Ever wondered how top universities protect their cutting-edge research from prying eyes while ensuring seamless access for their scholars? Join us as Michael Spaling, Principal Security Architect at the University of Alberta, takes us behind the scenes of this high-stakes balancing act. Just like any other large organization, research universities have many different stakeholder, operational and regulatory requirements, thousands of employees and tens of thousands of customers. In a strange ...
The practice of engineering dates back thousands of years, incorporating science and mathematics to solve problems in the ancient world, and remains a key requirement for developing the complex digital systems controlling the physical systems core to our modern way of life. Unfortunately connectivity and complexity have created a vulnerability we must now engineer our way out of, and just like risk management, engineering is about balancing constraints.Andrew Ginter is a recognized thought le...
Technological change is inevitable and often one of the aspects that attracts people toward careers in information and operational technology. Although risk management is a part of navigating advancement in any area, the fundamental flaw in any management system is our human tendencies. This episode explores how organizations can make slow, steady migration from first principles to risky undertakings without noticing. Marco Ayala, an operational technology cybersecurity expert and current Hou...
Whether it's the NIST CSF, 8276 or the new European Cyber Resilience Act there is no denying the expectation that supply chain management (SCM) is a risk management area no organization can ignore. While SolarWinds is recent common reference in many SCM discussions, this episode's guest takes us back to Target's major data breach that resulted in significant changes to the PCI-DSS standard. Darren Gallop, a serially successful Canadian tech entrepreneur, recounts the early journey...
Long before the Matrix captured peoples imaginations, Winn Schwartau was steadily offering red pills for those reading his many books on information warfare. A scholastic level researcher without the pretense, Mr. Schwartau has been recognized internationally as one of the leading security thinkers of our time and has a special capability for distilling complex security concepts into every day language and metaphor. In this episode Tim and Doug talk with Winn about the battle big ...
Almost all incident response plans include a "lessons learned" step, and in the post adrenalin phase that follows many breaches, reviewing what worked and what needs improving doesn't excite a lot of people. Adam McMath is clearly the exception, leading incident response activities in both the cyber realm and physical. How do resilience and incident response lessons learned while literally fighting fires translate into risk management practices within cyber security, is a go...
Amongst the industry verticals classified as critical infrastructure, few would argue that telecommunications belongs in the top that list, placing even more weight on a risk management program due to cascading impacts. Consequently, safe reliable operations are essential for success while continuing to grow in a highly competitive marketplace. A security risk management challenge across many dimensions that has become an ESRM success story. This episode features Radek Havlis, Vice...
Regulatory frameworks from PCI-DSS to NERC-CIP to the newly minted NIST CSF 2.0 each require organizations of all sizes to have cyber incident response plans. Most of us who have spent any time in cubicle filled office towers are familiar with fire drills to clear the building and gather staff at muster points, and that is as close as we get to the real thing. Unfortunately that same lucky streak will Unlike a fire drill, recent research estimates 85% of b...
Those running a business today who have not experienced disruption due to cyber issues or attacks know it is only a matter of time. Even if their organization is not directly targeted, the modern marketplace comprised of multiple, interconnected supply chains, means impact is unavoidable but this episode's guest, Steven J Ross contends planning, design and clear priorities can provide mitigating resilience.Steven J Ross, executive principal of Risk Masters International, is a reco...
The U.S. Security Exchange Commission defined new rules for cyber risk matters facing publicly traded corporations in July of 2023. Although the SEC's mandate is limited to publicly traded companies in the United States, where one regulator goes others are apt to follow. Brian Allen is the co-author of a brand new book putting form, structure and traceability around the SEC mandated requirement for a Cyber Risk Management Program. Mr. Allen was on of the original creators a...
The ISA 99 standards body is one of the most recognized authorities on cyber physical security covering many aspects of a cyber security management system for industrial control systems including risk management. This episode features John Cusimano, former chairman of the ISA subcommittee responsible for authoring the risk management portion of the standard 62443-3-2:2020 Mr. Cusimano takes us back to the origins of the OT specific risk assessment process, originally dubbed ...
Security and crime are often in close proximity but not always studied together. This month's episode features Martin Gill a criminologist who made the study of crime and security his life's work. After a decade as a lecturing professor at the University of Leichester, Mr. Gill started Perpetuity Research in 2002 and continues to provide very high quality research, both qualitiative and quantitiative, on what works -- and more importantly what does not -- on many diffe...
Post GSX conference, which included an in-depth review of ESRM and an interview with former U.S. president George W Bush, this episode considers how enterprise security risk management has stood the test of time as well as how risk analysis will need to evolve . Financial receptors can be found in almost every organizational risk matrix but how do those decisions change with modern ransomware attacks? How does a threat intelligence program contribute to organizational defense and r...
The convergence buzzword has come and gone and some organizations have struggled to reap the benefits of physical and cyber security departments working in tandem toward common goals. Michael Lashlee, deputy Chief Security Officer at Mastercard, shares security insights from the US Marines, secret service and financial services tech giant Mastercard, illustrating how principles from very different missions overlap surprisingly often. Mr. Lashlee also discusses how technology...
Calgary was an ICS cyber hub before most knew such measures were necessary, Terry Freestone was one of the ICT specialists from those early days who now applies his decades of hard-won knowledge in the offices of the Canadian Energy Regulator. Speaking as a private citizen and cyber security expert rather than a government representative, Terry and the Caffeinated Risk team explore risk management from the energy producer's perspective and his four point strategy for r...
Keeping up the accidental annual tradition Tim and Doug take a retrospective look at risk management as a mid-year pulse. The 10th annual Cyberthreat Defense report forms the underlying theme but digging under the statistics to analyze how these might pertain to ESRM. Communication also popped up as a topic, and Tim shares some lessons learned from the field as well as a professional development resource.
One of the original authors of the ESRM framework, now in it's tenth year, and Caffeinated Risk's first guest returns to discuss how data science is changing security and risk management. While alchemy may be a bit of a stretch, Ms. Loyear ongoing focus of including human behaviour in the risk equation is leading to the development of data science based detection capabilities that would have appeared magical even 5-10 years ago. Rachelle Loyear is the Vice President of Integrated ...
Threat modeling expert and inventor of one of the world's first attack tree modeling products talks about how to integrate subject matter expertise into the risk equation, the answer may be surprising.Bonus content not included in the original interview with Terry which dove deep into the history of attack trees, modern applications and exploring why there is no AI magic when it comes to identifying events that could end your organization. Well worth a listen if you mis...
Factor Analysis of Information Risk (FAIR) and Enterprise Security Risk Management (ESRM) took different evolutionary paths yet share a lot more commonality than catchy 4 letter acronyms and mainstream adoption by notable organizations like NIST, The Open Group and ASIS international. Jack Freund personifies the term "risk management thought leader" with professional qualifications and public recognitions too long to list, but co-author of Measuring and Managing Information Risk c...
In addition to hybrid work and regular time in the office being the new normal, 2023 marks the year Caffeinated Risk's co-host Tim McCreight serves as the president of ASIS international. ASIS has long been a proponent of both physical and cyber security professionalism and one of the first organizations to explore and embrace Enterprise Security Risk Management (ESRM) as an integral element of security.Scholarly articles on cyber-physical security convergence started appearing in...