How to Present Cyber Security Risk to Senior Leadership | SANS Webcast

  • Published: 6 Jun 2024
  • In an age when data breaches are a daily occurrence, senior leadership teams and boards of directors want assurances that their cyber security programs are doing what is required to defend their organization. At the same time, security teams are struggling to quantify risk or to find effective strategies for presenting risk to leadership in a way that clearly communicates the reality of the risk the organization is accepting. Even security professionals struggle to agree on how to define or measure risk effectively.
    In this presentation, James Tarala will share lessons learned from research into risk management and from his experience communicating about risk to boards of directors and C-Suite leadership teams. He will present specific strategies to consider when measuring risk, communicating risk, and helping security teams realistically set expectations with business stakeholders. While this topic has traditionally been a nebulous, vague conversation, in this presentation listeners will learn actionable steps for communicating risk more effectively.
    Speaker Bio
    James Tarala is a principal consultant with Enclave Security based out of Venice, Florida, and a SANS Senior Instructor. As a consultant, he has spent the past several years designing large enterprise security and infrastructure architectures, helping organizations to perform security assessments, and communicating enterprise risk to senior leadership teams. He is the author and an instructor for SEC566: Implementing and Auditing the Critical Security Controls, SEC440: Critical Security Controls: Planning, Implementing, and Auditing, and a co-author and instructor for MGT415: A Practical Introduction to Cyber Security Risk Management.
    Read James’s full bio at www.sans.org/profiles/james-t...
    About SANS
    SANS is the most trusted and by far the largest source for information security training and security certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system - the Internet Storm Center.
  • Science

Comments • 30

  • @jayasundaram8743
    @jayasundaram8743 1 year ago

    Excellent presentation. Drawing a line between Consulting and Senior Management is a great point for me to always remember.

  • @WeekendMuse
    @WeekendMuse 1 year ago

    Excellent and helpful presentation. The bits in red are the golden nuggets.

  • @IdentityMaxxstl
    @IdentityMaxxstl 2 years ago +2

    Very informative and a fairly deep dive. Appreciate it.

  • @NickPellegrene
    @NickPellegrene 3 years ago +10

    Great information shared! This aligns to our experiences and challenges as well. I began listening in the background as I worked but wound up completely focused on your presentation. I'll need to watch a second time to sketch out some notes to help us remember and action on what you highlighted.

  • @strolle28
    @strolle28 2 years ago +2

    This was an AWESOME presentation! The content and delivery were focused and effective! Thank you!

  • @Happy2bAmerican
    @Happy2bAmerican 1 year ago

    Great presentation, valuable information, and amazing speaker! 👏 Seriously, your voice and performance are remarkable! Thank you! 😊

  • @throughjoshuaseyes4453
    @throughjoshuaseyes4453 1 year ago

    A very good instructor, wow :) Very clear explanation.

  • @user-hv9pt7em2u
    @user-hv9pt7em2u 2 years ago

    VERY well presented, excellent content.

  • @sid294
    @sid294 3 years ago +1

    Great video, very informative!

  • @j.vinson9093
    @j.vinson9093 2 years ago

    Great job James!!

  • @nikklasnachton5865
    @nikklasnachton5865 3 years ago +1

    Love this so much

  • @arsalananwar3397
    @arsalananwar3397 1 year ago

    Yes, this was an AWESOME presentation!

  • @lmodje
    @lmodje 2 years ago

    I enjoyed this. Thanks a lot

  • @throughjoshuaseyes4453
    @throughjoshuaseyes4453 1 year ago

    Can you please share an internal report for the risks that includes the points you mentioned in the video :) Like a structure

  • @lawrencem3678
    @lawrencem3678 2 years ago +4

    Great presentation by James. However, as security practitioners, isn't it our job to sell security to stakeholders? Security is already a cost center, so in most cases we need to convince management to allocate resources to it and buy into our strategy, which is all about selling. Am I missing something?
    If we don't sell, aren't we just pushing reports, putting in a bit of effort to sell and then reverting to "not my problem"?

