Manage Your Risk, Not Somebody Else's

Posted on 16-Jan-2015


More than 99 percent of U.S. employer firms are in the small and midsize business (SMB) space, and they are being crushed by countless regulations and standards. There must be a better way to manage the seemingly endless train of auditors and fire drills. Even more importantly, do any of these regulations actually reduce business risk and improve business resilience? Whose risk is really being managed? This presentation discusses cost-effective steps to regain control while simultaneously meeting regulatory obligations and achieving a legally defensible risk posture that helps ensure business survivability.

Transcript of Manage Your Risk, Not Somebody Else's

Manage Your Risk, Not Somebody Else’s

Ben Tomhave, MS, CISSP
@falconsview

Society of Information Risk Analysts

SciTech Information Security Committee

Image: http://www.flickr.com/photos/gsfc/5940408282/sizes/l/in/photostream/

The Problem Space…

All these regulations and standards…
– PCI: Arbitrary & Capricious?
– HIPAA: Confusing & Misunderstood?
– NERC CIPs

Limited resources

Being reactive – how’s that working out?

Image: http://www.flickr.com/photos/supersonicphotos/3999192675/sizes/l/in/photostream/

Define Your Profile

How does your business operate?

What is most important to survival?

3 key attributes:
1. Business processes
2. Assets
3. Prioritization (via risk analysis)

Image: http://www.flickr.com/photos/juhansonin/4734829999/sizes/l/in/photostream/

Get Organized

Collaborate across the business

Formalize methods and policies

Identify strategic tools
– Improve communication
– Optimize quality
– Improve overall performance

Image: http://commons.wikimedia.org/wiki/File:Lion_tamer_(LOC_pga.03749).jpg

Practical Application #1

1. “Right Size” your obligations (outsource!)

2. Optimize the proactive to reduce the reactive

3. Reduce complexity (KISS principle)

Taming the Compliance Beast

Image: http://www.flickr.com/photos/jdhancock/3562071888/sizes/l/in/photostream/

Practical Application #2

Appropriate LOE and resources?
– Set a defensible definition of “good enough”

Insource vs. Outsource
– When to own it?
– When to transfer it out?
– What about insurance / self-insurance?

If you can’t win, then change the rules.
– Resilience, anti-fragile, survivability, rugged, etc.
– The goal is not to stop all bad things from happening!

Scaling Risk Management Practices

Image: http://www.flickr.com/photos/27745117@N00/3845403469/sizes/l/in/photostream/

Practical Application #3
DevOps, RM, and the 3 Ways

Images: http://itrevolution.com/

Risk management process:
1. Context
2. Assessment
3. Treatment
4. Monitor & Review

Communication (throughout all steps)

The Three Ways

The First Way: Systems Thinking

The Second Way: Amplifying Feedback Loops

The Third Way: Culture of Continual Experimentation & Learning

Holistic, No Silos, Understand Value Streams

Communication, Rapid Response, Embed Knowledge

Innovate, Fail Fast / Learn Fast, “Freedom & Responsibility”

Image: http://itrevolution.com/the-three-ways-principles-underpinning-devops/

Image: http://www.flickr.com/photos/dexxus/5820866907/sizes/l/in/photostream/

To Recap…

Understand the problem space

Define your risk profile

Get organized

Practical application
1. Tame the compliance beast
2. Scale risk management practices
3. The DevOps revolution

Thank You!

Ben Tomhave, MS, CISSP
@falconsview
www.secureconsulting.net