CISO Series Newsletter
Posts
04-16-20 - Suffering a Breach Will Inform Me of My Risk Tolerance

04-16-20 - Suffering a Breach Will Inform Me of My Risk Tolerance

Suffering a Breach Will Inform Me of My Risk Tolerance

April 16, 2020

View this email in your browser

CISO | Security Vendor Relationship Series

This week's episode of Defense in Depth

Should Risk Lead GRC?

On this episode of Defense in Depth:

Co-host Allan Alford and guest Marnie Wilking, global head of security & technology risk management, Wayfair, discussed:

The model of risk = likelihood x impact doesn't take into account the value of assets. Assets have to be valued first before you calculate risk.
Is the reason risk isn't used to lead governance, risk, and compliance (GRC) because it's so darn hard to calculate? Many CISOs say their toughest job starting out is trying to understand what the crown jewels are and what the board's risk tolerance is.
Risk management allows the board to know when you have enough security. Some assets may require eight layers where others may only require one or two.
Determining likelihood of an attack involves a good amount of guesswork. We've discussed on a previous episode of CISO/Security Vendor Relationship Podcastthat we don't go back to see how good our risk predictions were. If you want to get better at it, you should. Otherwise, it will always be guesswork.
Even if you can get someone to agree what their risk tolerance is, or what asset is of importance, trying to get agreement among a group can be a blocker. Keep in mind that each person is going to have a different viewpoint and concerns.
Knowing risk appetite is critical. You can apply security controls without knowing it, but that's providing a unified security layer across all data, people, and applications when they are all not equal when it comes to asset valuation.

Thanks to this week's sponsor of Defense in Depth, Qualys.

Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.

Josh Corman, founder, I Am the Cavalry on our dependence on IoT

TWO CISO Series Video Chats TOMORROW [4-17-20] Hacking Zero Trust

Join us for "Hacking Zero Trust: An hour of critical thinking on what it means to always verify access to people, data, and networks”.Friday, 4-17-20 at 10 AM Pacific/1 PM EasternREGISTER

Next FRIDAY [4-24-20] Hacking the Modern Workforce

Join us for “Hacking the Modern Workforce: An hour of critical thinking about managing access in a dynamic workplace”.

Friday, 4-24-20 at 10 AM Pacific/1 PM EasternREGISTER

Israeli Cybersecurity Community Starts Very Young

Keren Elazari, co-founder, BsidesTLV on growing up with a cybersecurity mindset

We complain in the US about the lack of cybersecurity talent, but that’s not in short supply in Tel Aviv as they are training and pumping out cybersecurity professionals at a very young age. And not only that, they’re able to identify the best talent early on, said Keren Elazari, co-founder, BsidesTLV, in our conversation at Cybertech 2020 in Tel Aviv.Keren and I talked about her early cybersecurity training, and what she was learning as early as age 18 and how the army gave her a moral compass as a hacker.

Thanks to our video sponsor, Boardish

Boardish allows you to translate your information on threats and solutions into clear financial risk figures and full solution costs for decision-makers. Quantifying and simplifying the impact of threats, and solution combinations into a clear dashboard. Allowing for a quick breakdown of various threat vectors both on-prem and cloud.

Mike Johnson on redefining "insider threat"

SUBSCRIBE TO BOTH PODCASTS

Go ahead and click on any of these links to subscribe to the podcast feed of your favorite podcast catcher.

If you're already a subscriber, THANK YOU! If you like either or both shows, please tell all your friends on social media and write a review on iTunes.