Post on 16-Jan-2015
Manage Your Risk, Not Somebody Else's
Ben Tomhave, MS, CISSP (@falconsview)
Society of Information Risk Analysts
SciTech Information Security Committee
Image: http://www.flickr.com/photos/gsfc/5940408282/sizes/l/in/photostream/
The Problem Space…
All these regulations and standards...
– PCI: Arbitrary & Capricious?
– HIPAA: Confusing & Misunderstood?
– NERC CIPs
Limited resources
Being reactive: how's that working out?
Image: http://www.flickr.com/photos/supersonicphotos/3999192675/sizes/l/in/photostream/
Define Your Profile
How does your business operate?
What is most important to survival?
3 key attributes:
1. Business processes
2. Assets
3. Prioritization (via risk analysis)
Image: http://www.flickr.com/photos/juhansonin/4734829999/sizes/l/in/photostream/
Get Organized
Collaborate across the business
Formalize methods and policies
Identify strategic tools
– Improve communication
– Optimize quality
– Improve overall performance
Image: http://commons.wikimedia.org/wiki/File:Lion_tamer_(LOC_pga.03749).jpg
Practical Application #1
1. "Right size" your obligations (outsource!)
2. Optimize the proactive to reduce the reactive
3. Reduce complexity (KISS principle)
Taming the Compliance Beast
Image: http://www.flickr.com/photos/jdhancock/3562071888/sizes/l/in/photostream/
Practical Application #2
Appropriate LOE (level of effort) and resources?
– Set a defensible definition of "good enough"
Insource vs. outsource
– When to own it?
– When to transfer it out?
– What about insurance / self-insurance?
If you can't win, then change the rules.
– Resilience, anti-fragile, survivability, rugged, etc.
– The goal is not to stop all bad things from happening!
Scaling Risk Management Practices
Image: http://www.flickr.com/photos/27745117@N00/3845403469/sizes/l/in/photostream/
Practical Application #3
DevOps, RM, and the 3 Ways
Images: http://itrevolution.com/
1. Context
2. Assessment
3. Treatment
4. Monitor & Review
Communication
The Three Ways
The First Way: Systems Thinking
– Holistic, No Silos, Understand Value Streams
The Second Way: Amplifying Feedback Loops
– Communication, Rapid Response, Embed Knowledge
The Third Way: Culture of Continual Experimentation & Learning
– Innovate, Fail Fast / Learn Fast, "Freedom & Responsibility"
Image: http://itrevolution.com/the-three-ways-principles-underpinning-devops/
Image: http://www.flickr.com/photos/dexxus/5820866907/sizes/l/in/photostream/
To Recap…
Understand the problem space
Define your risk profile
Get organized
Practical application
1. Tame the compliance beast
2. Scale risk management practices
3. The DevOps revolution
Thank You!
Ben Tomhave, MS, CISSP (@falconsview)
www.secureconsulting.net