
You know, West Austin... Hello gentlemen, my name is Sarah and I am your friendly room monitor. There are some rules here: we do not throw things at speakers. Please do not throw things at speakers. If you do not have a press badge, please do not take pictures, photos, whatever; that's their job, you know, speakers don't like that, we don't like that. And please be nice and do not heckle the speaker, because they're putting a whole lot out there to stand in front of us, so we have to be nice to them, because, you know, we can heckle them later when they're not on stage. And I want to go ahead and introduce Josh, who I don't know at all, but who is about to talk about one of my favorite subjects, which is risk management. So Josh, please teach us cool stuff we don't know.

Sure. So, like you said, my name is Josh Sokol. I'm happy to take pictures with you guys afterwards, so we can definitely do that. If you guys want to talk risk, we can certainly talk risk, and if you think that anything that I say isn't valid or want to challenge it, I'm happy to discuss it, but don't call me names.

So, my role: I'm the information security program owner at National Instruments. I basically handle anything having to do with security from an IT or enterprise perspective, whether it's risk management, vulnerability management, architecture, policy; I do it all. So that's kind of my background. If you have other questions about that, feel free to let me know.

The talk here is "Convincing your management, your peers, and yourself that risk management doesn't suck", and it's kind of unfortunate that we even have to have a talk like this, but I think that there are enough people in security that just don't understand risk management. They don't understand the value of risk management and they don't understand how to communicate with management about risk, and so I put this talk together to kind of address those things. I've seen quite a few risk management talks in the past. Most of them have been given by vendors, from like Archer, and nothing against Archer, it's an awesome tool that costs half a million dollars and people will buy it, but they always focus on the process side of it, which is really boring. You know, a lot of us just don't care about the process stuff. Proper risk management is about using risk to drive organizational improvement, and so everything that we do when it comes to risk should really be focused on what's the end result: how do we use this to improve the organization, to drive the business, to make more money and be successful. Risk management can actually be interesting and extremely, extremely valuable. You know, I met Sarah a few minutes ago and she was like, "I love risk, risk is awesome." Some people get it, and I think risk absolutely can be interesting and it is extremely valuable.

So, real quick show of hands: who here has an existing risk management program? All right. Who is interested in starting a risk management program? Hopefully everybody's hands go up, right? If not, you're in the wrong place.

So let's start off and talk about personal risk management, because I think this kind of gets the idea across, and I'm happy to share my notes with anybody; if you want a copy of the slides we can talk afterwards. Personal risk management is something that you guys do without even realizing it. You have property, you have cars, you have houses, things like that, and you have to make decisions in your daily lives about how you're going to protect those things: what are the risks involved with owning those things and how do you mitigate those risks. So when it comes to my house, I have nice things. I have a TV that I like very much, I have pets that I love, and those things are important to me and I don't want somebody to come and take those things. Fortunately I live in a nice neighborhood, so I don't have to put bars over the windows, I don't feel the need to put fences up and things like that, but there's still a risk of somebody coming to my neighborhood and targeting me. So I've made a risk assessment. I've said that there's a certain level of things that I need to do to mitigate the risks to my home, to my property, and so what do I do? I put an alarm system in, I get a firearm, right? These are all things that I need to do to protect my things. Risk management in the enterprise is the exact same thing. You are trying to figure out what are the things that could affect our enterprise, what are the things that could cause problems for us, and how do I address those, right?

So let's talk about threats and consequences. Risk covers all facets of the business; it's not just security, right? It covers all sorts of different things, and because of that there are different types of threats and different consequences that create risk for us. So up here we have things like financial loss. Now, financial loss just means that some risk could result in losing money. It might be that my company likes to play the stock market and we invest in
something that loses all of our pension funds, right? That is a financial loss risk. We could have things like reputation damage, where, let's say, we lose credit cards, right? That could potentially affect the reputation of my company. We also have levels of consequence when we're talking about risks. So just because something happens doesn't mean that it's extremely impactful; it doesn't mean that it's not. So we have to look at each individual risk, we have to figure out what's the likelihood of that thing happening, and then, if it does happen, what's the consequence, what's the impact to us. Some other things here: regulatory non-compliance, business interruption, safety hazards. These are all different types of risk.

So, in ideal risk management, it's a prioritization process. We want to look at the likelihood of the event happening, we want to look at the impact when it does happen, and then we basically calculate that, and we say the things that fall to the extremes, the things that are almost certain to happen and that are extremely impactful if they do happen, those are the things that we likely want to address first. There's another component here, which is what's the level of effort: is it going to cost a million dollars to address something that's, you know, a relatively small risk? We have to take that into consideration as well. But if we do risk management right, what ends up happening is we get something like this, where we're able to kind of rank our risks and say this is the most important thing, or the thing that has the most likelihood of happening and is going to be the most impactful, and we chart those on a graph, and we're able to say number one, we have to hit that first because it's way out there; then we do number two, then we do number three, four, five, etc.

There are lots of different risk management methodologies out there. My risk management practice is based a lot on the NIST 800-30 framework. The problem is there's lots of things out there, right? There's lots of different strategies. Everybody's going to tell you, you know, do this, do that. The problem is, that's somebody else's vision of what risk management should be, and every organization is unique. My organization is different from Nate's organization, from Sarah's organization, from Andy's organization. So at best these risk management frameworks out there are a guideline; they give you examples of what others are doing. At worst, they end up making risk management look overly complicated. They make it difficult to get started because the frameworks are so heavy.

So, starting out, we need to define risk, right? We've talked a little bit about this. Risk is the potential that a chosen action or activity (including the choice of inaction) will lead to a loss or some undesirable outcome. I think the important thing for us to understand as security professionals is that piece in parentheses there: including the choice of inaction. Management can choose to do nothing about our risks. They can say that risk exists, we acknowledge that it's there, but hey, it's not worth our effort, the impact is minimal. They have that choice, and I think as security practitioners we need to understand that that's a choice for management to make. And I think far too often we go and we say the sky is falling, or we have to address this because PCI says so, or whatever. We need to understand that those are risks that management is willing to take, and we have to figure out how best to support those decisions.

Risk can apply to all sorts of different areas. You can have economic risks, you're going to have health, safety and environmental risks, IT and infosec, insurance, business, finance, security; it's all over the place. So when we're talking risk management, what risk management is to me as an information security professional may be very different from the risk that somebody in the banking industry or the securities industry is talking about, or even within my organization. We have guys who are in charge of health and safety; they track OSHA compliance, right? Those guys care about different risks than I care about. Ideally, within your enterprise, you want to figure out how do I standardize on a platform that can address everybody.

So when we're talking about the risk formula, we already talked about likelihood and impact. The way that you classically calculate risk is with a formula: likelihood times impact. So you get something like this. You say, if the likelihood is remote, I assign that a value of one, and you go all the way up to almost certain, which is a value of five. And on the impact scale you say insignificant is a one and extreme or catastrophic is a five. And now you go through and you say, for this particular risk, what is the likelihood, what is the impact, multiply
those two out, you get a value. Now you can chart that value on the scale. Now you can actually compare one risk to another risk to another risk. Now, the interesting thing is, while that's the classic risk formula (and if you took your CISSP, remember that one), it can change. Remember when I started out I said that risk is different for different organizations? So make your risk formula fit you, and what I mean by that is you can manipulate that formula. You can weight impact: you can say risk is actually likelihood times impact plus impact. What that does is it actually skews that scale; it skews it more towards that impact, so your impact actually weighs more into your risk scale. Or you could go the other way: you could weight likelihood, and now it kind of flips the other way. You can even do things like extreme impact weighting, and you can say likelihood times impact plus impact plus impact. Make your formula fit you, and that's important, because if you are able to make your formula fit you, that's something that management can then kind of wrap their arms around. They can say, well, you know, this old thing, that likelihood, it just skewed the scale, and you're like, well, we don't want likelihood to skew the scale, so we added an additional impact. Be flexible.

So risk management needs to be a custom fit for your organization and your formula needs to reflect that, right? Your formula can and likely will change, and the interesting thing about this is a lot of the people out there who are managing risk, they're actually managing it with spreadsheets, Excel spreadsheets. And, I mean, Excel is somewhat flexible; you can make it so that if I plug a new value in here then it does this, you can kind of change formulas. But whatever you're doing, however you're tracking risk, you need to have that ability to dynamically change, to modify the formula on the fly and have that update all the risks. So static things like Word documents and whatnot, I instantly throw those out the window; they don't work. Wherever you're tracking risk, you should be able to dynamically update it based on your new formula.

All right, so now let's talk about convincing management, because risk management will ultimately fail if you don't have management participation. I had a long conversation last night about risk management with a couple of different people, and fortunately the person I talked to was extremely passionate about risk management; we actually saw eye to eye on a lot of things. One of the key things that kind of came out of that conversation is that management doesn't speak CVE, they don't speak attack vectors, they don't speak threat trees. Those are security professional tools to assess risks. What management does speak is risk. So if you can frame it in a context of risk, what's the likelihood of something happening, what's the impact if it does happen, that is something that management can understand. That's the way that management communicates; all this other stuff is ways that you assess the likelihood and impact. Your responsibility as a security professional is to collect and convey risk to management. It's not your job to sign off on risk. It's not your job to go and force people to do things, right? Your job is to collect the issues, assess what the likelihood and impact of that happening is, and then pass that along to management and say, here are the facts, what would you like to do about this, and use your expert opinion to guide management. Management's responsibility is to evaluate how to respond to those risks: do they accept the risk, do they transfer the risk, do they reduce the risk. If you can get management involved in these decisions and make this a risk-based conversation with management, they're going to feel empowered. Management will feel like you are giving them the ability to see all this information that they didn't have visibility into before, and you're giving them the ability to actually make decisions on things that you kind of made for them
previously. If you do a good job of guiding management through the risk analysis process, the end result is a list of priorities based on those risks that you can then narrow down into a project, and now you can feed this directly back to management and say, here's all of our projects that I think we should work on next year, right? We should plan for these in the budget, and that's based on risk. How can management say no to that? These are projects that address these risks, right? It's very real.

Convincing your peers. Often times security practitioners have trouble communicating with their peers, and it almost becomes an adversarial relationship, where these guys, they're working tirelessly, our system administrators, they're doing the best job they can with the resources that they have. So if I go up to these guys and say, you're not doing good enough, you need to be doing this, you need to be doing this, it becomes a very adversarial relationship, and if you don't have peer participation in the risk management process, risk management will fail. So your job is to get these guys on your side. Management can only be proactive in addressing risks if they're aware that the risk exists. So you need to be friends with these guys. You need to convince them that this is effectively a cover-your-own-ass opportunity for them. If they can convey their risk to you, you tell them, I will document these risks, I will make sure that management reviews these risks. It's a weight off of their shoulders. These guys no longer have to carry that burden on their own, and if that risk actually happens, they can say, look, I told you. I told you it was there. We said this was likely to happen, this was going to be the impact, and you chose to accept the risk, Mr. Manager, right? You did not allocate the funds to this. Get them on your side. Let them know that this is actually something that's going to help them, not hurt them. Documented risk means that management acknowledges that the risk exists, and any action or inaction is now on their shoulders instead of the shoulders of your peers.

So when we're determining the risks, we want to convince our peers that this is a CYA approach, and you'll end up having more risk than you know what to do with. If you get them bought in, they will come to you with new stuff: hey, I just discovered this in my environment, can you document it for me, make sure that management reviews this. You can also determine risk other ways. So we all have network vulnerability scanners, we have app vulnerability scanners, security mailing lists are a good way for this, security blogs, code reviews, Twitter. How many of you guys use Twitter to track...? Yeah, it's actually a fantastic source of information about what the latest risks are, what's the new threat. If you're following Twitter right now and they're like, hey, just saw this presentation at Black Hat, crap, I have to fix that, right? So there are lots of different ways that we can determine where our risks are.

Now the question becomes, what do we do with them once we collect them? We have to evaluate. So we look at that risk and we say, is this something that we're willing to accept? Is the likelihood or impact low enough that I'm willing to just accept the consequences if it actually happens? And like I said, this is something that we as security professionals have to accept: the fact that management says, I understand that that could happen, but it's okay if it does happen, we'll deal with the consequences. That's a perfectly acceptable answer. Ask, is the risk transferable? Unfortunately in security a lot of times it's not. We can't buy insurance for this kind of stuff, right? Well, you can buy like data breach insurance, but it doesn't really fix that stuff; it just covers some cost while you're down, or, you know, for somebody to investigate. But the idea is, can I purchase insurance or some other measure to transfer the impact of the risk to somebody else? Is the risk reducible? Is there some sort of mitigation that could be put in place to reduce the impact or likelihood of the risk? And that's actually what we should try and focus on as security professionals. We have to be willing to admit that the risk is acceptable, but if we're doing our job right, if we're convincing management that we have their best interests in mind, if we're speaking their language, we should be able to talk to management and say, I feel like if we do this, if we install a web application firewall, it'll address all these risks and I think we'll be in a better position for that. We can talk their language; we can reduce those risks.

So when we're trying to determine the response, we look at something like this: is it acceptable, is it transferable, is it reducible? So if the answer is no to all three of those things, the answer should be clear: don't do this. If I can't accept it, I can't transfer it, I can't reduce it, that's where you kind of put your foot down. That's where you tell management, I really feel like we shouldn't be doing this activity. If it happens, bad things happen; we can't accept those bad things, we can't buy insurance for it, and there aren't any mitigations for it. All the way down to, if we can do all three of those things, well, we can balance them, we can optimize. So when we're looking at a risk
we have to kind of evaluate these things on a per-risk basis. Risk management is not a process for avoiding risk. The idea is to catalog risks: you want to figure out what the risks are and you want to manage them, and you want to manage them in ways to maximize business opportunities and minimize adverse effects if those risks come true. Risk management is not the management of insurable risks; it's a way of transferring risks, but most risks are managed by other means, reducing or accepting. Risk management should support strategic and business planning. So if you as a security professional are talking risks but you're not asking the business what they need, what their goals are, and your policies aren't in line with that, you're going to fail. It should support the effective use of resources. Remember that our end goal is prioritization, and we want to turn these into projects that we can justify by virtue of the risk. It should promote continuous improvement. We want to explicitly address uncertainty, and the idea there is that we get fewer surprises: if we tell management that this could happen, even if it's a remote possibility that it could happen, they at least are aware of that possibility. It allows for a quick grasp of new opportunities. It enhances communication between the business, between IT, between senior management, because we're finally communicating using the same language. It gives reassurance to our stakeholders. It helps us to focus internal programs. It should create value. If security practitioners aren't seen as adding value to the organization, if all you are doing is inhibiting the business, that's a problem. So we want to figure out, as security professionals, can we provide services, can we do things that make the business value what we're doing. You want to be an integral part of organizational processes, be a part of decision making, systematic and structured, based on the best available information, tailored, taking into account human factors, transparent and inclusive, dynamic, iterative and responsive to change.

Now, the interesting thing is, this isn't a one-and-done kind of thing. Risk management needs to be cyclical, and what I mean by that is that there are different pieces to the risk management process, and if you only do those once, what happens when that risk changes? So take, you know, one of the vulnerabilities, one of the exploits that gets dropped at Black Hat this week. That vulnerability today is pretty bad: there's no fix for it, it's going to affect all these users, data disclosure, whatever. Now, two weeks from now, when the vendor goes "oh" and patches that, does the risk go up or does it go down? It goes down, which means that there's actually a temporal component to risk. What it is today, it's not later on. So we have to learn how to address these on a regular basis.

So step one, we identify, characterize and assess the threats. What are the threats facing us today? Step two, assess the vulnerability of our critical assets to those specific threats. If the threat is targeting Windows but all of my systems are Linux based, is that a risk? Probably not; probably not something that I care as much about. So we determine the risk, and then we want to identify ways to reduce those risks. How do we mitigate against these? Then we prioritize risk reduction based on a strategy, and we take into consideration business constraints, and what I mean by business constraints is usually resource stuff: do I have people's time to fix this, do I have the money to do it? And then you go back, you start talking to more people, you get more threats, you look at the whole thing again, and you keep going year over year.

So the risk review process may depend on how lean your organization is, on management structure. What I've done at National Instruments is I've created a structure that allows me to elevate the visibility of risk to the people I feel should have that visibility. So in our case we have area managers, and I've made those guys able to accept low-level risks. These are things that are relatively unlikely to happen, and if they do happen the impact is pretty low. So giving them the ability to sign off on that doesn't remove visibility from executive management; it just puts accountability on those people. Now, as we move up that risk level and we start getting to more medium, I like those to go to my directors. I like the directors to have the visibility, I like them to be the ones who sign off on those, and they're the guys who are going to create the budgets for the organization and make sure that projects are being allocated, so they should have that level of visibility. Now, if we get all the way up into that high-level risk, these are things that are extremely likely to happen, and if they do happen it's going to be really bad. Don't you think your
executive management wants to know about that? I do. So those are things that I hand off to my VP. I say, these are the things that have bubbled up out of our risk management process as things that I think we should really care about, you should really care about; let's sit down, let's talk about these, let's talk about the likelihood, let's talk about the impact, and let's figure out ways to fix this.

Now, for me, I also feel like risk should be reviewed on a regular basis, because, as we talked about, risk changes over time. So a high risk, because of the nature of being a high risk, might be something that we want to review every month: sit down, let's talk about this guy, is it still valid, did we put mitigation in place. A medium-level risk might be something that we review on a semiannual basis, and a low risk, because of its nature, we might just say, well, let's review it every year. Let's take a look at that risk every year: is it still valid, yes or no, do we care more today, has it changed?

Now, in order to derive value out of this, we order those risks by risk level. If the mitigations are the same, so if all my risks bubble down to identity and access management, I group those together, and then we take those risks and we pass them back to the various teams and say the directors have reviewed these risks, these all boil down to this project, and that project is now up for funding in our next budget cycle. We've now added value directly back to the organization. By giving up some of the goods to our co-workers, our peers, by being a little bit giving with that, we've now enabled them to have money and time to fix this stuff. Isn't that what we all want? We want to fix this stuff.

All right, the area that I feel like most security practitioners will fall down on for risk management is in tools, and the reason being, right now most of us use spreadsheets, because they're free, relatively, they're extremely easy to access, but they suck. How many of you guys are using spreadsheets for risk? I'm sorry. The other side of the point here for risk management in the enterprise is large platforms. They call them governance, risk and compliance, and they address more than just the risk piece. Easily 100K. I said that number, I was out with the webon guys the other night and I said 100K, and they looked at me like I was crazy. They said, no, no, no, that's easily half a million dollars. These tools are extremely expensive, they're extremely bulky, they do way more than basic risk management needs them to do, and that ends up being a problem. Any of you guys actually have a large platform like that? Archer? Yeah. None of us can afford it, let's be honest. If I told my management, and I actually did this, I said I need Archer GRC so that I can do proper risk management, and they saw the price tag on it, they literally laughed at me. They laughed at me. It didn't feel good. But when that one tool comes out to about double my security spend, that's bad. They're not going to greenlight that. I tried. I was like, okay, well, if I can't justify this for me, why don't I go and I'll get the trade compliance guys involved and I'll get the health and safety guys involved and I'll get all these other stakeholders that care about risk, I'll get them to buy into this. And I did. I sat them down, we talked about risk management, they're like, yeah, let's get a tool, and then I handed them the number that it was going to take to buy this thing, and they're like, we don't have budget to support that. It just doesn't happen. Unless you're a huge Fortune 100 corporation, you can't afford that. Is anybody using anything else for risk management? Spreadsheets, large platforms, does anybody have another solution? Yeah, this is what I mean when I say that it usually falls down around that tool set.

So we talked about that. This is the point of my presentation where hopefully you guys are getting it, and angels are warming up their voices. So I realized that this is a problem. I don't want to deal with spreadsheets, those suck. I can't afford Archer. I need a better way. And so what I ended up doing is I sat down; my collegiate background is computer science, so I have some programming skills, I've studied web application security, so I know how to write a relatively secure application. I sat down and started writing some PHP code, and I was maybe down for 8 hours, 10 hours, something like that, and I wrote something where I could just click submit and submit a risk. I was like,
this is cool all right that's already better than a spreadsheet if I can submit it into a database now I can track it via database cool so I started writing some reporting around this I was like okay well you know how many risks do I have there what's open you know what's closed how do I track this and then I started adding more and more pieces to this thing I was like wow I have something here this is extremely valuable for me at National instruments maybe this is valuable to other people too so what I've done is created something that I affectionately call Simple risk and simple risk is free it's open source uh it's PHP in my SQL so it's easy access
uh based on you know if you if you want to run on Windows you can run on Windows you want to run on links you can run on on Linux but it's extremely simple to use and it's not meant to be a huge GRC platform it's meant to catalog risk and it's meant to keep keep track of some of these things like mitigation and management reviews so I'm logging in with my admin account this is running on lamp stack this is a boont to I actually put uh together a how to install it on lamp staff manual that you can probably run through in 30 minutes and have an active simple risk install on a Linux
box this is running on my local system so this is a virtual machine but you can spin up anywhere in your environment you can put on existing stack it doesn't matter so the first thing you see here when I open it I only have one risk in there it's right here and I entered this guy earlier just so that I had something so that the graphs would show up but you can see already we got some reports here we can see the status of the risk and this will change as we do things like um Crea a mitigation or create a management review you can see where this risk is located it's located at Las Vegas you can see the
category it falls to which is physical security I categorized my team as information security and Technology was all I don't have any closed risk in here right now so the process for risk management well let me go into here so just like I talked about in the presentation I wanted this to be flexible I wanted it to be something where when I went in there and I decide all of a sudden that I didn't like my likelihood times impact model I could change it so I've actually built in a couple of other models as well likelihood times impact plus impact plus likelihood you can do the waiting stuff and if you select one of these
things like if I do two times impact and I hit update it changes it actually changes my model there I can also do things here like change what I consider to be low medium and highle RIS so if I decide that a lowle risk is actually something greater than two and anything below that is insignificant I don't care about those things I change that to two and my wrist model changes on the fly all of my wrists updated with my new model so we can go through and we can very easily customize this to ourselves and it changes that model on the review settings we talked a little bit about this I want like I this is what I
do for my organization but what fits me doesn't fit you so you can set these things to whever you want you can say I review highrisk every week I review low RIS every five years right so it's flexible I wanted to to be customizable I wanted you to be able to create your own categories add your own teams into there your own technology there's user management features in here so you can actually create users for it and then you can say well this guy is able to submit risks but he can't review high medium and L lowle risk all he can do is submit or this guy is able to submit risk and modify risk and plan
mitigations. Oh, this other person, he just has access to the configure menu; he's able to make these changes. Role-based access controls. And you can go in and look at different users, you can assign them to different teams, you can change their responsibilities, you can update passwords, things like that. You can change my naming conventions, so I've got insignificant, minor, moderate, major, and extreme or catastrophic for my impact. You don't like those terminologies? If "insignificant" is really "I don't care," done: insignificant is now "I don't care," right? So super easy to change things.

I've created an audit trail. Actually, one of my buddies is an auditor and he saw this, he's like, "Josh, that's great, how do I know who did what?" He's like, "you're right, as security professionals we need to be able to track who's doing these things." So there's a full audit trail in there. Each individual risk tracks its audit trail, and then as an administrator you're able to go in here and see what everybody on the system is doing. It even has an "about" thing that'll actually go through (it's not going to work right now because I'm not connected to the internet); it'll connect out and say, what's the latest version of SimpleRisk, am I up to date?

So the risk management piece is meant to be as simple as possible. You submit your risk: you go in here and you can say, give me a good risk. Wait, you guys: "PCI auditor is PMSing." PCI auditor, I don't know, PMSing works for me. We give it a location, and these you can define in that configure section, so we're going to say at BSides Las Vegas. We give it a category: so is this access management, environmental? It's probably policy and procedure. Technology: where does this live? We're going to just say... "You define technologies?" Yeah, you can change all that stuff, absolutely. Owner: so right now I didn't create any other user, we're just going to say admin; if you want to leave it blank you can do that. Risk scoring: so we talked about classic likelihood times impact, classic risk,
and you can rate it based on that. But I had a buddy who's like, "what about application vulnerabilities, what about technical vulnerabilities, I use CVSS." I was like, all right, let's build in CVSS scoring. So I actually built in CVSS scoring for SimpleRisk, and you can go through and it asks the same questions that you would for a CVSS score: what's my attack vector, is it local, is it adjacent network, is it network-based? What's my complexity, high, medium, low? So you can take these things, you can enter them, and when you submit it you get a CVSS score instead of the classic risk model.

So it's almost certain that PCI auditors... "if it's female." That's men, you know what, honestly, I do have more male QSAs; I know like two female QSAs. Yeah, yeah, but they PMS, they do, you're absolutely right. So it's almost certain, I think so. And then we're looking at the impact. We give it an assessment: this makes my job unbearable, right? We can put additional notes in here, we hit submit, we're submitted, done, that easy.

So what do we do next? Mitigations. So we go in here, here's our list of things. We were talking earlier about, you know, no throwing things at people, so I put a risk in there; I said, what happens if someone throws something that knocks me out? "Suck," right. We've got our PCI auditor in here. Based on our classification, our likelihood, and our impact, this came out as a six, and we can see it as orange; that's a medium-level risk. And in this menu we see anything that needs mitigation. So we click on mitigation plan, and now we get a planning strategy: we want to research it, accept it, mitigate it, or watch it. Well, in this case let's mitigate. And what's our mitigation effort: trivial, minor, considerable? It's probably trivial. Current solution: you don't really have that. But my security recommendations are a new auditor who is cute. Yes, we like that. We can tolerate... we're stuck with them in a room for an entire week, they have to be scenic, I'm sorry, that's what I'm saying. Yeah, yeah, absolutely, so at least we can deal with their PMS. Yes, yes, okay. So we hit submit, done. Now if we go back into this mitigation menu, it's gone. Why? Because we put a mitigation in. Easy.

Management reviews: here's everything that needs management review. We can already see a mitigation was planned for this. I'm a manager, let's review it. Do you want to approve this risk or reject it? Seems valid to me, let's approve it. Now that we've approved it, what do we do? We
accept it until next review? This is kind of the "yeah, that's a risk, but I don't want to do anything right now." Do we consider it for a project? We need a new project to hire a new auditor, maybe. Or do we submit it as a production issue? Seems like a production issue to me. We can put some comments in there or not. We hit submit; again, it disappeared from our view. Now if we go in here (I didn't do it, but) if, when we're doing our management review, we say approve, we say consider for project, what ends up happening is it gets in our unassigned risk bucket. So now "someone throws something that knocks me out": we're going to create a bodyguard project. I'm going to have somebody stand right here and he's going to take the bullet for me. So we add that, we've got a new bodyguard project, we take that guy, we drag it into the bodyguard bucket, we save it, bam: no more unassigned risks. We have our bodyguard project, we're good. We can prioritize, so if I have multiple things I can drag and drop; it'll actually change the organization there. I'm building in another component that will let me categorize the projects: what's active, what's inactive, that kind of thing.

So now we review our risk, and based on my settings, you know, how often do I want to review these based on the risk level, it automatically gives the next review date. So medium-level risk, this is every six months, so it gave us a date of January 2014. My low-level risk, that's every year, so it gave me July. Makes sense. That's how easy risk management is, or at least how it should be.

We've got some additional reporting in here, so we've got nice little dashboards; we can turn little sections off; we can see what our breakdown is in terms of technology, things like that. You can have reporting on open-level risks, closed-level risks, all sorts of things. If you go into any of these guys, I look at my open risks, you can actually click on one of these guys, and now you see all the information about that: what are the details of this, what's my mitigation, when's my last review. You can view all reviews, because you have to do reviews on a regular basis. You can edit any of these guys, assuming you have the permission. You can perform a new review. You can add a comment, so there's comments on the bottom here. And you can close risks if it's something we fixed. So in this case, let's close this risk: it's fully mitigated, new hottie acquired, done. So now if we look back at our open risk report, that guy is no longer there; we can look at our closed risks, there it is. So hopefully, as a result of Simple
Risk, risk management no longer becomes a tool problem, and as security practitioners we can go... we're no longer worried about our tool set, so we can actually do risk; we can focus our efforts on that instead of trying to find a tool that fits us. So with that, I'm done. I have some SimpleRisk stickers up here if you guys like stickers.

"When are you going to make it to J? You need to make it to J." I do need to make it. "Totally need to make it to J, that project so much better." There are a lot of things that I think need to get built into it. "Yes, you also need to make a tax confidence." I am a father of four, okay? I don't have a lot of time. If there are other people out there who would like to help with this initiative, I'm more than willing to take on some other people to help out, you know, PHP code. I think that there's other ideas too, which is importing from Rapid7 Nexpose, importing from WhiteHat, right? These are all risks to our environment, and if we can use something like this to manage them, all the better. In any case, I have stickers, I have some business cards that all say SimpleRisk on them. Are there questions?

"Yeah, do you go to the level of inputting every single vulnerability, or would you just say the risk is 'box is going to get popped by vulnerability'?" So if it were me doing risk management, like I said, this is different for everybody, but if it were me, I wouldn't categorize every cross-site scripting vulnerability on my website; no point in that. What I would do is say that cross-site scripting, or rather the impact of the user cross-site scripting, is a significant risk, right? And that those code deficiencies, poor input validation, whatever, those could result in compromises of our user base, which ultimately means bad PR for us or stolen user accounts or whatever. That's the risk. Those are the things that I would put in there, not the individual vulnerability. Does that make sense? Other questions? All right.

"Can you... icon customization?" I'm sorry? "I don't code at all, so brand it; I want to be able to put a pony on it. Actually, I wanted to talk to J, and I want to be able to put a pony up." Yeah, so it's PHP code, okay? It's open source, it's easy. I would say that... so, oh, the other thing I forgot to mention: Mozilla Public License 2.0, which basically means that you can take my code and you can rewrite it, build it, turn it into your own product, whatever you want to do with it; I've got no issues with that. There are some additional things that I'm going to be doing here that probably will be more enterprise-focused, like Active Directory authentication, for example. I might charge a little bit of money to help support feeding my kids, right, support the effort. But I wanted to make sure that the basic risk management, every single thing that I've shown you here, is free, open source, in the thing right now. If you go to simplerisk.org you can download it today and have it up and running tonight, I promise you, right? So with that, I'm open for questions afterwards, but thank you guys so much.
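The demo above walks through three mechanics of the risk register: a swappable scoring model (classic likelihood times impact, an additive variant, and a weighted "two times impact" variant), configurable cut-offs that decide which scores count as insignificant, low, medium or high, and a per-level review cadence that yields the next review date (a six-score medium risk reviewed at the end of July gets January 2014; a low risk gets the following July). The following is an added Python example written for this page; it is not SimpleRisk's PHP code. The five-point scales, the cut-off values, the review cadence in months and the review date of 2013-07-31 are constructed assumptions chosen so the numbers line up with the talk; the point it shows is that scores and levels are derived at report time, so changing the model or the cut-offs re-rates every open risk on the fly, as the demo does.

```python
"""Toy risk register modelled on the SimpleRisk demo: swappable scoring
model, configurable level cut-offs and per-level review cadence.
Added example, not SimpleRisk's own code; scales, cut-offs, cadence and
dates below are constructed assumptions."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date

# Five-point scales as in the demo (assumed values for the labels).
LIKELIHOOD = {"remote": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "extreme": 5}


def score(likelihood: int, impact: int, model: str = "classic", impact_weight: float = 1.0) -> float:
    """Scoring models from the demo: classic L*I, additive L+I, and a weighted
    variant where impact is multiplied first (the "two times impact" setting)."""
    if model == "classic":
        return likelihood * impact
    if model == "additive":
        return likelihood + impact
    if model == "weighted":
        return likelihood * (impact * impact_weight)
    raise ValueError(f"unknown scoring model {model!r}")


# Lower bound of each level; anything below the "low" cut-off is insignificant
# ("I don't care about those"). Constructed so that a score of 6 is medium.
DEFAULT_CUTOFFS = {"high": 10, "medium": 5, "low": 2}


def level(score_value: float, cutoffs: dict[str, float] = DEFAULT_CUTOFFS) -> str:
    """Map a score to a level by walking the cut-offs from highest to lowest."""
    for name, floor in sorted(cutoffs.items(), key=lambda kv: kv[1], reverse=True):
        if score_value >= floor:
            return name
    return "insignificant"


# Review cadence in months per level (demo: medium every six months, low yearly).
DEFAULT_REVIEW_MONTHS = {"high": 1, "medium": 6, "low": 12, "insignificant": 24}


def add_months(d: date, months: int) -> date:
    """Advance a date by whole months, clamping the day to the target month."""
    m0 = d.month - 1 + months
    y, m = d.year + m0 // 12, m0 % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def next_review(risk_level: str, reviewed_on: date, cadence=DEFAULT_REVIEW_MONTHS) -> date:
    return add_months(reviewed_on, cadence[risk_level])


@dataclass
class Risk:
    subject: str
    likelihood: int
    impact: int
    last_review: date


@dataclass
class Register:
    model: str = "classic"
    impact_weight: float = 1.0
    cutoffs: dict = field(default_factory=lambda: dict(DEFAULT_CUTOFFS))
    risks: list = field(default_factory=list)

    def submit(self, r: Risk) -> None:
        self.risks.append(r)

    def report(self) -> list[dict]:
        """Scores and levels are derived on every call, so changing the model
        or the cut-offs re-rates every open risk, as the demo shows."""
        out = []
        for r in self.risks:
            s = score(r.likelihood, r.impact, self.model, self.impact_weight)
            lv = level(s, self.cutoffs)
            out.append({"subject": r.subject, "score": s, "level": lv,
                        "next_review": next_review(lv, r.last_review)})
        return out


def build_register() -> Register:
    """The two risks from the demo, with constructed likelihood/impact ratings."""
    reg = Register()
    reviewed = date(2013, 7, 31)  # constructed review date
    reg.submit(Risk("PCI auditor is PMSing", LIKELIHOOD["unlikely"], IMPACT["moderate"], reviewed))
    reg.submit(Risk("Someone throws something that knocks me out", LIKELIHOOD["remote"], IMPACT["major"], reviewed))
    return reg


def demo() -> list[dict]:
    """Classic model: 2*3 = 6 (medium, review in January 2014), 1*4 = 4 (low, July 2014)."""
    return build_register().report()


def demo_model_change() -> list[str]:
    """Switch to the weighted 'two times impact' model and re-derive the levels."""
    reg = build_register()
    reg.model, reg.impact_weight = "weighted", 2.0
    return [row["level"] for row in reg.report()]


if __name__ == "__main__":
    for row in demo():
        print(row)
    print(demo_model_change())
```

Changing `reg.cutoffs["low"]` is the same operation the demo performs from the configure menu: the stored risks are untouched, only the derived level changes on the next report.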