Security from the C-Suite
Top-Down Risk Management
Copyright © 2020 Donald Edwards
Presented as part of The Lost Summer Project
Presented by Donald Edwards, CISSP
At the executive level, security is a high (and increasing) priority, but it remains a supporting function for the core business.
One way or another, security priorities must be balanced with priorities from other parts of the business.
Agenda
Overview of typical C-Suite roles and their priorities
Walkthrough of the risk management process
How to make it easy to prioritise your needs (and make your bosses look good)
Typical roles in the C-Suite
Every company is different, but someone usually has these responsibilities
Deterrence is almost entirely focused on explaining to insiders why they should not do bad things.
Very few protective and detective controls work specifically against insider threat. Those that are focused on insider threat are very intrusive and seldom used in normal work settings.
Responding to an insider threat incident may require more or better documentation. HR and Legal departments will be engaged.
Recovery from insider incidents likely will result in process changes. In cases where data is held hostage, legal proceedings may be involved.
CISO and CFO are largely advisory roles
In most companies, "the business" (COO, CIO, CTO) makes decisions about:
Success as a security professional depends on your ability to communicate in terms "the business" understands
Risk evaluation
Everything starts with responsibility
Tying a specific risk to one or more responsibilities a company has undertaken helps to establish its importance in real terms
Risk evaluation
Describe the threat in unjargoned terms
The people you need to convince, "the business", probably will not understand technical or security-specific terms. Don't make them work to understand you!
Options to deal with risks
Ways of dealing with risk
Mitigating (reducing) risks
Reduce the likelihood of attempt or success
Mitigating (reducing) risks
Reduce the impact
Evaluating the cost of controls
All controls come at a cost in terms of: