WEBVTT 1 00:00:00.120 --> 00:00:05.000 Welcome to the deep dive. Today. We're going to be 2 00:00:05.040 --> 00:00:11.880 tackling something that affects everyone in some way, cybersecurity risk. Yeah. 3 00:00:11.919 --> 00:00:15.640 We've got a stack of insightful sources, really insightful stuff here, 4 00:00:15.960 --> 00:00:18.440 and we're going to extract the most important nuggets of 5 00:00:18.480 --> 00:00:21.800 knowledge to help you truly grasp this, how to understand it, 6 00:00:21.839 --> 00:00:24.120 how to manage it, and how to measure it. Right, 7 00:00:24.239 --> 00:00:27.039 so you're ready to build a strong cybersecurity program for 8 00:00:27.120 --> 00:00:30.239 your organization. Buckle up, we're diving deep. 9 00:00:30.559 --> 00:00:33.039 I think what's particularly interesting about this deep dive is 10 00:00:33.079 --> 00:00:36.560 the emphasis on practicality. It's not just about the theory, 11 00:00:36.840 --> 00:00:40.079 you know, it's about giving you actionable insights that you 12 00:00:40.119 --> 00:00:41.039 can actually use. 13 00:00:41.240 --> 00:00:44.039 Absolutely. One thing that really struck me in these sources 14 00:00:44.119 --> 00:00:46.880 was this idea that the cybersecurity problem it kind of 15 00:00:46.880 --> 00:00:49.399 begins with technology itself, right, you know, it's like we're 16 00:00:49.439 --> 00:00:52.840 building our digital world on a foundation that's inherently flawed. 17 00:00:53.359 --> 00:00:55.039 What are your thoughts on that you've hit the nail 18 00:00:55.039 --> 00:00:57.520 on the head. I mean, every piece of technology, from 19 00:00:57.600 --> 00:01:01.640 the simplest app to the most complex network, comes with 20 00:01:01.719 --> 00:01:07.079 its own set of imperfections vulnerabilities. Just waiting to be exploited. 21 00:01:07.239 --> 00:01:09.079 Yeah, it is. It's a bit unsettling when you think 22 00:01:09.079 --> 00:01:12.439 about it. We rely so heavily on technology, yet it 23 00:01:12.480 --> 00:01:14.959 seems like we're constantly playing catch up with security. 24 00:01:15.280 --> 00:01:19.480 And here's where it gets really interesting. Okay, those imperfections 25 00:01:19.680 --> 00:01:24.599 multiply as technology advances. Right, We're layering new technologies upon 26 00:01:24.760 --> 00:01:28.680 existing ones, each with their own vulnerabilities, creating, you know, 27 00:01:28.719 --> 00:01:32.319 this incredibly complex web of potential weak points. 28 00:01:32.560 --> 00:01:35.959 The sources. They bring up the Internet of Things as 29 00:01:35.959 --> 00:01:38.359 a prime example of this, like do we really need 30 00:01:38.400 --> 00:01:39.519 internet connected belts? 31 00:01:39.680 --> 00:01:39.799 Right? 32 00:01:40.159 --> 00:01:43.519 Or safe? It seems like we're adding connectivity just for 33 00:01:43.599 --> 00:01:47.200 the sake of it without fully considering the security implications. 34 00:01:47.400 --> 00:01:50.439 That's a great point. It's almost as if we're prioritizing 35 00:01:50.519 --> 00:01:51.920 novelty over security. 36 00:01:52.200 --> 00:01:52.400 Yeah. 37 00:01:52.560 --> 00:01:55.400 And you know, even hardware, which we used to consider 38 00:01:55.519 --> 00:01:58.879 hard and unchangeable, is becoming more soft with the rise 39 00:01:58.920 --> 00:02:04.079 of software defined network interesting and this shift it really 40 00:02:04.079 --> 00:02:07.439 blurs the lines makes securing these systems much more challenging. 41 00:02:07.519 --> 00:02:09.439 It's almost like the more connected we become, the more 42 00:02:09.560 --> 00:02:12.800 vulnerable we are. Even companies like Apple, who are known 43 00:02:12.879 --> 00:02:17.000 for their focus on security, they face constant challenges. 44 00:02:17.039 --> 00:02:19.719 That's right. The sources point out that even with Apple's 45 00:02:19.759 --> 00:02:24.960 tightly controlled ecosystem, the sheer complexity of modern technology makes 46 00:02:25.080 --> 00:02:30.159 achieving perfect security nearly impossible. There are just too many 47 00:02:30.199 --> 00:02:32.680 moving parts, too many potential points of failure. 48 00:02:33.800 --> 00:02:36.759 And to add another layer of complexity, the Internet itself. 49 00:02:37.120 --> 00:02:39.840 It was originally designed with the level of trust that's 50 00:02:39.919 --> 00:02:44.240 just simply not feasible in today's digital landscape. We're essentially 51 00:02:44.280 --> 00:02:46.439 trying to secure a system that was built on this 52 00:02:46.560 --> 00:02:49.319 foundation of inherent vulnerability. 53 00:02:49.520 --> 00:02:53.400 Yeah, which brings us to the next crucial point why 54 00:02:53.520 --> 00:02:57.560 understanding cybersecurity risk is so complicated. The sources highlight that 55 00:02:57.599 --> 00:03:01.039 the fundamental risk isn't just about the technical flaws themselves, 56 00:03:01.360 --> 00:03:05.400 but the potential impact those flaws could have if they're exploited. 57 00:03:06.159 --> 00:03:09.759 And what's particularly concerning is that many organizations lack risk 58 00:03:09.879 --> 00:03:15.520 models right that actually connect those technical vulnerabilities to real 59 00:03:15.560 --> 00:03:16.319 business impact. 60 00:03:16.439 --> 00:03:19.560 So it's not just about preventing data breaches, it's about 61 00:03:19.719 --> 00:03:25.360 understanding how a cyber attack could cripple operations, damage reputation, 62 00:03:25.840 --> 00:03:27.439 or even lead to financial. 63 00:03:27.080 --> 00:03:30.240 Ruin precisely, and one of the biggest hurdles I see 64 00:03:30.360 --> 00:03:33.599 organizations facing is this lack of a common language when 65 00:03:33.599 --> 00:03:38.719 it comes to cybersecurity. Oh interesting, different departments, the board, management, engineers, 66 00:03:38.960 --> 00:03:41.080 you know, they all view it through these different lenses. 67 00:03:41.199 --> 00:03:44.879 So you've got engineers speaking in technical jargon, managers focused 68 00:03:44.919 --> 00:03:49.240 on operational impact, and boards concerned with financial implications. It's 69 00:03:49.240 --> 00:03:50.879 no wonder communication. 70 00:03:50.360 --> 00:03:53.599 Breaks down, exactly, and this disconnect often leads to a 71 00:03:53.639 --> 00:03:57.800 situation where organizations really struggle to articulate cyber risk to 72 00:03:57.919 --> 00:04:00.960 those who hold the purse strings executives and boards. And 73 00:04:01.039 --> 00:04:05.039 without clear, concise communication, you know, it's impossible to get 74 00:04:05.080 --> 00:04:08.159 buy in for the resources and support needed to build 75 00:04:08.199 --> 00:04:10.479 a robust cybersecurity program. 76 00:04:10.520 --> 00:04:13.159 And what I found fascinating in these sources is this 77 00:04:13.280 --> 00:04:18.319 idea that this communication breakdown often leads to organizations getting 78 00:04:18.319 --> 00:04:22.680 bogged down and like addressing immediate technical problems without truly 79 00:04:22.759 --> 00:04:27.160 understanding how those problems actually connect to the bigger picture 80 00:04:27.279 --> 00:04:31.319 of business risk. It's like constantly putting out fires without 81 00:04:31.319 --> 00:04:32.879 addressing the underlying cause. 82 00:04:33.000 --> 00:04:36.160 It's a classic case of being reactive instead of proactive. 83 00:04:36.639 --> 00:04:38.720 And that's where the sources offer, you know, a really 84 00:04:38.839 --> 00:04:42.720 valuable framework for tackling this challenge. They advocate for a 85 00:04:42.759 --> 00:04:46.199 three pronged approach understand, manage, and measure. 86 00:04:46.240 --> 00:04:48.959 It's like building a house, right, you need a solid foundation, 87 00:04:49.120 --> 00:04:52.120 strong walls, and a way to assess the overall structure. 88 00:04:52.240 --> 00:04:54.720 So let's start with understand what are the key things 89 00:04:54.800 --> 00:04:58.120 organizations need to grasp to truly wrap their heads around 90 00:04:58.120 --> 00:04:58.920 their cyber risks. 91 00:04:59.279 --> 00:05:03.519 Well, the source emphasize the importance of defining the problem clearing, 92 00:05:03.560 --> 00:05:06.879 and that means focusing on protecting critical assets. These are 93 00:05:06.920 --> 00:05:08.800 the things that would cause the most damage to the 94 00:05:08.879 --> 00:05:12.600 organization if they were compromised. You know, it's about identifying 95 00:05:12.639 --> 00:05:14.439 the crown jewels, so to speak. 96 00:05:14.920 --> 00:05:19.480 So it's not about protecting everything equally, it's about prioritizing 97 00:05:19.519 --> 00:05:23.279 those assets that truly matter. But how do you determine 98 00:05:23.439 --> 00:05:27.920 what's truly critical for a specific organization? What makes an 99 00:05:27.959 --> 00:05:29.079 asset a crown jewel? 100 00:05:29.839 --> 00:05:33.680 That's where it gets really interesting. Okay, The sources suggest 101 00:05:34.040 --> 00:05:38.079 kind of a rather intriguing approach. Take on the mindset 102 00:05:38.120 --> 00:05:41.720 of an attacker. Oh wow, think about what an attacker 103 00:05:41.759 --> 00:05:45.160 would find valuable, Okay, and target. It's a way to 104 00:05:45.279 --> 00:05:48.639 identify assets you might not have even realized we're critical 105 00:05:49.040 --> 00:05:50.879 from a purely internal perspective. 106 00:05:50.959 --> 00:05:53.519 That's a brilliant insight. Yeah, instead of just focusing on 107 00:05:53.560 --> 00:05:55.439 what we need to protect, we need to think about 108 00:05:55.600 --> 00:05:58.800 what someone else might want to exploit. It's like flipping 109 00:05:58.800 --> 00:06:02.560 the scripting your organization through the eyes of a thread. 110 00:06:02.360 --> 00:06:06.560 Actor precisely, and to understand how those attackers might operate. 111 00:06:07.319 --> 00:06:10.360 The sources highlight models like the cyber kill chain. This 112 00:06:10.439 --> 00:06:14.279 framework outlines the stages of a cyber attack, from reconnaissance 113 00:06:14.319 --> 00:06:18.600 to exfiltration. It helps organizations kind of anticipate attacker behavior 114 00:06:19.120 --> 00:06:20.600 and build defenses accordingly. 115 00:06:20.680 --> 00:06:24.120 So we've identified those critical assets, those crown jewels. What's 116 00:06:24.160 --> 00:06:26.959 the next step in truly understanding the risk? 117 00:06:27.240 --> 00:06:31.519 Well, simply saying this server is critical isn't enough, right. 118 00:06:31.720 --> 00:06:33.920 You need to go deeper. You need to inventory and 119 00:06:33.959 --> 00:06:39.360 categorize those assets. And you need to differentiate between individual 120 00:06:39.439 --> 00:06:44.560 perceptions of importance and the actual organizational impact of a. 121 00:06:44.519 --> 00:06:47.639 Compromise, because what one person thinks is critical might not 122 00:06:47.720 --> 00:06:49.720 be as crucial to the organization as a whole. 123 00:06:49.519 --> 00:06:55.079 Right exactly. The sources recommend taking a multifaceted approach to 124 00:06:55.480 --> 00:06:59.439 defining critical assets. They suggest considering it from an inside 125 00:06:59.480 --> 00:07:03.160 out per perspective. Okay, how assets contribute to the organization's 126 00:07:03.199 --> 00:07:06.839 core mission, as well as an outside in perspective what 127 00:07:07.000 --> 00:07:10.480 attackers would find valuable. Finally, it's crucial to look at 128 00:07:10.519 --> 00:07:14.360 it from an organizational perspective, you know, focusing on assets 129 00:07:14.439 --> 00:07:19.240 that would impact reputation, revenue, or costs if compromised. 130 00:07:19.519 --> 00:07:22.079 It's about painting a complete picture of what's at stake, 131 00:07:22.399 --> 00:07:24.120 considering all angles. 132 00:07:23.759 --> 00:07:27.439 And the sources you know, provide practical guidance on how 133 00:07:27.439 --> 00:07:31.079 to do this. They acknowledge that asset management can be challenging, 134 00:07:31.600 --> 00:07:34.439 but they emphasize the need for a strong business case. 135 00:07:34.920 --> 00:07:40.759 They recommend defining asset classes data, devices, applications, networks, users, 136 00:07:41.360 --> 00:07:45.959 and then meticulously collecting and inventoring all assets within each class. 137 00:07:46.120 --> 00:07:48.680 It sounds like a very detailed process it is, but 138 00:07:48.759 --> 00:07:51.800 it seems essential for truly grasping the scope of the risk. 139 00:07:51.959 --> 00:07:54.879 Absolutely and remember the tip about thinking like an attacker. 140 00:07:55.519 --> 00:07:58.839 The sources suggests applying that same mindset here. Think about 141 00:07:58.879 --> 00:08:02.600 how an attacker would approach which identifying and prioritizing your assets. 142 00:08:03.040 --> 00:08:05.759 It can reveal vulnerabilities you might otherwise overlook. 143 00:08:05.959 --> 00:08:10.079 That's a great reminder to stay vigilant and think outside 144 00:08:10.120 --> 00:08:14.079 the box. Now, the sources also mentioned a tool called 145 00:08:14.079 --> 00:08:17.639 a risk register as a helpful way to manage this information. 146 00:08:17.720 --> 00:08:19.000 What exactly is that. 147 00:08:19.639 --> 00:08:23.800 A risk register is essentially a centralized repository for tracking 148 00:08:23.839 --> 00:08:27.079 and managing risks to your critical assets. It's where you 149 00:08:27.199 --> 00:08:30.920 document potential threats, vulnerabilities, and the potential impact of those 150 00:08:31.000 --> 00:08:32.159 risks being realized. 151 00:08:32.279 --> 00:08:34.840 So it's like a master list of everything that could 152 00:08:34.879 --> 00:08:37.639 go wrong and the steps you're taking to either prevent 153 00:08:37.759 --> 00:08:39.600 or mitigate those risks precisely. 154 00:08:40.000 --> 00:08:42.720 And here's where things get even more layered. Okay, The 155 00:08:42.759 --> 00:08:46.200 sources emphasize that you can't just focus on the technical aspects. 156 00:08:46.399 --> 00:08:50.000 You also need to consider legal and regulatory requirements when 157 00:08:50.039 --> 00:08:52.360 identifying and protecting critical assets. 158 00:08:52.399 --> 00:08:55.000 So it's not just about protecting data from hackers. It's 159 00:08:55.000 --> 00:08:59.399 about ensuring compliance with privacy laws, industry regulations, and all 160 00:08:59.440 --> 00:09:01.080 those other legal complexities. 161 00:09:01.240 --> 00:09:05.559 Right. You need to approach cybersecurity holistically, ensuring you're addressing 162 00:09:05.679 --> 00:09:09.919 all aspects of risk, from technical vulnerabilities to legal liabilities. 163 00:09:10.120 --> 00:09:12.600 Okay, yeah, I'm starting to see how this all ties together. 164 00:09:12.679 --> 00:09:16.679 We've covered understand the first part of this three pronged approach. 165 00:09:17.200 --> 00:09:20.759 Let's move on to manage what do the sources say 166 00:09:20.799 --> 00:09:24.039 about managing cybersecurity risk effectively. 167 00:09:25.000 --> 00:09:26.639 The sources are pretty clear on this one. You need 168 00:09:26.679 --> 00:09:31.840 a structured cybersecurity program in place, and they strongly advise 169 00:09:31.919 --> 00:09:35.639 against trying to reinvent the wheel. Instead, they recommend selecting 170 00:09:35.720 --> 00:09:38.879 a single, well established framework as your guide. 171 00:09:39.080 --> 00:09:42.799 So instead of creating a program from scratch, leverage existing 172 00:09:42.840 --> 00:09:45.840 frameworks that have already beenbedded and proven effective. What are 173 00:09:45.840 --> 00:09:47.639 some examples of frameworks they recommend. 174 00:09:47.960 --> 00:09:50.000 Two of the most popular ones they highlight are the 175 00:09:50.120 --> 00:09:55.120 NIST Cybersecurity Framework or CSF and ISOIS two thousand, thousand 176 00:09:55.120 --> 00:09:55.440 and one. 177 00:09:55.639 --> 00:09:57.840 And what are the key differences between those two? 178 00:09:58.480 --> 00:10:02.000 The NIST CSF is incredibly versatile. It provides a common 179 00:10:02.080 --> 00:10:06.120 language and structure for cybersecurity across various industries and aligns 180 00:10:06.159 --> 00:10:10.879 well with regulatory requirements. ISOPIEC twenty seven thousand h one, 181 00:10:10.960 --> 00:10:14.320 on the other hand, is more focused on information security management. 182 00:10:15.000 --> 00:10:19.159 It provides a comprehensive set of controls for protecting sensitive information. 183 00:10:19.039 --> 00:10:22.120 So organizations can choose the framework that best aligns with 184 00:10:22.159 --> 00:10:25.799 their specific needs in industry. But what's particularly interesting is 185 00:10:25.799 --> 00:10:28.320 that using a recognized framework can also make it easier 186 00:10:28.480 --> 00:10:31.960 to demonstrate compliance with regulations right absolutely. 187 00:10:32.440 --> 00:10:35.480 By mapping your security controls to a framework like NIST 188 00:10:35.720 --> 00:10:38.879 CSF or ISO twenty seven through zero one, you can 189 00:10:38.919 --> 00:10:43.480 clearly demonstrate how you're meeting specific regulatory requirements. This not 190 00:10:43.519 --> 00:10:46.879 only simplifies compliance, but also strengthens your position in the 191 00:10:46.919 --> 00:10:50.320 event of an audit or investigation. And here's another crucial 192 00:10:50.320 --> 00:10:54.519 point the sources emphasize, don't neglect response and recovery. It's 193 00:10:54.559 --> 00:10:57.600 not enough to focus solely on preventing attacks. You need 194 00:10:57.639 --> 00:11:00.000 to be prepared to handle them when they inevitably occur. 195 00:11:00.279 --> 00:11:02.840 It's like having a fire skate plan. You hope you 196 00:11:02.919 --> 00:11:04.600 never have to use it, but you need to be 197 00:11:04.639 --> 00:11:06.679 ready in case of emergency exactly. 198 00:11:07.159 --> 00:11:12.360 And speaking of being prepared, the sources dive deep into 199 00:11:12.639 --> 00:11:16.960 the often overlooked area of third party risk management or TPRM. 200 00:11:17.200 --> 00:11:19.759 Now, this is where things get really interesting. We live 201 00:11:19.799 --> 00:11:23.080 in an interconnected world where businesses rely heavily on third 202 00:11:23.080 --> 00:11:27.559 party vendors for everything from software to cloud services. How 203 00:11:27.600 --> 00:11:32.360 do the sources recommend managing the inherent risks associated with 204 00:11:32.399 --> 00:11:33.240 these dependencies. 205 00:11:33.799 --> 00:11:36.799 They stress the need for a robust and structured TPRM 206 00:11:36.919 --> 00:11:40.799 program with buy in from various departments across the organization. Okay, 207 00:11:40.960 --> 00:11:44.519 this isn't just an IT issue. It impacts procurement, legal finance, 208 00:11:44.639 --> 00:11:48.120 potentially even operations depending on the third party relationships involved. 209 00:11:48.120 --> 00:11:50.639 So it's about breaking down silos and approaching TPRM from 210 00:11:50.639 --> 00:11:51.639 a holistic perspective. 211 00:11:51.720 --> 00:11:55.679 Precisely, the sources suggest using comprehensive questionnaires to assess vendor 212 00:11:55.720 --> 00:11:59.440 security practices, ensuring that those you do business with meet 213 00:11:59.480 --> 00:12:03.720 your organizations security standards. They also recommend using software bills 214 00:12:03.720 --> 00:12:06.639 of materials or s bombs to get a deeper understanding 215 00:12:06.679 --> 00:12:08.840 of the components that make up the software you're using 216 00:12:08.840 --> 00:12:09.639 from third parties. 217 00:12:10.120 --> 00:12:12.720 S bombs. I've heard that term thrown around but never 218 00:12:12.799 --> 00:12:15.039 fully grasped what it meant. Can you break it down 219 00:12:15.039 --> 00:12:15.399 for us? 220 00:12:15.600 --> 00:12:17.720 Yeah? Think of an s bomb like an ingredient list 221 00:12:17.759 --> 00:12:18.399 for software. 222 00:12:18.600 --> 00:12:19.279 Oh okay. 223 00:12:19.360 --> 00:12:22.600 It lists all the components, libraries, and modules that went 224 00:12:22.639 --> 00:12:26.440 into building a particular piece of software, and this transparency 225 00:12:26.519 --> 00:12:31.039 allows organizations to identify potential vulnerabilities that might be lurking 226 00:12:31.120 --> 00:12:32.679 within third party software. 227 00:12:32.960 --> 00:12:36.039 So it's like a nutritional label for your software, helping 228 00:12:36.039 --> 00:12:39.320 you understand what's inside and make informed decisions about the 229 00:12:39.399 --> 00:12:40.159 risks involved. 230 00:12:40.200 --> 00:12:43.240 That's a great analogy. Yeah, and the sources go even further, 231 00:12:43.480 --> 00:12:48.440 emphasizing the importance of establishing a robust feedback mechanism with vendors. Okay, 232 00:12:48.759 --> 00:12:52.720 you know, you need to verify their claims, address any discrepancies, 233 00:12:53.120 --> 00:12:56.679 and ensure they're held accountable for meeting their security obligations. 234 00:12:56.960 --> 00:12:59.039 So it's not just about trusting what vendors tell you. 235 00:12:59.159 --> 00:13:02.159 It's about verify buying their practices, and holding them to 236 00:13:02.200 --> 00:13:05.639 the same security standards you uphold within your own organization. 237 00:13:06.120 --> 00:13:09.840 Exactly. It's a trust but verify approach. And the sources 238 00:13:09.879 --> 00:13:13.720 also recommend aligning your TPRM program with your procurement and 239 00:13:13.759 --> 00:13:15.799 purchasing processes, so. 240 00:13:15.759 --> 00:13:20.480 You're baking security considerations into every stage of vendor selection 241 00:13:20.559 --> 00:13:24.759 and management, from initial assessment to contract negotiation. 242 00:13:24.919 --> 00:13:28.039 Precisely, it's about ensuring that security is not an afterthought, 243 00:13:28.200 --> 00:13:30.720 but an integral part of your business operations. 244 00:13:30.799 --> 00:13:33.360 It makes perfect sense now with so many security vendors 245 00:13:33.399 --> 00:13:37.399 out there, How do the sources recommend navigating that landscape 246 00:13:37.440 --> 00:13:39.519 and choosing the right tools for your organization. 247 00:13:39.840 --> 00:13:43.600 They introduce a helpful tool called the Cyber Defense Matrix 248 00:13:43.759 --> 00:13:46.720 or CDM. Okay, think of it as a map that 249 00:13:46.799 --> 00:13:50.960 helps you visualize the security vendor landscape and choose tools 250 00:13:51.000 --> 00:13:56.200 that effectively address specific problems within your chosen cybersecurity framework. 251 00:13:56.320 --> 00:13:58.639 So it's about aligning your tools with your framework and 252 00:13:58.720 --> 00:14:01.360 ensuring you're addressing all the necessary security domains. 