0:14 Hi, my name is Ashan. I'm a global Chief
0:16 Information Security Officer with over a
0:18 decade of experience in information
0:20 security across multinational
0:23 organizations, specifically focusing
0:25 on quantifying information risk. In this
0:27 master class today we're going to
0:30 discuss how information risk management
0:36 wrong. Despite risk management being a
0:38 well-trodden discipline with effective
0:40 methods over 100 years old, cyber,
0:42 information security and technology
0:44 operations have failed to adopt these
0:47 methods. Instead we've opted for
0:49 heavily consultative approaches which
0:51 have peddled traffic-light scoring and
0:55 ordinal scales (1, 2, 3, 4s and 5s) to
0:57 measure risk. This has caused a multitude
0:59 of problems: we have generic problem
1:01 statements, control deficiencies and
1:04 vulnerabilities masquerading as risks,
1:06 with ballooning risk registers which
1:09 expand and never shrink. We have wasted
1:10 and unjustified investment and
1:14 expenditure on remediation efforts. This
1:15 compliance-led approach that we have as
1:18 well fails to target where loss is
1:20 actually occurring. We have heavily
1:22 subjective value judgments and
1:25 ultimately guesswork for measuring
1:29 risk. We have point-in-time assessments
1:30 when risk is actually based on changing
1:34 variables constantly in flux. We also
1:37 have false certainty over reflecting
1:39 meaningful uncertainty. Ultimately
1:41 organizations aren't getting value out
1:44 of their decision-making or any insight
1:45 into their returns on investment on
1:48 their risk spend
1:51 efficiencies. Let's take a step back. All
1:52 risk is probable loss exposure for the
1:54 business. The business has strategic
1:56 objectives and achieving them inevitably
1:59 incurs loss. Almost all businesses
2:00 operate on technology in the
2:02 21st century, which is why it's not
2:04 useful to designate cyber risk or
2:07 information security risk: it's all
2:10 technology, or actually operational, risk.
2:12 With this understanding organizations
2:14 can start to focus on identifying the
2:16 scenarios that are actually causing
2:18 their businesses harm. Part of the issue
2:20 with the traditional, or indeed
2:22 qualitative, approach to measuring risk
2:24 as I've just described is that it
2:27 ignores uncertainty. It forces
2:28 professionals to make fixed but
2:31 ultimately vague claims about
2:33 how likely or probable a risk
2:37 is to occur and its associated impact. In
2:39 reality you could experience the same
2:41 incident multiple times over and suffer
2:43 a different loss, or indeed impact, each
2:46 time, because risk is influenced by those
2:47 random
2:49 variables. We need to measure and model
2:52 risk in a way that reflects uncertainty
2:54 and helps professionals extract value
2:56 from it to inform decision-making,
2:58 because all risk management is decision
3:01 management. As we forecast, we first
3:03 need to establish a view of how often
3:05 bad things are happening: things that
3:08 breach the confidentiality of data,
3:10 affect the integrity of data and indeed
3:13 render data and systems
3:15 unavailable. We then want to stress-test
3:17 our prior assumptions with additional data
3:20 to help calibrate the probability of the
3:22 harmful event happening in the
3:25 future. Then we can land on an estimate
3:26 of how probable the event is to occur
3:29 based on our existing security posture.
3:31 Part of forecasting is also about
3:33 measuring loss. This can be, and indeed
3:36 must be, quantified in financial terms,
3:38 since all harm to a business and
3:39 subsequent investment to reduce loss
3:42 exposure ultimately manifests in dollars
3:45 lost. Loss can be considered in two ways.
3:47 First, primary losses, which are
3:48 experienced every time a type of
3:51 incident occurs: think of the direct
3:53 impacts such as productivity downtime,
3:55 response cost to the incident and cost
3:58 of replacing any people, processes or
4:00 technologies. And then we have secondary
4:03 losses; now these are experienced only
4:05 certain times given a type of incident:
4:07 think of indirect impacts such as
4:09 reputational damage, certain legal and
4:11 regulatory fines and even the loss of
4:14 competitive advantage. Each of these loss
4:16 categories reflects the varying types of
4:18 harm that could befall an organization
4:19 with every
4:22 incident. Focusing on these parameters of
4:25 probability and loss for measuring risk
4:28 is critical to help (a) reflect our
4:31 uncertainty, (b) capture the variables
4:35 influencing our true risk and (c)
4:37 provide the necessary inputs to model
4:39 loss exposure. And I've had real-world
4:42 experience of this: I was brought in to
4:45 measure the risk of a public limited
4:47 company listed on the London Stock
4:50 Exchange. Previously, information security
4:52 and information risk were reported purely
4:55 with risk matrices, red-amber-green
4:58 qualitative scoring, CVSS scores and
5:01 other vague cyber criteria. When I was
5:03 brought in I adopted those concepts that
5:05 I've just spoken about, focusing on
5:08 ascertaining where the most probable
5:11 loss exposure was for that business. Once
5:13 I began to get an understanding of where
5:15 it was most probable to lose money, I
5:17 then looked at what mitigating measures,
5:19 what control investments, we could
5:21 potentially model to see how that loss
5:23 exposure could be reduced. Once I had
5:24 that understanding I was able to take
5:26 the differential between those two
5:28 scenarios and, knowing the cost of the
5:30 control investment, very quickly work out
5:32 the return on investment for the board.
5:34 And the key insight here is it didn't
5:36 just furnish the board with one example;
5:39 it gave them the mechanism to understand
5:41 a plethora of investment decisions which
5:43 they could choose based on their
5:46 appetite. So today this master class has
5:48 shown us that the methodological step
5:51 change from ineffective practices is the
5:53 first step in transforming technology
5:55 risk practices in organizations and
5:57 begin focusing and capturing the
5:59 elements that truly help determine an