
Caffeinated Risk

Author: McCreight & Leece


Description

The monthly podcast for security professionals, by security professionals. Two self-proclaimed grumpy security professionals talk security risk, how they've managed it in the past, and forward-looking discussions with guests working in information security and risk management.
38 Episodes
Regulatory frameworks from PCI-DSS to NERC-CIP to the newly minted NIST CSF 2.0 each require organizations of all sizes to have cyber incident response plans. Most of us who have spent any time in cubicle-filled office towers are familiar with fire drills to clear the building and gather staff at muster points, and that is as close as we get to the real thing. Unfortunately that same lucky streak will Unlike a fire drill, recent research estimates 85% of businesses will experience a cyber incident annually, and many will find shortcomings in their incident response plan. This episode explores a couple of recent newsworthy Canadian cyber incidents, challenges with incident response plans and, as always, how to use ESRM principles to further your program, even in a time of crisis.
Those running a business today who have not experienced disruption due to cyber issues or attacks know it is only a matter of time. Even if their organization is not directly targeted, the modern marketplace, comprised of multiple interconnected supply chains, means impact is unavoidable, but this episode's guest, Steven J Ross, contends planning, design and clear priorities can provide mitigating resilience. Steven J Ross, executive principal of Risk Masters International, is a recognized cyber security expert specializing in cyber resilience, recovery and business continuity. His decades of experience come through loud and clear with a somewhat unflinching perspective on the current digital threat landscape and its impact on organizations and individuals. In addition to leading a boutique risk management practice helping Finance, Health care, Defense and more, Mr. Ross has been the author of one of ISACA Journal's most read columns since 1998.
The U.S. Securities and Exchange Commission defined new rules for cyber risk matters facing publicly traded corporations in July of 2023. Although the SEC's mandate is limited to publicly traded companies in the United States, where one regulator goes others are apt to follow. Brian Allen is the co-author of a brand new book putting form, structure and traceability around the SEC-mandated requirement for a Cyber Risk Management Program. Mr. Allen was one of the original creators and advocates of the ESRM framework first published in 2013, and has been practicing security risk management throughout his career. Caffeinated Risk is very pleased to bring a very candid conversation with a true thought leader in the risk management field to our ever-growing family of listeners.
The ISA 99 standards body is one of the most recognized authorities on cyber-physical security, covering many aspects of a cyber security management system for industrial control systems, including risk management. This episode features John Cusimano, former chairman of the ISA subcommittee responsible for authoring the risk management portion of the standard 62443-3-2:2020. Mr. Cusimano takes us back to the origins of the OT-specific risk assessment process, originally dubbed CyberPHA. We also explore how the methodology can be managed and perceived at different levels of the organization, as well as how this approach can safely carry organizations into a future that includes cloud computing. John is currently the Vice President for Operational Technology Security at Armexa, with more than 30 years of experience in OT, and one of the early thought leaders in this unique area of cyber security and risk management.
Security and crime are often in close proximity but not always studied together. This month's episode features Martin Gill, a criminologist who made the study of crime and security his life's work. After a decade as a lecturing professor at the University of Leicester, Mr. Gill started Perpetuity Research in 2002 and continues to provide very high quality research, both qualitative and quantitative, on what works -- and more importantly what does not -- in many different areas of the security field. In addition to leading the annual Security Research Initiative reports, Martin Gill is also a contributing author and editor of many criminology and security textbooks, including "The Handbook of Security" -- now in its third edition.
Post GSX conference, which included an in-depth review of ESRM and an interview with former U.S. president George W Bush, this episode considers how enterprise security risk management has stood the test of time as well as how risk analysis will need to evolve. Financial receptors can be found in almost every organizational risk matrix, but how do those decisions change with modern ransomware attacks? How does a threat intelligence program contribute to organizational defense and resilience?
The convergence buzzword has come and gone, and some organizations have struggled to reap the benefits of physical and cyber security departments working in tandem toward common goals. Michael Lashlee, deputy Chief Security Officer at Mastercard, shares security insights from the US Marines, the Secret Service and financial services tech giant Mastercard, illustrating how principles from very different missions overlap surprisingly often. Mr. Lashlee also discusses how technology supports the physical, intelligence and fraud specialists working to keep Mastercard customers' client data safe, as well as steps they are taking to resolve the cyber skills talent shortage.
Calgary was an ICS cyber hub before most knew such measures were necessary. Terry Freestone was one of the ICT specialists from those early days who now applies his decades of hard-won knowledge in the offices of the Canadian Energy Regulator. Speaking as a private citizen and cyber security expert rather than a government representative, Terry and the Caffeinated Risk team explore risk management from the energy producer's perspective and his four-point strategy for risk mitigation prioritization that works for any size of staff or budget.
2023 Summer Show