253 00:14:02.159 --> 00:14:05.440 And finally, the sources stress the importance of regularly reviewing 254 00:14:05.440 --> 00:14:08.440 and updating your cybersecurity program to stay ahead of the 255 00:14:08.480 --> 00:14:10.399 constantly evolving threat landscape. 256 00:14:10.480 --> 00:14:12.960 Cybersecurity is not a set it and forget it kind 257 00:14:13.000 --> 00:14:16.399 of thing. It's an ongoing process of adaptation and improvement. 258 00:14:16.480 --> 00:14:21.000 Precisely, you need to be constantly learning, evolving and fine 259 00:14:21.000 --> 00:14:23.159 tuning your program to stay ahead of the curve. 260 00:14:23.679 --> 00:14:25.799 Well, we've covered a lot of ground when it comes 261 00:14:25.840 --> 00:14:30.320 to understanding and managing cyber risk. I'm really curious to 262 00:14:30.399 --> 00:14:33.399 delve into the final piece of the puzzle, measure. 263 00:14:33.639 --> 00:14:35.639 That's where we'll pick up in part two of this 264 00:14:35.720 --> 00:14:36.279 deep dive. 265 00:14:36.440 --> 00:14:42.080 Stay tuned, Welcome back to the deep dive. We've been 266 00:14:42.120 --> 00:14:46.120 exploring the complexities of cybersecurity risk, and now it's time 267 00:14:46.159 --> 00:14:49.360 to tackle the measure aspect of our three pronged approach. 268 00:14:49.960 --> 00:14:51.759 You know, one thing that struck me as I was 269 00:14:51.759 --> 00:14:55.120 going through these sources was this emphasis on meaningful metrics. 270 00:14:55.639 --> 00:14:58.559 It's not just about collecting data for the sake of it, 271 00:14:58.559 --> 00:15:01.519 It's about gathering insight that can actually drive action. 272 00:15:02.320 --> 00:15:04.440 I couldn't agree more. You know, I've seen so many 273 00:15:04.559 --> 00:15:07.919 organizations get bogged down in vanity metrics, numbers that look 274 00:15:07.960 --> 00:15:10.840 impressive on paper, yeah, but don't provide any real value. 275 00:15:10.919 --> 00:15:13.200 It's like counting the number of fire exting Christians you 276 00:15:13.240 --> 00:15:16.200 have without ever checking if they actually work exactly. 277 00:15:16.440 --> 00:15:19.240 So what do the sources say about ensuring that our 278 00:15:19.240 --> 00:15:21.840 cybersecurity metrics are actually useful? 279 00:15:22.279 --> 00:15:27.559 Well, they highlight three key characteristics of good cyber risk measures. First, 280 00:15:27.600 --> 00:15:30.399 they need to be actionable, meaning they should directly lead 281 00:15:30.440 --> 00:15:33.840 to concrete steps to mitigate risk right. Second, they need 282 00:15:33.879 --> 00:15:36.879 to be addressable okay, focusing on areas that you can 283 00:15:36.919 --> 00:15:41.279 actually influence. And third, they need to be insightful, providing 284 00:15:41.279 --> 00:15:43.600 a deeper understanding of the risk landscape. 285 00:15:43.679 --> 00:15:47.200 So instead of just tracking the number of phishing emails blocked, 286 00:15:47.759 --> 00:15:50.759 we should be looking at the percentage of employees who 287 00:15:50.879 --> 00:15:54.639 still click on suspicious links despite training exactly. That's a 288 00:15:54.679 --> 00:15:57.600 metric that can lead to actionable changes in our security 289 00:15:57.639 --> 00:15:58.440 awareness program. 290 00:15:58.480 --> 00:16:01.840 Precisely, and the sources suggests that organizations shouldn't try to 291 00:16:01.879 --> 00:16:05.919 reinvent the wheel when it comes to identifying relevant metrics. 292 00:16:06.320 --> 00:16:08.120 You know, there's a wealth of knowledge out there in 293 00:16:08.159 --> 00:16:11.879 the form of industry best practices and existing frameworks, So. 294 00:16:11.840 --> 00:16:14.320 It's about learning from others and adapting those tried and 295 00:16:14.360 --> 00:16:17.919 true approaches to our specific needs. Do they delve into 296 00:16:18.000 --> 00:16:21.440 any specific metrics or reporting techniques. 297 00:16:21.480 --> 00:16:24.639 Absolutely, they go beyond the basic metrics and dive into 298 00:16:24.639 --> 00:16:30.039 more advanced concepts like risk appetite, control effectiveness, and cyber resilience. 299 00:16:30.519 --> 00:16:33.879 Those sound intriguing, Can you break down what each of 300 00:16:33.919 --> 00:16:34.399 those means? 