If you had a magic wand to make the ideal risk management framework for the industry, what would that look like?

To be honest, I don't know yet. I feel we're on the cusp of being able to say, we're getting a better comfort level with what we've looked at and done so far. I constantly challenged my team to say, "You got to prove it." You have all these concepts and we have all these ideas, but I haven't seen yet the math to address mitigations. I haven't seen yet the ability to apply the time window. But we say it all the time. We say things like, "This is a three-year problem because all of these assets or versions are going to age out. So we may run out of time because this stuff may just end up retiring. Can we live like that? For how long, and what percent of the population?" So if we say, "Listen, leave the last 5% alone, because it's isolated, you can't move laterally from it, and yes, we might have a bad day and lose 5% of our laptops and it would be terrible, but it's not the whole organization." So we're making those decisions, not within that fantastic dashboard model, which would be awesome. Imagine being able to watch the red lights pop up when you just address those on a day. So I would love to get to that level.

Anonymous Author
One of the things that comes to my mind is when you want to pull in threat and vulnerability management information. When you think about the GRC tools today, they typically don't have anything to do with that. I think that there's a way where we should be able to pull info from the security operations centers into this matrix, and really be able to spin it and look at what we're talking about here. So I think there's a lot more info that we can pull in that will help us get to that point where we want to go.