What happened during this week’s webinar?
Check out the video if you missed the live session.
The recording doesn’t show the actual poll questions, but you’ll get the idea.
The Cyber Security Risk Management Self Assessment is available in our store
okay it is nine o’clock officially we have commenced.
Welcome to this webinar on cybersecurity risk management and welcome from Brisbane.
It is nine o’clock in Brisbane and it will be afternoon and evening wherever you are in the world like I said in the invitation, no longer than an hour we go through some slides there’s a checkbox that we’re going to use this Q&A that we’re going to go through and that’s basically the housekeeping because we’ve already established that you can you can hear me, you can see me you can see the slides, were good to go.
So today’s program is a cyber security past present and future, but we are going to talk about risk management and mainly the value of self assessments.
And when you signed up for this webinar we asked the question in the invitation and some of you have actually asked me a couple of questions.
Some questions were on the history of cyber security, some questions were on the practical application of cyber security risk management so as you can see I have incorporated some of that in the slides and some of that I will leave for Q&A.
I have a bonus so at the end of today’s presentation I’m going to ask you a question and the person who is able to answer that question FIRST is going to win $100 US voucher that you can spend in the Art-of-service store, just not for exams but anything else $100 for you so pay attention I’m going to ask you a question about today’s presentation and it will be the very last slide that we are going to share.
It will be a bit of a practical thing so get ready and there will be some polls I need you to be engaged, okay?
And for those of you who know me, I am a very big proponent of lifelong learning so I’m going to take you on a journey and the journey for most of us is that we go from unconsciously incompetent to consciously incompetent where you go like oh there’s so much I don’t know…
Then you go through your whole training, education and learning process then you become consciously competent, so you’ve learned new skills, you’ve learned new things, you’ve learned new theory new knowledge and then it becomes second nature so then you become unconsciously competent.
So I don’t know where you are on the spectrum but I am assuming that this journey will be somewhere in between unconsciously incompetent to consciously confident so let’s go on this journey.
Cybersecurity is something that a lot of people talk about these days and what we’ve done at the art of service we’ve developed some proprietary software to read all the questions that are in our self assessments.
So all the standard criteria around cybersecurity and that software just reads all the words, takes all the information out of the questions and it basically cuts through all the consultancy fluff.
You know, all those consultancy BS words?
It just cuts through it and these are the words that come out of that assessment, out of that analysis so what is really important around cybersecurity and irrespective of the type of technology you use or irrespective of the type of cybersecurity we’re talking about.
If the words that are important are from the left hand side you have new and smart and why so the why question is really important .
Why do we do things, why do we approach cybersecurity in this way.
Why should we do it now?
Those types of questions and in that same area you see a lot of words around grid and water and utility and the impact, so that was one of those understandings for me that even though we tend to think of cybersecurity from an IT and a data point of view, ’cause data is definitely in there as well grid utility and water like physical attacks or cyber attacks on physical plants is actually really important and that’s, that’s what’s happening all over the world at the moment.
So those are important words.
And then words like systems and standards and information so we need to have systems and standards and we need to manage information around cybersecurity, we need to manage the information we dissipate to people around cybersecurity.
And then on the right-hand side should…
and of course that’s a word that’s from quality management.
So of course standards criteria and assessment criteria will have the words should in there.
So not necessarily WOULD or COULD but SHOULD you should do this you have to do this you have to do this to prepare for cybersecurity you have to prepare you should approach it from this point of view.
So for me this was a really clear overview of what’s really important in the world of cybersecurity irrespective of technology.
So that’s my gift to you so that came out of our software.
So then the history and this was a bit of an interesting one..
Yeah I always do a trend analysis and I always go to Google Trends if I want to see what’s going on with a particular subject and even though cybersecurity has been slowly rising over the years or the interest in cybersecurity there was this one big peak in October 2009 and I actually looked it up.
Well what happened in cybersecurity world in October 2009 and that was actually the month where President Obama announced that it was cybersecurity Awareness Month so hence the big peak in the interest in cybersecurity.
It dropped off quite quickly after that but it’s still growing.
And in our journey of cybersecurity most of us tend to think about cybersecurity in the context of internet security so you talk about you know dark web and you talk about internet attacks and denial of service attacks yep it’s all it’s all around internet security but it’s a lot broader so we’re talking about cyber warfare you know that’s where the utilities come in as well you talk about computer security mobile security network security so there’s a lot more to it than meets the eye and it’s a lot wider subject and it’s a lot wider than what a lot of people think about so as specialists in this area or as IT professionals it’s up to us to educate people that cyber security is not just internet security there’s a lot more to it and that awareness is really important in the in the general population and then of course because we talk about security and security management we have to talk about threats and vulnerabilities and those of us that have gone through an ITIL Service Management style history or background we know that in availability management and information security management we used to talk about threats and vulnerabilities a lot so it’s all about external threats, internal threats so what’s what’s the stuff that can happen what are the threats that can happen to us but also how likely is it going to happen and the more prepared you are for certain threats the less likely that that threat will have a major impact and there’s why put this picture of the two glacier mountaineering people in this slide like you know a lot of things can happen in in this scenario so these people there are a lot of threats and they would have prepared for this for this walk, for this hike they would have prepared for that they would have identified the threats they would have identified their own vulnerabilities and prepared for that so for us within the IT industry and for us in relation to cyber security it’s really important that we identify the threats that we name them that we write them down that we that we work through them and you know what you don’t measure you can’t manage so at least have knowledge of what’s going on and then the type of threats of course is the attacks as technical failures and defects but more importantly even is things like human error and organizational weakness and force majeure and one of the things that always pops to mind for me in relation to human error is you know that the bomb alarm or the nuclear alarm that went off in Hawaii a couple of months ago?
Was that a technical failure or was that human error it’s still a bit up in the air we don’t really know so it’s it’s very very important that we take that into consideration as well and that’s why we’re not just thinking about threats and vulnerabilities from a technology point of view from an Internet point of view or a computer point of view but it’s beyond the technical failures what are we using the systems for what are we using the technology for and how can human error organizational weakness and force majeure have an impact on our business .
So I think for me from a cyber security point of view don’t just focus on the technology look at it from a bigger context and look at it from a bigger perspective.
And then of course you will always look at it against standards and compliance and these are the top three that most organizations we work with actually mentioned to us so there’s the NIST cybersecurity framework which is from the US and that framework..
We’re actually quite proud ’cause that’s a governance government organizational framework and our cybersecurity self-assessment guide has been assessed by NIST and they put it on their website as one of the resource as one of the you know they’re recommended or resources that they know of and that they have assessed as being you know worthy of being on my website there’s also ISO/IEC 27001 that was originally created in 2005 and then in 2013 there was an update to that standard so if you’re using ISO/IEC 27001 in your organization just make sure you’re using the 2013 version of that standard.
And then for Australian people there’s a couple of local standards and guidelines for example the Australian government cybersecurity Center and their ASIC cyber resilience health check so those are the two that jump out to us as standards and guidelines that are really good to use within your organization just to map it against so that you know what you’re doing within compliance and standards point of view but of course there’s many more and there will be many more coming in the future.
MIT Technology Review they wrote about the cyber security threats to really worry about in 2018 and one of the things that stood out to me was that they said that one big target for ransomware attacks in 2018 will be cloud computing businesses and I’ve thought about that.
I thought why a cloud computing businesses why not go for financial institutions or why not go for health institutions because when you think about cyber security attacks or cyber attacks it is often health-related data or financial related data are that is being leaked so why not use those type of organizations as your -you know- prime targets for ransomeware attacks but it’s it makes sense because where do all the organizations store their data?
I mean where do we store our data?
So then the big question I mean that’s a really high-level overview of cyber cyber security in relation to compliancy and and standards and big question is are you ready are you ready for service or your cybersecurity compliancy are you ready is your organization ready are you doing conscious stuff around cybersecurity or is it just something that goes into all the other processes so one of the things that a lot of organizations do is they perform a self-assessment and that is something that it’s recommended at the start of every project or maybe at the start of every year do an assessment put a line in the sand know where you are because again if you don’t measure you can’t manage so measure where you are measure what you do so that if you create an improvement project or you know you’re going to attack have a strategy of improvement then at least you know where you’re going and where you came from so you have you have that improvement Delta.
Of course I’m going to show you our self-assessment guide because I don’t have access to any other organization self-assessment guides but the idea behind self-assessment is the same irrespective of the product that you use I just wanted to give you an idea of the value of doing a self-assessment which self-assessment it is doesn’t really matter as long as you perform a self-assessment that provides the value to your company so this self-assessment goes through seven phases so goes from recognized to define measure analyze improve control and sustain so every participant and usually we work with companies where it’s up to ten participants so every participant answers the question to say: in my belief the answer to this question is clearly defined so it’s a personal approach it’s a personal assessment in my belief I can answer this question I believe that this question can be easily answered it’s clearly defined I know that we know what we’re doing so let’s have a look at the recommend [messy] I created a number of poll questions so we get a bit of an idea of where you would be.
See if you were my organisation then where would be we be in cybersecurity so from a recognised point of view be aware of the need for change recognize that there is an unfavorable variation problem or symptom so the sample question would be: think about the people you identified for your cybersecurity risk management project and the project responsibilities you would assign to them what kind of training do you think they would need to perform these responsibilities effectively.
So again your answer the question with: in my belief the answer is clearly defined so you should see a poll popping up on your on your screen now so in your belief can you clearly answer this question in your organisation just click I strongly disagree like I have no idea there’s no clarity on the type of training that people need to do or you disagree you know you’re not sure or you’re neutral or do you agree that it’s clearly defined where what kind of training people to do are you strongly agree like I know of a training they need to do and I’ve seen the training manuals and it’s all part of our HR processes we’re all over it.
So we have 40% of people have voted so far so I’m still waiting for the a hundred percent of people I told you it was going to be interactive 80 percent we’re nearly there I think there’s a couple of people sitting on the fence.
okay so this is really interesting so 36 percent of people say disagree and 36 percent of people say agree it’s in your belief the answer to this question is clearly defined strongly disagree 9 percent of people neutral 27 percent but see the difference between the answers?
so then we go to the next the next phase so we’ve moved on from we recognize that there’s a need for change now we’re going to formulate the business problem so we need to define the problem the needs and the objective so how how can the value of cybersecurity be defined?
so let’s see what comes out of this one so how can the value of cyber security risk management be defined can you clearly answer this question so in your belief the answer to this question is clearly defined we’re only 37% now 50 percent…
last time we had 80% of people so see how we go this time so this is about the value of cybersecurity so in your organization do we talk about the value of cybersecurity?
Is it defined in relation to the strategy of the organization is it defined in relation to our short medium and long term goals so for 33% of plus 8% rally, so for 41% people disagree with this statement like within your organization you cannot answer this question with in my belief it’s clearly defined so that’s a that’s a starting point to talk about the value of cybersecurity risk management to discuss it with your executive teams to discuss it with your team managers to include this into your strategic plans to include this into your annual goals and objectives to at least have this this value available so then the next phase is: Measure so we’ve gone from we recognize, we defined now we start to gather the data so we’re measuring current performance and the evolution of the situation so we’re gathering data were measuring the current performance so let me just find the question the question is our threats vulnerabilities likelihoods and impacts used to determine the risk and this is the specific risk for cyber security so are threats vulnerabilities likelihoods and impacts used to determine risk cyber security risk or do we just put finger up in the air and you know we’ll see we see what happens you know which is a strategy not sure it’s a good strategy but …
excellent so this one was a bit easier to answer for most people 79% say I agree we use threats vulnerabilities likelihoods and impacts to determine the risk and then 7% said I strongly agree in my belief this is clearly defined I know exactly how we determine cyber security risks.
