WEBVTT 1 00:00:00.000 --> 00:00:03.879 All right, So this stack of security management stuff you sent, 2 00:00:04.440 --> 00:00:08.400 it's uh, we're going through excerpts from the official is 3 00:00:08.640 --> 00:00:14.279 C two Guide to the eec IS smp CBK, which 4 00:00:14.839 --> 00:00:16.760 I mean, this thing's huge. 5 00:00:17.039 --> 00:00:19.559 Yeah, it's a dense, a lot, it's a lot, It's 6 00:00:19.559 --> 00:00:20.359 packed with information. 7 00:00:20.399 --> 00:00:23.039 It's the ultimate guide for security pros it really is. 8 00:00:23.120 --> 00:00:26.239 Yeah. Our mission today is to kind of go through 9 00:00:26.280 --> 00:00:29.399 this and extract the gold. Okay, you know, like the 10 00:00:29.480 --> 00:00:30.399 actionable insights. 11 00:00:30.440 --> 00:00:32.399 Okay, so like, how do we you can actually use 12 00:00:32.520 --> 00:00:34.119 how do we make this? Yeah, how do we make 13 00:00:34.119 --> 00:00:36.600 this applicable to what people are doing out there? 14 00:00:36.759 --> 00:00:37.200 Exactly? 15 00:00:37.600 --> 00:00:40.280 So we're aiming to give everyone a framework for not 16 00:00:40.359 --> 00:00:42.719 just understanding security, but really living it. 17 00:00:42.799 --> 00:00:45.000 Absolutely. By the end of this, we're going to be 18 00:00:45.079 --> 00:00:50.439 covering how to build a really robust security framework, how 19 00:00:50.479 --> 00:00:54.159 to proactively spot those weaknesses okay before they become like 20 00:00:54.240 --> 00:00:57.920 big problems, and then also navigate the complex world of 21 00:00:57.960 --> 00:01:00.560 compliance and incident response. 22 00:01:00.759 --> 00:01:04.040 Okay, So let's unback this starting with the foundation security 23 00:01:04.079 --> 00:01:08.079 leadership and management. I mean, why is this even important? 24 00:01:08.319 --> 00:01:08.480 Sure? 25 00:01:08.519 --> 00:01:12.159 Does it really matter if like the CEO understands firewalls? 26 00:01:12.599 --> 00:01:16.120 It matters more than you think Okay, because you see 27 00:01:16.480 --> 00:01:20.560 senior management, they set the tone for the entire organization, 28 00:01:21.879 --> 00:01:28.480 so their understanding of risk it directly influences like budget decisions, 29 00:01:28.959 --> 00:01:33.159 resource allocation, and even like the overall culture of security awareness. 30 00:01:33.400 --> 00:01:36.200 So it's like a company can have all the latest 31 00:01:36.400 --> 00:01:39.359 security tech, but if the leaders don't get the why 32 00:01:39.560 --> 00:01:40.719 behind it, it's all. 33 00:01:40.640 --> 00:01:43.000 For show exactly. It's just checking a box at that point. 34 00:01:43.040 --> 00:01:43.319 Okay. 35 00:01:44.480 --> 00:01:47.879 A really great example is the Department of Homeland Security. 36 00:01:47.959 --> 00:01:51.920 If you look at their mission statement, it actually explicitly 37 00:01:51.959 --> 00:01:56.120 includes safeguarding cyberspace. Wow, so it's not just an IT 38 00:01:56.480 --> 00:01:58.640 thing for them. It's like, yeah, it's part breaked into 39 00:01:58.680 --> 00:02:00.519 their Yeah, it's like baked into their purpose. 40 00:02:00.959 --> 00:02:04.359 Okay, that makes sense for a government agency. But why 41 00:02:04.359 --> 00:02:07.359 should a regular business, Like, why should they care about 42 00:02:07.400 --> 00:02:08.919 this high level buy in? 43 00:02:09.759 --> 00:02:13.319 Because a security breach can have a really devastating impact 44 00:02:13.400 --> 00:02:18.360 on any business. Okay, imagine the financial costs of downtime, 45 00:02:19.479 --> 00:02:23.120 the hit to your reputation, the legal ramifications. 46 00:02:23.319 --> 00:02:25.120 Yeah, it's a nightmare. 47 00:02:25.199 --> 00:02:27.360 Yeah, a total nightmare that you want to avoid. Right. 48 00:02:27.400 --> 00:02:30.479 Prevention is key, But you know, I think a lot 49 00:02:30.520 --> 00:02:33.319 of people think of security as mostly an it department issue. 50 00:02:33.400 --> 00:02:35.639 Yeah, and while it is definitely at the forefront of 51 00:02:35.680 --> 00:02:39.879 a lot of these things, effective security leadership involves way 52 00:02:39.919 --> 00:02:44.840 more than just technical expertise. Okay, the soft skills they're 53 00:02:44.879 --> 00:02:46.000 actually just as critical. 