Best moments from “Hacking Acceptable Risk” – CISO Series Video Chat

Here is a highlights video from CISO Series Video Chat, “Hacking Acceptable Risk: An hour of critical thinking on when we should stop trying to reduce risk.”

Our guests from this discussion were:

Watch the full video.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor Kenna Security

Best Bad Idea

Congrats to Michael Williams, director of product marketing, Prismo Systems for winning this week’s Best Bad Idea!

Other honorable mentions go to:

“Eliminate any policy 362 days or older.” – Sandor Slijderink, executive leader, GO! Residency

“Start accepting risk when you reach a threshold of 50.” – Richard Uhunmwagho, head, business information security, Emirates NBD

“Make all your users admins. Let them do whatever they want so it’s their fault and not yours if something happens.” – Neil Saltman, senior account executive, Anomali

“Set all risks at ‘OMG IT’S AWFUL!’ so that everyone has an appropriate sense of urgency.” – Ian Poynter, virtual CISO, Kalahari Security

Best Strategies

“Quantify cyber risk through an evidence-based approach of measuring security control effectiveness + vulnerability data rather than asking SMEs (subject matter experts) the likelihood of something bad happening.” – Brian Stone, CRO, Cymulate

“Give all security risks to people in the business using plain language. We found <insert bad here>. It could be taken advantage of by <insert bad action here>. And the damage that it would cause is <insert bad result here>.” – Justin Mills, senior information security analyst, Canada Life

“Make use of a threat framework like MITRE ATT&CK, aligning it to your business, and solve those vulnerabilities which have the highest probability.” – Roland Mueller, self-employed

“All risk register entries must have an ‘alternates considered’ section that must be non-empty.” – Paul Lanzi, COO and co-founder, Remediant

“Avoid using internal security metrics when talking to the executives and the board. Instead, focus on the business impact analysis and business benefits of improving security infrastructure.” – Andrew Aken, CIO, Tweezzle Corp

Quotes from the chatroom

“All risk can be eliminated if you’re willing to accept the cost & consequences.” – Andrew Aken, CIO, Tweezzle Corp

“If the vendor says, ‘Our product eliminates risk’ – run.” – Brian Colt, information security engineer, DASH Financial Technologies

“Any organization that is just getting a wake-up call from the Colonial breach has definitely accepted a huge amount of risk before now.” – Richard Uhunmwagho, head, business information security, Emirates NBD