40 minutes | Oct 1, 2022
#14 Is Vertical Systemic Risk a One-Way Street?
If you've studied SABSA to foundation level, you may recall how systemic risk navigates the domain model. If a risk materialises in a domain, the impact it has can act on the superdomain causing a risk event to occur there. Ok, simples right? Well Maurice was recently asked if this effect can occur in the opposite direction, i.e. from a domain to its subdomain. The search for a concrete example or a contradiction started. In this episode we consider this question which leads to further questions about the nature of hierarchy in the domain model and co-existent parallel domain models – but no quantum entanglement (yet). Have a listen and then join the debate, or if you have the answer put an end to it.
37 minutes | Nov 8, 2021
#13 Blindsided by an Unknown Unknown
With hindsight, declaring a risk an unknown unknown is often no more than an admission of a lack of foresight, a lack of imagination. How many risks that are actually realised were really inconceivable in advance? Risk identification is a process that is resource constrained, and reasonably so. But with more time, more perspectives, more insights, more intelligence the chances are you'd have identified the risk. Perhaps to do so would have not been cost effective; or you may have decided to limit analysis and not successfully managed an outlier risk. But to declare it an unknown unknown (after the fact) is rejecting an opportunity to learn. Is it not fatalistic to shrug one's shoulders and say "How could I have known"? In this episode we discuss Unknown Unknowns, along with their bedfellows Known Knowns, Known Unknowns and Unknown Knowns, and their place in the identification and management of business risks.
40 minutes | Sep 21, 2021
#12 The World is in Flux, Are You Ready to Adapt?
The last two years have seen changes that few were prepared for. In the aftermath we can argue whether it was a black swan, grey rhino, or octarine unicorn event, but ultimately, once the overture is done, what matters is your ability to adapt to the new world order. Even if you had a specific plan in place, as such events unfold the situation will likely evolve in unpredictable directions. Over time, change external to your sphere of control is inevitable. Some changes are large shocks that affect nations, regions or the entire world. Some only affect certain industries or a subset of businesses in an industry. While mitigating and planning the response to known, but uncertain, events is important, it is also important to avoid assumptions about future states and to build organisational structures and processes that can adapt no matter what comes over the horizon. In this episode, we discuss being Adaptable and Adaptive. Listen to our conversation to hear our thoughts on the perhaps subtle but important differences between these very similar terms.
38 minutes | Jul 2, 2021
#11 Risk Management is a Game of Snakes AND Ladders
Is your risk management one-sided, designed to minimise the likelihood and negative impacts of uncertain events? How is the uncertainty of events with positive business impacts managed? Not by the security team or using the same risk management framework, right? Threats and opportunities both rely on uncertainty. Add factors including likelihood (or frequency) and impact to either and you derive a risk: a risk that can be influenced by actions you take and by external factors you don't control. While some terminology will likely need to be revised (for example, we don't want to mitigate upside risks, we want to promote them), can we not manage all risk using the same framework? In this episode we talk about Balanced Risk: a holistic view of risk and risk management, one that considers both threats and opportunities, with risk treatment driven by business goals and tempered by risk appetites. Risk treatments are rarely simple; they may affect multiple risks and themselves introduce new risks. Reimagine risk management not as minimising (downside) risk, but as gaining confidence in achieving business goals.
47 minutes | May 13, 2021
#10 Supply Chain Risk (with Vincent Thiele)
News of business impacts from the realisation of cyber risks is all around us. Many of the largest breaches in recent years have involved one or more suppliers in some way. Few will be unaware of Sunburst/Solorigate, and many will have been directly impacted or know people that have been. But it is not just your direct suppliers, or your technology supply chain, that can suffer from a cyber attack that impacts you, as is clear to many following the Colonial Pipeline attack. Do you know who your suppliers' suppliers are? Are you gaining any assurance of the cyber security of your non-technology suppliers? Are you assessing during on-boarding only, or monitoring over time? In this episode Martin and Maurice are joined by Vincent Thiele to discuss Supply Chain Risk. How can you identify threats and manage risks originating from the whole graph of your suppliers, their suppliers, ...? Where should you concentrate your efforts, and what can you do to meaningfully measure the security posture of suppliers?
40 minutes | Apr 6, 2021
#9 Privacy: Security's New Clothes?
The desire for privacy is nothing new, but societal expectations have certainly come a long way since the middle ages. Over the last two decades many have seen additional rights enshrined in law. Businesses increasingly face sanctions for not respecting the privacy of those they associate with. Businesses have privacy-related risks: they are required to protect personal data. But they also have security risks - are the approaches to manage these not broad enough to cover privacy, or could they not be readily expanded to do so? If you were asked to draw a Venn diagram of security and privacy on the back of a beer mat (remember those?), what would it look like? Is privacy a subset of security? Is there a large intersection, a small intersection, or maybe even none? In this episode Martin and Maurice discuss privacy and how it relates to security. Is privacy materially different to risk-driven security? Do you need different teams with different frameworks to deliver privacy and security?