54 00:02:46.280 --> 00:02:48.639 Okay, I like that, So let's unpack that. Sure, what 55 00:02:48.719 --> 00:02:50.240 kind of soft skills are we talking about? 56 00:02:50.319 --> 00:02:56.360 So think about things like really understanding business processes, assigning 57 00:02:56.479 --> 00:02:59.240 roles and responsibilities appropriately. 58 00:02:59.520 --> 00:02:59.840 Okay. 59 00:03:00.439 --> 00:03:04.199 And then also this is a big one, communicating risk 60 00:03:04.919 --> 00:03:10.199 in a way that people who aren't technical can grasp. 61 00:03:10.319 --> 00:03:15.759 Okay, So like communication, collaboration, big picture thinking. 62 00:03:15.719 --> 00:03:16.240 Big time. 63 00:03:16.520 --> 00:03:20.080 It's almost like it's almost like being a security leader 64 00:03:20.120 --> 00:03:21.199 is a management role. 65 00:03:21.599 --> 00:03:24.919 It absolutely is a management role. You know, you can 66 00:03:24.960 --> 00:03:27.639 have the most advanced technology in the world, but if 67 00:03:27.719 --> 00:03:33.599 your employees don't understand the why behind security protocols, it's 68 00:03:33.639 --> 00:03:34.680 all for nothing. 69 00:03:34.599 --> 00:03:37.039 Right, Because a chain is only as strong as its 70 00:03:37.080 --> 00:03:40.280 weakest link, exactly, and sometimes that weakest link is human. 71 00:03:40.639 --> 00:03:43.800 Unfortunately, that's very often the case. So you need to 72 00:03:43.879 --> 00:03:47.639 build like a culture of security awareness that really does 73 00:03:47.680 --> 00:03:49.159 permeate the entire organization. 74 00:03:49.280 --> 00:03:52.319 Okay, So strong leadership sets the stage. Now, how do 75 00:03:52.360 --> 00:03:56.080 we actually translate that into a rock solid security structure, right, 76 00:03:56.479 --> 00:03:57.719 what are the building blocks? 77 00:03:57.719 --> 00:04:00.599 Okay? So that's where security life cycle managed comes in 78 00:04:00.919 --> 00:04:05.879 and staler alert. It's not just for software development anymore. 79 00:04:05.919 --> 00:04:08.840 Wait really yeah? Oh okay, So think of it like 80 00:04:08.960 --> 00:04:13.759 building a house. You wouldn't start construction without a blueprint, right. Well, 81 00:04:13.800 --> 00:04:18.560 you shouldn't launch any project without considering security at every 82 00:04:18.600 --> 00:04:22.160 single stage, from the initial planning phase all the way 83 00:04:22.160 --> 00:04:24.079 to deployment okay and beyond. 84 00:04:24.160 --> 00:04:26.639 So it's not just about like checking off boxes on 85 00:04:26.680 --> 00:04:30.680 a checklist, it's about baking security into like the DNA 86 00:04:30.879 --> 00:04:32.720 of every project from the get go. 87 00:04:32.720 --> 00:04:36.160 One hundred percent okay. And this is especially important when 88 00:04:36.160 --> 00:04:37.720 you're dealing with prototypes. 89 00:04:38.079 --> 00:04:41.319 Ah. Prototypes, Yes, fun, always exciting, yeah. 90 00:04:41.319 --> 00:04:45.319 Buggy, a little buggy, right, and often insecure because prototypes 91 00:04:45.439 --> 00:04:49.879 they're typically built for speed and functionality, not necessarily security. Okay. 92 00:04:50.279 --> 00:04:52.519 So that can create a lot of risks if you're 93 00:04:52.519 --> 00:04:53.079 not careful. 94 00:04:53.120 --> 00:04:56.160 So how do you balance that need to move quickly 95 00:04:56.680 --> 00:04:59.120 with need to protect sensitive data? 96 00:05:01.000 --> 00:05:05.079 You need to be acutely aware of the risks that 97 00:05:05.160 --> 00:05:08.399 are involved in prototype, and then you need to from 98 00:05:08.439 --> 00:05:13.920 the very beginning implement safeguards. Okay, So like strong access controls, 99 00:05:14.319 --> 00:05:18.680 data encryption, regular security assessments, like you need to treat 100 00:05:18.759 --> 00:05:22.000 that prototype with the same level of security that you 101 00:05:22.040 --> 00:05:22.959 would a live system. 