SESSION ID: EZCL-R01
Maturing Cyber-Risk Management Practices: Framework and Next Steps
Jack Freund, Ph.D., Director, Risk Science, RiskLens (@jackfreund3)
#RSAC

What does a mature risk management organization look like?
• Appropriate policies and procedures are clearly defined and documented
• Cost-effective security technologies are providing their intended value
• An effective education and awareness program exists
• Personnel roles and responsibilities are properly defined and staffed
• The board of directors is getting the information it needs
• A risk register is used to track and report the most important risks
• A clearly defined risk appetite actively drives decision-making
• Meaningful metrics are leveraged to manage risk effectively

Risk Management Landscape
[Figure: diagram of the risk management landscape with three numbered regions (1, 2, 3)]

Execution
© 2019 FAIR Institute, All rights reserved
• Awareness: the probability that personnel are aware of their risk management roles and responsibilities, and the specific expectations of organization leadership.
• Capability: the probability that personnel have the necessary skills and resources to successfully execute their roles and responsibilities.
• Motivation: the probability that personnel are appropriately incentivized to fulfill their risk management responsibilities.

Objectives and Expectations
• Compliance Requirements: the degree to which an organization is subject to meaningfully enforced external risk management expectations.
• Prioritization: the probability that decision-makers are provided with the information needed to establish priorities and choose solutions, both at a strategic and operational level.

Prioritization
• Compliance Requirements (as defined above).
• Organizational Resources: the probability that the organization has sufficient financial resources to meet its risk management needs and obligations given other organization imperatives.
• Risk Landscape Intelligence: the probability that decision-makers are provided with the information needed to establish priorities and choose solutions, both at a strategic and operational level.

Risk Mgmt Maturity Resource Requirements
Tools
• Spreadsheets
• Home-Grown
• Commercial
Data
• Telemetry
• Reusable Libraries
• SME Estimates
Skills
• Dedicated / Not Dedicated
• Scoping
• Analytics

Four Dimensions of Risk Mgmt Maturity
Risk Landscape Clarity
• Standardized terminology
• Asset identification
• Business process mapping
• Top risk identification
• Risk register clarity
Operational Decision Support
• Top risk measurement
• Cost-benefit analysis
• Audit finding prioritization
• Policy exception reviews
• Zero-day analysis
Strategic Decision Support
• Risk aggregation & trending
• Risk appetite definition
• Portfolio analysis
• High value 3rd party analysis
• Board reporting
• M&A analysis
Automated Operational Decision Support
• Patch prioritization
• 3rd party landscape monitoring
• Near real-time risk landscape dashboard

Risk Management Maturity Evaluation
(Checklist: tick each capability the organization has in place, by maturity level.)
1 – Risk Mgmt Resources
☐ Tools: Spreadsheets / Home-Grown / Commercial
☐ Data: Telemetry / Reusable Libraries / SME Estimates
☐ Skills: Dedicated / Not Dedicated, Scoping, Analytics
2 – Risk Landscape Clarity
☐ Standardized terminology
☐ Asset identification
☐ Business process mapping
☐ Top risk identification
☐ Risk register clarity
3 – Operational Decision Support
☐ Top risk measurement
☐ Cost-benefit analysis
☐ Audit finding prioritization
☐ Policy exception reviews
☐ Zero-day analysis
4 – Strategic Decision Support
☐ Risk aggregation & trending
☐ Risk appetite definition
☐ Portfolio analysis
☐ Board reporting
☐ M&A analysis
☐ High value 3rd party analysis
5 – Automated Operational Decision Support
☐ Patch prioritization
☐ 3rd party landscape monitoring
☐ Near real-time risk landscape dashboard

Q & A (10 mins)

Group-Based Discussion (15 mins)

Group Summaries (10 mins)

Apply What You Have Learned Today
Next week you should:
– Validate the maturity evaluation with your organization
In the first three months following this presentation you should:
– Develop near-term plans to shore up resource requirements
Within six months you should:
– Improve risk landscape clarity and move into operational decision support

PDF document: 2020_USA20_EZCL-R01_01_Maturing-Cyber-Risk-Management-Practices-Framework-and-Next-Steps

This document was uploaded and shared by 张玉竹 on 2022-04-08 09:49:11.