so our next phase in the self-assessment would be analyse so we’ve collected all the data we started measuring the data and now you analyze it and that is part of your DKIW process you know you go from raw data to knowledge to information to wisdom so we have the raw data we’ve collected it we measured it now we turn that into information so it’s analyzing causes assumptions and hypotheses.
so the question is do governance and risk management processes address cybersecurity risks so think about your governance and risk management processes in your organization do you specifically address cybersecurity risks?
is there a clause within your policies and procedures and processes or is it just a blanket statement that we talk about security risks and not necessarily specifically about cybersecurity risks so we’re getting really specific now because we’re analyzing the data that we’ve been measuring I think everybody has put in their votes and the results are that 43% of people agree yes we use cybersecurity risks as part of our governance and risk management processes isn’t it interesting though that when we talked about the recognized and defined part of the self-assessment it was a lot more fluffy so from a strategy and an organizational context we weren’t too clear on how to answer this question but now we get into the operational side of data collection measurement and analysis we know a lot better how to answer this question and in a lot more organizations this is where cybersecurity actually comes to the surface although we still have 36% of answers to say disagree or strongly disagree so those are organizations where governance and risk management processes do not specifically address cybersecurity risks so our next phase would be improve so we’ve gone from measurement analyzing now we know where the improvement parts of the organization are in relation to cybersecurity so every question we answer in relation to cybersecurity so a self-assessment question would be what do we see as the greatest challenges in improving cybersecurity practices across critical infrastructure so what is the greatest challenge and it’s not really asking what it is but can you clearly answer this question do you know what the greatest challenges are have had cybersecurity risk management briefings on specific vulnerabilities in your infrastructure have you been talking to your third-party vendors about specific challenges in improving cybersecurity practices so this goes you know it’s all about improvement of the processes.
okay we’re at 70% now all the other questions were around that 80% of people placing their votes so we’re still waiting for one or two people…
okay let’s do this 85% agree they can answer clearly exactly what we see in would you see in your organization as the greatest challenge in improving cybersecurity practices.
okay and then we go to control the next phase so now that we know what we can control we create practical solutions and all those solutions are built to maintain the performance and the correct possible complications so it’s all about maintaining control while you implement your improvement processes so the question you could ask at this point in time is a vulnerability management plan is developed and implemented do we know if we have a vulnerability management plan can you answer that question do you know where it is do you know if it’s developed or do you know that it is implemented or if you don’t even know what a vulnerability management plan is then say I strongly disagree so this is where we go into controlling the improvement, controlling the processes around cybersecurity.
still waiting for two people to put their votes in just pick one and if you don’t know which one to pick pick neutral okay so a vulnerability management plan is developed and implemented the most answered response is disagree I cannot answer this question clearly in my belief it is not clearly defined I don’t know where our vulnerability management plan is and I don’t know if it’s implemented so this is where you get into a more mature organization that has a plan, knows how to improve knows how to implement and then the final phase is sustained so how do we sustain the benefits of our improvements how do we sustain the benefits of specifically focusing on cybersecurity so the type of question that you could ask is is the cyber security policy reviewed or audited so question one is do we have a cyber security policy and if we do or when we do is that policy reviewed or audited.
so this is really about sustaining the benefits of your cyber security risk management processes so it’s not just a fluke it’s not a one-off it’s part of your standard operating procedures it’s it’s part of doing business I think this is a harder question to answer for most people so in your belief the answer to this question is clearly defined yes or no.
Okay it’s interesting that nobody picked neutral in this one it’s either yep I disagree or strongly disagree or yes I agree or strongly agree so did you notice a trend?
