
Morning everybody. This is my first presentation, so I'm quite new to this, and I haven't had the best prep this week, but I'm here today to give it a go. The topic is cyber security risk management; the subtitle is "a simple approach to preliminary risk assessment". We should all really know what risk management is, and we should all know why, because each year cyber security threats happen, data breaches happen, attack vectors happen and new vulnerabilities occur. At the start of all of this, when you're approaching risk management, you will do a preliminary risk assessment first, and there can be a tendency to overcomplicate based on the information provided, or not provided. This presentation will aim to set the story about how I perceive it at the moment.

My background in security started from being within databases for several years, and then I moved across from infrastructure to security, towards data security, and then I moved again into GRC, so I've seen multiple sides of the fence. I understand why, if I'm not getting context, it's hard for me to translate that down the chain, and the more reading I did when I joined GRC, I realized that the message is not getting translated up the levels that it should be, and that's because risk starts fundamentally, or I think it starts fundamentally, at a lower position, which will be my next slide. So yeah, I think I've covered that: about me, presentation, new challenge and journey. Let's go on to the next slide.

I perceive, and I could be wrong, call me out, it's not a problem, it's just an opinion, that there's a possible disconnect between the non-technical and the technical teams within security, particularly when I talk about non-technical, like, say, GRC. The perception may be tick-box, policy-driven, business-focused, and this potentially stems from cross-training within security. The same happens on the other side, within technical teams, and predominantly most of you here will be from that side, hence why I'm speaking to the audience: application, product security, SOC. It's all backed up with an evolving threat landscape, attack tree analysis, heavily vulnerability-focused, which will be my next slide, but again limited cross-training. So it's the same side of the coin in terms of maybe not seeing. It is a generalization; I'm not saying neither one nor the other can see it, but the cross-training element is maybe the rationale why risks aren't always getting easily translated, in the form of insufficient context, communication and missing information. There's also an element of bias, which I might come to later on, but that may explain why you're not getting the full information too.

Stemming from technical teams is vulnerability management. It's just a segue into risk management, but the point is you can't really go into technical risk management in particular if you don't have the context of vulnerability management, because they have to come from somewhere. So again, just a few bullet points: tech frameworks, controls, comprehensive scanning. You've got your CVEs, lots of them; there's a scoring system too, and those are mostly derived from your vulnerability management systems, which will give you the relevant CVEs, which then get passed up the chain.

I have this slide in because when I checked on the CVE website there are 218,039 CVE records. In theory, that translates to a lot of risks, so it's just a case of how to make sense of that. But then it's the case of how do technical teams convey that risk to the non-technical team, and what might get lost in translation along the way, or not said along the way. That's why it's relevant to talk about vulnerability management before you get into risk management, because they're obviously intertwined. There are other risks out there, I get that, but this is cyber security and this is a security event, so we start with vulnerability management.

Okay, I'm not going to go into detail on vulnerabilities themselves, because it's accepted: we know what they are. It's more that technical security teams highlight the security problem in the form of complex security vulnerabilities, most of the time, not all the time but most of the time, and then it's the job, or the remit, of cyber risk management to translate that down into a readable risk that can go up the chain.

For this slide I should really talk about what risk management is. I won't go into too much detail, because it's accepted that it's an umbrella terminology: it's framework-based, it's an ongoing process, there are multiple stakeholders, it involves people, process, technology, you have to align to your appetite and tolerance, that's the organization's, and it fundamentally forms a process of identification, analysis and evaluation leading towards acceptance or treatment. Within that there are multiple components, and today I'm only really going to talk about the preliminary risk assessment, which I probably should have said at the beginning: just one aspect of risk management. This topic in itself is an entirely separate slide, sorry, an entirely separate presentation, and could go on for another hour or so, but I just wanted to have this in here to set the context for the next slide, which is risk assessments. The premise of cyber security risk management is that there is a process there to do risks, basically, and it can be as complex or as simple as you want it to be, but it sometimes gets complicated because there are many frameworks out there trying to say to do this or that. What they do tend to overlook is the preliminary aspect to it, which will lead me on to risk assessments. I thought I'd add a bit of color, just because.

So risk assessments generally: what is the purpose, what is the scope, what are the priorities, what are the constraints, who is doing the assessment. Everything you need to work with, or need to ask the questions about, will form the basis of your risk assessment. It's essentially an ongoing activity that helps your business identify any threats or vulnerabilities and maintains compliance with regulations. This is all very standard stuff; it's not particularly exciting, but the point is it's a component of risk management. You can't do one without the other, and it just naturally stems. But if you go into detail on risk assessment, there are multiple aspects, if I go down my side, sorry, components, of risk assessments, but the main one that I'm focusing on today will be preliminary risk assessment.

For these I have, at a very high level, just outlined three that I felt were needed when doing a preliminary risk assessment, and that's what I wanted to focus on right now: the business context, the system scope and the risk profile. The business context is key. A lot of people talk about business context, because it's about translating essentially a technical vulnerability into the business: what does it mean for the business, up and down the chain. System scope: whereabouts within the organization is it facing? So when you're looking at it, you're going, well, is this internal, external, is it this service or that service, is it limited here or there. And risk profile: what I was advised was to look at this triangle, which inverts the CIA triad into a very simple risk profile for three, and usually risks can be based within that triangle in terms of disclosure, alteration and denial. Obviously the deeper you go, the more context you can add, but the point is without these three you can't really do a risk assessment.

The challenges that you can get, basically, that I face, is that you get a lack of context, a lack of communication and just a lack of information when you're getting the information you need in order to do your risk assessments. But then the role of, say, the non-technical GRC is to get the information and translate it into value chains, essentially, which are how you go up the way in terms of the organization, in terms of explaining it. Every business will have value chains; it's what makes a business. But then it's about prioritizing that, because not every risk needs to be perceived, or not every vulnerability needs to be perceived as a risk, and not every risk needs to be prioritized in a certain way. So it's just taking the vulnerability, or the technicality, and putting a certain level of context around it, a story.

A working example, really simple, because the whole thing in theory should be simple; I try to keep it simple. We're all familiar with end-of-life production servers, so it's just taking those three concepts and saying, look, what does it mean when you're doing a preliminary risk assessment: a decision and a summary. Your decision should be just your main title, and your summary should be your business context, your system scope and your profile.

I think I've then got three minutes remaining, so we'll go to the last slide for takeaways. Hopefully I've conveyed that between the technical and non-technical teams there should be a shared vision, and in doing so we'll instil a risk management culture. Business context equals business value, and I think, according to certain people, in 2024, if not already happening, people will be asking why: what does this mean, how do I explain this to somebody else in order to get this risk treated, looked at, mitigated, basically how do I get the money to resolve the problem. Without business context you won't infer that business value, and you maybe won't get the money to solve the risk itself. So it's a balance between wanting to flag the risk, but also wanting to resolve it from a security standpoint, while also acknowledging the relevance to the business itself.

I've talked through the methodology, again simple, I get that, but it's only one aspect of a much bigger process, and it has to start somewhere. Fundamentally it's repeatable, and it has to be repeatable, because there are lots of them and they won't stop; there will just be more. So it's about filtering as well, and the point of that repeatable process is that it will allow you to filter: you start with your prelim assessment and you can basically say, this is a risk, this is not a risk, this is a risk, this is not a risk.

A few useful links from my research. You're probably already familiar, but if you're not, and you're from maybe a non-technical side, it's worth considering, particularly the tech frameworks and the controls, because they help give added context to see it from the other side of the coin, from the technical perspective. Cool, thank you very much. [Applause]
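The speaker's working example (an end-of-life production server, assessed by business context, system scope and the disclosure/alteration/denial profile, producing a decision and a summary) can be made into a repeatable filter of the kind the takeaways describe. The code below is an added example, not the speaker's own method or tooling; the decision rule (a finding missing any of the three components is "needs information", a finding that affects none of disclosure, alteration or denial is "not a risk", anything else is carried forward as a risk) and the sample findings with placeholder references are assumptions made for illustration.

```python
# Added example (not from the talk): a repeatable preliminary risk
# assessment filter built on the three components the speaker lists:
# business context, system scope and the disclosure/alteration/denial
# risk profile. The decision rule is an assumption made for illustration.
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Exposure(Enum):
    INTERNAL = "internal"
    EXTERNAL = "external"


@dataclass
class BusinessContext:
    value_chain: str       # the business value chain the system supports
    impact_if_lost: str    # what the business loses, in business terms


@dataclass
class SystemScope:
    service: str
    exposure: Exposure
    in_production: bool


@dataclass
class RiskProfile:
    # The inverted CIA triad: which of the three can the finding cause?
    disclosure: bool = False
    alteration: bool = False
    denial: bool = False

    def affected(self) -> list[str]:
        names = ("disclosure", "alteration", "denial")
        flags = (self.disclosure, self.alteration, self.denial)
        return [n for n, on in zip(names, flags) if on]


@dataclass
class Finding:
    title: str
    reference: str                           # e.g. a CVE id (placeholders below)
    business: Optional[BusinessContext] = None
    scope: Optional[SystemScope] = None
    profile: Optional[RiskProfile] = None


@dataclass
class Decision:
    status: str     # "risk", "not a risk" or "needs information"
    summary: str    # the one-line decision summary that goes up the chain


def missing_components(f: Finding) -> list[str]:
    """Name whichever of the three components was not supplied."""
    parts = (("business context", f.business),
             ("system scope", f.scope),
             ("risk profile", f.profile))
    return [name for name, value in parts if value is None]


def preliminary_assessment(f: Finding) -> Decision:
    """One finding in, one decision out; the same rule every time."""
    missing = missing_components(f)
    if missing:
        # The challenge from the talk: lack of context, communication, information.
        return Decision("needs information",
                        f"{f.title} ({f.reference}): cannot assess, missing {', '.join(missing)}")
    affected = f.profile.affected()
    if not affected:
        # A finding that cannot disclose, alter or deny anything here is not a risk.
        return Decision("not a risk",
                        f"{f.title} ({f.reference}): no disclosure, alteration or denial "
                        f"impact on {f.business.value_chain}")
    summary = (f"{f.title} ({f.reference}): {f.scope.exposure.value}-facing "
               f"{'production' if f.scope.in_production else 'non-production'} "
               f"{f.scope.service} supporting {f.business.value_chain}; "
               f"exposes {', '.join(affected)}; impact: {f.business.impact_if_lost}")
    return Decision("risk", summary)


def triage(findings: list[Finding]) -> dict[str, list[Decision]]:
    """Run the filter over a batch and group the decisions by status."""
    out: dict[str, list[Decision]] = {"risk": [], "not a risk": [], "needs information": []}
    for f in findings:
        d = preliminary_assessment(f)
        out[d.status].append(d)
    return out


# Constructed sample findings; the references are placeholders, not real CVE ids.
SAMPLE = [
    Finding("End-of-life production web server", "CVE-XXXX-PLACEHOLDER-1",
            BusinessContext("online ordering", "orders cannot be taken or are tampered with"),
            SystemScope("web front end", Exposure.EXTERNAL, True),
            RiskProfile(disclosure=True, alteration=True, denial=True)),
    Finding("Outdated library on build box", "CVE-XXXX-PLACEHOLDER-2",
            None,  # scanner output only; nobody supplied the business context
            SystemScope("CI runner", Exposure.INTERNAL, False),
            RiskProfile(alteration=True)),
    Finding("Verbose banner on internal test host", "CVE-XXXX-PLACEHOLDER-3",
            BusinessContext("internal QA", "none identified"),
            SystemScope("test host", Exposure.INTERNAL, False),
            RiskProfile()),
]

if __name__ == "__main__":
    for status, decisions in triage(SAMPLE).items():
        for d in decisions:
            print(f"[{status}] {d.summary}")
```

The point of the structure is that a finding cannot silently pass through with a component missing: the "needs information" bucket is where the lack of context the speaker describes becomes visible and can be sent back down the chain, while the summary string for a genuine risk is already in the business-context, system-scope, risk-profile order the talk recommends.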