manage your risk, not somebody else's
DESCRIPTION
More than 99 percent of U.S. employer firms are in the small and midsize (SMB) space, and they’re getting crushed by countless regulations and standards. There must be a better way to manage the seemingly endless train of auditors and fire drills. Even more importantly, do any of these regulations reduce business risk and help improve business resilience? Just whose risk is really being managed? This presentation will discuss cost-effective steps to regain control while simultaneously meeting regulatory obligations and achieving a legally defensible risk posture that helps ensure business survivability.
TRANSCRIPT
Manage Your Risk, Not Somebody Else’s
Ben Tomhave, MS, CISSP (@falconsview)
Society of Information Risk Analysts
SciTech Information Security Committee
Image: http://www.flickr.com/photos/gsfc/5940408282/sizes/l/in/photostream/
The Problem Space…
All these regulations and standards…
– PCI: Arbitrary & Capricious?
– HIPAA: Confusing & Misunderstood?
– NERC CIPs
Limited resources
Being reactive – how’s that working out?
Image: http://www.flickr.com/photos/supersonicphotos/3999192675/sizes/l/in/photostream/
Define Your Profile
How does your business operate?
What is most important to survival?
3 key attributes:
1. Business processes
2. Assets
3. Prioritization (via risk analysis)
Image: http://www.flickr.com/photos/juhansonin/4734829999/sizes/l/in/photostream/
Get Organized
Collaborate across the business
Formalize methods and policies
Identify strategic tools
– Improve communication
– Optimize quality
– Improve overall performance
Image: http://commons.wikimedia.org/wiki/File:Lion_tamer_(LOC_pga.03749).jpg
Practical Application #1
1. “Right Size” your obligations (outsource!)
2. Optimize the proactive to reduce the reactive
3. Reduce complexity (KISS principle)
Taming the Compliance Beast
Image: http://www.flickr.com/photos/jdhancock/3562071888/sizes/l/in/photostream/
Practical Application #2
Appropriate LOE and resources?
– Set a defensible definition of “good enough”
Insource vs. Outsource
– When to own it?
– When to transfer it out?
– What about insurance / self-insurance?
If you can’t win, then change the rules.
– Resilience, anti-fragile, survivability, rugged, etc.
– The goal is not to stop all bad things from happening!
Scaling Risk Management Practices
Image: http://www.flickr.com/photos/27745117@N00/3845403469/sizes/l/in/photostream/
Practical Application #3
DevOps, RM, and the 3 Ways
Images: http://itrevolution.com/
1. Context
2. Assessment
3. Treatment
4. Monitor & Review
Communication
The Three Ways
The First Way: Systems Thinking
– Holistic, No Silos, Understand Value Streams
The Second Way: Amplifying Feedback Loops
– Communication, Rapid Response, Embed Knowledge
The Third Way: Culture of Continual Experimentation & Learning
– Innovate, Fail Fast / Learn Fast, “Freedom & Responsibility”
Image: http://itrevolution.com/the-three-ways-principles-underpinning-devops/
Image: http://www.flickr.com/photos/dexxus/5820866907/sizes/l/in/photostream/
To Recap…
Understand the problem space
Define your risk profile
Get organized
Practical application
1. Tame the compliance beast
2. Scale risk management practices
3. The DevOps revolution
Thank You!
Ben Tomhave, MS, [email protected]