www.onShore.com PANOPTIC CYBERDEFENSE™

Understanding Risk Appetite for Information Security

Chris Johnson, Chief Strategist, Cybersecurity Leadership

Chris Johnson, Chief Strategist, Cybersecurity Leadership (312) 850-5200 x112 [email protected]

ABOUT

Headquartered in Chicago. In business for over 25 years.

Managed Cybersecurity: Founded in 1991, onShore Security is a leading provider of managed cybersecurity. It began as network consultants and software developers and launched managed cybersecurity in 1998.

What we do. Why we do it. Our purpose remains enabling our clients; this is why we provide security. We provide guidance so you can make the best decisions pertaining to Governance, Risk and Compliance: Get Compliant, Stay Compliant.

Our Mission To protect the freedom of information by revolutionizing cyber defense and governance.

Who am I? 20 years in IT service delivery. Last 5 years focused exclusively on Cybersecurity and Regulatory Compliance. Chief Strategist.

FYI… I HATE POWERPOINT BULLETS… I have successfully removed them all!


MY HYPOTHESIS

Your risk appetite and your risk management may not be aligned. The way your risk is managed may reflect a risk appetite that is divergent from the risk appetite you actually have.


I AM YOUR BABEL FISH

IS RISK APPETITE A TOWER OF BABEL?

Image from The Hitchhiker’s Guide to the Galaxy


WHAT WE WILL COVER

Risk Appetite and Information Security

Risk Avoidance vs Risk Awareness vs Risk Appetite (relevance)

Who are Your Stakeholders?

What is Risk Appetite?

A Workable Plan


IS/IS NOT

Risk Appetite and Information Security

Risk Appetite Is               Risk Appetite Is Not
Informs Your Risk Strategy     Risk Management
Measurable                     Risk Assessment
Dynamic and Fluid              Risk Tolerance
Decision Support               Governance
A Threshold                    Compliance
Executive Stakeholders         Department-Level Management
Required                       Optional


RISK APPETITE IS KEY

Risk Appetite and Information Security

Risk management comes from knowing risk appetite. If we don’t know our appetite for risk, how can we possibly manage it?


RISK APPETITE TERMS

Risk Appetite and Information Security

Risk Capacity

Risk Appetite

Risk Tolerance

Risk Target

Risk Limit


COMPONENTS TO DETERMINING RISK APPETITE

Risk Appetite and Information Security

Corporate Values – What Risks will we not accept?

Strategy – What are the risks we need to take?

Stakeholders – What risks are they willing to bear, and to what level?

Capacity – What resources are required to manage those risks?

There is no “One Size Fits All”!


RISK APPETITE

Risk Appetite and Information Security


RELEVANCE

Risk Avoidance vs Risk Awareness vs Risk Appetite



RELEVANCE AND CONTEXT

Risk Avoidance vs Risk Awareness vs Risk Appetite

WHAT IS RELEVANT FOR YOU?


Who Are Your Stakeholders?

RISK APPETITE DECISION MAKERS


Who Are Your Stakeholders?

GEEKS + SUITS: TDM + BDM

Technical Decision Makers (TDM) + Business Decision Makers (BDM)

RISK APPETITE DECISION MAKERS


CONSENSUS IS HARDER THAN YOU THINK…

Who Are Your Stakeholders?

EVERY STAKEHOLDER’S APPETITE IS DIFFERENT…


RISK APPETITE SURVEY

What Is Risk Appetite?

Formal Risk Appetite Study:
70% had none
17% had one that was working
13% had one but nobody used it

SURPRISED???


MEASUREMENT STARTS WITH…

Corporate Values – What risks will we not accept?

Strategy – What are the risks we need to take?

Stakeholders – What are they willing to bear, and to what level?

Capacity – What resources are required to manage?

What Is Risk Appetite?


HOW DO WE DO IT?

A Workable Plan


RISK APPETITE PROCESS

A Workable Plan

Identify

Measure Impact

Address


ELEMENTS OF THE “IDENTIFY” STEP

A Workable Plan

To identify risk appetite you must do these 4 things in some fashion:
Articulate Corporate Values
Document Corporate Strategy
Assess Stakeholder alignment with Corporate Strategy
Survey Stakeholder Tolerance Levels
Analyze Risk Management Resource Availability/Capacity

To Get the resources that go with this preso: TXT “IIA” With Your Name and Email to 213-400-9426


A Workable Plan

ELEMENTS OF THE “MEASURE” STEP

To measure risk appetite you must classify your risks as ones you are willing to:
Accept – High
Mitigate – Medium
Transfer – Low
Avoid – None

Your Risk Appetite is along this range.


ELEMENTS OF THE ADDRESS PROCESS

A Workable Plan

“We are a company that prefers to (accept, mitigate, transfer, avoid) risk. Overall we are willing/unwilling to stay at this level of risk appetite.”

If unwilling, you need to shift your risk appetite to your preferred level. This involves:
1. Review the impact of remaining in place
2. Estimate the amount of effort required to make the change


A Workable Plan

YOUR TWO TAKEAWAYS

If you take away nothing else, remember these two things:
1. Risk Appetite involves stakeholders
2. Because you built consensus with stakeholders for Risk Appetite, you are well positioned to optimize your Risk Management System


A Workable Plan

BONUS 5 MIN WORKSHOP

To Get the resources that go with this preso: TXT “IIA” With Your Name and Email to 213-400-9426

Let’s play 4 questions. You will have 1 minute to think about how your organization’s cybersecurity stakeholders would answer. I will do a 15-second walk-through of each question and the process you might take to address any deficiencies it may reveal.

Question 1 of 4: What are our principal Cybersecurity risks that influence our risk appetite? (Top 3)

Question 2 of 4: How does our risk appetite affect our process for identifying, assessing and managing our Cybersecurity risk? Watch this video at itglue.com (it is the first video you can play on the homepage).

Question 3 of 4: How do we ensure that our recommendations stemming from our Cybersecurity risk appetite are communicated and followed?

Question 4 of 4: How do we help fellow stakeholders develop enough relevant knowledge and experience to address Cybersecurity risk appetite?

THANK YOU!

Thank you for your time today!

Text/email me if you want a consult. Use subject line “Risk Appetite” [email protected] (213) 400-9426