35 minutes | Feb 22, 2021
#8 Certifications - Value or Vanity
The information security field is awash with certifications. To an outsider, many job adverts, in what is increasingly a sellers' market, are full of impenetrable acronyms. But who do all these certifications (https://pauljerimy.com/security-certification-roadmap/) serve? Is the content relevant, and do they effectively demonstrate knowledge, capability, and desire to learn? Are they a part of the supposed skills gap rather than its solution? In this episode Martin and Maurice discuss the value of certifications and different ways in which we can assess and discover knowledge, skills and practitioner capability in our industry.
41 minutes | Dec 21, 2020
#7 Risk & Risk Appetite (with Jaco Jacobs)
Enlightened risk management frameworks say we should manage risks to the business within the risk appetite. But what is the risk appetite? Can anyone in the organisation articulate it beyond vague statements such as “medium risk appetite”, “prudent basis” or “risk averse basis”? Risk appetite is dynamic, and we need to be able to change it and identify the impacts this has on our risk management when we do. Armed with an understanding of our risk appetite, what risk management challenges are we better equipped to address? Can we leverage it to identify areas where we might actually want to consciously take more risk? Can we improve risk decisions? In this episode regular hosts Martin and Maurice are joined by COSAC regular Jaco Jacobs to discuss cyber risk appetite.
45 minutes | Nov 26, 2020
#6 Zero Trust - Revolutionary, Evolutionary or Snake Oil? (with Chris Blunt)
Do you trust your network? Did you resist the lure of cloud services and network virtualisation, content with your on-premises network security, only to suffer from attackers or malware able to move laterally at will? Did you have a perimeter-based, network-centric security model when the COVID-19 pandemic hit, and realise that your already porous perimeter was preventing your staff from being able to work from where they were forced to be? The traditional physical network cannot provide the security services we need. The shift from network-centric security to something more application- and user-focused is not new, but it is growing in pace. Zero Trust enables you to remove binary access decisions based on being on the corporate network and instead lets you build confidence in devices, users and applications, enabling risk-based authorisation and access. Join us as we discuss Zero Trust with our guest Chris Blunt, who as a consulting enterprise security architect has first-hand experience of guiding clients in their transformation and implementation of Zero Trust.
33 minutes | Oct 29, 2020
#5 SWOT - Context, Capability, Challenge & Course
What threats does your project, or business, face? What opportunities have you identified that you could pursue? What strengths do you have that you can leverage to achieve your goals? What weaknesses might hold you back or cause you to fail? Underlying all of these questions is your situation and the external factors in play. The answers influence the direction you should take. In this episode Martin and Maurice explore the elements of SWOT analysis, provide some pointers to help you differentiate the different factors, and highlight why this is important in the planning and execution of the course you take. Informally, they discuss: the context you're operating within; the capabilities you have, and those you don't have; and the challenges thrust upon you and those you choose to undertake. Only by understanding these can you set your course with confidence.
41 minutes | Sep 27, 2020
#4 Business Risk & Risk Ownership (with Bill Schultz)
Does the CISO own all cyber related risks to the business? It depends, but in many businesses that is the default position. Who is responsible for risk identification and analysis; identification, rating and selection of treatment options; and for managing residual risks within the defined risk appetite? Is it the security function, the business service owner, the application owner, the data owner, or is it potentially none of these? Should we not logically separate risk management responsibility and risk ownership? What about systemic risks? In this episode regular hosts Martin and Maurice are joined by Bill Schultz from Vanderbilt University Medical Center to discuss cyber risk management. We’ll discuss our ideas, VUMC’s architected approaches, and the realities of cyber risk management in a business where lives are at risk and privacy is paramount.
30 minutes | Sep 9, 2020
In our previous episode we referenced not being in business to be compliant. Of course, that doesn't mean that compliance is never important; in some instances, it is critical to maintaining a licence to operate in an industry or market. Compliance isn’t a mission, a purpose or a goal. Compliance provides some fenceposts, an approach to measurement, and in many cases a degree of reassurance. But is compliance alone sufficient to protect our organisations? How does a compliance led approach compare to a security led approach? In this episode we discuss compliance and how it relates to information security, whose interests it serves, and the value business driven security can deliver beyond compliance.
47 minutes | Aug 27, 2020
Ransomware does not appear to have fallen victim to the pandemic. On the contrary, successful attacks appear to have increased and the impacts are escalating too. Hardly a day goes by without news of another ransomware attack on a prominent organisation, or further details of a previous attack being shared. Has the massive increase in remote working improved the success rate? Have organised crime groups switched focus from other income streams that have been hit? Maybe, but answering those questions probably won't give you actionable insights into what you need to do to protect your assets. Join us as we discuss how you can prepare for a ransomware attack and whether paying should ever be considered.
47 minutes | Aug 17, 2020
In the light of recurring instances of security issues in foundational components of modern IT and software stacks, and the superfast world our businesses are operating in, Maurice and Martin talk about trust. What can it mean to say we trust a vendor or a partner? Can we ever really trust one of the Internet giants? Can we secure trust? Join us as we explore the role of trust in organisational cyber security.
© Stitcher 2022