
Should Risk Lead GRC?
04/16/20 • 24 min
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-should-risk-lead-grc/)
Defining risk for the business. Is that where a governance, risk, and compliance effort should begin? How does risk inform the other two, or does calculating risk take so long that you can't start with it?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Allan Alford (@AllanAlfordinTX). Our guest is Marnie Wilking (@mhwilking), global head of security & technology risk management, Wayfair.
Thanks to this week’s podcast sponsor, Qualys.
Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.
On this episode of Defense in Depth, you’ll learn:
- The model of risk = likelihood x impact doesn't take into account the value of assets. Assets have to be valued first before you calculate risk.
- Is the reason risk isn't used to lead governance, risk, and compliance (GRC) because it's so darn hard to calculate? Many CISOs say their toughest job starting out is trying to understand what the crown jewels are and what the board's risk tolerance is.
- Risk management allows the board to know when you have enough security. Some assets may require eight layers where others may only require one or two.
- Determining likelihood of an attack involves a good amount of guesswork. We've discussed on a previous episode of CISO/Security Vendor Relationship Podcast that we don't go back to see how good our risk predictions were. If you want to get better at it, you should. Otherwise, it will always be guesswork.
- Even if you can get someone to agree what their risk tolerance is, or what asset is of importance, trying to get agreement among a group can be a blocker. Keep in mind that each person is going to have a different viewpoint and concerns.
- Knowing risk appetite is critical. You can apply security controls without knowing it, but then you're providing a uniform security layer across all data, people, and applications even though they are not all equal when it comes to asset valuation.
Previous Episode

Responsible Disclosure
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-responsible-disclosure/)
Security researchers and hackers find vulnerabilities. What's their responsibility in disclosure? What about the vendors when they hear the vulnerabilities? And do journalists have to adhere to the same timelines?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series and Allan Alford (@AllanAlfordinTX). Our guest is Tom Merritt (@acedtect), host, Daily Tech News Show.
Thanks to this week’s podcast sponsor, Qualys.
Qualys is a pioneer and leading provider of cloud-based security and compliance solutions.
On this episode of Defense in Depth, you’ll learn:
- Manufacturers, software companies, researchers, hackers, and journalists all play a role in responsible disclosure.
- Vulnerabilities will exist, they will be found, and how companies want to be alerted about those issues and inform their public are key elements in the process of responsible disclosure.
- While there are CERT guidelines for responsible disclosure, there are no real hard and fast rules. There will always be judgement calls involved. But like the doctor's Hippocratic Oath, the goal is to minimize harm.
- You can't announce a vulnerability without offering a fix. It's opening the door to the bad guys to come in and cause havoc.
- There is a long history of how vulnerabilities have been disclosed. It often was a surprise and malicious. The trend of responsible disclosure and bug bounties has given rise to the legitimacy of white hat hackers and the process of exposing vulnerabilities.
- One listener argued that the term "responsible disclosure" implies a moral judgement. He argued that it should be referred to as "coordinated disclosure."
- There is still frustration on multiple sides with how responsible disclosure should be handled. Researchers sometimes argue they're not getting recognized or paid. Companies often feel extorted by researchers who want answers on their timelines. And journalists have to weigh the importance and criticality of a vulnerability. Should they let people know about it even if there really isn't a good fix yet?
Next Episode

Fix Security Problems with What You've Got
All links and images for this episode can be found on CISO Series (https://cisoseries.com/defense-in-depth-fix-security-problems-with-what-youve-got/)
Stop buying security products. You probably have enough. You're just not using them to their full potential. Dig into what you've got and build your security program.
Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and guest Brent Williams (@brentawilliams), CISO, SurveyMonkey.
Thanks to this week's podcast sponsor, Deep Instinct.
Deep Instinct is changing cybersecurity by harnessing the power of Deep Learning to prevent threats in zero time. Deep Instinct’s on-device solution protects against zero-day, APT, and ransomware attacks, and against both known and unknown malware with unmatched accuracy and speed. Find out more about the solution’s wide-covering platform play.
On this episode of Defense in Depth, you’ll learn:
- It's very possible you're not using the tools you've purchased to their full potential. What would happen if you completely stopped buying security products and tried to fix your problems with the tools you've already purchased?
- The reason this is such a popular discussion is that as an industry we're still struggling with managing the fundamentals of security.
- Shelfware happens because we buy before we're ready. Purchase decisions should be made in conjunction with knowing whether you have the staff and understand the integration points needed to implement the solution.
- Tooling for the few layers must be dealt with first. You don't need a solution selling a higher layer of security if you don't have the foundation built.
- Much of this argument is based on the messaging we hear from vendors. They're understandably in the business of selling product. Be cognizant of how you're absorbing information.
- We need to also focus on the people who unfortunately are fallible and can make non-malicious, but poor decisions.
- If there was going to be any additional spending, the argument was to invest in your people - from the entire staff to specific training for your security staff.