
The Beauty of Risk: Effectively Communicating Risk Throughout Your Organization

Learn strategies for communicating risk, identify relevant elements of risk, build a risk community, and balance business objectives with security, privacy, and compliance. Presented by Tim Virtue, Chief Information Security Officer at Texas.gov/Texas.NICUSA.



Presentation Transcript


  1. The Beauty of Risk: Effectively Communicating Risk Throughout Your Organization Presented by: Tim Virtue Chief Information Security Officer Texas.gov / Texas NICUSA

  2. Who We Are • Since 2002, the Texas.gov program has securely processed over 254 million online transactions worth more than $33 billion on behalf of our government partners.  • The program's mission is two-fold: deliver the State's official website for constituents to access information and complete online services, and provide enterprise technology services to Texas government.   • The Texas.gov portal provides hosted online applications and payment processing for many consumer-facing government services like driver license renewals, vital record orders, vehicle registration renewals, and more.

  3. The Lawyers Made Me Do It • Any references to specific organizations, people, products, or services are purely examples or learning opportunities and neither criticisms nor endorsements • The views presented are strictly my own and may or may not represent any organizations or affiliations I have (mostly because they have not seen the light yet) • It’s OK to agree to disagree, but anyone who gets that worked up over slides needs a vacation or a drink

  4. ABC Soup & Street Cred • CISSP, HCISPP, CSM, CCSK, CISA, CIPP/G, CFE, ITIL V3, CVE, QGVM, blah blah blah… • Over 20 years experience in Security, Risk Management and IT • Executive Master of Science in Information Systems from a top business school • Cyber Security Instructor, Author & Speaker • Not bragging – just showing perspective & credibility

  5. Learning Objectives • Review strategies for easily and effectively communicating risk • Learn to identify the most relevant elements of risk, from an enterprise perspective • Utilize a community-building approach when communicating risk • Balance business objectives with security, privacy, & compliance objectives

  6. FUD Is Not Risk Management • Managing by Fear, Uncertainty & Doubt (FUD) does not drive change or manage risk • The same event means different things to different people – communicate the same risk in a different but meaningful way to each stakeholder

  7. Security Driven Risk Management • There are many types of risk: reputational, operational, compliance, financial, etc. • Most stakeholders are only focused on risks directly related to their business unit • They create silos that weaken the overall risk community • When you take an organizational approach to managing the numerous types of risk, the enterprise can be more successful

  8. Traditional Use of Metrics • Compliance with operational goals • Isolated reporting • Management reporting (productivity & budgeting) • Governance

  9. Time For A Change

  10. What Data Driven Enterprise Risk Management Is Not • Something to be ignored • Something Security should try to stop • Something done in isolation • A tool or one-time implementation

  11. Benefits – If Data Driven ERM Is Done Right • Organizational collaboration • Avoid redundancy and wasted resources • Increased business value • Removal of FUD Factor • Elimination of checkbox focused risk management

  12. So Don’t Be This Guy Security Says… NO!!!

  13. How Security Can Save The Day

  14. Data Driven Enterprise Risk Management • Business Value • Strategic Planning • Organizational Alignment • Creating a Security Conscious Culture • Cross-Functional Communication

  15. How Do We Get There? • Collaboration • Work together so the output is business focused and communicated across the enterprise • Learn to speak the language of business but share data driven Security perspectives too • Innovation • Work across the enterprise to support traditional Security & Compliance goals while supporting the business

  16. Strategies For Communicating Risk • Use a “What’s in it for me” approach with stakeholders • Simple, repeatable, visual, data driven, all while adding business value • Align with business goals or organizational mission (Are you reading annual reports?) • Use analogies – not geek speak • Translate into financial or mission critical impact • “If the system is compromised, we will see a 15% decrease in revenue” • NOT “Do you want to be on the cover of the WSJ like XYZ Company tomorrow?”

  17. Design & Deployment • KISS (Keep It Simple Security) • Develop metrics with receiving stakeholders • Focus on outcomes & actionable items • Less is more • Automated, easy, repeatable, multi-use • Start with a baseline

  18. Sharing Meaningful Metrics • Know your audience • Push vs. Pull • Static vs. Interactive • Frequency • Traditional vs. Mobile • Develop with actionable purpose • Develop metrics & delivery model with receiving stakeholders • We really only care about content – let them choose mechanics

  19. Cause of Failure • Focusing on technology and ignoring organizational culture • Lack of creativity • Lack of executive support • Losing sight of business goals and desired outcomes

  20. Cause of Success • Proper training • Starting small • Alignment with business • Creating a culture of agility • Incremental improvement • Focus on the intent of security requirements • Risk based approach

  21. What Needs To Change - Security • More & improved collaboration and communication • More open minds and increased knowledge • Flexible solutions that address the intent of CIA (confidentiality, integrity, availability) while not getting hung up on “Old School” and “we have always done it that way” methodologies • Become change agents in the security community (including risk managers, auditors, compliance professionals)

  22. Tim’s Metrics • % of software bugs with security impact • Cost/schedule variance from planned security activities • % of budget allocated to security • % of contracts that include security requirements • % of recurring issues • Percent effective to goal • Aging metrics • Aggregate risk • Risk by business unit • Policy exceptions over time
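To make several of the metrics on this slide concrete, here is an added worked example (not part of Tim Virtue's deck or any Texas.gov tooling) that computes them from a constructed issue-tracker export and policy-exception register. Everything in it is assumed for illustration: the field names, the 1 to 5 risk score, the aging buckets, the "recurring" flag and the sample records themselves.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


# Constructed sample data (not from the slides): one row per tracked issue.
# Field names and the 1..5 risk score are assumptions for this example.
@dataclass
class Issue:
    issue_id: str
    business_unit: str
    opened: date
    closed: Optional[date]   # None means the issue is still open
    security_impact: bool    # does the bug have a security consequence?
    risk_score: int          # assumed scale: 1 (low) .. 5 (critical)
    recurring: bool          # assumed: same root cause seen before


ISSUES = [
    Issue("BUG-101", "Payments", date(2014, 1, 6), date(2014, 1, 20), True, 4, False),
    Issue("BUG-102", "Payments", date(2014, 2, 3), None, True, 5, True),
    Issue("BUG-103", "Portal", date(2014, 2, 10), date(2014, 2, 12), False, 1, False),
    Issue("BUG-104", "Portal", date(2014, 3, 1), None, True, 3, False),
    Issue("BUG-105", "Portal", date(2014, 3, 15), None, False, 2, True),
    Issue("BUG-106", "Infrastructure", date(2013, 11, 4), None, True, 4, True),
    Issue("BUG-107", "Infrastructure", date(2014, 3, 28), date(2014, 4, 1), False, 1, False),
    Issue("BUG-108", "Payments", date(2014, 4, 2), None, False, 2, False),
]

# Constructed policy-exception register: (exception id, business unit, date granted).
EXCEPTIONS = [
    ("EXC-1", "Payments", date(2014, 1, 15)),
    ("EXC-2", "Portal", date(2014, 1, 28)),
    ("EXC-3", "Portal", date(2014, 3, 3)),
    ("EXC-4", "Infrastructure", date(2014, 3, 19)),
    ("EXC-5", "Payments", date(2014, 4, 8)),
]

AS_OF = date(2014, 4, 15)  # reporting date for the snapshot


def pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def pct_security_impact(issues):
    """% of software bugs with security impact."""
    return pct(sum(i.security_impact for i in issues), len(issues))


def pct_recurring(issues):
    """% of recurring issues (same root cause seen before)."""
    return pct(sum(i.recurring for i in issues), len(issues))


def aging_buckets(issues, as_of):
    """Aging metric: how long still-open issues have been open, bucketed in days."""
    buckets = Counter()
    for i in issues:
        if i.closed is None:
            age = (as_of - i.opened).days
            label = "0-30" if age <= 30 else "31-90" if age <= 90 else "90+"
            buckets[label] += 1
    return dict(buckets)


def risk_by_business_unit(issues):
    """Risk by business unit: sum of risk scores of the unit's open issues."""
    totals = defaultdict(int)
    for i in issues:
        if i.closed is None:
            totals[i.business_unit] += i.risk_score
    return dict(totals)


def aggregate_risk(issues):
    """Aggregate risk: open risk summed across the whole enterprise."""
    return sum(risk_by_business_unit(issues).values())


def exceptions_over_time(exceptions):
    """Policy exceptions over time: exceptions granted per month, oldest first."""
    per_month = Counter(granted.strftime("%Y-%m") for _, _, granted in exceptions)
    return dict(sorted(per_month.items()))


def risk_report(issues, exceptions, as_of):
    """One dictionary a stakeholder-facing dashboard could render."""
    return {
        "pct_bugs_with_security_impact": pct_security_impact(issues),
        "pct_recurring_issues": pct_recurring(issues),
        "aging_of_open_issues": aging_buckets(issues, as_of),
        "risk_by_business_unit": risk_by_business_unit(issues),
        "aggregate_risk": aggregate_risk(issues),
        "policy_exceptions_per_month": exceptions_over_time(exceptions),
    }


if __name__ == "__main__":
    for name, value in risk_report(ISSUES, EXCEPTIONS, AS_OF).items():
        print(f"{name}: {value}")
```

The per-unit breakdown is what lets the same data be framed differently for each stakeholder, as slide 6 asks: a business-unit lead sees only their own open risk, while the enterprise view sums the units and pairs the total with the aging and exception trends.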

  23. Additional Resources • http://www.securitymetrics.org/ • Security Metrics, A Beginner's Guide by Caroline Wong (Oct 20, 2011) • Security Metrics: Replacing Fear, Uncertainty, and Doubt by Andrew Jaquith (Apr 5, 2007) • NIST SP 800-55 Rev. 1, Performance Measurement Guide for Information Security (Jul 2008)

  24. Call to Action • Start today • You invested the time in this session – take the next step • Avoid overthinking • You don’t need to roll out the perfect solution • Iterative approach • Crawl, Walk, Run • Be constructively dissatisfied • Deliver continuous improvement • Lead by example and build business value into the process

  25. Q & A

  26. Thank You! • Help me spread the message to others • Build data driven security & ERM into your organizational culture Please check me out on LinkedIn http://www.linkedin.com/in/timvirtue Or follow me on Twitter https://twitter.com/timvirtue

  27. Contact Us For more information about Security, contact: Tim Virtue Chief Information Security Officer Tim.Virtue@egov.com 512-651-9420 For more information about Texas.gov solutions, contact: Daniel Moreno Outreach Associate dmoreno@egov.com 512-651-9803