2023-06-29, 30:56

Keeping up the accidental annual tradition, Tim and Doug take a retrospective look at risk management as a mid-year pulse. The 10th annual Cyberthreat Defense report forms the underlying theme, but they dig under the statistics to analyze how these might pertain to ESRM. Communication also popped up as a topic, and Tim shares some lessons learned from the field as well as a professional development resource.
One of the original authors of the ESRM framework, now in its tenth year, and Caffeinated Risk's first guest returns to discuss how data science is changing security and risk management. While alchemy may be a bit of a stretch, Ms. Loyear's ongoing focus on including human behaviour in the risk equation is leading to the development of data science based detection capabilities that would have appeared magical even 5-10 years ago. Rachelle Loyear is the Vice President of Integrated Security Solutions for Allied Universal and co-author of The Manager's Guide to Enterprise Security Risk Management.
Threat modeling expert and inventor of one of the world's first attack tree modeling products talks about how to integrate subject matter expertise into the risk equation; the answer may be surprising. Bonus content not included in the original interview with Terry, which dove deep into the history of attack trees, modern applications, and why there is no AI magic when it comes to identifying events that could end your organization. Well worth a listen if you missed it.
Factor Analysis of Information Risk (FAIR) and Enterprise Security Risk Management (ESRM) took different evolutionary paths yet share a lot more commonality than catchy 4-letter acronyms and mainstream adoption by notable organizations like NIST, The Open Group and ASIS International. Jack Freund personifies the term "risk management thought leader" with professional qualifications and public recognitions too long to list, but co-author of Measuring and Managing Information Risk can't go unmentioned, since industry peers inducted this seminal title into the Cybersecurity Canon. With risk management discussions ranging from banking to defeating door locks, Dr. Freund was consistently insightful, humorous, and a delightful guest.
In addition to hybrid work and regular time in the office being the new normal, 2023 marks the year Caffeinated Risk's co-host Tim McCreight serves as the president of ASIS International. ASIS has long been a proponent of both physical and cyber security professionalism and one of the first organizations to explore and embrace Enterprise Security Risk Management (ESRM) as an integral element of security. Scholarly articles on cyber-physical security convergence started appearing in the late 1990s; more than 25 years later the convergence buzz has ebbed and flowed, but silos remain. In this episode Tim shares his insights from the past 40 years, the benefits of a converged approach, as well as some of the paths toward success.
Realtors have long advocated "location, location, location" as a path to investment success. Fast forwarding a few generations, location intelligence applied to risk management is paying dividends well beyond real estate, and Esri is a world leader in this fascinating application of geo-spatial information. Esri business solutions leader Alex Martonik shares examples of businesses making improvements to resilience and the bottom line by combining GIS, financial, technological and political data into risk calculations. Mr. Martonik also shares Esri's approach to "democratizing risk insights", helping solve the all too common problem of procuring buy-in.
A great discussion point that didn't make it to air from the original 2021 episode. Not all data is of equal value to the organization, and the viable shelf life is seldom tracked or even discussed. This espresso shot takes a humorous look at a serious question about privacy considerations during the development cycle; check out the original full episode with privacy thought leader Michelle Finneran Dennedy.
Communication isn't effective until the receiver understands the message well enough to take action. That pretty much sums up the challenge facing many risk professionals today, something Paul Mercer resolved, out of necessity, by building risk management software that is proving to be a welcome solution for many notable customers. Mr. Mercer is no stranger to the front lines of risk management, starting with the Royal Navy and then extensive risk and crisis consulting for international clients. Well-known ESRM practitioners are also recognizing the value of Mercer's approach to digital safety and security risk management.
As co-author of the original book on Enterprise Security Risk Management, it only made sense to have Rachelle be the first Caffeinated Risk guest. Like many guests, there was just too much material for a 30-minute episode. This espresso shot encore digs into the nuanced topic of truly partnering with business stakeholders.
Anyone with a bit of time in the security industry is well acquainted with Murphy's law, but crisis management specialists are who you call when things suddenly get very real. While common security guidance advocates protection, readying your organization to weather the inevitable failure in prevention measures starts with resilience. International crisis management thought leader Alexandra Hoffman and 2022 IFSEC Global Influencer and Meta's head of Global Security Protective Intelligence Tim Wenzel dive deep into what resilience really means at the organizational level. Security folks are fond of saying "it's not if but when ...". Listen in to learn more about how to prepare your organization for that eventuality from those who have been there with some of the biggest companies in the world.
Recorded two days after the July 2022 nationwide telecom outage, co-hosts Tim and Doug explore the deeper ramifications of losing access to the very services that are so tightly integrated into our lifestyle. While the complete root cause of the Rogers outage may never be publicly shared, most organizations face similar constraints, leading to a discussion about ethics and our shared commitment to the common good.

Documents referenced in the show:
- ACM Code of Ethics
- Energy sector asset management
Sooner or later every risk management professional faces the hard reality that comprehensive risk management programs can't be implemented on spreadsheets. A corporate vice president's mandate, minus the funding, started Josh Sokol on a journey that turned his initial platform solution into an open-source project that morphed into a commercial venture. While meeting the risk management and compliance needs of organizations large and small, the Simple Risk founder remains committed to a practical approach for stewarding cyber security issues and mentoring the next generation of security professionals. This episode explores the true GRC platform needs -- not the marketing -- and the cyber security executive's role in enterprise risk management.