102 00:05:23.040 --> 00:05:26.160 Okay, that makes sense because I mean a data breach 103 00:05:26.279 --> 00:05:29.759 during the prototype phase could be just as damaging as 104 00:05:29.800 --> 00:05:31.079 a breach and a finished product. 105 00:05:31.279 --> 00:05:31.439 Yeah. 106 00:05:31.600 --> 00:05:36.560 Sure, But you know, how do we future proof security? 107 00:05:36.879 --> 00:05:37.079 Yeah? 108 00:05:37.160 --> 00:05:39.560 I mean technology changes so quickly it does. 109 00:05:39.600 --> 00:05:42.199 It changes so fast it does, and that's where it 110 00:05:42.199 --> 00:05:50.360 becomes really critical to understand how those emerging technologies impact security. Okay, 111 00:05:50.480 --> 00:05:54.800 So like cloud computing, virtualization, these things, they bring a 112 00:05:54.800 --> 00:05:57.120 lot of great opportunities I do, but they also bring 113 00:05:57.160 --> 00:05:59.079 new vulnerabilities. 114 00:05:58.480 --> 00:06:01.879 Right, because with new technology comes new ways to exploit 115 00:06:01.920 --> 00:06:05.519 it exactly. So we need to be proactive, not reactive, one. 116 00:06:05.439 --> 00:06:08.240 Hundred percent before you jump on the bandwagon of the 117 00:06:08.560 --> 00:06:11.720 latest tech trend. Yeah, you need to really thoroughly assess 118 00:06:12.240 --> 00:06:16.120 the security implications. And it's a continuous learning curve in 119 00:06:16.160 --> 00:06:16.639 this field. 120 00:06:16.720 --> 00:06:19.959 Okay, I'm already seeing that security management is way more 121 00:06:20.000 --> 00:06:23.000 than just an IT issue. This is a company wide 122 00:06:23.120 --> 00:06:26.279 it is endeavor. Okay. And speaking of company wide endeavors, 123 00:06:26.319 --> 00:06:28.040 let's talk about compliance. 124 00:06:28.240 --> 00:06:28.399 Right. 125 00:06:28.439 --> 00:06:32.439 Compliance the word that strikes fear into the hearts. 126 00:06:32.160 --> 00:06:34.079 Of many A lot of people don't like that word. 127 00:06:34.279 --> 00:06:36.319 But honestly, where do we even begin with that? 128 00:06:36.519 --> 00:06:39.879 Okay? Let let's kind of demystify compliance a little bit. 129 00:06:39.920 --> 00:06:40.199 Okay. 130 00:06:40.600 --> 00:06:44.079 You mentioned nissed SP eight hundred and fifty three, which 131 00:06:44.120 --> 00:06:47.319 is a fantastic framework. Okay, especially if you're operating in 132 00:06:47.360 --> 00:06:49.920 the US. Okay, but remember it's not the only game 133 00:06:49.959 --> 00:06:50.319 in town. 134 00:06:50.519 --> 00:06:52.920 So there are other options out there. Oh absolutely, Yeah, 135 00:06:52.959 --> 00:06:53.759 what are some examples? 136 00:06:54.040 --> 00:06:57.480 So, for instance, there's ISO twenty seven zero two point 137 00:06:57.480 --> 00:07:00.199 two zero one team okay, which offers more more of 138 00:07:00.240 --> 00:07:04.600 a global perspective, and it provides guidelines for implementing and 139 00:07:04.720 --> 00:07:07.680 maintaining information security management systems. 140 00:07:07.759 --> 00:07:12.639 Gotcha. Okay, So we've got these frameworks, but honestly, I'm 141 00:07:12.680 --> 00:07:14.959 looking at them. They feel pretty dense. 142 00:07:15.439 --> 00:07:18.720 Yeah, they can be a bit overwhelming. Yeah, and overwhelming 143 00:07:18.879 --> 00:07:19.319 for sure. 144 00:07:19.399 --> 00:07:21.240 So how do we actually use them in like a 145 00:07:21.319 --> 00:07:22.240 practical way. 146 00:07:22.680 --> 00:07:25.680 Think of them as blueprints, not like rigid rule books. 147 00:07:26.319 --> 00:07:30.519 You can leverage these external frameworks to actually create your 148 00:07:30.600 --> 00:07:37.439 own internal standard guidelines, procedures, ones that actually align with 149 00:07:37.519 --> 00:07:40.959 your organization's specific needs and risk profile. 150 00:07:41.120 --> 00:07:43.680 So it's kind of like taking inspiration from a recipe 151 00:07:43.720 --> 00:07:45.759 but adapting it exactly to your own taste. 152 00:07:45.800 --> 00:07:47.920 That's a great way to put it. Yeah, the key 153 00:07:48.439 --> 00:07:52.519 is to understand the underlying principles of these frameworks and 154 00:07:52.560 --> 00:07:55.720 then tailor them to fit your unique operational context. 155 00:07:56.319 --> 00:07:59.240 Okay, that makes sense. Nobody wants to surprise audit. 156 00:08:00.240 --> 00:08:01.399 He likes the surprise audit. 157 00:08:01.560 --> 00:08:04.439 No, how can we proactively prepare for those? 158 00:08:05.120 --> 00:08:08.680 Yeah, So audits can definitely be nerve wracking, but if 159 00:08:08.720 --> 00:08:11.800 you understand what auditors are looking for, it becomes way 160 00:08:11.879 --> 00:08:17.079 less daunting. Okay, So they're primarily looking for evidence that 161 00:08:17.160 --> 00:08:23.000 you're following establish best practices and meeting those compliance requirements. 162 00:08:23.480 --> 00:08:28.120 So having things like really clearly documented policies, conducting regular 163 00:08:28.160 --> 00:08:34.919 security assessments, implementing a solid vulnerability management program, those are 164 00:08:34.960 --> 00:08:36.519 all like key pieces of the puzzle. 165 00:08:36.639 --> 00:08:40.519 Yeah, and don't forget about like those annual contingency plan exercises. 166 00:08:40.519 --> 00:08:44.039 Those are always oh yeah, fun, those are crucial demonstrated 167 00:08:44.120 --> 00:08:44.360 to make. 168 00:08:44.320 --> 00:08:46.279 Sure that your plans are more than just words on 169 00:08:46.360 --> 00:08:49.720 paper exactly. Yeah, oh yeah, those exercises not exactly my 170 00:08:49.720 --> 00:08:52.039 favorite part of the job, but I get why they're important. 171 00:08:52.120 --> 00:08:56.159 They're not the most exciting thing in the world. But yeah, 172 00:08:56.360 --> 00:09:00.200 you know, the type of exercise you conduct should really 173 00:09:00.240 --> 00:09:03.120 align with the impact level of the systems that you're 174 00:09:03.120 --> 00:09:06.600 trying to protect, right, Okay, So for low impact systems, ye, 175 00:09:06.840 --> 00:09:10.320 like a tabletop exercise might be enough, but for high 176 00:09:10.399 --> 00:09:14.120 impact like mission critical systems, you need to be doing 177 00:09:14.519 --> 00:09:19.399 more comprehensive, like full scale deployment exercise. 178 00:09:19.840 --> 00:09:23.399 So it's all about aligning, like the intensity of your testing, yes, 179 00:09:23.440 --> 00:09:26.799 with the potential consequences of a failure exactly. 180 00:09:26.879 --> 00:09:30.679 Okay, And here's a pro tip, use those test results, Yeah, 181 00:09:30.720 --> 00:09:36.000 to continuously improve your preparedness. Every single exercise is a 182 00:09:36.120 --> 00:09:39.039 chance to learn and refine your processes. 183 00:09:39.120 --> 00:09:43.519 So it's a cycle of like plan, test, adjust, repeat, 184 00:09:44.519 --> 00:09:45.440 Never let those. 185 00:09:45.279 --> 00:09:46.919 Plans, never let them get stale. 186 00:09:46.960 --> 00:09:48.120 It's at stale. Yeah. 187 00:09:48.200 --> 00:09:51.919 Security is a very dynamic process. It requires constant vigilance 188 00:09:51.919 --> 00:09:55.080 and adit patient. And remember it's not just about your 189 00:09:55.120 --> 00:09:57.639 internal team. You also need to consider. 190 00:09:57.360 --> 00:10:01.360 It third party vendors, yes, and con your extended network 191 00:10:01.480 --> 00:10:04.600 all that they need to be part of the equation too. Yeah, right, 192 00:10:04.639 --> 00:10:07.840 because a weak link in your supply chain can undermine 193 00:10:07.879 --> 00:10:10.679 your whole security posture. For sure, Yeah, so you need 194 00:10:10.720 --> 00:10:14.440 to ensure that any third party you work with meets 195 00:10:14.480 --> 00:10:19.200 your security standards absolutely, and that's where those service level agreements, 196 00:10:19.200 --> 00:10:21.720 the slas, becomes so critical. 197 00:10:21.840 --> 00:10:24.799 They are critical. Yeah, the slas, they're your way of 198 00:10:24.840 --> 00:10:30.440 defining expectations and holding vendors accountable. So don't just blindly 199 00:10:30.559 --> 00:10:33.440 sign on the dotted line. Make sure that that contract 200 00:10:33.440 --> 00:10:37.240 clearly spells out the services that are being provided, the 201 00:10:37.279 --> 00:10:41.200 performance metrics, and importantly the penalties for non compliance. 202 00:10:41.360 --> 00:10:44.960 Right, so no surprises down the line exactly. But with contracts, 203 00:10:45.000 --> 00:10:47.440 I always feel like the devil's in the details. 204 00:10:47.519 --> 00:10:48.360 Oh, it always is. 205 00:10:48.919 --> 00:10:52.440 So what specific things should we be paying really close 206 00:10:52.480 --> 00:10:53.039 attention to? 207 00:10:55.679 --> 00:10:59.919 I would say, always pay close attention to the resolution 208 00:11:00.159 --> 00:11:03.879 processes that are outlined in the contract. Okay, so what 209 00:11:03.960 --> 00:11:07.159 happens if there's a dispute? What are those escalation procedures? 210 00:11:07.639 --> 00:11:11.240 You need a clear path to resolution in case things go. 211 00:11:11.240 --> 00:11:13.799 Wrong, and we need to make sure those service levels 212 00:11:14.360 --> 00:11:18.080 actually meet our needs, especially when dealing with mission critical systems. 213 00:11:18.159 --> 00:11:21.080 Yeah, I mean a delayed response from a vendor in 214 00:11:21.120 --> 00:11:24.200 a crisis that could have disastrous consequences. 215 00:11:24.360 --> 00:11:25.559 Yeah, it could be really bad. 216 00:11:25.679 --> 00:11:29.480 So it all comes back to due diligence, don't just 217 00:11:29.519 --> 00:11:33.799 take their word for it, like, really scrutinize those contracts. Yeah, 218 00:11:33.840 --> 00:11:36.720 and make sure they're actually aligning with your security requirements. 219 00:11:36.759 --> 00:11:38.440 Okay. I think we've covered a lot of ground on 220 00:11:38.480 --> 00:11:42.879 compliance we have. Is it time to finally tackle risk management? 221 00:11:43.240 --> 00:11:44.759 I think it is. Yeah, all right, let's do it. 222 00:11:44.799 --> 00:11:48.799 And we're talking risk management. It's really crucial to first 223 00:11:48.919 --> 00:11:52.000 understand your organization's risk appetite. 224 00:11:52.519 --> 00:11:56.200 Risk appetite, So like, how much risk are we comfortable with? 225 00:11:56.519 --> 00:12:00.000 Yeah, exactly how much risk are we okay with access 226 00:12:01.080 --> 00:12:02.879 in pursuit of our business objectives? 227 00:12:03.159 --> 00:12:05.720 Right, So it's like we don't want to be too reckless, 228 00:12:06.240 --> 00:12:09.679 but we also don't want to stifle innovation exactly. 229 00:12:09.679 --> 00:12:11.440 You don't want to be so cautious that you're not 230 00:12:11.440 --> 00:12:12.279 actually getting. 231 00:12:12.000 --> 00:12:13.759 Anything done, right exactly. 232 00:12:13.799 --> 00:12:16.600 So it's about striking that balance, that delicate balance. 233 00:12:16.759 --> 00:12:18.399 That's a tightrope block. That's tough. 234 00:12:18.720 --> 00:12:20.120 It is. It is a tightrope block. 235 00:12:20.399 --> 00:12:23.200 And that's where a formal risk management program comes in. 236 00:12:23.159 --> 00:12:26.120 Right, Yes, a well defined program. It provides you with 237 00:12:26.159 --> 00:12:33.279 a really structured approach to identifying, assessing, and prioritizing risks. 238 00:12:33.720 --> 00:12:35.960 Okay, so break it down. How do we actually do that? 239 00:12:36.480 --> 00:12:40.000 So it's a multi step process. The first thing you 240 00:12:40.039 --> 00:12:42.399 have to do is identify the assets that you're trying 241 00:12:42.399 --> 00:12:47.600 to protect. Okay, so think data, systems, intellectual property, even 242 00:12:47.639 --> 00:12:48.080 your people. 243 00:12:48.159 --> 00:12:50.639 Okay, so those are like the crown jewels, right exactly. 244 00:12:50.679 --> 00:12:53.399 You need to keep those the things you absolutely need 245 00:12:53.399 --> 00:12:57.120 to protect safe. Yes, Next, you need to identify the 246 00:12:57.159 --> 00:12:58.639 potential threats. 247 00:12:58.639 --> 00:13:01.759 To those assets natural disasters. 248 00:13:01.240 --> 00:13:05.559 Natural disasters, yes, cyber attacks. Cyber attacks big one these days, 249 00:13:05.679 --> 00:13:09.240 big time, human error, even like a disgruntled employee. 250 00:13:09.320 --> 00:13:11.039 Okay, so think broadly, think. 251 00:13:10.919 --> 00:13:12.679 Broadly, and consider all angles. 252 00:13:12.759 --> 00:13:13.080 Got it. 253 00:13:13.159 --> 00:13:16.639 Okay, So we've got our assets and our threats. Right now, 254 00:13:16.679 --> 00:13:20.840 you need to assess the vulnerabilities that could allow those 255 00:13:20.960 --> 00:13:23.639 threats to exploit your assets. 256 00:13:23.799 --> 00:13:27.759 So these are the weaknesses in our defenses exactly. Okay, 257 00:13:27.799 --> 00:13:28.720 give me some examples. 258 00:13:28.759 --> 00:13:34.200 So like weak passwords, unpatched software, lack of physical security. 259 00:13:34.519 --> 00:13:35.960 Those are the cracks in the fortress wall. 260 00:13:36.039 --> 00:13:37.559 Yeah, tho are the cracks that we need to seal up. 261 00:13:37.720 --> 00:13:38.440 We need to seal up. 262 00:13:38.480 --> 00:13:42.519 Yeah. So once you've identified those vulnerabilities, you need to 263 00:13:42.559 --> 00:13:46.279 kind of evaluate two things. The likelihood of each threat 264 00:13:46.559 --> 00:13:49.759 actually occurring, and then the potential impact if it does. 265 00:13:50.120 --> 00:13:53.519 So that's where we assign a risk rating. 266 00:13:53.759 --> 00:13:55.039 To each one, exactly. 267 00:13:55.159 --> 00:13:58.600 Yeah, but how do we do that in like a 268 00:13:58.679 --> 00:13:59.600 systematic way? 269 00:14:00.000 --> 00:14:02.600 The risk matrix comes in. It's a visual tool actually, 270 00:14:02.679 --> 00:14:06.679 like a grid, and it helps you assess both the 271 00:14:06.879 --> 00:14:10.679 likelihood and impact of each risk and then helps you 272 00:14:10.799 --> 00:14:13.039 categorize them based on their severity. 273 00:14:13.159 --> 00:14:16.320 So you can visually see like which risks are low 274 00:14:16.440 --> 00:14:21.039 level annoyances and which ones are like potential company killers exactly. 275 00:14:21.279 --> 00:14:25.559 Exactly. So by plotting your risks on the matrix, you 276 00:14:25.600 --> 00:14:29.600 get a really clear picture of which ones pose the 277 00:14:29.600 --> 00:14:32.559 biggest threat right and require immediate attention. 278 00:14:33.120 --> 00:14:35.399 Okay, So those are the ones that we prioritize when 279 00:14:35.399 --> 00:14:37.159 it comes to mitigation strategies. 280 00:14:37.240 --> 00:14:37.559 Exactly. 281 00:14:37.639 --> 00:14:40.440 Okay, So what does risk mitigation actually look like? 282 00:14:40.639 --> 00:14:44.600 So, risk mitigation is all about reducing the likelihood and 283 00:14:44.799 --> 00:14:47.399 or impact of those high priority risks. 284 00:14:47.480 --> 00:14:53.120 So we're talking about like implementing safeguards controls to protect 285 00:14:53.120 --> 00:14:59.519 those vulnerable assets exactly. So things like strong passwords, multi 286 00:14:59.519 --> 00:15:05.720 factor authentication, encryption, regular security awareness training for our employees. 287 00:15:06.200 --> 00:15:09.120 You nailed it, okay, So it's all about layering those 288 00:15:09.159 --> 00:15:12.960 defenses to create a really robust security posture. 289 00:15:13.080 --> 00:15:15.240 I like that. This is like building a medieval castle. 290 00:15:15.480 --> 00:15:16.759 That's a great way to think about it. 291 00:15:16.840 --> 00:15:20.759 Multiple layers of protection, I get that much harder to breach. 292 00:15:21.039 --> 00:15:22.159 Yeah, good analogy. 293 00:15:23.159 --> 00:15:26.519 But even the best built castle needs constant upkeep right 294 00:15:26.679 --> 00:15:29.320 it does. So, how do we make sure our risk 295 00:15:29.399 --> 00:15:35.440 management efforts, yes, stay relevant in this ever changing threat landscape. 296 00:15:35.639 --> 00:15:38.919 That's where the ongoing part of risk management comes in. Okay, 297 00:15:39.080 --> 00:15:41.799 so you need to regularly reassess your risks, you know, 298 00:15:41.879 --> 00:15:46.399 taking into account new technologies, yeah, emerging threats, right, and 299 00:15:46.559 --> 00:15:48.360 changes within your own organization. 