Risky Business: Managing Risk Across the Enterprise

Greg Akers, Senior Vice President, Advanced Security Initiatives


Businesses continuously seek to forecast tomorrow to make better decisions today

Risk Management is the process of dealing with uncertainty

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public. CyberSpace 2009


Effective Risk Management

• Identifying and recognizing sources of uncertainty

• Measuring and assessing the frequency of occurrence and severity of impact of an event

• Evaluating alternative approaches to mitigate or take advantage of the risk


Governments and Enterprise Share Similar Security Priorities

• Balancing risk, security, compliance

• Securing ubiquitous access across devices, BYOD

• Sharing information across COIs, collaboration

• Ensuring defense in depth and breadth

• Enabling the business

• Balancing cost and productivity


Measuring Risk

[Figure: quadrant chart with axes Probability and Consequence. Quadrants: High Probability / High Consequence; High Probability / Low Consequence; Low Probability / High Consequence; Low Probability / Low Consequence.]


Managing Risk

[Figure labels: Enterprise Risk Management; Business; Infrastructure; Employees; Community; Innovation]

• Business Risk Monitoring

• Risk Responsiveness

• Tolerance

• Risk Analysis

• Risk Assessment

• Business Continuity Planning

• Risk Timing

• Disciplined Decision Making

• Business & Technology Innovation

• Business Resilience

• Insurance


Responsibility for Managing Risk

• Risk tolerance

    Cultural

    Institutional

    Individual

• Taking risk is temporal, circumstantial, contextual

• Leadership must set the tone

• IT implements technology to help manage risk

• We all play a part every day

Risk Management is what the culture allows, institution requires, and the individual does – it’s our combined responsibility.


New Approach to Managing Risk

• Increasing business complexity, globalization, competition, innovation, technology

• Exposure to new types of risk

• Focus on shareholder value protection and creation

• New regulatory requirements

• Hardening of traditional insurance markets

• Expanded set of sophisticated risk management tools


Your Role in Assessing Risk Capabilities

• What are the risks for your organization?

• Is your organization taking the appropriate level of risk?

• Does management agree on the importance of the risks?

• Does management know the real level of impact and likelihood for these risks?

• For undermanaged risks, does your organization have a plan in place to improve the management of these risks?

• For overmanaged risks, does your organization have a plan in place to improve the management of these risks?

• Does your organization take inconsistent levels of risks?


Integrated Approach to Risk Management

• Risk Assessments

    Coordinated approach to conduct interviews and use outcomes to drive initiatives and work flow

• Risk Review Group

    Oversight body composed of a cross-functional team to share information

• Risk Database

    Database that catalogs and categorizes risk to improve overall management and tracking of risk activities

[Figure labels: Risk Review Group; HR; QUALITY; LEGAL; SOX; INFO SECURITY; ERM; Brand Protection; IT; PLANNING; Supply Chain; AUDIT]


Benefits of Managing Risk

Improved Risk Knowledge

• Enhanced understanding of risks affecting performance and return and what drives them

• Ability to anticipate and communicate uncertainties inherent in performance goals

• Ability to integrate risk management with line management processes

Disciplined Decision Making

• Alignment of capacity with propensity to bear risk

• Improved capital and resource allocation capability

• Systematically guiding risk management activities through a disciplined and continuous framework

Enhanced Confidence

• Establishes supportable rationale for pricing of risks inherent in transactions

• Integration of risk management with strategic planning and decision-making processes

• Improved transparency of risks for internal and external stakeholders


Data: The Key To Understanding Your Environment

• What is on my network?

• Where is it on my network?

• How did it get on my network?

• What condition is it in?

• Who is/should be using it?

• Where does my network “go?”

• Who is really in control of my information?

• How do I manage security when no one is in control of my data?

• Do I design for compromised operations or try and assure clean operations?


Data Analytics Is The Future

[Figure labels: Identity; Geolocation; Proximity; SCADA; Home Grown Apps.; Sensor; Logs; Other Data; Event / Behavior Correlation; System Analysis; Network Analysis; Security Vendor; Other; INFORMATION; Understanding / Strategy / Action; Net Team; SecOps; Hosting; Others]

“I have a series of questions, and the data gives the answers.”

~ or ~

“I don’t know the questions yet; let’s look at the data.”


If We Have Good Data…

• We’d make better decisions

• We can make faster decisions

• We could know “the truth”

• We could…

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential


In Summary, and In Closing…

• Risk Management is the Process of Handling Uncertainty

    It’s what the culture allows, institution requires, and individual does

• Recognize Challenges and Threats

    Need to identify and recognize sources of uncertainty

    Understand that taking risk is temporal, circumstantial, contextual

• Leadership Must set the Tone

    But it’s our combined responsibility – we all play a part!

• Dynamic Business Requirements, Capabilities, Challenges

    Require new approaches to mitigate or take advantage of the risk

• Data is Key to Understanding your Environment

    Data analytics will help you reduce risk


“Organizations achieve success by taking risk… …then undermine their success by not effectively managing risk.”
