Saturday, June 17, 2017

Risk Management, Compliance, Resilience. What's old is new again!

Three times this week a user or potential customer told me I'm not looking for more intelligence. I'm looking for compliance, risk management, resiliency.

Imagine that! Those are the three things that that we talk about most… well, may be not resiliency. Your failover is something completely out of my control, but for over 20 years I've had a copy of ISACA's Enterprise Risk Management framework documents either on, or very close to my desk. I'm a long time user of SEI'S OCTAVE Risk Modeling system —even though it's morphed, it's easy to explain, use, and train a team to implement. And compliance? That's pretty easy. If I see massive amounts of lost PII, intellectual property or outbound activities touching our sinkholes, it's pretty easy to know who's in compliance and who's not.  I don't see the systems, but I definitely see the outputs.

I have to laugh. I consider myself an expert in risk management. I have an MBA with a focus in risk, and have built and implemented risk models at some of the best companies, on three different occasions.

I've been interested in, and preaching risk management since 1998, first using OCTAVE as a Navy Officer, implementing risk management into Navy Networks through a visiting scientist partnership with SEI. This work lead into processes for building SiLK models (Suresh L Konda's network flow engine —a CMU PhD and good friend) —now Centaur and Einstein.

Later, after leaving the Navy and working for Cisco (2001-2005) I built a team and implemented hybrid OCTAVE, COSO, and ISO models to build risk processes. This hybrid model was used to evaluate M&A prospects, third party partners and suppliers, and remote offices. We used these models in dozens of locations and organizations in as many countries around the world. Risk is a common language transcending country borders.

At Northrop Grumman (2005-2008), I built on these processes using ISACA's early Enterprise Risk Management framework —a larger view designed to integrate IT Risk into larger organizational risk models —financial, operational, etc. We used it to evaluate (again) M&A candidates, third party partners and suppliers and remote offices. And when it came time to chase out bad guys, we already knew the issues with the infrastructure in which we were operating. This product evolved into full-out, large scale risk management and identification run by my second team hire.

Yep. This stuff works.

But guess what all three of these have in common?

Every one requires a deep understanding of external threats —to operations, to finance, and to IT. That information is called intelligence, and it's a linch-pin component of every risk management process. No matter which one you choose, they all require external inputs to understand and prioritize the threat, the strategy, and the spend that will go into mitigating, minimizing, transferring (through insurance), or accepting the risks identified.

Without intelligence, you can't have risk management, and therefore can not have either compliance or resilience. Intelligence is foundational.  And if you're relying on intelligence that comes in that sexy little silver UTM (we use one too!), you're missing the boat. Are you going to show your boss the UTM logs when you need budget for next year's threats? Probably not.

You need to think strategically, and that requires good intelligence —the story behind the threat, the motivation of the bad guys chasing you, maybe a picture of one or two of those guys, and an understanding of how they'll affect your business --not just a feed of IOCS.

An as is always the theme of my blog… we're here to help.

Wapack Labs Cyber Threat Analysis Center is a great way for companies of any size to be constantly aware of threats you face.  Whether it's monitoring threats to key personnel, stolen credentials, sinkhole analysis, or sentiment analysis, CTAC makes it easy to monitor your daily and ongoing threat picture. Look at five years worth of data and extrapolate that out into longer term planning. Request a deep dive on your company and use that in planning futures. We've published on everything from stolen credit cards to North Korean Nuclear and EMP options. We've covered Ukrainian | Russian geopolitical risk monitoring for our companies who do work in the area, and published lists and mitigations for cyber tools being hoarded by Iranian hackers during last year's nuclear talks. We publish indicators with confidence ratings, key logger dumps (not TOR captures with high false positives), and probably have one of the largest sinkhole collections going.

Risk Management, Compliance, Resilience. As you think through these processes and need to figure out who to call for intelligence inputs, call us first.

Want a demo? Drop us a note. We're hear to help.

No comments: