Risk Management

What are your thoughts on SaaS management platforms (SMP)?


Is phishing still a major focus at your organization?

Top Answer : We conduct phishing exercises throughout the year. There is a simulation running every day, hitting different people, of course. I use these to draw metrics and see who is the least resilient to phishing, which tells me who the high-risk staff members in the organization are. If I want to go the route of taking backups, then that is my driver, because if I start taking backups for everyone it is very difficult to manage.
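
The answer above describes turning daily simulation results into a ranking of the least-resilient staff. The script below is an added example, not code from the answer or from any simulation platform: the rows are a constructed export, and the field names, failure weights and 30-day half-life recency weighting are assumptions. It goes one step beyond the answer by also requiring a minimum number of simulations before someone is called high-risk, since a single failed email is a weak signal.

```python
"""Rank staff by phishing-simulation resilience.

Added example, not code from the original answer. SIM_RESULTS is a
constructed export; field names, FAIL_WEIGHT and the recency half-life
are assumptions rather than any platform's real format.
"""
from collections import defaultdict
from datetime import date

# Constructed sample results: one row per simulated email delivered.
# action is one of "ignored", "reported", "clicked", "submitted".
SIM_RESULTS = [
    {"user": "alice", "date": "2024-03-01", "action": "reported"},
    {"user": "alice", "date": "2024-03-15", "action": "ignored"},
    {"user": "alice", "date": "2024-04-02", "action": "reported"},
    {"user": "bob",   "date": "2024-03-03", "action": "clicked"},
    {"user": "bob",   "date": "2024-03-20", "action": "submitted"},
    {"user": "bob",   "date": "2024-04-05", "action": "clicked"},
    {"user": "carol", "date": "2024-03-05", "action": "ignored"},
    {"user": "carol", "date": "2024-03-25", "action": "clicked"},
    {"user": "carol", "date": "2024-04-06", "action": "reported"},
    {"user": "dave",  "date": "2024-04-07", "action": "submitted"},
]

# Assumed failure weights: submitting credentials counts double a click.
FAIL_WEIGHT = {"ignored": 0.0, "reported": 0.0, "clicked": 1.0, "submitted": 2.0}


def per_user_metrics(rows, as_of, half_life_days=30):
    """Return {user: {"simulations", "report_rate", "risk"}}.

    risk is a decayed failure rate: each simulation contributes
    FAIL_WEIGHT[action] * 0.5 ** (age_days / half_life_days), divided by the
    equally decayed count of simulations, so a click last week outweighs one
    from three months ago and heavy recipients are not penalised for volume.
    """
    as_of_day = date.fromisoformat(as_of)
    fail, seen = defaultdict(float), defaultdict(float)
    sims, reports = defaultdict(int), defaultdict(int)
    for r in rows:
        age = (as_of_day - date.fromisoformat(r["date"])).days
        if age < 0:
            raise ValueError(f"result dated after as_of: {r}")
        weight = 0.5 ** (age / half_life_days)
        user = r["user"]
        fail[user] += FAIL_WEIGHT[r["action"]] * weight
        seen[user] += weight
        sims[user] += 1
        if r["action"] == "reported":
            reports[user] += 1
    return {
        u: {
            "simulations": sims[u],
            "report_rate": round(reports[u] / sims[u], 3),
            "risk": round(fail[u] / seen[u], 3),
        }
        for u in sims
    }


def least_resilient(rows, as_of, min_simulations=1, top=10):
    """Users ordered from highest to lowest risk.

    min_simulations is the caveat for this kind of ranking: one submitted
    credential in one simulation yields the maximum score, so require a
    few data points before treating someone as high-risk.
    """
    metrics = per_user_metrics(rows, as_of)
    eligible = [u for u, m in metrics.items() if m["simulations"] >= min_simulations]
    return sorted(eligible, key=lambda u: (-metrics[u]["risk"], u))[:top]


if __name__ == "__main__":
    for user, m in per_user_metrics(SIM_RESULTS, "2024-04-08").items():
        print(f"{user:6} sims={m['simulations']} reported={m['report_rate']:.0%} risk={m['risk']}")
    print("high-risk (>=2 simulations):",
          least_resilient(SIM_RESULTS, "2024-04-08", min_simulations=2))
```

Run as-is it ranks dave first on a single submitted credential; with `min_simulations=2` he drops out until more data arrives, and bob, who clicked or submitted in all three of his simulations, tops the list. The report rate is worth tracking next to the risk score because reporting a lure is the behaviour the exercise is meant to build.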

Securing the Software Supply Chain

With high profile software supply chain attacks increasingly in the news, how are leaders protecting their organization from vulnerabilities?

Has ransomware become more prevalent or just increasingly publicized?

Top Answer : There is a lot of debate about whether the rise of ransomware has happened because of cryptocurrency. Cryptocurrency has been here, and the way I see it is, there's honey, so all the flies are coming for it. If there is money, crooks will come out. 51% of the companies hit by ransomware are hit again within 3 months, because people noted that they paid and then didn't increase their protection. We need to figure out how to recognize it, how to protect against it and what we can do about it if it happens. But there are costs involved. For me as a business technology guy, I need to understand where I should put my dollars. There are 30-40 different security applications in an organization. That's too many.

How are you defending yourself against ransomware?

Top Answer : One of the things I've been working on a lot with my clients is planning for failure. Assume that you will be violated. What happens then? What sort of policies, what kind of steps should you have in place, what kind of technologies do you have? Design for failure. Design for fragility so that you can create a more robust environment. Fortunately, none of our customers have had ransomware incidents, but they are all very concerned about it. They’re looking at ways in which they can better manage their situation, including education. Technology's one solution, but they feel like the first thing they need to do is to educate their people to ensure that they understand the simple things. So it becomes a cohesive effort. Our organization is worried about ransomware, and the first thing we're doing is educating everyone to take the right steps, like not opening emails of a suspicious nature, but also to plan for failure.

Is it dangerous to only quantify risk in dollars?

Top Answer : When you frame things in dollars and cents it makes it easier to accept the cost consequences and have insurance, rather than framing it in terms of real harm that can hurt people. It’s like Ford shipping the Pinto for several years, when it quantified things financially rather than looking at the human impact of shipping that car. We need to start quantifying all cyber risks—not only the financial ones, which are risks to me as an organization, but also the risks to your customers. That has brand implications and potential financial implications. But if there is a human impact to a risk it should be framed in those terms. Think of JBS, the meat packing company. For a long time I've been saying that a meat industry cyber event was a risk where people are “asleep at the wheel”. The JBS attack wasn't ransomware. It was playing with the food safety data. Imagine if the attackers of that meat processing company, instead of just ransoming their systems, played with the integrity of that data. People could die.

Are there any tools that have helped ease your ransomware concerns?

Top Answer : I’m not worried about ransomware at my airport because I've air gapped and segmented certain things off. The portions and schedules that you can get from the internet are totally separate from anything dealing with the aircraft. Also, for updating the aircraft themselves, everything is completely air gapped. Because I have it totally separated, it does make some things more difficult. People say, "I want access to take a look at whatever I did for timing on this," but that has to be done from the office. It’s at such a level that I can't make that kind of mistake.
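
An air gap is only as good as the evidence that nothing crosses it, so a practitioner reading the answer above would want a check that turns "the aircraft network talks to nobody" into a rule and runs observed flows through it. The script below is an added example, not code from the answer or from the airport described: the zones, addresses, allow-list and flow-log lines are all constructed, and a real check would read firewall or NetFlow export and a policy written for the actual network. It goes beyond the answer in one respect: it separates an ordinary policy miss from a flow touching the air-gapped zone, since the second should page someone rather than wait for a weekly report.

```python
"""Check observed network flows against a segmentation / air-gap policy.

Added example, not code from the original answer. ZONES, ALLOW and
FLOW_LOG are constructed for illustration; substitute the real network
and a real flow export when using this.
"""
import ipaddress
import re

# Assumed zones. Dict order matters: the first matching network wins, so the
# catch-all "internet" entry must come last.
ZONES = {
    "internet_facing": ipaddress.ip_network("10.10.0.0/16"),    # schedules, public web
    "office":          ipaddress.ip_network("10.20.0.0/16"),
    "aircraft_ops":    ipaddress.ip_network("192.168.50.0/24"),  # aircraft update network
    "internet":        ipaddress.ip_network("0.0.0.0/0"),
}

# Allowed (src_zone, dst_zone, dport); dport None means any port.
# Anything not listed is a violation. aircraft_ops only ever talks to itself:
# that is the air gap written down as policy.
ALLOW = {
    ("office", "office", None),
    ("internet_facing", "internet_facing", None),
    ("aircraft_ops", "aircraft_ops", None),
    ("office", "internet_facing", 443),
    ("internet", "internet_facing", 443),
    ("internet_facing", "internet", 443),
}

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

# Constructed flow-log lines in a simple key=value style.
FLOW_LOG = [
    "2024-04-08T09:00:01 src=10.20.1.15 dst=10.10.3.4 dport=443 proto=tcp",
    "2024-04-08T09:00:05 src=10.20.1.15 dst=10.20.7.9 dport=445 proto=tcp",
    "2024-04-08T09:01:10 src=10.10.3.4 dst=10.20.1.15 dport=22 proto=tcp",
    "2024-04-08T09:02:00 src=10.20.1.15 dst=192.168.50.7 dport=8080 proto=tcp",
    "2024-04-08T09:03:30 src=192.168.50.7 dst=203.0.113.9 dport=443 proto=tcp",
    "2024-04-08T09:04:00 src=192.168.50.7 dst=192.168.50.8 dport=22 proto=tcp",
]


def zone_of(ip):
    """Name of the first zone containing ip; 'unknown' if none (e.g. IPv6 here)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:   # False for mismatched IP versions, so IPv6 falls through
            return name
    return "unknown"


def check_flow(line):
    """Return None if the flow is permitted, otherwise a reason string."""
    m = FLOW_RE.search(line)
    if not m:
        return "unparseable"
    src, dst, port = m.group(1), m.group(2), int(m.group(3))
    sz, dz = zone_of(src), zone_of(dst)
    if (sz, dz, port) in ALLOW or (sz, dz, None) in ALLOW:
        return None
    # A flow into or out of the air-gapped zone is a different class of event
    # from an ordinary denied connection between the other zones.
    if "aircraft_ops" in (sz, dz) and sz != dz:
        return f"AIR-GAP BREACH {sz}->{dz}:{port} ({src}->{dst})"
    return f"denied {sz}->{dz}:{port} ({src}->{dst})"


def violations(lines):
    """All (line, reason) pairs for flows the policy does not allow."""
    out = []
    for line in lines:
        reason = check_flow(line)
        if reason is not None:
            out.append((line, reason))
    return out


if __name__ == "__main__":
    for line, reason in violations(FLOW_LOG):
        print(reason, "|", line)
```

The allow-list is deliberately a positive list: the air gap is expressed by `aircraft_ops` appearing only paired with itself, so a new rule someone adds later that lets another zone reach it shows up as a diff in policy rather than as a surprise in the logs.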