300 00:15:48.639 --> 00:15:50.679 So it's not like set it and forget it. 301 00:15:50.840 --> 00:15:52.639 No, it's definitely not a set it and forget it. 302 00:15:52.960 --> 00:15:56.399 You need to be constantly evaluating in evolving your. 303 00:15:56.320 --> 00:15:59.480 Approach, right, because new threats emerge all the time, all 304 00:15:59.519 --> 00:16:02.840 the time, and old threats can resurface in new and 305 00:16:02.919 --> 00:16:03.720 creative ways. 306 00:16:03.879 --> 00:16:04.519 Oh for sure. 307 00:16:04.639 --> 00:16:07.200 So this brings us back to the importance of security 308 00:16:07.240 --> 00:16:09.639 awareness training absolutely for our employees. 309 00:16:09.879 --> 00:16:13.399 Yeah, because even with the best technology in place, human 310 00:16:13.600 --> 00:16:15.879 error can still be a major vulnerability. 311 00:16:16.279 --> 00:16:20.159 Yeah. I mean people click on phishing links, they do, 312 00:16:20.320 --> 00:16:26.720 they fall for social engineering scams, they inadvertently expose sensitive data. 313 00:16:27.080 --> 00:16:28.399 It happens all the time. 314 00:16:28.279 --> 00:16:30.559 And those mistakes can have huge. 315 00:16:30.240 --> 00:16:37.320 Consequences, huge consequences. That's why regular engaging relevant security awareness 316 00:16:37.320 --> 00:16:39.240 training is so crucial. 317 00:16:39.360 --> 00:16:43.679 It's about making security everyone's responsibility. Yes, not just the 318 00:16:43.720 --> 00:16:46.960 IT department's burden exactly. But how do we make sure 319 00:16:47.000 --> 00:16:48.399 the training actually sticks. 320 00:16:48.519 --> 00:16:50.919 That's a great question and one that will dive into 321 00:16:50.960 --> 00:16:53.320 more in part three. Okay, but for now, let's maybe 322 00:16:53.320 --> 00:16:53.919 take a pause. 323 00:16:54.039 --> 00:16:55.480 Yeah, this is a good place to stop. 324 00:16:55.559 --> 00:16:57.799 Give our listener a chance to absorb all this information. 325 00:16:57.879 --> 00:17:00.919 Yeah, this is dense stuff, it is, but it's fascinating 326 00:17:01.000 --> 00:17:04.559 how all these pieces fit together to create a holistic 327 00:17:04.640 --> 00:17:05.799 security strategy. 328 00:17:06.400 --> 00:17:07.039 It really is. 329 00:17:07.160 --> 00:17:09.000 I'm starting to feel like I could actually pass a 330 00:17:09.039 --> 00:17:09.920 security audit. 331 00:17:10.000 --> 00:17:13.000 Now, don't get ahead of yourself. There's still more to learn. Okay, 332 00:17:13.000 --> 00:17:14.599 but you're definitely on the right track. 333 00:17:14.720 --> 00:17:17.359 Okay, So to our listener, if you're feeling a bit overwhelmed, 334 00:17:17.680 --> 00:17:18.519 take a deep breath. 335 00:17:18.640 --> 00:17:19.240 Yeah. 336 00:17:19.480 --> 00:17:21.400 We'll be back soon with the final part of our 337 00:17:21.400 --> 00:17:25.359 deep dive, where we'll tackle contingency planning and incident response. 338 00:17:25.519 --> 00:17:28.920 That's right, Yeah, those what if scenarios. Yeah, nobody wants 339 00:17:29.000 --> 00:17:29.799 to think about them. 340 00:17:29.920 --> 00:17:31.559 No, but you have to be prepared. 341 00:17:31.680 --> 00:17:34.440 But you have to be prepared exactly exactly. 342 00:17:35.000 --> 00:17:38.839 Okay, So we're back back for more part two of 343 00:17:38.839 --> 00:17:43.759 our deep dive into security management. We left off talking 344 00:17:43.759 --> 00:17:48.000 about compliance, right, and honestly, I'm still a little fuzzy 345 00:17:48.039 --> 00:17:50.680 on what that actually means like in practice. 346 00:17:51.039 --> 00:17:53.640 Okay, Yeah, so let's try to break it down a 347 00:17:53.680 --> 00:17:57.279 little bit. Okay. So you know, we were talking about 348 00:17:57.319 --> 00:18:01.599 those frameworks like NISSED SP eight hundred fifty three, which is, 349 00:18:01.839 --> 00:18:04.240 like I said, a great framework, particularly if you're operating 350 00:18:04.279 --> 00:18:06.640 in the US, but it's not the only one out there. 351 00:18:07.599 --> 00:18:09.559 Okay, so what are some other options? 