Diligent Master Class for IT Risk Management: The evolution of technology risk management | Diligent | YouTubeToText
Summary
Core Theme
Information security and technology operations often fail to manage risk effectively due to a reliance on subjective, qualitative methods. A shift towards a quantitative, financially-focused approach is necessary to accurately measure risk, inform decision-making, and demonstrate return on investment for security controls.
[Music]
Hi, my name is Ashan. I'm a global Chief Information Security Officer with over a decade of experience in information security across multinational organizations, specifically focusing on quantifying information risk. In this master class today we're going to discuss how information risk management goes wrong.

Despite risk management being a well-trodden discipline with effective methods over 100 years old, cyber, information security and technology operations have failed to adopt these methods. Instead we've adopted heavily consultative approaches which have peddled traffic-light scoring and ordinal scales (1, 2, 3, 4s and 5s) to measure risk. This has caused a multitude of problems. We have generic problem statements, control deficiencies and vulnerabilities masquerading as risks, with ballooning risk registers which expand and never shrink. We have wasted and unjustified investment and expenditure on remediation efforts. This compliance-led approach that we have also fails to target where loss is actually occurring. We have heavily subjective value judgments and ultimately guesswork for measuring risk. We have point-in-time assessments when risk is actually based on changing variables, constantly in flux. We also have false certainty over reflecting meaningful uncertainty. Ultimately, organizations aren't getting value out of their decision-making or any insight into their returns on investment on their risk spend efficiencies.

Let's take a step back. All risk is probable loss exposure for the business. The business has strategic objectives, and achieving them inevitably incurs loss. Almost all businesses operate on technology in the 21st century, which is why it's not useful to designate "cyber risk" or "information security risk": it's all technology, or actually operational, risk. With this understanding, organizations can start to focus on identifying the scenarios that are actually causing their businesses harm.

Part of the issue with the traditional, or indeed qualitative, approach to measuring risk, as I've just described, is that it ignores uncertainty. It forces professionals to make fixed but ultimately vague claims about how likely or probable a risk is to occur and its associated impact. In reality you could experience the same incident multiple times over and suffer a different loss, or indeed impact, each time, because risk is influenced by those random variables. We need to measure and model risk in a way that reflects uncertainty and helps professionals extract value from it to inform decision-making, because all risk management is decision management.

As we forecast, we first need to establish a view of how often bad things are happening: things that breach the confidentiality of data, affect the integrity of data and indeed render data and systems unavailable. We then want to stress-test our prior assumptions with additional data to help calibrate the probability of the harmful event happening in the future. Then we can land on an estimate of how probable the event is to occur based on our existing security posture.

Part of forecasting is also about measuring loss. This can be, and indeed must be, quantified in financial terms, since all harm to a business, and subsequent investment to reduce loss exposure, ultimately manifests in dollars lost. Loss can be considered in two ways. First, primary losses, which are experienced every time a type of incident occurs: think of the direct impacts such as productivity downtime, response cost to the incident and the cost of replacing any people, processes or technologies. And then we have secondary losses. Now, these are experienced only certain times given a type of incident: think of indirect impacts such as reputational damage, certain legal and regulatory fines and even the loss of competitive advantage. Each of these loss categories reflects the varying types of harm that could befall an organization with every incident.

Focusing on these parameters of probability and loss for measuring risk is critical to help (a) reflect our uncertainty, (b) capture the variables influencing our true risk and (c) provide the necessary inputs to model loss exposure.

And I've had real-world experience of this. I was brought in to measure the risk of a public limited company listed on the London Stock Exchange. Previously, information security and information risk were reported purely with risk matrices, red/amber/green qualitative scoring, CVSS scores and other vague cyber criteria. When I was brought in I adopted those concepts that I've just spoken about, focusing on ascertaining where the most probable loss exposure was for that business. Once I began to get an understanding of where it was most probable to lose money, I then looked at what mitigating measures, what control investments, we could potentially model to see how that loss exposure could be reduced. Once I had that understanding I was able to take the differential between those two scenarios and, knowing the cost of the control investment, very quickly work out the return on investment for the board. And the key insight here is it didn't just furnish the board with one example; it gave them the mechanism to understand a plethora of investment decisions which they could choose based on their appetite.

So today this master class has shown us that the methodological step change from ineffective practices is the first step in transforming technology risk practices in organizations and beginning to focus on and capture the elements that truly help determine an
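The forecasting, loss and return-on-investment steps the speaker walks through (calibrated event frequency, primary losses on every event, secondary losses only sometimes, and the differential between a current and a controlled scenario), as an added example that is not part of the master class or Diligent's material: a small quantitative loss-exposure model in Python. The scenario figures, names and the control cost are constructed assumptions for illustration, not numbers from the speaker's engagement.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    """A loss scenario: calibrated event frequency plus primary and secondary loss ranges ($)."""
    event_freq: float      # expected harmful events per year (the calibrated forecast)
    primary_low: float     # primary loss per event: incurred every time (downtime, response)
    primary_high: float
    secondary_prob: float  # chance an event also triggers secondary loss (fines, reputation)
    secondary_low: float
    secondary_high: float

def expected_annual_loss(s: Scenario) -> float:
    """Closed-form exposure: frequency x (mean primary + P(secondary) x mean secondary)."""
    mean_primary = (s.primary_low + s.primary_high) / 2
    mean_secondary = (s.secondary_low + s.secondary_high) / 2
    return s.event_freq * (mean_primary + s.secondary_prob * mean_secondary)

def simulate_annual_losses(s: Scenario, years: int = 20000, seed: int = 7) -> list[float]:
    """Monte Carlo: Poisson event count per year, a sampled loss per event (shows the spread)."""
    rng, threshold, losses = random.Random(seed), math.exp(-s.event_freq), []
    for _ in range(years):
        events, p = 0, rng.random()  # Knuth's Poisson sampler
        while p > threshold:
            events += 1
            p *= rng.random()
        total = 0.0
        for _ in range(events):
            total += rng.uniform(s.primary_low, s.primary_high)
            if rng.random() < s.secondary_prob:
                total += rng.uniform(s.secondary_low, s.secondary_high)
        losses.append(total)
    return losses

def percentile(values: list[float], pct: float) -> float:
    """Nearest-rank percentile; pct=95 is the 1-in-20 bad year the board should see."""
    ordered = sorted(values)
    return ordered[max(0, math.ceil(pct / 100 * len(ordered)) - 1)]

def control_roi(current: Scenario, with_control: Scenario, control_cost: float) -> float:
    """ROI of a control: (reduction in expected annual loss - control cost) / control cost."""
    reduction = expected_annual_loss(current) - expected_annual_loss(with_control)
    return (reduction - control_cost) / control_cost

# Constructed illustration values (not the speaker's figures): an outage-style scenario
# before and after a control that cuts event frequency and the odds of secondary loss.
BASELINE = Scenario(2.0, 50_000, 150_000, 0.25, 200_000, 1_000_000)
WITH_CONTROL = Scenario(0.5, 50_000, 150_000, 0.10, 200_000, 1_000_000)
```

Running `control_roi(BASELINE, WITH_CONTROL, 150_000)` gives the single ROI figure for the board, while the simulated distribution (its mean against its 95th percentile) shows the uncertainty a red/amber/green rating hides.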