    • @basictalent1
      @basictalent1 1 year ago +1

      Security is already sold to senior management by nature of regulations, fines or, in the worst case, imprisonment.
      If a company already has an IS policy mandate, we simply have to present to them what we are doing today to protect their assets and what we aren't doing at all from a policy and industry frameworks point of view.
      Present them the threat and the consequences of not getting it done. Show some security index, and be prepared to share the cost of not doing vs. doing, so they can make informed decisions about allocating resources.

    • @santibanks
      @santibanks 1 year ago

      @@basictalent1 That might be true on paper, but not all fields are regulated, and smaller businesses can sometimes be exempt from certain regulations (like in the EU: if your company falls within one of the designated branches but has less than 10m revenue and/or fewer than 50 employees, you are still exempted from the NIS directive). I'm of the opinion that security is sold to senior management when it actively engages with the topic. Just having a policy because everybody has one is not my definition of a management sold on security. A large part of the job as a practitioner in every rank (security engineer, information security officer, CISO, whatever) is creating awareness and educating people. So security is sold to management when it is a point on the agenda and decisions are actively and consciously being made (and that can include the decision to give other things higher priority than working on security). Because it is a human tendency to prioritise instant gratification on tangible things, security does need to be sold on a continuous basis.
      Now I do agree that you simply have to present what the company is doing and is not doing, and what this means for their business in a fair and accurate way (or at least as accurate as the information you have allows you to). And what the consequences of not getting it done can be within the context of the risk appetite. But management needs to understand that they are responsible for security; you are just the messenger and facilitator. Depending on the maturity of the management in question, you need to educate them and "sell security". It is up to management to make the calls and sign off on things. As a practitioner, that is what you have to live with.

  • @mohdamrirazlan7879
    @mohdamrirazlan7879 3 years ago

    Good point!

  • @michaeljearfed5913
    @michaeljearfed5913 3 years ago

    Beastly work you have here

  • @wawood059
    @wawood059 6 months ago

    Great presentation, but I would argue that you miss a couple of key process elements upfront: 1) documenting/deriving the systems architecture, and 2) determining critical assets. Also, I think the BIA process should be brought forward to help prioritize system protection requirements.

  • @shajikurian2938
    @shajikurian2938 3 years ago

    Good stuff

  • @rmcgraw7943
    @rmcgraw7943 5 months ago

    Whenever I see a girl making a video at the gym, I take my phone and take pictures of them when they are in unflattering positions, which makes them go crazy! They come and stare at me, and I simply reply, “If you are going to record me in a public gym and put me in your video, then I’m gonna do the same thing to you, and I’ll be the editor of my video.”

  • @clausjespersen1073
    @clausjespersen1073 1 year ago

    Ååååååååå1

  • @claudiamanta1943
    @claudiamanta1943 1 month ago

    45:20 Listen. You seem to be a decent man and a very good teacher, however…
    If their stupid incompetence affects me, I can’t be chilled about it, can I? If I were just an external consultant, it would probably be easier. But if my job in that company is at risk and/or if my data is at risk because an idiot up there can’t be bothered… Houston, we have a big problem.
    And, by the way, this typical Western type of mentality is one of the main causes for the demise of the West.

  • @GOTHAM21
    @GOTHAM21 1 year ago

    You guys need better microphones.

  • @cybersecstudy9871
    @cybersecstudy9871 2 years ago +2

    I’m sorry but I have to disagree with his definition of risk and his entire methodology! If you have threats but no vulnerabilities for the threats to expose… you don’t have a risk and you don’t need to implement controls!

    • @ralph17p
      @ralph17p 2 years ago +11

      Well done on totally missing the point. The video is about talking to senior leadership. You can stroke yourself all you like to the industry definitions of risk in your technical team meetings, but when you have 10 minutes with the board, if you waste 5 minutes explaining the threat * vulnerability * asset value formulas or whatever - game over. You've lost. You'll have bored them to death and they'll get their cyber security advice from their CEO buddies on the golf course based on what that guy's company is doing.

  • @joelmoo-young3529
    @joelmoo-young3529 2 years ago +4

    At 6:32, the SANS webcast at www.sans.org/webcasts/influencing-effectively-communicating-ceos-boards-directors-103927/ that was presented on 18 April 2017 by Alan Paller and John Pescatore is entitled "Influencing and Effectively Communicating to CEOs and Boards of Directors."