Read on Twitter
This is why I circled back to risk triage and scaling vs quantification. First we have to cull free-form fields. Normalise comparing apples to apples AND apples to kangaroos. Defend when we defer vs deep dive
Annual Loss Expectancy is great, but you have 600 assessments to do /1 https://twitter.com/swiftonsecurity/status/1319049166547550211
Annual Loss Expectancy is great, but you have 600 assessments to do /1 https://twitter.com/swiftonsecurity/status/1319049166547550211
Tail data to predict breaches, even as well as folk do for financial risk (debatable gold standard), ain’t gonna be available any time soon.
We pretend training will make 6 people consistently estimate impact and probability, or we spread our specialists inhumanly thin. /2
We pretend training will make 6 people consistently estimate impact and probability, or we spread our specialists inhumanly thin. /2
The majority of folk still lean on a 5 x 5 grid, with not much below the surface. Those at the other end can whip up great stuff, with more or less linked metrics and a reproducible relationship to costed output, but usually only after hours with a specialist in the room /3
So where did I settle my focus? I settled on inherent risk. Things about a supplier, change project, system, application, service, or site that typically expose us to more risk. Plus characteristics of data processed, or nature and location of processing, that do the same. /4
But how do we decide on those things? We use available data and experience. It’s about uptime, valued IP, personal data, card details, risky countries and a few other quickly knowable things. It’s tiered ratings and weighting based on pre-assessed exposure and threats /5
But isn’t that simplistic and a waste of time? Simple? Hopefully. Wasteful? Nope.
Tell me how you describe the fallout in the immediate aftermath of stuff going pop or bang, then ask that question again. /6
Tell me how you describe the fallout in the immediate aftermath of stuff going pop or bang, then ask that question again. /6
We talk about data at risk, people potentially impacted, time to recover, and local legal exposure.
We need to walk before we run. Create a common taxonomy for risk type and a common understanding of things that typically expose us to more risk. /7
We need to walk before we run. Create a common taxonomy for risk type and a common understanding of things that typically expose us to more risk. /7
We need to create communities who know how to ask and answer straightforward questions at earliest stages of having a bright idea. If you ask questions that have to wait for a detailed design and need a specialist in the room, the big red button crew will get you /8
It’s means to prioritise. Hooks, over time, for more sophisticated risk metrics. Because folk now get what’s risky and you delegated enough basic stuff to breathe
Or, by all means, pull another all-nighter. Reports for audit about an assessment backlog, or exploited system /9
Or, by all means, pull another all-nighter. Reports for audit about an assessment backlog, or exploited system /9
You don’t have to do all 600 assessments? Really? Why not? Some are less risky? How do you know? I should take your word for it? No? I should wait a few weeks, until you’ve dug into details? But aren’t 15 getting contracts signed, or going live next week? /10
If only you had delegated some up front work. A request to spend 15 minutes answering simple questions with standardised responses. Procurement, change, legal, architects, sys admins. Right now everyone has a different to do list. A different take on riskiest things /11
600 odd things x 1-2hrs tracking folk down, chatting, emailing, chasing, normalising data, and forming an inherent risk opinion.
And it’s the 5th time this month someone like you has asked for an hour of their 110% allocated time /12
And it’s the 5th time this month someone like you has asked for an hour of their 110% allocated time /12
It’s never just about the perfect risk assessment, it’s about optimising the chance you will have even close to enough time to get a defensible job done, while doing what triggered this thread: /13
Respecting the fact this stuff always, after scraping away one or more layers, boils down to a matter of opinion. Your priority is to ask the right questions, at the right time, using least specialist hours, to get the best available standardised risk opinion to prioritise /14
It is finding a way, that doesn’t kill you or anyone else, to visualise the whole risk, then doing the best number possible on priorities you have agreed and enough bodies to tackle. Collecting data to prove you need x more people if you have x more deep dives to do /15
TL;DR Specialist deep-dives on risk don’t scale. Delegating requires huge simplification. Be up front about how much best practice you can support, while building a business case for increasing capacity and capability. Simple, standardised, repeatable, delegated, triage FTW /fin