Because I did when we went through all these phases of the self-assessment process so the original phases of recognizing define was a lot of disagree not so much agree so it wasn’t as clear the middle section which is more the operational part of it was a lot more clear for most people that the answers were a lot more towards agree and strongly agree now that we’re at the end again of improvement controlling and sustaining the improvement and sustaining and embedding the processes in the organization it moves back in to strongly disagree or disagree that means to me that it’s a lot more difficult to implement these parts of the process and it’s also part of the maturity of of your organization.
so that just gives you an idea of the type of questions that you would answer during a self-assessment.
this is an example of the results of a real organisation…
not that we’re not real people but an organization that went through this and obviously I’ve deleted the names of the participants so all these participants walked through all these questions and even though there are 861 questions in total in the cybersecurity risk management self-assessment you don’t have to answer all of them so if you go and that happens in our example as well you know not everybody answered every question if you have no clue how to answer this question or you say then it’s just not applicable to our company it’s not applicable to our organization then don’t answer the question but it gives you a good overview of where you’re standing in your cybersecurity journey and in this organization as you can see and that happened here as well in the (actually no it was the reverse of what happened in our scenario) in the recognized part there was a lot of strongly agree whereas if you go in to sustain it moved in to strongly disagree so this organization was very heavily geared towards strategy and long-term planning and not so much in the improving control and sustained part of part of the process so these were at the beginning this organization was at the beginning of their journey of implementing cybersecurity risk management processes.
What rolls out of this assessment or one of the outcomes of this assessment is that you have this RACI matrix, a RACI diagram so for each of the seven phases you will have the top three questions with the biggest impact so for this organization it was in recognized do we use IT personnel directly use outsourcing or use both approaches to address IT issues in relation to cybersecurity risk management so that was one of the lowest scoring questions so that will also be one of the I really don’t like the term low-hanging fruit but it’s the most obvious starting point for an improvement process so that’s the result of you going through the entire self-assessment.
I just wanted to give you an idea of what it would be like to go through a self-assessment for cybersecurity risk management and obviously I hope you’ve seen that these results coming from the the assessment will give you a good overview of where your company is sitting where you know that there is room for improvement where there is engagement in the organization for improvement because that’s an important one as well because if no if everybody says like you know I’m neutral I don’t care then it’s really difficult to get a cybersecurity risk management improvement program happening in your organization because you don’t have that support you don’t have that engagement from from the teams so this so it’s not not just I mean I don’t have all the graphs in this slide deck this is the area responses across the entire process you also have all the responses of each individual participant so you know exactly where people are sitting so if you’re looking for for instance and vulnerability and risk management report then you pick the people that say I am definitely…
I’m clear, I totally agree I know where the plan is so you ask them because there’s a lot of people that have no clue where it is so it’s just easier to assign resources to your improvement program or project because you know who answered the question with in it’s my belief that I can clearly answer this question and you use them as your informants as your information providing people or maybe as team members in the project so what are we going to do next?
We have some Q&A and as I said earlier some people send in questions prior to today so that was really easy for me so thank you so much because they gave me an opportunity to prepare you also have your Q&A button on the top or maybe it’s on the bottom for you so if you do have a question pop that in the Q&A box and then after that there’s one more thing I wanted to share with you and then we have the winner for the hundred dollar voucher so the questions and I do have a prepared on paper the first question that came in was what produces the best value what produces the best value and I love that question because you don’t want to do a self-assessment just for the sake of doing a self-assessment it has to have value for your organization and I’m hoping that now that we’ve gone through the process of the self-assessment you you see the value you see the benefits of going through this this process and to me the easiest way to show the value is through that RACI diagram and that overview of the top three the top three questions in each of the phases that have the biggest impact on your organization.
Cyril says best value find the supporter yeah absolutely that’s the other benefit of doing the assessment as I said the results come in per process but also per person so if you have a person that scores really positively on on the questions you can use that person as a champion or a cheering squad for your for your assessment and for your subsequent projects that flow out of your assessment so yeah great great addition okay how often are risk assessments performed ?
(oh oh no you’re not supposed to see that yet) how often are risk assessments performed just like with any type of risk assessment or quality assessments at least once a year or when a major change is happening so if you have a major infrastructure upgrade or you’ve changed to an outsourcing provider or you’ve moved to a cloud computing provider that’s that’s the point in time where I would actually do another assessment because things may have changed and it’s important to be on the same page again and so yeah so that’s that’s what I would do.
the other question that came in is how can third parties improve risk assessments?
