews, workshops, etc. to really get to know the clients themselves, understand their business objectives and what are those risks that are facing the assets. Next step, once we identify what the risks are, well,

now we've got to find ways to mitigate those risks. That mitigation strategy is collaborative as well. It's something where we need to spend time with the clients, understand what's appropriate for them to put into place, and what's practical as well. When we design and develop those mitigation strategies, it's our job to help the business unit present those to their executives, and it's the business's job to accept or understand what those risks are. So our job truly is: let the business make the decision, right? It's the business that's there, it's the business that sets the goals and objectives, it needs to be the business that's going to conduct those risks, accept that risk on behalf of the

organization. It's not security's role to do that; that has to be done by the business. Finally, we have a continuous improvement cycle that we're always going to follow through, and those are things that we're going to worry about on a regular basis. So it's not just, we don't just do one risk assessment and it's one and done. No, this needs to be continuous, because it's our opportunity right now to take those recommendations, take those controls, take that acceptance, bring it back into our systems and then continually monitor. If we put a control into place, is it operating effectively? Conduct analysis and assessments, ongoing, of the assets that we've identified in that very first bubble,

and finally continually develop mitigation strategies, put them into place and then make sure that they're actually operating effectively. So all of these things work together in this model. What I love about it is that it begins and ends with the business. The business is responsible for its goals, objectives and success, and more importantly, we support that by identifying risks and letting the business make the business decision. It's not our job to accept risk on behalf of the organization. I am the last guy you want to accept risk. Had I been the one who was providing or accepting risks when I was working at the province, they never would have had iPhones or iPads, ever. You're going to get a notepad, but

it's a piece of paper and a crayon, and I want it back at the end of the day. Most security professionals that I know of are risk averse. We are so focused on protecting the assets of our organizations that we don't want risks to impact it. But the problem is, it's the business that runs it, the business pays the bills, sets goals and objectives, and more importantly, it's the business that has to make that decision. So if from this entire presentation the only thing we get out of this is it's the business that has to make the decision, it's upon us to provide the data and provide a presentation that they can understand the risks, and we're going to lead to that now.

I'm going to look at a couple of things. I'm going to kill my camera, just one sec. Perfect, still good, hang on folks.

So let's identify the assets and link it to the business goals. What are the potential impacts to the assets that we just looked at? What are the impacts to the business, right? And that means that we need to take time to understand: if the business is an online business and providing a service online, if that service is unavailable for any amount of time, what's the impact to the business, to the brand of the business, to the clients who rely on or require that business up and running? Are they going to go find somebody else if your website is down or you can't get to that app? These are things that we as information security professionals need to

understand and take into account when we're designing our remediation strategy for the business, but more importantly when I'm providing that presentation back to the executives: is there a way that I can actually reduce the risk, and how practical are the options to reduce that risk? No organization in hell is ever going to take a million dollar solution for a hundred thousand dollar problem. It's just not going to happen. So from our perspective, particularly now in the economic climate that almost all of us are facing, is that we need to understand this is a practical approach to reducing the risk. Thanks folks for letting me know, I'm going to keep going through this session

and see if we can get to the end of this. My apologies for the traffic itself and for the network bandwidth issues, so my apologies for that. And finally, who makes this business decision, and have they been involved in the risk assessment process? But more importantly, do we know who to provide that decision back to at the end of our assessment process? In that presentation, the person who's going to make this decision, are they sitting there, are they engaged, and are we speaking to them in a language they understand, which is risk and business? Okay, let's move on. Here's a quick example. So remember we talked about that whole approach where we were dealing with a

voice over IP issue, that it was, holy smokes, it's really bad, we had this massive technical presentation, and then everyone went to sleep. All right, so let's step back and take a better look at this, let's go over this issue from what we did in our approach. So we did understand that there was this massive vulnerability and we had to get rid of the problem. We were really concerned and upset about it. When we were writing our report it was a huge, like this was a massive technical report, but at the very beginning of it we took one page and we created this page that was going to be the premise and the basis for

presentations to the board of directors, and it was that if you continue down the path with the current structuration, the potential for having these conversations intercepted is not only, like, the question is how much damage to the reputation and brand do you wish to... That's all we had for the first paragraph. We submitted the report, the presentation. It took all of about 30 seconds for the first phone call to come in from headquarters asking, "Tim, I don't understand this, this is really bad, how are we going to fix this?" Well, I mean, here's the example that we have and here's how we can fix it. Now, we can't do that,

okay, thanks. And I kept waiting for the next phone call, the next phone call. Throughout the day I must have had about a dozen phone calls. One I got was really interesting: it was from our chief security officer, and they were wondering if we would be willing to change the presentation itself and change the structure of the report to soften the edge of the recommendation. No, no I wasn't, and nor was my team. So that led to a phone call from the CEO's office letting me know that there will be an airplane ticket in your email; we require you to fly out to headquarters tomorrow morning. Awesome. So on that note, I got

packed up all my stuff from the office, because I figured, well, I'm going to get fired for this one, so I even brought my badge, brought my laptop, everything, and I waited for that flight out. That was an ugly day. But here's what I had done: I had taken the time to understand the technical vulnerability, and it appalled me, right? My team had done such an amazing job technically to show me what the problem was. So what I then did was I stitched together from the technical to the business, and an opportunity for the business to understand: your goal and objective of growing in this marketplace, building out this technology and acquiring new customers is now at risk,

not only at risk, if it's realized you will lose market share, and the embarrassment to your brand will probably be to the point where you're not the back of the market. So that's what we had designed and developed, and it was all objective. It was based on the data the way they accumulated, and we knew that with the penetration of the market that these folks wanted to get to, this was the issue that we're going to have to face. So loaded up myself, got ready for the flight over there, and because it was so last minute I got to go first class, which was terrific. The problem is that, yeah, you're not going to drink on the plane early in the

morning flying out east because you've got a presentation to give. So I get to headquarters, I get ushered in to see the CEO, I walked through my presentation, and I remember him, just two things: "Great presentation, thanks for this, you really made it clear, I understand our path. I also needed to look at you and just see if you were actually, if you were going to stick behind your report." I said, "Yeah, absolutely," and I said, "What's this going to cost me?" He said, "Nothing. Can you go back and fix it?" Awesome, thank you, and that was it. I put my badge back in my pocket, got the

hell out of the building as quick as I could, got to the airport, and because again it was a first-class ticket, sat in the lounge and congratulated myself regularly for the great presentation I did, and then determined that, yeah, that congratulations ceremony is going to carry on in first class on the plane on the way home. So I think my head was killing me the next... What that really cemented for me was the approach that you need to be objective in your review. You need to take away the technical jargon and the technical components of your risk assessment and translate those into the business impact, right? So that's what was really

successful in this one particular instance, was the idea that, although it was a very technical problem that we had identified, and the vulnerability was one that could truly kill this platform, it had to become something from a business perspective, and that was the issue that saved us: we took away those components that were truly technical. We had them in our back pocket, and you always need to keep them. It shows that you have demonstrated and done your homework. It provides the recognition that your teams, from a technical perspective, have done the work. But what it does for you as that security professional stepping into the business realm: now I have the opportunity to speak in

business terms. Had we gone with a full and complete technical presentation to the CEO and potentially the board members, we would have seen exactly what we had on the presentation: a bunch of people falling asleep, because they don't give a damn about technology, and the technical components of a risk, executives don't care about, right? I've held executive positions as a security professional in a number of organizations, and I love, don't get me wrong, I love the dedication and the emphasis people have on the technical problems, the issues that they're finding, more importantly the vulnerabilities they've discovered and how bad this is within the organization. I absolutely agree, I love seeing that kind of passion

appreciate the skill and and just the tenacity of the people that that have worked for me and work for me today these folks are just wicked smart folks and i rely on all of them to come up with those technical vulnerabilities or tell me really where the problem is but i can't take that into a boardroom i can't take that in front of a group of executives and if you as a security professional with a technical component to your to your position or requirement to conduct technical reviews and provide that detail upward if you come in with that technical report you're going to get exactly the response that i've had in my past lives the executive's eyes cloud over we used

to call it this is i'm going to date myself we used to call it the blackberry prayer i had about 30 seconds to get the attention of executives i had about two minutes to keep it but as soon as i saw that first executive duck down into his lap and look at his blackberry i was buggered that was it i lost their attention span because if it was too technical a presentation it wasn't linking back to business objectives and it didn't identify the risk i lost the audience i don't know if you folks see this but every time i give presentations or every time i talk to executives that's the first thing i look for have i

captured their attention by focusing on risk have i been able to link what i have found to the business objectives and to let them know that they are at risk if this threat is realized and here are some opportunities that you need to work on or i can work with you to reduce that risk but the decision is entirely yours so i've also joked i made these conversations years ago to executives particularly in the government but i've done it in other organizations as well it's at two o'clock in the morning phone call after providing the risk assessment and the process that we went through and linking it back to business terms if the organization decides they still

want to move forward with the path that they're going to take that could still put us into into a risk terrific we're with you we'll stand behind you we'll respond to the incense but understand at two in the morning you are the guy and that means when happens and this thing goes because it probably will you will be the one who takes that very first phone call i will be the guy standing beside you similarly to what you see in the u.s with those congressional hearings i'm going to lean in and tell you to shop because you don't want to answer that question but you are the guy in front of the cameras and understand what that means

because from a business perspective you own the risk not me you and if i've done my job well provided you the data that you need and the business rationale for reducing the risk and you still either want to need to move forward with the activity that's causing the risk terrific awesome you can run down your hand i'm going to be behind you with a first aid kit not beside you behind you because our job then is to play clean we will continually monitor the environment we're going to look for cracks in our defenses we're going to respond as quickly as we can to detect identify eradicate and remove the threat and then move on and get back into

current or normal operating state but if you've made that decision my job now is to document that decision identify who from the executive approved the risk stored in my risk assessment fault with my ongoing risk register and then make sure that as i get through it and something does happen i go back realize oh yeah bob's a guy who has to answer to the press or bob's the guy's going to make response yep bob this is yours off you go and when i say that to think that i'm kidding no not at all because i've done that in my life i operate as if i don't need the job and that gives me a bit of clarity

my perspective that as a security professional when i'm brief i focus on the business risk and that make the business decision and that's the because when we go back to the content of that technical presentation if all you bring forward is that truly deep understanding of the technical problem and how you found it validated it how it matched up to the cves etc except they don't see that that's not something they care about now let's say within that server or within that application i found a massive vulnerability and we knew that it's only a matter of time before that that while out in the wild becomes not only a zero day but an exploit that's

going to impact us my goal information i need to understand what business units require that server that application to be up and running what's the impact of that a tomorrow a week from now a month from now what happens if the data in that application is gone obfuscated deleted ransomed altered what's the impact to my clients my customers my citizens my employees i'm going to put those all into business terms and then what i'm going to do is i'm going to make sure that the executives understand that in your realm as the business owner or business leader this application is important to you here's the risk that if this threat is realized and this risk actually becomes

to deal with here's to your clients the employees the data we maintain the reputation of their we have some opportunities to reduce it it could be patching swapping out all technology putting in different layers of controls additional monitoring or retiring the program the last option could be you know what we don't have any money we don't have any opportunities to replace we haven't got the time cycles tim we got to keep those are good answers to the question what do you want to do but understand at two in the morning you're the guy and when you have those conversations with people be clear focus all right let's kick this out of questions and see if anybody has any questions that i

haven't caught in the chat any other questions folks or anything else i've missed so far

so brett asked the question do i ever struggle with situations where the impact may be massive but the likelihood of intent to cause the impact could be quite low yeah but you still know that you should have some transparency yeah absolutely pretty much every risk assessment i we've i've done or worked with my teams in the last 10 years we always find those you know those potential black swans right if this thing ever happened mother of god we're taking out the company but the opportunity for it to occur is really low we still have to present it right it still has to be presented to the individual organization members itself is presented to the executives or

the business leaders and there's a couple reasons why one as security professionals it's upon us to be diligent in our work open and transparent in the approach that we take we've identified something that is that potential black swan that could wipe out the entire organization but the potent but that likelihood of it occurring is really small we still have to express that we still have to provide that as a risk and we still have to look at what are the opportunities to at least look at a reaction or response to it is there something we can do to reduce the impact of that with our organization so yeah brett you still have to go through that

process it's more it's a it's more of a theoretical exercise in some cases absolutely but that discussion that whole bringing forward a very technical approach in a business aspect and talking about something that if it does occur could be really bad but the likelihood is really small it still gives you the security professional an opportunity to talk about that issue and go through the whole cycle that we just did with the enterprise security risk management uh nick asks question do i have a preferred method for quantifying risk or or has a quality assumption often insufficient yeah i mean so the quality assessment does work what i like is standardization in or consistent approach to conducting

the risk assessment so from a quantifying risk perspective i will look at data points that we have but i'm also following standard structures like the iso 31000 framework 31010 for conducting the risk assessment and then presenting back the data remember we talked about this practical and pragmatic approach in in my world if the threat has no impact to my organization and i don't have any resources that can be impacted i'm not going to include those factors inside my risk assessment so i need to be very mindful of understanding all of the assets in my organization and then applying standardized methodologies like iso 31000 and conducting like the 31010 framework to complete that risk assessment uh let's take a look here
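The following is an added example, not McCreight's own tool or the City of Calgary's process, that sketches in Python the parts of the approach discussed above and earlier in the talk: every asset is scored the same way, black swans (crippling impact, remote likelihood) stay in the register even when their score is low, the executive summary is written in business terms with the technical detail held back, and the record shows which business owner accepted the risk and when. The asset names, owners, 1 to 5 scales and thresholds are constructed assumptions; it also generalizes by ordering the register for presentation by asset criticality before score, so the most critical assets come up first.

```python
"""Added example: a minimal risk register in the spirit of the talk.
Assets, owners, scales and thresholds are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class Asset:
    name: str
    business_owner: str   # the executive who owns the risk, not the security team
    criticality: int      # 1 (routine) .. 5 (crown jewel: the business stops without it)


@dataclass
class Risk:
    asset: Asset
    threat: str           # what happens to the business if realized, in plain language
    likelihood: int       # 1 (remote) .. 5 (expected), assumed scale
    impact: int           # 1 (nuisance) .. 5 (crippling), assumed scale
    technical_detail: str  # kept "in the back pocket"; never goes in the summary
    accepted_by: Optional[str] = None
    accepted_on: Optional[date] = None
    decision: str = "open"

    @property
    def score(self) -> int:
        # Same arithmetic for every asset, regardless of how critical it is
        return self.likelihood * self.impact

    @property
    def black_swan(self) -> bool:
        # Crippling impact but remote likelihood: still presented, never dropped
        return self.impact >= 4 and self.likelihood <= 2


def prioritize(register: List[Risk]) -> List[Risk]:
    """Consistent scoring everywhere; presentation order is by criticality first."""
    return sorted(register, key=lambda r: (-r.asset.criticality, -r.score, r.asset.name))


def executive_summary(risk: Risk) -> str:
    """One line an executive can act on: asset, owner, business threat and rating."""
    flag = " [low likelihood, crippling impact]" if risk.black_swan else ""
    return (f"{risk.asset.name} (owner: {risk.asset.business_owner}): {risk.threat}; "
            f"likelihood {risk.likelihood}/5, impact {risk.impact}/5, score {risk.score}{flag}")


def accept_risk(risk: Risk, executive: str, decision: str,
                on: Optional[date] = None) -> Risk:
    """Record who made the call. Only the asset's business owner may accept its risk."""
    if executive != risk.asset.business_owner:
        raise ValueError(f"{executive} is not the business owner of {risk.asset.name}")
    risk.accepted_by = executive
    risk.accepted_on = on or date.today()
    risk.decision = decision
    return risk


def open_risks(register: List[Risk]) -> List[Risk]:
    """Risks nobody on the business side has signed off on yet."""
    return [r for r in register if r.accepted_by is None]


def build_sample_register() -> List[Risk]:
    """Constructed sample data (hypothetical assets, owners and findings)."""
    payments = Asset("payment platform", "Bob", 5)
    portal = Asset("citizen portal", "Carol", 4)
    intranet = Asset("staff intranet", "Alice", 2)
    return [
        Risk(intranet, "staff cannot reach HR forms for a day", 4, 2,
             "outdated web server build (constructed)"),
        Risk(payments, "customer payment data altered or ransomed; market share and brand loss",
             3, 5, "unpatched component on the payment server (constructed)"),
        Risk(portal, "citizen records exposed; loss of public trust", 2, 4,
             "weak access control on an export job (constructed)"),
        Risk(payments, "multi-week outage from loss of the hosting facility", 1, 5,
             "single data centre, no tested failover (constructed)"),
    ]


if __name__ == "__main__":
    register = prioritize(build_sample_register())
    for r in register:
        print(executive_summary(r))
    accept_risk(register[0], "Bob", "proceed, add monitoring and patch next quarter")
    print(f"{len(open_risks(register))} risks still awaiting a business decision")
```

Two design choices carry the talk's point: `accept_risk` refuses a sign-off from anyone but the asset's business owner, so the register cannot show the security team as the party who accepted a business risk, and `executive_summary` never reads `technical_detail`, so the technical finding stays available for follow-up without leaking into the briefing.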

I don't see any other questions, so I'm gonna ask the moderators: did I miss anything, or have I caught all the questions so far? We only have about five minutes left. So, what's my opinion on taking a crown jewel approach to risk assessments? Yeah, I mean, that does work too, Mitchell. What I look at from my perspective is I try to consider and conduct the risk assessments from a consistent perspective, and don't get me wrong, the crown jewels are always there as well, right? So in every organization there's about three or four things that you absolutely have to have to be successful, and if any one of those fails, is compromised or gone, the impact to the organization is crippling. Yeah, you bet, so that works. What I like to do, though, when I conduct risk assessments, and my teams do this now, is that we take the same consistent approach across all of our asset base. And there's reasons why you want to do that: this way, when you're developing that, it's a standardized approach where I look from one asset class to another, regardless of the criticality of it; we're still going to conduct the risk assessment the same. What's going to change, though, is when we do the presentations to executives and talk about what's the impact to that asset. The higher the criticality of the asset, those are the ones I'm going to want to present first; those are the ones I'm going to absolutely want to get executives to agree upon a plan and a reduction of risk strategy. Lower criticality assets, those that we review on a more regular basis, are those that we have vulnerability management programs in place for, as an example. Those ones I'll deal with the next year. But that first tier approach, it's similar to what the crown jewel approach is, but that first tier is where I'm going to go once I understand the criticality of the asset, and then I get the business leaders to understand what the risks are to that.

Merging technical and business risk skills to become a great... So that's a hard one. I made a conscious decision years ago in my career that, look, I have some just wizards on my crew right now, here in the city and in other organizations we've worked at, that are so far beyond me technically. I rely on their skills and their knowledge to make me look really good, seriously. So I made that decision to move away from a technical background to be more managerial, so I focused the last 20-some years of my career on that managerial, leadership aspect, always going back to and appreciating every skill set that I've ever seen from the technical side of the house. So what I would do, my recommendation to you folks, if you are looking at heading down that managerial path, is understand what are the skills you're going to bring, and then do an inventory of yourself. You know, do you like doing presentations? Do you like dealing with executives? Are you okay with hearing "no" on a regular basis? Are you okay with having to discuss your point and be objective about it and not take things personally? Because in a managerial role, the thickness of your skin has to increase with every level you go up. So there is a point in time where you cannot take this stuff personally; this is just business, right? So from my perspective, that business skill set, more than anything else, is important in a leadership role in the security world. Whether you're a CISO or CSO, you need to have that thickness of skin. You need to understand that you're presenting an objective perspective based on the expertise of your team. If the executives want to go down a path that you don't agree to, you have to take that, swallow it, move on and let them make that decision. These are grown adults; they run a business. They are going to have to make mistakes sometimes too, and it's our job to give them the opportunity to make those mistakes, but to be there when things fail.

Just a quick question here: what are important considerations with aligning IT risk with enterprise risk? So the way I look at enterprise security risk management, remember that diagram that we had from ASIS: ESRM is a subset of the overall enterprise risk management program. So everything that we identify and assess with the ESRM framework is really a subset of the enterprise risk management framework and aligns directly with that purpose. So everything we find just falls in as a pillar that supports the overall ERM program. FAIR? Yeah, absolutely, Nick, thanks for that. Yeah, you bet, FAIR, I like FAIR as well. I've used that over time, and we've incorporated some of those principles when you take a look at what enterprise security risk management is as well, right?

So I don't know if I have any other questions, but I know we have just a few more minutes left, so I want to take a quick moment to thank everybody here who attended the session, and thank you so much for living through the few technical difficulties. I'm going to blame the dogs now for being online and taking away some of my bandwidth. Thank you to all of you for attending the session today, for being here throughout it, and for spending time with me this morning.
