Risky Business: Managing Risk Across the Enterprise
Greg Akers
Senior Vice President, Advanced Security Initiatives
Businesses continuously seek to forecast tomorrow to make better decisions today
© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2© 2008 Cisco Systems, Inc. All rights reserved.CyberSpace 2009 2
Risk Management is the process of dealing with uncertainty
Effective Risk Management
• Identifying and recognizing sources of uncertainty
• Measuring and assessing the frequency of occurrence and severity of impact of an event
• Evaluating alternative approaches to mitigate or take advantage of the risk
Governments and Enterprise Share Similar Security Priorities
• Balancing risk, security, compliance
• Securing ubiquitous access across devices, BYOD
• Sharing information across COIs, collaboration
• Ensuring defense in depth and breadth
• Enabling the business
• Balancing cost and productivity
Measuring Risk
[Figure: risk matrix with axes Probability and Consequence. Quadrants: High Probability / High Consequence; High Probability / Low Consequence; Low Probability / High Consequence; Low Probability / Low Consequence]
Managing Risk
[Figure: Enterprise Risk Management diagram. Labels: Business, Enterprise, Innovation, Community, Infrastructure, Employees]
• Business Risk Monitoring
• Risk Responsiveness
• Tolerance
• Risk Analysis
• Risk Assessment
• Business Continuity
• Risk Timing
• Disciplined Decision Making
• Business & Technology Innovation
Business Continuity Planning
• Business Resilience
• Insurance
• Risk tolerance
Responsibility for Managing Risk
[Figure labels: Cultural, Institutional, Individual]
• Taking risk is temporal, circumstantial, contextual
• Leadership must set the tone
• IT implements technology to help manage risk
• We all play a part every day
Risk Management is what the culture allows, institution requires, and the individual does – it’s our combined responsibility.
New Approach to Managing Risk
• Increasing business complexity, globalization, competition, innovation, technology
• Exposure to new types of risk
• Focus on shareholder value protection and creation
• New regulatory requirements
• Hardening of traditional insurance markets
• Expanded set of sophisticated risk management tools
Your Role in Assessing Risk Capabilities
• What are the risks for your organization?
• Is your organization taking the appropriate level of risk?
• Does management agree on the importance of the risks?
• Does management know the real level of impact and likelihood for these risks?
• For undermanaged risks, does your organization have a plan in place to improve the management of these risks?
• For overmanaged risks, does your organization have a plan in place to improve the management of these risks?
• Does your organization take inconsistent levels of risks?
Integrated Approach to Risk Management
• Risk Assessments: Coordinated approach to conduct interviews and use outcomes to drive initiatives and work flow
• Risk Review Group: Oversight body composed of a cross-functional team to share information
• Risk Database: Database that catalogs and categorizes risk to improve overall management and tracking of risk activities
[Figure: Risk Review Group diagram. Labels: HR, QUALITY, LEGAL, SOX, INFO SECURITY, ERM, Brand Protection, IT, PLANNING, Supply Chain, AUDIT]
Benefits of Managing Risk
Improved Risk Knowledge
• Enhanced understanding of risks affecting performance and return and what drives them
• Ability to anticipate and communicate uncertainties inherent in performance goals
• Ability to integrate risk management with line management processes
Disciplined Decision Making
• Alignment of capacity with propensity to bear risk
• Improved capital and resource allocation capability
• Systematically guiding risk management activities through a disciplined and continuous framework
Enhanced Confidence
• Establishes supportable rationale for pricing of risks inherent in transactions
• Integration of risk management with strategic planning and decision-making processes
• Improved transparency of risks for internal and external stakeholders
Data: The Key To Understanding Your Environment
• What is on my network?
• Where is it on my network?
• How did it get on my network?
• What condition is it in?
• Who is/should be using it?
• Where does my network “go?”
• Who is really in control of my information?
• How do I manage security when no one is in control of my data?
• Do I design for compromised operations or try and assure clean operations?
Data Analytics Is The Future
[Figure: Event / Behavior Correlation diagram. Labels: Identity, Geolocation, Proximity, SCADA, Home Grown Apps., Sensor Logs, Other Data; System Analysis, Network Analysis, Security Vendor, Other; INFORMATION; Understanding / Strategy / Action; Net Team, SecOps, Hosting, Others]
“I have a series of questions, and the data gives the answers.”
~ or ~
“I don’t know the questions yet; let’s look at the data.”
If We Have Good Data…
• We’d make better decisions
• We can make faster decisions
• We could know “the truth”
• We could…
In Summary, and In Closing…
• Risk Management is the Process of Handling Uncertainty
  It’s what the culture allows, institution requires, and individual does
• Recognize Challenges and Threats
  Need to identify and recognize sources of uncertainty
  Understand that taking risk is temporal, circumstantial, contextual
• Leadership Must set the Tone
  But it’s our combined responsibility – we all play a part!
• Dynamic Business Requirements, Capabilities, Challenges
  Require new approaches to mitigate or take advantage of the risk
• Data is Key to Understanding your Environment
  Data analytics will help you reduce risk
“Organizations achieve success by taking risk… then undermine their success by not effectively managing risk.”