RSA Videos: Techniques to Evolve Governance and Comply with the SEC Cybersecurity Rule

INTRODUCTION


LEGALLY DEFENSIBLE


CLEAR LINE OF DEFENSIBLE RISK


UNDERSTANDING KNOWN RISK


ROADMAP TO ACCEPTABLE LEVEL OF RISK


EXECUTIVE REPORTING


APPLYING IT and QUESTIONS


TRANSCRIPT OF JIM MIROCHNIK AT RSA 2024

Hello, everyone.

My name is Jim Mirochnik, and I’m the CEO of HALOCK Security Labs.

Welcome to our presentation on Techniques to Evolve Governance and Comply with the SEC Cybersecurity Rule. So where are we in the week? It’s Tuesday, second day of RSA. Most of you by now have been to a handful of presentations.

You’ve seen some very interesting industry issues and problems discussed.

And while it’s important to discuss problems, what I’m really excited about is talking about solutions. And so today, we’re gonna talk about the challenges and the problems on implementing governance. What I’m really charged up about is how we solve those problems. And to that end, at the end of the presentation, you’ll get exposed to and access to a set of links, videos, tutorials, and templates on how to implement governance and how to solve that problem. So with that, let’s jump into it.

In the last year, major cybersecurity industry organizations have increased their requirements for us in one area.

We’ve seen the NIST CSF 2.0 get released in August of 2023, and now we have an entire module dedicated to governance. NIST is asking for increased governance. PCI DSS v4.0 now requires targeted risk analysis (TRA), and also is requiring increased governance.

The requirement we’ve all been faced with is the SEC cybersecurity rule. By the way, a link to the entire one hundred and eighty six page document is provided here. It’s wonderful bedtime reading material if you’re having a hard time falling asleep; this will do the job. I promise you.

And this rule requires accountability, transparency, and communication between cybersecurity, management, and the board of directors. So it also is asking us to increase governance.

So what are all these authoritative bodies asking us to do? They’re all asking it in slightly different ways, but they’re all asking the same thing.

What do they mean by increased governance?

You know, for years, we’ve heard the phrase people, process, and technology. And, honestly, oftentimes, it kinda gets overused over and over and over. But you know what? It actually applies here. Because if we look at people, process, and technology, and we look at Governance 1.0 to represent what we do today, and we look at Governance 2.0 to represent what we’re being asked to do, we can get a sense of what it is that is being asked of us.

So in 1.0, the old way, 2.0 is the new way. Let’s take a look at people.

In 1.0, we had no individual accountability, and we informed executive management in technical terms. In governance 2.0, we have a clear set of accountability, actions, and ownership. And we inform executive management in business terms.

As we look at the process path of people process and technology, in Governance 1.0, risk assessment methods were based on maturity scores in confidentiality, integrity, and availability.

In governance 2.0, our risk assessment methods are based on business impacts. And the focus is not just to ourselves, but it’s also to customers and our third party obligations.

And as we look at the technology portion, the technology lane of people process and technology, in 1.0, our risk registers lived in a single user spreadsheet which often makes the risk register unmanageable because you can’t report up out of it. You can’t collaborate, and it’s very difficult to link remediation plans to those risks.

In 1.0, we manually created presentations to executives with a lot of technical terms.

In Governance 2.0, our risk register lives in a multi user database, and our executive reporting is in real time and can happen at the press of a button. By the way, links to governance executive reporting platforms are provided to you at the end of this presentation on the last page, so you’ll have all that.

So at this point, you might be saying, that’s all fine and well. But I’m not even done implementing 1.0.

Well, guess what? The evolution does not require you to do things sequentially. You can go straight to Governance 2.0. As an example, China and India were rolling out their landline telephones. We’ll call that 1.0. They didn’t wait to finish rolling it out. They just stopped and went to 2.0. You can and should do the same and implement Governance 2.0 as soon as you are ready. So how do we put in place Governance 2.0? Well, we identify what elements of that program need to be in place, and then we talk about what capabilities our department needs to have to support those elements.

So if an element is to protect the organization, a capability could be to be legally defensible. If an element is to provide management oversight and accountability, which is a big portion of what we’re being asked to do, a capability could be to have really full fledged executive reporting.

So how does what you’re about to hear today allow you to implement 2.0? Well, each of the sections of this presentation is aligned with these five capabilities.

And what are those? Well, the five must have capabilities for Governance 2.0 are 1.) ensure that your security program is legally defensible from litigators, regulators, or anyone else coming after you. 2.) define a clear line of acceptable risk, above which you must remediate and below which you can accept the risks.

3.) understand the known risk to your organization.

4.) provide a road map for your program that reduces risk to an acceptable level over time. And 5.) and this is where you put it all together, executive reporting to demonstrate your program is effective, both inside the organization and outside the organization to interested parties.

So, let’s start taking a look at ensuring your security program is legally defensible.

Let’s spend a little bit of time here. And first, I’m gonna ask a question that’s gonna seem somewhat counterintuitive.

Have you ever heard of a company suing itself? No. Of course not. Because you get sued by customers, you get sued by regulators, you get sued by investors.

So if companies don’t sue themselves, why do companies assess risk in terms of harm only to themselves?

Don’t you wanna assess harm to the people that are potentially going to sue you?

Well, the reason we assess harm primarily to ourselves is because it’s the way we’ve always done it, and quite frankly it’s easier.

Litigators and regulators want to see that you assess harm to others, not just yourself. In fact, and we’ll get into this in a minute. If your risk register only has impacts to yourself, the kind of classic confidentiality, integrity, availability to technical assets, if your risk register only shows impacts to yourself, you are in essence documenting your negligence.

So let’s delve a little deeper into that. Over the last decade, we have done quite a bit of litigation support as expert witnesses. And what we have found is if your company enters into a lawsuit with a litigator, regulator, whomever, they’re gonna ask you for two things.

1.) they’re gonna ask for your risk register, and they’re gonna look and see, are you assessing the risk to others? They’re gonna ask you questions like, did you think through the likelihood of potential harm to others? Did you think about the magnitude of that harm? Did you consider safeguards to reduce risk to an acceptable level? And have you even defined what is an acceptable level of risk? This is what you need to have if you have a breach. This is what you need to have if you get into litigation.

The second thing they’re going to ask you is they’re going to ask you for consistent risk management.

I’m gonna use an analogy here for a minute. We’ve all seen someone being asked to provide a project plan. They provide the project plan, they send it off to whoever requested it, and they never look at it again. They just go on their merry way. The project plan is a deliverable. It’s not a living, breathing document.

That’s opposite of what the legal system wants you to do with risk management.

They want you to be running that risk register, And every time you get a pen test and you create a set of risks, those risks make their way into your risk register. They get prioritized. They get remediation planned. And those that are above the line that allow you to actually focus on them get activity. The same happens with incidents and audits, and assessments.

Your risk register needs to be a living, breathing thing. They wanna see consistent risk management, not a deliverable that you made one time after a risk assessment, and we’re done. So these are the things you need to think about if you want to be legally defensible.

So the question is, how do we strive towards legal defensibility in the context of the methodologies and frameworks available to us in the marketplace. There’s a lot of different frameworks for risk and audit. Right?

We’re gonna skip to the answer here, and then we’ll go back and kind of work our way back. So to avoid a long lead, I’m gonna give you the answer, and we’ll work backwards. The answer, the important difference here, is between the blue and green headers.

The blue headers represent common risk assessment methods.

The green headers evaluate something called due care. This is the care you must provide to others. This is your focus on understanding harm to others. Of all the frameworks we’re gonna talk about, there’s only one that assesses impacts inside and outside the organization. And this is necessary for the balancing test required by law. This is what the law is asking you to do.

So what is DoCRA? Well, duty of care is foundational for assessing liability in our legal system. It’s nothing new.

As an example, if you have a grocery store, and you have a walkway in front of that grocery store, you need to shovel that walkway when it snows. Now this is not a topic that’s very relevant for San Francisco. Doesn’t snow here very often, but the rest of the country experiences snow. So if it snows, you must perform your duty of care. The duty of care is the duty you have to protect others.

You need to shovel that walkway when it snows. That’s your duty of care. So duty of care is nothing new. It’s just now making its way into infosec, and it’s not going away. It’s getting broader. And we’ll talk about that in a minute.

Duty of Care Risk Analysis, otherwise known as DoCRA, is simply the implementation of duty of care in cybersecurity.

Now federal regulators and judges accept DoCRA to demonstrate reasonable security.

DoCRA is used by state attorneys general to describe what they mean by reasonable security. Operating DoCRA demonstrates that your program is legally defensible.

So let’s talk a little bit about the history of DoCRA, so it gives you kind of a context of how this came to be.

The DoCRA standard was launched in 2018, and the DoCRA Council is a nonprofit organization. And we’ll provide links to all of these, all free links and and resources at the end of the presentation.

DoCRA donated its risk assessment methodology to CIS, the Center for Internet Security.

And CIS published the risk assessment method 1.0.

They called it CIS RAM, the Center for Internet Security Risk Assessment Method. Many of you are already familiar with it, but I wanted to point out that that entire risk assessment framework is based on DoCRA. And while DoCRA is the chosen risk engine for CIS, it could be used with any control set. NIST, CIS, ISO, PCI, you name it. It’s had significant adoption today. More than ten states are using DoCRA as a definition for reasonable security. And there have been over one hundred and forty thousand downloads to date.

So coming back to this matrix, now it’s really important that we really understand and cover how DoCRA compares to maturity assessments in order to understand where it fits.

Gap assessments and maturity assessments are the two rows at the very bottom, and gap assessments and maturity assessments do not allow you to provide your limited spend in the absence of any risk analysis. It does not allow you to prioritize how to spend that money.

Only true risk assessment analysis will help you determine the impacts from lack of controls. And there are six rows on this page that represent risk analysis methods.

Of those six rows, of those six risk analysis methods, there’s only one, which is the top row that covers all the bases and analyzes impacts inside and outside the organization.

This is what provides you legal defensibility. So I wanna stop for a minute. I can’t stress this enough. If you strive for legal defensibility, you must assess the harm to others. This is something new. This is something that I spent over a decade doing in the field, and I didn’t do it. But when you do litigation support as expert witnesses, you see over and over, this is what the law is asking of us.

Certainly, most of you have heard about this already.

The SEC rule requires accountability, transparency, communication to management, and the board, with regard to risks and incidents. And if your company is a public company or subject to the SEC rules, this is very important to you. But guess what?

Even if your company is not a public company, this is still very important to you. Because it’s just a matter of time before any of your customers or any of your vendors that are publicly traded companies come to you and ask you how you’re handling these as their third party business partner.

So let’s take a look at some of the highlights of the SEC cybersecurity rule, and how putting in place these five capabilities addresses difficult requirements.

The first requirement is that companies will need to describe how their risk management program will inform investors about impacts that they would consider material.

So you’re asked to inform investors and management of impacts they would consider material. Well, all that CIA stuff goes right out the window, because investors and management don’t speak that language. How do you accomplish this?

This requirement could be easily delivered and achieved through DoCRA based on the calculated acceptable risk definition, which we’ll cover in the next section.

Two, companies will need to demonstrate a true risk based management system, not a maturity based system, but a risk based system. And by virtue of implementing DoCRA, you’ve already met this requirement.

Three, and this gets a little bit more interesting, companies will need management to be informed in business terms of risks, incidents, and risk reduction.

Now this requirement is asking a lot.

Think about what they’re asking. Inform management in business terms, well how can you do that with traditional risk assessment methods? You can’t. But you can with DoCRA, and we’re gonna show you how in section five. And four, and this one’s my favorite.

Companies will need to convey risks and key decisions to board of directors in business terms.

I have a question. How many cybersecurity teams have you seen that can communicate to the board of directors in business terms?

Right?

I’m gonna go out on a limb here and say, not many.

Guess what? Governance 2.0 and the last section of this presentation will show you how to do that.

So let’s jump in and discuss at a high level creating a clear line of acceptable risk above which you must remediate, and below which you must accept the risk.

It’s worth noting that many executives don’t know that there is a line. Many executives believe that they have to just take whatever budget they have, spend it every year, and then do the same thing next year, and then do the same thing next year. That’s kind of like going to the grocery store and spending everything you have in your wallet, and then coming back next week and then spending everything you have in your wallet. Is that how you want to shop for groceries? You should be solving risks. And I’ll tell you that when executives find out that there is a line, below which they can just accept the risks, they find that very gratifying.

So let’s talk about how we define that line.

To establish a line of acceptable risk, we need to communicate in a way where cybersecurity and business understand one another.

We need to speak the same language.

And this part of the challenge is difficult because cybersecurity and business traditionally are not speaking the same language.

Cybersecurity, well we talk in terms of risks, cost, threats, vulnerabilities, likelihoods, and there’s nothing wrong with that. It’s our way to communicate risks. But guess what? This creates centered on fear.

What does the business talk about when we’re not with them?

Are they just talking the language of risks, vulnerabilities, and likelihoods? No. That’s not their entire language.

The business language also covers what you do for your customers. Are you achieving your business goals? Are you achieving your third party obligations?

So the business language is actually a superset, and technology and cybersecurity is speaking a subset.

So how does DoCRA create a common language between cybersecurity and the business?

Well, it starts by including the traditional cybersecurity language of risks and costs.

And then DOCRA includes the missing components.

The impacts to what your customers would experience if there was harm to them. The impacts to your business goals. The impacts to your third party obligations.

When you start communicating these terms, you start to speak the language of business.

Now, cybersecurity and business are speaking the same language by utilizing a translator.

So to use an analogy, we’ve all had a paper dictionary.

And that paper dictionary worked fine to look up a word. But how did that paper dictionary work when you wanted to have a real time conversation with someone that speaks another language?

It practically doesn’t work. And then online, real time translators came out, like Google Translate. And now we’re able to cut and paste and actually have a conversation with someone in a different language virtually in real time.

Google Translate is a universal translator.

DoCRA can be used as a universal translator. And we’ll provide you some links on the last page, both free and paid resources, on how to use DoCRA as a universal translator. So very powerful, allowing you to bridge that gap and actually speak not only to the business, but also to the legal system.

So getting back to defining a clear line of acceptable risk. We’re gonna cover this at a high level. And the first step is defining the impacts across your customers, your business goals, and your third party obligations.

You define at what point business impacts are unacceptable.

This line is also going to help you with the SEC cybersecurity rule’s materiality. Then you define likelihood levels to be meaningful to your organization, for example: we’re certain this will eventually occur, but it may not be common. That’s the level at which they wish to remediate.

So by defining impact levels we must prevent, paired with likelihood levels we must prevent, we’re then defining your risk appetite. That is, what is the line at which we want to remediate?

In this example, this business has selected three for their likelihood, that is, foreseeable, as acceptable risk, and a score of nine or greater we will remediate.

And once we have this line, we can start to sort our risks by risk score and remediate things above the line.

So now we get into the third capability, which is understanding the known risk to your organization.

Now there’s a subtle point here, but it’s very important.

The known risk does not mean all risks. If you have fifty risks in your risk register, the known risk is, what do those fifty risks mean? Does that give you an eight hundred FICO or a six hundred FICO? It is not requiring you to know of all risks in the universe.

This is understanding what your known risk means to you and your organization.

And we can display that first with a big picture view of how many risks you have in each category.

You can start to see that our fifteen high and eight unacceptable in August have now reduced to three high and five unacceptable in May.

This graphic also shows your due diligence. You show that you’re seeing and fixing as you go. And this is a very important and powerful story, and exactly what regulators want to see. They want to see evidence that you are looking and fixing what you find.

Another view shows your controls organized by domains, and highlights that the hollow circles and hollow rectangles are showing where you are today, and the filled circles and filled rectangles are showing where you’re going to be once you remediate.

And this is not just about providing information, this is about knowing where we should be paying attention.

You’re able to demonstrate that. These two views really give you the ability to demonstrate, one, that your security program is headed in a very productive place in terms of what you accomplished. And two, as you’re getting there, where are you focusing?

The fourth capability is probably my favorite of all. And it’s my favorite because the road map can be one of the most powerful tools in your arsenal, and it could be the one thing that binds your relationship with executive management. And let’s talk about why.

Why is providing a roadmap so difficult?

You know, all of us have gotten the question, we’d like a multi-year road map. Can you give us a road map?

And it’s difficult to maintain risk models that change data over time. And you know what?

We’re all a little nervous that if they like it, they’re gonna make us do it all the time. That’s gonna be a lot of work. But this is where I’ve gotta just stop, and this is a very interesting behavioral science discussion. When your executive asks you for a roadmap, what are they asking you for? I mean, think about it. I’ll tell you what we usually give them. We give them a picture of a bunch of projects, start and end dates, and what we’re gonna do over the following year or two.

How is that information useful? How do they make any informed decision? How does that tell anything about where they are with regard to risk? It doesn’t.

It may be what they’re expecting, and that may be what we’ve been doing, but there’s a much better way, and I’m about to show you what that is. But before we do that, let’s talk about what psychologically they actually want. Well, your executive has ownership over part of the company, and you are presenting on the health of that ownership.

So let’s use as an analogy, what happens when you get a yearly physical? You have ownership over your body. And your doctor is presenting information on the health of something that you have ownership over. So really, what you want is the same thing that your executives want.

What do you really want to know when you go and get your yearly physical? Are you interested in five pages of printouts of ranges of hemoglobin and oxygen levels? No. You literally wanna know two things.

You wanna know, am I okay?

And if I’m not okay, how do I get to okay? Right? And that’s what your executives want. I’m sorry. They’re not that interested in the MFA rollout, or PAM, or anything else. They just want to know, am I okay? And if I’m not okay, how do I get to okay?

Well, how do we do that with current methods?

I’m about to show you how.

So I’m now going to get an opportunity to use a laser pointer, so this is exciting. Alright. So first, we start out with, are we okay?

In this construct, we have the line of acceptable risk, which is our teal line, and we’ve established in the previous section that this company has said eight is where they want to be.

So in a risk register of fifty risks, if you average all of those risks and your score was an eight, this is where you’d be. That’s your three point eight GPA. That’s your eight hundred FICO score.

The blue rectangles represent where you actually are. And if you notice, they stop in May. Why? We can’t have actuals in June because we haven’t gotten to June. So the blue rectangle is where we actually are. There’s only two other constructs.

The orange line represents the plan that executive leadership approved for us in October.

That’s what they gave you money for. That’s what they’re expecting you to do. Well, guess what? How many plans turn out exactly as you planned? Very few. And so the purple is the plan you’re actually on.

So the first question, you remember there’s two questions. Are we okay? And if we’re not okay, how do we get to okay? If you can answer that for your executives, you’ll make them very happy. It’ll probably be the first time they felt quite this way. So are we okay? Well, let’s take a look.

Our current average risk level is fifteen point three. So we see that we started out in October, and our risk level was really high. It was fifteen point three. And our acceptable risk level was eight. So, no, we were not okay in October.

So what happened?

Well, we fell behind schedule. Why? We were supposed to be at this risk level, but our actual risk level was higher. But guess what happened?

We caught up in February, and now in May, we’re one month ahead of schedule, because our purple line is actually ahead of the line that the executives approved. So in looking at this, can you figure out when we are gonna get to okay? When are we gonna get to what we’re expected to do?

Well, our purple line is gonna cross that line in two months. That’s about two months ahead of schedule.

So we can let them know we’re gonna achieve our goal in two months, and we’re gonna get there two months ahead of schedule.

So one view, you’re not giving them a lot of quantitative statistics.

You’re not giving them a pie chart. You’re showing them what is an acceptable level of risk. What is okay? We weren’t okay, but we’re on a path to get there. We’re ahead of schedule. We’ll be there in two months, and we’re gonna be there two months ahead of schedule.

When you show the business what you’ve committed months ago for risk reduction, how you’ve performed against those commitments, and what you’re committing going forward, you achieve a level of respect that fosters partnership and trust. Now some of you may be saying, wow. This is powerful. But this is kinda like Cirque du Soleil. I can’t do this. You can.

You can, and we’re gonna show you how, and we’re gonna provide you links to do to get there quickly.

We also note that every so often, and we’ve done this hundreds of times, this road map view, every so often you get a statistically savvy executive that says, that’s a really powerful road map. Love it. However, you’re plotting averages, and averages can hide outliers. So in the spirit of transparency and to be proactive, we provide a list of all the risks that are above the acceptable level.

So if there are any outliers they want to discuss, they can. Because truth be told, you can have a three point eight GPA, but you could still have a C in a class. That’s your outlier. We provide all the risks, so we could discuss them right away to head off any objections.

Okay. The fifth capability is communicating risks and justifying expenditures in business terms. And this is one of the key components of the SEC rule, and this is where, really, we put it all together, all the things we’ve covered so far.

So first, let’s kinda step back again and think about the psychology behind providing information to executives. I don’t wanna just run off and start showing pictures. Let’s think about how this information is processed by your audience.

And let’s really delve into that psychology between you and the audience. When you’re presenting to executives they’re really assessing two factors.

Trust is the reputation you have before you walk in the room. It’s their view of how well you’ve managed your area of responsibility.

Confidence is their interpretation of the quality of information that you’ve provided today.

Does it give them what they need to make an informed decision? And it’s important that we think about these two different categories because they define the sequence of how you provide information. We’ll show you how.

In doing this hundreds of times, we found that the best way to convey information to executives is providing multiple views on how you manage your program, which are these four. And then multiple views of the detailed status of your program, which are these three. And we’ll go through them.

So let’s take a look at a sample executive status.

It always helps to start with a professional looking, you know, cover page. So that’s what this is. And we jump in and follow it up with a clear agenda. Notice we’ve got four views on how you’re managing the program, and then three detailed status views. We start out with a big picture view of how many risks you’ve had in each category. You could see that our fifteen high and eight unacceptable have now reduced to three high and five unacceptable.

This graphic also shows your due diligence.

It shows that you are seeing and fixing as you go.

It’s a very powerful story and exactly what regulators want to see. Evidence that you keep looking and fixing what you find.

It’s not just about providing information, it’s about knowing where we should be paying attention.

This next view is usually overlooked, but it’s very important.

This next view really baselines to the last time that you met with the executive team. So you met on February seventh. Today is May seventh. So in the last three months, what has happened?

We had nine highs. Now we have two. We had twelve unacceptable, now we have high. We’ve had a scope increase, an incident. We’re looking at M&A. We’ve had a pen test.

When you baseline back to a frame of reference that’s familiar to your audience, guess what you’re doing? You’re paying them respect, and you’re showing that you care. That’s how I’d want to be treated. And when you do that, you’re also demonstrating that you’re not just dropping some boilerplate presentation in front of them. You’re giving them a frame of reference.

This is rarely done, but really important and helps build a trusting relationship with you and the audience.

We will achieve our goal in two months, and we’re going to get to our goal two months ahead of schedule. And when you show the business what you’ve committed two months ago for risk reduction, and by the way, they approved that orange line.

How you’ve performed against those commitments, and what you’re committing to going forward, you achieve a level of respect that fosters partnership and trust.

And now we jump into the actual detailed status.

So there’s a life cycle of risks, and it starts with audits and assessments. Now if we never did pen tests or scans or audits or assessments, our risk register would be pretty small.

It would look really good, but that’s not realistic. And that’s not the type of hygiene we need to practice in cybersecurity.

But we must do these things on a regular basis, and this is your view to report all the things that are regularly occurring and ask for support if any of them are under resourced or stalled.

The next stage in the life cycle is to understand, are we creating and approving remediation plans fast enough?

I have to say this view, is definitely the one that’s often overlooked.

But what this does is it forces you to look between the chasm of scans, tests, audits, and assessments, and what you’re implementing.

This is where many latent risks sit for months, if not years. So I’ll use an actual example.

It’s one of the most problematic areas that we’ve seen. If you just did a pen test and you’ve got ten risks, and of those ten risks, eight are high, you wanna do something about those. Where do they live? Do they live in a spreadsheet?

Are they still sitting in that PDF file from the pen test provider? And how long has that been there? And who knows about it? Those are the latent risks.

If you’re not tracking it in some way and reporting on it, you’ll find out about it if you have litigation, that’s for sure. But how are your executives seeing? Are you creating and approving remediation plans fast enough?

So in this example, this organization has chosen that for any risk that is high, within forty five days, they want a remediation plan and to start that for execution.

They want to create a remediation plan and approve it. Well, guess what? Five of the five risks that they’ve identified in the last three months as high are ninety nine days over this SLA.

Now they know about it.

And why is that happening? What’s the reason for the delay? Our infrastructure team has been swamped and understaffed. They’re not able to meet.

I know this never happens to any of you. Infrastructure is totally available for all of you, basically, like, on a whim. But in the event that this does happen, you can talk about it, and you can have a productive action plan. We’re requesting assistance for a friendly escalation to either raise the priority or get them more resources.

Now you’re having a structured conversation, a productive conversation with your executive management team.

And the third piece in the life cycle is really a view that many of us are familiar with. This is, are we executing as planned and approved? And in the areas of schedule, scope, and resources, this view highlights that if we’re having trouble, we can involve executive management in a planned way.

So we’ve seen how it can work. Now let’s talk about how do we implement this.

The decision in the industry has already been made. NIST is requiring a governance program. PCI is requiring a governance program. SEC is requiring a governance program. If you don’t implement the program, you’re really kinda choosing to go in a different direction.

So here’s the choice you have. Why should you go to Governance 2.0? Well, there are at least three very strong reasons. One, we’ve already covered. The industry’s requiring it, so there’s a compliance driver. Two, it’s better for your company. And it’s better for your company because you can prioritize better, and you can communicate with your executives better.

Three, it’s much better for you. If you have the ability to be proactive instead of reactive, don’t you wanna take it? When you have a strong governance mechanism, and someone comes to you with a squeaky wheel, or an initiative they want you to take, you could say, well hold on a minute. Let me run it through my risk register engine and see where it lands. Because if it’s not in the top five things we’re working on, it’s not a now activity.

You have the ability, and the discipline, and the rigor to be proactive instead of reactive. That’s what Governance 2.0 affords you.

So really, the choice is not if you should implement Governance 2.0. The choice is how and when. You’ve got to decide. Do you want to do it on your timeline?

Or when you’re forced to do it on someone else’s timeline?

Now you can easily implement and be operating Governance 2.0 by the end of the year. I just want to stop here and say, each and every one of you in this room, and we’ve helped many clients do this, anybody can implement this by the end of the year. And the most important link on this whole page, and you’re about to see the rest of it, is that first link, www.halock.com/rsa2024.

That link gives you everything you need right there, including templates, videos, helpful links. Some of these resources are absolutely free, such as CIS RAM and the DoCRA standards website. Some of these resources are paid resources like a turnkey governance application, Reasonable Risk www.reasonablerisk.com, which was used to generate pretty much all of these graphics.

Just remember, you can get this done by the end of the year. You can turn your program from reactive to proactive.

And you can start seeing the benefits right away. With that, I thank you for your time, and I’d like to open up the floor for questions.

Yes, sir. Hi.

Maybe this is too big a question.

Sometimes we jump from a risk, something bad that can happen to us, to a deficiency, something that we aren’t doing as well as we should. And to me, at least, that language gets all mixed up. You know, we aren’t doing this thing we should isn’t the same thing as this might happen to us.

I wonder if you could just say a couple words about how we jump from A to B.

Sure. That’s a great question. So let’s really back up. So the question is sometimes we jump from a risk right into a deficiency.

And I think what we need to really think about is what is a risk? A risk, whether you’re using DoCRA, NIST, PCI, any framework, is defined by impact times likelihood. Likelihood times impact is the definition of risk. So first, you need to understand what is that risk, what is that business impact, and what is that likelihood of that happening.

Once you understand the problem, the deficiency, as you mentioned, could be the root cause, but there may be other ways to achieve that problem. So once you understand the risk, the next step is to create the remediation, which could indeed be to address the deficiency, or there might be another way. The key is, my father always said this: all good problem solvers first understand the problem before they jump to the solution.

The deficiency is the solution. If you really understand the problem, you can look at multiple solutions, one of them being a deficiency.

So which one goes in your risk register?

The risk.

The risk goes. So what goes in your risk register, in business terms, again, ideally against impacts to your customers, your business goals, and your third party obligations.

Your likelihood, now this gets a little bit more technical, but your likelihood, if you think about it, for years we’ve been guessing at likelihoods.

How many times have we done a risk assessment or any kind of assessment and someone says, hey, how often do you think that’s gonna happen? Once a week, once a month, once a year? And you kind of have this dreadful feeling like, oh, gosh. I’m guessing, because you can ask me in a month.

I’m probably gonna give you a different answer. So what you really want to do is get to a point where you’re not guessing at likelihoods, but you’re deriving likelihoods. And there’s a way to do that both in CIS RAM and in one of the links that we provide here. If you go to this page, you can derive likelihoods in the following way, by pairing the frequency of that particular threat in your industry with the maturity of your control.

So if in your industry, business email compromise happens a lot, and you get that on the Verizon Data Breach Report, and you have immature controls such as, you know, you have no MFA, it’s gonna be high likelihood.

Anyone that’s received the Verizon Data Breach Incident Report (DBIR) that came out last week: ninety pages, free resource. You can look at it, but it helps you derive likelihood, which is really important because likelihood is half of the definition of risk, which drives what you work on. So, long answer to your question. Yes, sir.

Hi. Thank you. Quick question. If you work for a company that already has an enterprise risk methodology, can you talk about how we could take something like this, which is slightly different than an established risk methodology? And can it plug into that?

Or is it going to be a separate type?

Short answer is Duty of Care Risk Analysis, and we’ve seen this many times, can plug into any enterprise risk management methodology.

By taking a look at what criteria your enterprise risk methodology has, they will very nicely fit into what you’re doing for your customers. What are your business goals? Is it profit? Is it scale?

Is it cost reduction? Is it brand? And what are your third party obligations? So you define your calculated acceptable risk definitions, those impact levels, to be perfectly in line with your And then that actually provides you continuity between and what you’re doing.

So what we’ve seen is cybersecurity teams that have implemented DoCRA have a much better cohesive integrated relationship with because they’re not running with different definitions. There’s no reason you need to reinvent the wheel, map your into elements of DoCRA, and now you’re congruent.

Very open to questions, criticisms, compliments, whatever you want.

Well, I’ll start with the compliment then. That was, it’s really very, very interesting stuff. Okay.

I have a question about the idea of assessing the risk to others.

So that would be, that’s quite a new, well, it’s not a totally new concept, but I think here we’ve got to take a look at it in a different way. How do you get your arms, or any advice on getting your arms, around the scope of that? Because how can we determine the scope of the harm to others? I mean, you could really, that could run away with itself. Do we work with our legal department?

Do we work with, how do, you know, how do we approach

Alright.

So I’ll give you the technical answer and then the practical answer. So the technical answer is Duty of Care Risk Analysis (DoCRA) focuses on your mission, your impact to your customers, your objectives, your business goals, and then your third party and public obligation. So that’s the category it’s in. Practically speaking, how do you achieve that?

There’s a free way, and there’s a paid way. The free way: when you go to www.halock.com/rsa2024, you will get links to the CIS Risk Assessment Method (CIS RAM). Now we actually invented that method and donated it to them, but it’s free. It’s a series of spreadsheets, and organizations have gone out there and implemented this themselves for free.

It’s a lot more work, but it could be done. And there’s instructions to answer exactly what you’re saying. Other organizations say that we want to get theirs faster, and they can hire a consultancy to help them. What we’ve seen works very effectively is a facilitator led session that comes in and identifies what are your third party obligations?

What are your public obligations? They’ll work with legal. They’ll work with others. But that’s the easy part.

The hard part is getting everyone in a room, and I’ll tell you, I would be lying if I said I wasn’t stressed every time I got into one of these meetings, because I’m always thinking, oh my God. What if they don’t agree?

They’ve never not agreed. But you have an expert facilitator that leads business, legal, whomever are the stakeholders, and we go through and identify what are the constituents, what are the business impact levels, and then they define five different levels, draw a line. Sometimes it takes two meetings, but I’ve never seen it not done. So there’s a free way. There’s a link there. There’s a paid way. There’s a link there. But that’s the long and short of it.

Sorry.

Does it require the board of directors to also agree with them?

It doesn’t require it. In fact, usually, what we see organizations do is they don’t bring in the board of directors for the first round. This process that I’m describing is called the Calculated Acceptable Risk Definition. The acronym is CARD.

Once you define your impacts across those three categories, one through five, you have a draft version. That can then be shared with the board. But, typically, I have not seen board members included in the actual facilitator led session, but they can be. But there’s a way to involve them.

You get them to validate. So you’ve done all the heavy lifting in another session or two, and they validate in one of these meetings. In fact, it’s very common that when we’re presenting this to the board, there’s a slide that just shows here’s your CARD, your calculated acceptable risk definition; it’s that picture that we showed with the line across three different columns of customers, business objectives, third party obligations.

I know we’re coming up on time. Any other questions, comments?

Alright. Thank you all for your time.
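The risk life cycle described in the talk and the Q&A, as an added Python example that is not HALOCK’s, Reasonable Risk’s or CIS RAM’s code: likelihood derived by pairing industry threat frequency with control maturity, risk computed as likelihood times impact, and high risks checked against the forty-five-day SLA for an approved remediation plan. The 1–5 scales, the "high" threshold of 15, the rounding rule and the sample findings are constructed assumptions, not values from the talk or from CIS RAM.

```python
import math
from dataclasses import dataclass
from datetime import date

# Assumed 1-5 scales (CIS RAM's own tables are not reproduced here).
FREQ = {"rare": 1, "occasional": 2, "common": 3, "frequent": 4, "pervasive": 5}
MATURITY = {"none": 5, "initial": 4, "defined": 3, "managed": 2, "optimized": 1}
HIGH_THRESHOLD = 15  # assumed: a score of 15+ on the 25-point scale is "high"
SLA_DAYS = 45        # plan-approval SLA for high risks, as in the talk

def derive_likelihood(threat_frequency: str, control_maturity: str) -> int:
    """Pair industry threat frequency with control maturity instead of guessing.
    Assumption: the mean of the two 1-5 scores, rounded up (conservative)."""
    return math.ceil((FREQ[threat_frequency] + MATURITY[control_maturity]) / 2)

def risk_score(likelihood: int, impact: int) -> int:
    """Risk = likelihood x impact, the definition used in the talk."""
    return likelihood * impact

@dataclass
class Finding:
    name: str
    identified: date                  # date the pen test / audit surfaced it
    impact: int                       # 1-5 business impact level (CARD tier)
    threat_frequency: str
    control_maturity: str
    plan_approved: "date | None" = None  # None = no approved remediation plan yet

def sla_report(findings, as_of):
    """Return (name, days_over_sla) for high risks whose remediation plan was not
    approved within SLA_DAYS of identification; an unapproved plan counts up to as_of."""
    overdue = []
    for f in findings:
        likelihood = derive_likelihood(f.threat_frequency, f.control_maturity)
        if risk_score(likelihood, f.impact) < HIGH_THRESHOLD:
            continue  # not high: still tracked, but not subject to the 45-day SLA
        elapsed = ((f.plan_approved or as_of) - f.identified).days
        if elapsed > SLA_DAYS:
            overdue.append((f.name, elapsed - SLA_DAYS))
    return overdue

# Constructed sample findings, not real data.
SAMPLE = [
    Finding("No MFA on email", date(2024, 1, 15), 5, "frequent", "none"),
    Finding("Unpatched VPN appliance", date(2024, 3, 1), 4, "common", "initial", plan_approved=date(2024, 3, 20)),
    Finding("Stale guest account", date(2024, 1, 1), 2, "occasional", "managed"),
]
AS_OF = date(2024, 5, 7)  # reporting date for the status view
```

Running `sla_report(SAMPLE, AS_OF)` flags only the MFA finding: it scores 25, has no approved plan after 113 days, and is therefore 68 days over the SLA, which is the kind of latent risk the executive view is meant to surface.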
