Hosted by: ISACA, Austin Chapter The Beauty of Risk: Effectively Communicating Risk Throughout Your Organization Presented by: Tim Virtue Chief Information Security Officer Texas NICUSA

Page 1

Hosted by: ISACA, Austin Chapter

The Beauty of Risk: Effectively Communicating Risk Throughout Your Organization

Presented by: Tim Virtue, Chief Information Security Officer, Texas NICUSA

Page 2

The Lawyers Made Me Do It

Any references to specific organizations, people, products, or services are purely examples or learning opportunities and neither criticisms nor endorsements.

The views presented are strictly my own and may or may not represent any organizations or affiliations I have (mostly because they have not seen the light yet).

It’s OK to agree to disagree, but anyone who gets that worked up over slides needs a vacation or a drink.

Page 3

ABC Soup & Street Cred

CISSP, HCISPP, CSM, CCSK, CISA, CIPP/G, CFE, ITIL V3, CVE, QGVM, blah blah blah…

Over 20 years of experience in Security, Risk Management and IT

Executive Master of Science in Information Systems from a top business school

Cyber Security Instructor, Author & Speaker

Not bragging – just showing perspective & credibility

Page 4

Who We Are

Since 2002, the Texas.gov program has grown to offer more than 1,000 online services that securely processed more than 214 million transactions — all worth over $31 billion.

The program's mission is two-fold: deliver the State's official website for constituents to access information and complete online services, and provide enterprise technology services to Texas government.

The Texas.gov portal provides hosted online applications and payment processing for many consumer-facing government services like driver license renewals, vital record orders, vehicle registration renewals, and more.

Page 5

Learning Objectives

• Review strategies for easily and effectively communicating risk

• Learn to identify the most relevant elements of risk, from an enterprise perspective

• Utilize a community-building approach when communicating risk

• Balance business objectives with security, privacy, & compliance objectives

Page 6


FUD Is Not Risk Management

Managing by Fear, Uncertainty & Doubt (FUD) does not drive change or manage risk

The same event means different things to different people – communicate the same risk in a different but meaningful way to each stakeholder.

Page 7

Security Driven Risk Management

There are many types of risk: Reputational, Operational, Compliance, Financial, etc.

Most stakeholders are only focused on risks directly related to their business unit.

They create silos that weaken the overall risk community.

When you take an organizational approach to managing the numerous types of risk, the enterprise can be more successful.

Page 8

Traditional Use of Metrics

• Compliance with operational goals
• Isolated reporting
• Management reporting (productivity & budgeting)
• Governance

Page 9

Time For A Change

Page 10

What Data Driven Enterprise Risk Management Is Not

• Something to be ignored
• Something Security should try and stop
• Something done in isolation
• A tool or one time implementation

Page 11

Benefits – If Data Driven ERM Is Done Right

• Organizational collaboration
• Avoid redundancy and wasted resources
• Increased business value
• Removal of FUD Factor
• Elimination of checkbox focused risk management

Page 12

So Don’t Be This Guy

Security Says…

NO!!!

Page 13

How Security Can Save The Day

Page 14

Data Driven Enterprise Risk Management

• Business Value
• Organizational Alignment
• Strategic Planning
• Cross-Functional Communication
• Creating a Security Conscious Culture

Page 15

How Do We Get There?

Collaboration
• Work together so the output is business focused and communicated across the enterprise
• Learn to speak the language of business, but share data driven Security perspectives too

Innovation
• Work across the enterprise to support traditional Security & Compliance goals while supporting the business

Page 16

Strategies For Communicating Risk

• Use a “What’s in it for me” approach with stakeholders
• Simple, repeatable, visual, data driven, all while adding business value
• Align with business goals or organizational mission (Are you reading annual reports?)
• Use analogies – not geek speak
• Translate into financial or mission critical impact
  • If the system is compromised, we will see a 15% decrease in revenue
  • NOT – Do you want to be on the cover of the WSJ like XYZ Company tomorrow?

Page 17

Design & Deployment

• Start with a baseline
• KISS (Keep It Simple Security)
• Develop metrics with receiving stakeholders
• Focus on outcomes & actionable items
• Less is more
• Automated, easy, repeatable, multi-use

Page 18

Sharing Meaningful Metrics

Know your audience
• Push vs. Pull
• Static vs. Interactive
• Frequency
• Traditional vs. Mobile

Develop with actionable purpose

Develop metrics & delivery model with receiving stakeholders

We really only care about content – let them choose mechanics

Page 19

Cause of Failure

• Focusing on technology and ignoring organizational culture
• Lack of creativity
• Lack of executive support
• Losing sight of business goals and desired outcomes

Page 20

Cause of Success

• Proper training
• Starting small
• Alignment with business
• Creating a culture of agility
• Incremental improvement
• Focus on the intent of security requirements
• Risk based approach

Page 21

What Needs To Change - Security

More & improved collaboration and communication

More open minds and increased knowledge

Flexible solutions that address the intent of CIA (confidentiality, integrity, availability) while not getting hung up on “old school”, “we have always done it that way” methodologies

Become change agents in the security community (including risk managers, auditors, compliance professionals)

Page 22

Tim’s

• Percent effective to goal
• Aging metrics
• Aggregate risk
• Risk by business unit
• Policy exceptions over time
• % of software bugs with security impact
• Cost/schedule variance from planned security activities
• % of budget allocated to security
• % of contracts that include security requirements
• % of recurring issues
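As an added example that is not part of the presentation, the Python below computes several of the metrics on this slide (aging metrics, percent effective to goal, risk by business unit, aggregate risk, policy exceptions over time, and % of recurring issues) from a small findings list. The finding records, policy exceptions, SLA targets and severity weights are constructed assumptions; in practice the same functions would read from the ticketing, vulnerability-management or GRC system so the report is automated and repeatable.

```python
"""Added example (not from the presentation): compute several of the slide's
metrics from a small, constructed findings list.

The finding records, policy exceptions, SLA targets and severity weights are
assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from datetime import date

AS_OF = date(2023, 5, 1)  # assumed reporting date

# Constructed findings: (id, business unit, severity, opened, closed, recurring)
# closed=None means still open; recurring=True means the same root cause as an
# earlier, already-closed finding.
FINDINGS = [
    ("F-1", "Payments", "critical", date(2023, 1, 10), date(2023, 1, 20), False),
    ("F-2", "Payments", "high",     date(2023, 2, 1),  None,              True),
    ("F-3", "Portal",   "medium",   date(2023, 2, 15), date(2023, 3, 30), False),
    ("F-4", "Portal",   "high",     date(2023, 3, 5),  date(2023, 3, 12), True),
    ("F-5", "HR",       "low",      date(2023, 3, 20), None,              False),
    ("F-6", "Payments", "critical", date(2023, 4, 2),  None,              False),
]

# Constructed policy exceptions: (id, business unit, date granted)
EXCEPTIONS = [
    ("EX-1", "HR", date(2023, 1, 5)),
    ("EX-2", "Portal", date(2023, 2, 11)),
    ("EX-3", "Payments", date(2023, 2, 20)),
    ("EX-4", "Payments", date(2023, 4, 1)),
]

# Assumed remediation SLA (days to close) and risk weight per severity.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


def age_days(opened, closed, as_of=AS_OF):
    """Days a finding was open (if closed) or has been open (if still open)."""
    return ((closed or as_of) - opened).days


def aging_metrics(findings=FINDINGS, as_of=AS_OF):
    """Open findings past their SLA, counted per severity, plus the oldest open age."""
    overdue = Counter()
    oldest = 0
    for _, _, sev, opened, closed, _ in findings:
        if closed is None:
            age = age_days(opened, None, as_of)
            oldest = max(oldest, age)
            if age > SLA_DAYS[sev]:
                overdue[sev] += 1
    return {"overdue_by_severity": dict(overdue), "oldest_open_days": oldest}


def percent_effective_to_goal(findings=FINDINGS, as_of=AS_OF):
    """Share of findings closed within SLA, among those whose outcome is already
    decided (closed, or still open and past SLA). Goal is 100%."""
    decided = met = 0
    for _, _, sev, opened, closed, _ in findings:
        age = age_days(opened, closed, as_of)
        if closed is not None:
            decided += 1
            met += age <= SLA_DAYS[sev]
        elif age > SLA_DAYS[sev]:
            decided += 1  # open and overdue: goal missed
    return round(100.0 * met / decided, 1) if decided else 100.0


def risk_by_business_unit(findings=FINDINGS):
    """Severity-weighted sum of still-open findings per business unit."""
    risk = defaultdict(int)
    for _, unit, sev, _, closed, _ in findings:
        if closed is None:
            risk[unit] += WEIGHT[sev]
    return dict(risk)


def aggregate_risk(findings=FINDINGS):
    """Enterprise-wide total of the per-unit risk scores."""
    return sum(risk_by_business_unit(findings).values())


def percent_recurring(findings=FINDINGS):
    """Share of findings flagged as a recurrence of an earlier root cause."""
    return round(100.0 * sum(f[5] for f in findings) / len(findings), 1)


def exceptions_per_month(exceptions=EXCEPTIONS):
    """Policy exceptions granted per month, for a trend line over time."""
    return dict(Counter(f"{granted:%Y-%m}" for _, _, granted in exceptions))


if __name__ == "__main__":
    for name, fn in [("aging", aging_metrics),
                     ("effective_to_goal_pct", percent_effective_to_goal),
                     ("risk_by_unit", risk_by_business_unit),
                     ("aggregate_risk", aggregate_risk),
                     ("recurring_pct", percent_recurring),
                     ("exceptions_per_month", exceptions_per_month)]:
        print(f"{name}: {fn()}")
```

Each function returns plain numbers or dicts rather than printing, so the same output can feed a dashboard for one audience and a one-line executive summary for another, which is the "content, not mechanics" point of the previous slides.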

Page 24

Call to Action

Start today
• You invested the time in this session – take the next step

Avoid overthinking
• You don’t need to roll out the perfect solution

Iterative approach
• Crawl, Walk, Run

Be constructively dissatisfied
• Deliver continuous improvement

Lead by example and build business value into the process

Page 25


Q & A

Page 26

Thank You!

Help me spread the message to others

Build data driven security & ERM into your organizational culture

Please check me out on LinkedIn: http://www.linkedin.com/in/timvirtue

Or follow me on Twitter: https://twitter.com/timvirtue

Page 27

Contact Us

For more information about Security, contact:

Tim Virtue, Chief Information Security Officer, [email protected], 512-651-9420

For more information about Texas.gov solutions, contact:

Daniel Moreno, Outreach [email protected], 512-651-9803
