www.onShore.com PANOPTIC CYBERDEFENSE™
Understanding Risk Appetite for Information Security
Chris Johnson Chief Strategist, Cybersecurity Leadership
Chris Johnson, Chief Strategist, Cybersecurity Leadership (312) 850-5200 x112 [email protected]
ABOUT: Headquartered in Chicago. In business for over 25 years.
Managed Cybersecurity: Founded in 1991, onShore Security is a leading provider of managed cybersecurity. It began as network consultants and software developers and launched managed cybersecurity in 1998.
What we do. Why we do it. Our purpose remains enabling our clients. This is why we provide security. We provide guidance so you can make the best decisions pertaining to Governance, Risk and Compliance: get compliant, stay compliant.
Our Mission: To protect the freedom of information by revolutionizing cyber defense and governance.
Who am I? 20 years in IT service delivery. The last 5 years focused exclusively on cybersecurity and regulatory compliance. Chief Strategist.
FYI… I HATE POWERPOINT BULLETS… I have successfully removed them all!
MY HYPOTHESIS
Your risk appetite and your risk management may not be aligned.
The way your risk is managed may reflect a risk appetite that is divergent from the risk appetite you actually have.
I AM YOUR BABEL FISH
IS RISK APPETITE A TOWER OF BABEL?
Image from The Hitchhiker's Guide to the Galaxy
WHAT WE WILL COVER
Risk Appetite and Information Security
Risk Avoidance vs Risk Awareness vs Risk Appetite (relevance)
Who are Your Stakeholders?
What is Risk Appetite?
A Workable Plan
IS/IS NOT
Risk Appetite and Information Security

Risk appetite IS                     Risk appetite IS NOT
Informs your risk strategy           Risk management
Measurable                           Risk assessment
Dynamic and fluid                    Risk tolerance
Decision support                     Governance
A threshold                          Compliance
Executive stakeholders               Department-level management
Required                             Optional
RISK APPETITE IS KEY
Risk Appetite and Information Security
Risk management comes from knowing risk appetite.
If we don't know our appetite for risk, how can we possibly manage it?
RISK APPETITE TERMS
Risk Appetite and Information Security
Risk Capacity
Risk Appetite
Risk Tolerance
Risk Target
Risk Limit
COMPONENTS OF DETERMINING RISK APPETITE
Risk Appetite and Information Security
Corporate Values: What risks will we not accept?
Strategy: What are the risks we need to take?
Stakeholders: What risks are they willing to bear, and to what level?
Capacity: What resources are required to manage those risks?
There is no "one size fits all"!
RISK APPETITE
Risk Appetite and Information Security
RELEVANCE
Risk Avoidance vs Risk Awareness vs Risk Appetite
RELEVANCE AND CONTEXT
Risk Avoidance vs Risk Awareness vs Risk Appetite
WHAT IS RELEVANT FOR YOU?
Who Are Your Stakeholders?
RISK APPETITE DECISION MAKERS
Who Are Your Stakeholders?
RISK APPETITE DECISION MAKERS
Geeks + Suits: TDM + BDM
Technical Decision Makers + Business Decision Makers
Who Are Your Stakeholders?
EVERY STAKEHOLDER'S APPETITE IS DIFFERENT...
CONSENSUS IS HARDER THAN YOU THINK...
RISK APPETITE SURVEY
What Is Risk Appetite?
Formal risk appetite study:
70% had none
17% had one that was working
13% had one but nobody used it
Surprised?
MEASUREMENT STARTS WITH...
What Is Risk Appetite?
Corporate Values: What risks will we not accept?
Strategy: What are the risks we need to take?
Stakeholders: What are they willing to bear, and to what level?
Capacity: What resources are required to manage?
HOW DO WE DO IT?
A Workable Plan
RISK APPETITE PROCESS
A Workable Plan
1. Identify
2. Measure Impact
3. Address
ELEMENTS OF THE "IDENTIFY" STEP
A Workable Plan
To identify risk appetite you must, in some fashion, cover the four components (values, strategy, stakeholders, capacity):
Articulate corporate values
Document corporate strategy
Assess stakeholder alignment with corporate strategy
Survey stakeholder tolerance levels
Analyze risk management resource availability/capacity
To get the resources that go with this presentation: text "IIA" with your name and email to 213-400-9426
ELEMENTS OF THE "MEASURE" STEP
A Workable Plan
To measure risk appetite you must classify your risks as ones you are willing to:
Accept (high appetite)
Mitigate (medium appetite)
Transfer (low appetite)
Avoid (no appetite)
Your risk appetite lies along this range.
ELEMENTS OF THE "ADDRESS" STEP
A Workable Plan
"We are a company that prefers to (accept, mitigate, transfer, avoid) risk. Overall we are willing/unwilling to stay at this level of risk appetite."
If unwilling, you need to shift your risk appetite to your preferred level. This involves:
1. Review the impact of remaining in place
2. Estimate the amount of effort required to make the change
YOUR TWO TAKEAWAYS
A Workable Plan
If you take away nothing else, remember these two things:
1. Risk appetite involves stakeholders.
2. Because you built consensus with stakeholders for risk appetite, you are well positioned to optimize your risk management system.
BONUS 5 MIN WORKSHOP
A Workable Plan
Let's play four questions. You will have 1 minute to think about how your organization's cybersecurity stakeholders would answer. I will do a 15-second walkthrough of each question and the process you might take to address any deficiencies it may reveal.
Question 1 of 4: What are our principal Cybersecurity risks that influence our risk appetite? (Top 3)
Question 2 of 4: How does our risk appetite affect our process for identifying, assessing and managing our cybersecurity risk? Watch this video at itglue.com (it is the first video you can play on the homepage).
Question 3 of 4: How do we ensure that our recommendations stemming from our Cybersecurity risk appetite are communicated and followed?
Question 4 of 4: How do we help fellow stakeholders develop enough relevant knowledge and experience to address Cybersecurity risk appetite?
THANK YOU!
Thank you for your time today!
Text or email me if you want a consult. Use the subject line "Risk Appetite". [email protected] (213) 400-9426