301 00:16:34.480 --> 00:16:38.360 Sure? Risk appetite is essentially how much risk an organization 302 00:16:38.480 --> 00:16:42.200 is willing to accept to achieve its objectives. It's about 303 00:16:42.240 --> 00:16:47.600 striking a balance between security and operational efficiency. Control effectiveness 304 00:16:47.639 --> 00:16:50.720 is all about evaluating how well your security controls are 305 00:16:50.759 --> 00:16:54.799 actually working. Are they preventing attacks? Are they detecting intrusions? 306 00:16:55.519 --> 00:16:58.840 And cyber resilience is the organization's ability to withstand and 307 00:16:58.919 --> 00:17:00.679 recover from cyber attacks. 308 00:17:00.720 --> 00:17:04.079 So it's not just about building impenetrable walls. It's about 309 00:17:04.079 --> 00:17:07.279 having the flexibility and agility to bounce back when those 310 00:17:07.319 --> 00:17:08.920 walls inevitably get. 311 00:17:08.759 --> 00:17:12.559 Breached precisely, and the sources acknowledge that one of the 312 00:17:12.559 --> 00:17:16.160 biggest challenges in cybersecurity measurement is quantifying risk. 313 00:17:16.359 --> 00:17:17.119 Yeah, it makes sense. 314 00:17:17.240 --> 00:17:20.759 Cyber risk is complex and multifaceted, making it difficult to 315 00:17:20.759 --> 00:17:22.039 put a precise number on it. 316 00:17:22.279 --> 00:17:24.519 So how do they recommend tackling that challenge. 317 00:17:24.559 --> 00:17:28.960 Well, they discuss various methodologies for quantifying cyber risk, ranging 318 00:17:29.000 --> 00:17:34.880 from qualitative assessments to sophisticated mathematical models. Okay, some organizations 319 00:17:34.960 --> 00:17:38.519 use scenario based analysis, where they model the potential impact 320 00:17:38.559 --> 00:17:43.240 of different attack scenarios. Others employ financial modeling techniques to 321 00:17:43.359 --> 00:17:46.240 estimate the financial losses associated with cyber incidents. 322 00:17:46.240 --> 00:17:48.359 It sounds like there's no one size fits all approach. 323 00:17:48.960 --> 00:17:52.279 Organizations need to choose the methodology that best aligns with 324 00:17:52.319 --> 00:17:54.039 their specific needs and risk. 325 00:17:53.880 --> 00:17:57.599 Profile exactly, and it's important to remember that measurement is 326 00:17:57.640 --> 00:18:01.599 an ongoing process. You need to can evaluate your metrics, 327 00:18:01.880 --> 00:18:05.839 refine your methodologies, and adapt to the evolving threat landscape. 328 00:18:06.000 --> 00:18:08.160 Yeah, I'm also curious about the human element of all 329 00:18:08.200 --> 00:18:11.400 of this. The sources mentioned the importance of building relationships 330 00:18:11.400 --> 00:18:16.000 with stakeholders across different departments and aligning incentives to promote 331 00:18:16.079 --> 00:18:19.119 cybersecurity awareness. Yeah, what are your thoughts on that? 332 00:18:19.119 --> 00:18:23.200 That's a crucial point. Cybersecurity can't be the sole responsibility 333 00:18:23.200 --> 00:18:25.759 of the IT department. It needs to be embedded in 334 00:18:25.799 --> 00:18:27.880 the culture of the entire organization. 335 00:18:28.440 --> 00:18:31.240 So instead of viewing security as an obstacle or a burden, 336 00:18:32.240 --> 00:18:35.880 we need to foster a sense of shared responsibility. 337 00:18:35.240 --> 00:18:39.039 Right, and that means engaging with stakeholders from different departments, 338 00:18:39.160 --> 00:18:43.119 understanding their needs and concerns, and building security into their workflows. 339 00:18:43.680 --> 00:18:47.279 Do they offer any specific strategies for achieving that kind 340 00:18:47.279 --> 00:18:48.759 of cross functional collaboration. 341 00:18:49.200 --> 00:18:53.240 Well, they recommend developing a consistent reporting structure okay, that 342 00:18:53.279 --> 00:18:57.119 provides clear and concise information on key risks, trends, and 343 00:18:57.160 --> 00:19:00.920 recommendations to different audiences. They also highlight the importance of 344 00:19:00.960 --> 00:19:03.880 aligning incentive so that everyone is working towards the same goal. 345 00:19:04.160 --> 00:19:07.480 So it's about finding ways to motivate and reward employees 346 00:19:07.519 --> 00:19:09.079 for embracing security. 347 00:19:08.640 --> 00:19:12.680 Best practices exactly. It's about creating a culture where security 348 00:19:13.079 --> 00:19:15.559 is seen as an asset, not a liability. 349 00:19:15.759 --> 00:19:19.200 Right. That makes a lot of sense. So we've covered understanding, 350 00:19:19.440 --> 00:19:22.680 managing and measuring cyber risk. What's next on our deep 351 00:19:22.720 --> 00:19:23.319 dive journey. 