352 00:18:10.440 --> 00:18:13.000 So there's you know, like ISO twoty seven thousand and 353 00:18:13.119 --> 00:18:16.920 two point two zero one team, which offers more of 354 00:18:16.920 --> 00:18:22.119 a global perspective, okay, and it basically provides guidelines for 355 00:18:22.200 --> 00:18:26.279 implementing and maintaining information security management systems. 356 00:18:26.359 --> 00:18:29.079 Gotcha. Okay, So we've got these frameworks. Yeah, they can 357 00:18:29.119 --> 00:18:32.279 feel really dense and overwhelming. They can, So how do 358 00:18:32.319 --> 00:18:34.839 we actually use them in a practical way? 359 00:18:35.279 --> 00:18:36.920 Right? So, I think the best way to think about 360 00:18:36.920 --> 00:18:40.279 it is like they're blueprints okay, not rigid rule. 361 00:18:40.119 --> 00:18:43.319 Books, right, So it's not just about checking boxes exactly. 362 00:18:43.480 --> 00:18:47.440 Yeah. So you can leverage these like external frameworks to 363 00:18:47.519 --> 00:18:51.960 create your own internal standards, guidelines, and procedures. Okay, and 364 00:18:52.000 --> 00:18:55.119 you want these to really align with your organization's needs 365 00:18:55.160 --> 00:18:56.279 and its risk profile. 366 00:18:56.359 --> 00:18:59.519 Okay. So it's like taking inspiration from a recipe, yes, 367 00:18:59.799 --> 00:19:02.160 adapting it to your own taste exactly. 368 00:19:02.240 --> 00:19:04.480 That's a great analogy. The key is to understand the 369 00:19:04.519 --> 00:19:09.079 underlying principles and then tailor them to fit your unique 370 00:19:09.079 --> 00:19:10.319 operational context. 371 00:19:10.599 --> 00:19:14.720 That makes sense. Okay, So nobody wants to surprise. 372 00:19:14.400 --> 00:19:15.960 Audit, No, nobody does. 373 00:19:16.119 --> 00:19:19.839 How can we proactively prepare for those and avoid any 374 00:19:20.079 --> 00:19:20.960 major headaches? 375 00:19:21.119 --> 00:19:24.039 Audits can definitely be nerve wracking, yeah for sure, but 376 00:19:25.519 --> 00:19:28.640 if you understand what the auditors are actually looking for, 377 00:19:29.559 --> 00:19:34.079 it becomes much less daunting. So they're primarily looking for 378 00:19:34.119 --> 00:19:38.279 evidence that you are following establish best practices and meeting 379 00:19:38.319 --> 00:19:42.279 those compliance requirements. So things like you know, having really 380 00:19:42.440 --> 00:19:48.599 clearly documented policies, conducting regular security assessments, implementing a solid 381 00:19:48.720 --> 00:19:51.480 vulnerability management program. Yeah, those are all key. 382 00:19:51.599 --> 00:19:54.799 And don't forget about those annual contingency plan exercises. 383 00:19:54.839 --> 00:19:57.720 Oh yeah, those are crucial too. They're really important for 384 00:19:57.759 --> 00:20:00.359 demonstrating that your plans are more than just work it's. 385 00:20:00.200 --> 00:20:03.640 On paper, right, Yeah, those exercises not exactly my favorite 386 00:20:03.640 --> 00:20:04.279 part of the job. 387 00:20:04.599 --> 00:20:06.759 Not always the most exciting though, but I get why 388 00:20:06.759 --> 00:20:09.480 they're important. Yeah. And you know, the type of exercise 389 00:20:09.519 --> 00:20:13.799 you conduct should really align with the impact level of 390 00:20:13.839 --> 00:20:16.200 the systems that you're protecting, right right, So for low 391 00:20:16.240 --> 00:20:20.400 impact systems, a tabletop exercise might be enough, but for 392 00:20:20.519 --> 00:20:23.720 high impact, like mission critical systems, you really need to 393 00:20:23.759 --> 00:20:28.200 be doing those more comprehensive, full scale deployment exercises. 394 00:20:28.200 --> 00:20:31.799 Okay. So it's about aligning, like the intensity of your testing, yes, 395 00:20:31.880 --> 00:20:35.240 with the potential consequences of a failure exactly exactly. 396 00:20:35.599 --> 00:20:39.079 And here's a pro tip, use those test results, yeah, 397 00:20:39.119 --> 00:20:44.240 to continuously improve your preparedness. Okay, So every exercise is 398 00:20:44.279 --> 00:20:47.400 an opportunity to learn and refine your processes. 399 00:20:47.480 --> 00:20:52.599 So it's that cycle, plan, test A, just repeat. Never 400 00:20:52.680 --> 00:20:53.640 let those plans. 401 00:20:53.319 --> 00:20:54.720