Information security and technology operations often fail to manage risk effectively due to a reliance on subjective, qualitative methods. A shift towards a quantitative, financially-focused approach is necessary to accurately measure risk, inform decision-making, and demonstrate return on investment for security controls.
Hi, my name is Ashan. I'm a global Chief Information Security Officer with over a decade of experience in information security across multinational organizations, specifically focusing on quantifying information risk. In this masterclass today we're going to discuss how information risk management went wrong.

Despite risk management being a well-trodden discipline with effective methods over 100 years old, cyber, information security and technology operations have failed to adopt these methods. Instead we've opted for heavily consultative approaches which have peddled traffic-light scoring and ordinal scales (ones, twos, threes, fours and fives) to measure risk. This has caused a multitude of problems. We have generic problem statements, control deficiencies and vulnerabilities masquerading as risks, with ballooning risk registers which expand and never shrink. We have wasted and unjustified investment and expenditure on remediation efforts. This compliance-led approach that we have also fails to target where loss is actually occurring. We have heavily subjective value judgments and ultimately guesswork for measuring risk. We have point-in-time assessments when risk is actually based on changing variables, constantly in flux. We also have false certainty over reflecting meaningful uncertainty. Ultimately, organizations aren't getting value out of their decision-making or any insight into their returns on investment on their risk spend efficiencies.

Let's take a step back. All risk is probable loss exposure for the business. The business has strategic objectives, and achieving them inevitably incurs loss. Almost all businesses operate on technology in the 21st century, which is why it's not useful to designate cyber risk or information security risk: it's all technology, or actually operational, risk. With this understanding, organizations can start to focus on identifying the scenarios that are actually causing their businesses harm.

Part of the issue with the traditional, or indeed qualitative, approach to measuring risk, as I've just described, is that it ignores uncertainty. It forces professionals to make fixed but ultimately vague claims about how likely or probable a risk is to occur and its associated impact. In reality you could experience the same incident multiple times over and suffer a different loss, or indeed impact, each time, because risk is influenced by random variables. We need to measure and model risk in a way that reflects uncertainty and helps professionals extract value from it to inform decision-making, because all risk management is decision management.

As we forecast, we first need to establish a view of how often bad things are happening: things that breach the confidentiality of data, affect the integrity of data and indeed render data and systems unavailable. We then want to stress test our prior assumptions with additional data to help calibrate the probability of the harmful event happening in the future. Then we can land on an estimate of how probable the event is to occur based on our existing security posture.

Part of forecasting is also about measuring loss. This can be, and indeed must be, quantified in financial terms, since all harm to a business, and subsequent investment to reduce loss exposure, ultimately manifests in dollars lost. Loss can be considered in two ways. First, primary losses, which are experienced every time a type of incident occurs: think of the direct impacts such as productivity downtime, response cost to the incident and the cost of replacing any people, processes or technologies. And then we have secondary losses. Now, these are experienced only certain times given a type of incident: think of indirect impacts such as reputational damage, certain legal and regulatory fines and even the loss of competitive advantage. Each of these loss categories reflects the varying types of harm that could befall an organization with every incident.

Focusing on these parameters of probability and loss for measuring risk is critical to help (a) reflect our uncertainty, (b) capture the variables influencing our true risk and (c) provide the necessary inputs to model loss exposure.

And I've had real-world experience of this. I was brought in to measure the risk of a public limited company listed on the London Stock Exchange. Previously, information security and information risk was reported purely with risk matrices, red-amber-green qualitative scoring, CVSS scores and other vague cyber criteria. When I was brought in, I adopted those concepts that I've just spoken about, focusing on ascertaining where the most probable loss exposure was for that business. Once I began to get an understanding of where it was most probable to lose money, I then looked at what mitigating measures, what control investments, we could potentially model to see how that loss exposure could be reduced. Once I had that understanding, I was able to take the differential between those two scenarios and, knowing the cost of the control investment, very quickly work out the return on investment for the board. And the key insight here is it didn't just furnish the board with one example; it gave them the mechanism to understand a plethora of investment decisions which they could choose based on their appetite.

So today this masterclass has shown us that the methodological step change from ineffective practices is the first step in transforming technology risk practices in organizations, and to begin focusing on and capturing the elements that truly help determine an
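The forecasting and loss model the talk describes (calibrated ranges instead of point values, an event frequency, primary losses incurred on every event, secondary losses incurred only sometimes, and the differential between the current posture and a control investment turned into a return on investment) can be run as a small Monte Carlo simulation. The block below is an added example and is not code from the speaker or the masterclass; the modelling choices are assumptions (90% confidence ranges mapped to lognormal distributions, a Poisson count of events per year drawn from an uncertain rate), and the two scenarios, their dollar ranges and the control cost are constructed illustrative numbers, not figures from the company the speaker describes.

```python
"""Quantitative loss-exposure model: current posture vs. a control investment.

Added example; the distributions below are assumptions, and all input
numbers are constructed for illustration (not data from the talk).
"""
from __future__ import annotations

import math
import random
from dataclasses import dataclass
from statistics import mean

# z-score of the 95th percentile of a standard normal: a 90% interval
# (5% in each tail) spans mu +/- Z90 * sigma.
Z90 = 1.6448536269514722


@dataclass(frozen=True)
class Range90:
    """Calibrated 90% interval: the analyst believes the true value lies
    between low and high with 90% probability. This keeps uncertainty in
    the input instead of forcing a single vague point estimate."""
    low: float
    high: float


@dataclass(frozen=True)
class Scenario:
    name: str
    events_per_year: Range90        # how often the harmful event occurs
    primary_loss: Range90           # dollars incurred on every event
    secondary_probability: float    # chance an event also triggers secondary loss
    secondary_loss: Range90         # dollars incurred only in those cases


@dataclass(frozen=True)
class LossExposure:
    expected_annual_loss: float     # mean of the simulated annual losses
    p50: float                      # median annual loss
    p90: float                      # roughly a 1-in-10-year loss
    p95: float                      # roughly a 1-in-20-year loss


def lognormal_params(r: Range90) -> tuple[float, float]:
    """Map a 90% interval on a positive quantity to lognormal (mu, sigma)
    such that P(low < X < high) = 0.9 (assumed distribution shape)."""
    if not 0 < r.low < r.high:
        raise ValueError("range must satisfy 0 < low < high")
    lo, hi = math.log(r.low), math.log(r.high)
    return (lo + hi) / 2, (hi - lo) / (2 * Z90)


def sample_lognormal(rng: random.Random, r: Range90) -> float:
    mu, sigma = lognormal_params(r)
    return rng.lognormvariate(mu, sigma)


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small annual rates used here."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_year(rng: random.Random, s: Scenario) -> float:
    """One simulated year: draw an uncertain rate, then an event count,
    then a primary loss per event plus an occasional secondary loss."""
    rate = sample_lognormal(rng, s.events_per_year)
    total = 0.0
    for _ in range(sample_poisson(rng, rate)):
        total += sample_lognormal(rng, s.primary_loss)
        if rng.random() < s.secondary_probability:
            total += sample_lognormal(rng, s.secondary_loss)
    return total


def simulate(s: Scenario, years: int = 20000, seed: int = 7) -> LossExposure:
    rng = random.Random(seed)
    losses = sorted(simulate_year(rng, s) for _ in range(years))

    def pct(q: float) -> float:
        return losses[min(len(losses) - 1, int(q * len(losses)))]

    return LossExposure(mean(losses), pct(0.50), pct(0.90), pct(0.95))


def control_roi(before: LossExposure, after: LossExposure, annual_cost: float) -> float:
    """ROI of a control: (reduction in expected annual loss - cost) / cost."""
    if annual_cost <= 0:
        raise ValueError("annual_cost must be positive")
    reduction = before.expected_annual_loss - after.expected_annual_loss
    return (reduction - annual_cost) / annual_cost


# Constructed, hypothetical inputs: an availability-loss scenario today and
# after a hypothetical control that cuts both frequency and escalation.
CURRENT_POSTURE = Scenario("current posture", Range90(2, 12),
                           Range90(20_000, 400_000), 0.20, Range90(100_000, 3_000_000))
WITH_CONTROL = Scenario("with control investment", Range90(0.5, 4),
                        Range90(20_000, 400_000), 0.10, Range90(100_000, 3_000_000))
CONTROL_ANNUAL_COST = 250_000.0

if __name__ == "__main__":
    before, after = simulate(CURRENT_POSTURE), simulate(WITH_CONTROL)
    for s, e in ((CURRENT_POSTURE, before), (WITH_CONTROL, after)):
        print(f"{s.name:24s} EAL ${e.expected_annual_loss:>12,.0f}  "
              f"p50 ${e.p50:>12,.0f}  p90 ${e.p90:>12,.0f}  p95 ${e.p95:>12,.0f}")
    print(f"control ROI: {control_roi(before, after, CONTROL_ANNUAL_COST):.1%}")
```

Running it prints the expected annual loss and the 50th/90th/95th percentile annual loss for each scenario, then the ROI of the control. The percentiles are the point of the exercise: two scenarios with similar expected loss can have very different tails, which is the "meaningful uncertainty" a single matrix cell hides. Swapping in a different control (or cost) and re-running is how the same model serves a menu of investment options for the board rather than one example.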