352 00:19:23.359 --> 00:19:26.160 Well, we're going to shift our focus to the boardroom, okay, 353 00:19:26.200 --> 00:19:29.559 and explore the critical questions board members should be asking 354 00:19:29.640 --> 00:19:31.039 about cybersecurity. 355 00:19:31.880 --> 00:19:34.519 Stay tuned for Part three, where we'll uncover the board's 356 00:19:34.599 --> 00:19:39.119 role in shaping a strong cybersecurity culture. Welcome back to 357 00:19:39.160 --> 00:19:44.599 the deep dive. We've explored the intricacies of understanding, managing, 358 00:19:44.599 --> 00:19:48.039 and measuring cybersecurity risk, and now in this final part, 359 00:19:48.119 --> 00:19:50.119 we're kind of stepping into the boardroom, you know, where 360 00:19:50.160 --> 00:19:53.039 those strategic decisions are made right and the tone for 361 00:19:53.079 --> 00:19:57.200 cybersecurity culture is set. These sources have some really insightful 362 00:19:57.240 --> 00:20:00.119 guidance on what board members should be asking, yeah, to 363 00:20:00.200 --> 00:20:03.279 ensure that their organizations are truly on top of cyber risk. 364 00:20:03.680 --> 00:20:07.559 I'm particularly interested in this shift in perspective. You know, 365 00:20:07.599 --> 00:20:12.160 we've been focusing on the operational side of cybersecurity, but 366 00:20:13.200 --> 00:20:16.599 ultimately the board is responsible for oversight and setting that 367 00:20:16.680 --> 00:20:18.440 strategic direction exactly. 368 00:20:18.519 --> 00:20:22.039 And these sources they emphasize that board members they don't 369 00:20:22.039 --> 00:20:24.519 need to be technical experts to ask the right questions 370 00:20:24.519 --> 00:20:29.200 and hold management accountable. So what's the first question they 371 00:20:29.240 --> 00:20:30.720 suggest board members should. 372 00:20:30.519 --> 00:20:34.119 Be asking, well, it's a seemingly simple one, okay, but 373 00:20:34.200 --> 00:20:38.680 it's foundational. How does the organization define cybersecurity risk? 374 00:20:39.400 --> 00:20:41.640 You know, it's funny how often we kind of assume 375 00:20:41.720 --> 00:20:45.119 everyone is working from the same definition, when in reality 376 00:20:45.319 --> 00:20:49.079 there can be these significant variations. Yeah in understanding. 377 00:20:49.200 --> 00:20:52.559 Absolutely, Yeah, that's precisely the point the sources are driving 378 00:20:52.599 --> 00:20:55.200 at that. You know, they stress that the board needs 379 00:20:55.240 --> 00:20:57.519 to ensure everyone is on the same page when it 380 00:20:57.519 --> 00:21:01.680 comes to what cybersecurity risk true means for the organization, right, 381 00:21:01.880 --> 00:21:04.720 and the answer should go beyond, you know, just technical 382 00:21:04.839 --> 00:21:08.680 jargon and delve into the potential impact on the business 383 00:21:08.720 --> 00:21:09.240 as a whole. 384 00:21:09.319 --> 00:21:12.279 So instead of just talking about vulnerabilities and exploits, the 385 00:21:12.359 --> 00:21:17.279 definition should encompass like the potential for financial losses, reputational damage, 386 00:21:17.559 --> 00:21:22.400 regulatory fines, legal liabilities, even the disruption of critical operations. 387 00:21:22.480 --> 00:21:25.720 Exactly, It's about connecting cyber risk to the things the 388 00:21:25.759 --> 00:21:29.880 board cares about most, the long term health and sustainability 389 00:21:29.880 --> 00:21:30.640 of the organization. 390 00:21:31.079 --> 00:21:36.079 Right. Once that shared understanding of risk is established, what's 391 00:21:36.119 --> 00:21:38.680 the next crucial question the board should be asking, Well. 392 00:21:38.559 --> 00:21:42.319 The sources suggest focusing on those crown jewels. We discussed earlier, 393 00:21:42.720 --> 00:21:45.799 what are the organization's most critical assets? Right, you know, 394 00:21:45.839 --> 00:21:49.480 it's about understanding what truly matters most to the organization. Yeah, 395 00:21:49.559 --> 00:21:52.920 those assets that would cause the most significant damage if compromised. 396 00:21:53.480 --> 00:21:58.000 Right, And remember, identifying those critical assets requires that multifaceted approach, 397 00:21:58.400 --> 00:22:00.960 going beyond just the it percon exactly. 398 00:22:01.000 --> 00:22:04.440 You know, it's about considering the organization's core mission, what 399 00:22:04.559 --> 00:22:07.720 attackers might target, and which assets would have the most 400 00:22:07.759 --> 00:22:11.359 significant impact on reputation, revenue, or operational cost if they 401 00:22:11.400 --> 00:22:14.599