I actually had to think about that for a while because I wasn’t sure which kind of third parties you are you were talking about so a third party could be suppliers, vendors, your cloud computing provider a third party to me can also be your standards or compliancy organizations or an external auditor so to me to improve the risk assessment or the cybersecurity risk assessment as part of all this it can be beneficial to have external people involved have an external auditor or the internal auditor because they have a different point of view.
They just look at it from a different angle so when you put your team together and like I said in this scenario you can have a maximum of 10 people doing the self-assessment it would be beneficial to have people from different sections of the company attending or participating in the assessment and if you can have a vendor or a third party supplier in there even better it’s all about transparency and it’s all about everybody understanding where we’re sitting in the process so I love that question so thank you for putting that in.
Question from the group here How big should the company be for this kind of assessments?
I don’t think there’s a size requirement for getting value out of it you would assume that if it’s a smaller company we’d say like 10 to 20 people most people would be on the same page having said that that’s an assumption and I’ve been working with a lot of smaller companies where everybody thought they were on the same page and they were not so it’s doing an assessment like this really brings out the differences in how people view certain parts of the process or how people view cybersecurity and like that one of the first slides was you know it’s not just computer security it’s not just internet security you know that there’s a lot more to it so doing an assessment like this you could use it as a communication starter or a conversation starter in a smaller smaller organization in a large organization I would use people from different disciplines or different teams so I hope that answered your question.
Let’s see if there’s any more questions here how are risk assessment and audit results communicated to executives that was the other question that came in prior prior to today so how are risk assessments and audit results communicated to executives to me if you don’t have the buy-in from executives it’s really difficult to do a process like this so you need to have that executive buy-in that’s why we started in recognized and define so recognize the need for change define what that means in the context of your organization that’s where you involve your executives at the end of the process after you’ve done an assessment like this you would brief your executive teams or your management teams you would do a presentation you would prepare a brief and yeah exactly feeding it into executive meetings and continual review processes David exactly that’s that’s the point I was trying to make so yeah collate all your data, collate information and present it in the context of the business.
present it in the context of the strategy of the organization so I hope that answer that question.
another question came in here do you think we could group smaller clients in one assessment or should we always do this per client?
my recommendation is to do it per client, purely because of the sensitivity and the confidentiality of data we had a lot of discussion with this with with customers about putting this in an online platform or discussing it with other organizations or or collate information from different companies together and we’ve got a lot of pushback on that especially when you talk about cybersecurity risk management that is in a lot of organizations promotional and confidence highly you know highly commercial type of situations so if you can do it anonymously and you want to collect information from different clients to give people sort of like a benchmark be very very careful that it is a private discussion that it is a hundred percent anonymous and that you’re not sharing information from one client with another client because I think that could do a lot more damage then and that is good for us so any more questions?
looking at it…
nope okay if you have any more questions after today feel free to email me all my data is on the last slide anyway so and you guys know how to how to reach out to me so feel free to contact me feel free to talk to me I’d love to get some follow-up from you guys so what I wanted to do to you and that’s the one more thing thing I’ve created a bonus package for you if you want to try out the cybersecurity risk assessment for yourself in your organization or for your clients if you are a consultant I’ve actually bundled it together with information security management and business continuity management so you get three of these self-assessment guides for the price of one so I thought that was a really really cool bonus for you guys 247 dollars for the set that’s a really long URL so I am going to copy that into an email which you will get after after today’s webinar.
I don’t expect you guys to copy that by hand because that’s not that’s not happening but yeah that was my that was my bonus because I really wanted to to make sure that if you want to do an assessment that you have know some data to go across the board with your business continuity and information security management as well as cybersecurity risk management so hope you enjoy that and then the very last one the last slide is when did President Obama announced cybersecurity Awareness Month okay go first person to answer this question wins $100 us voucher in the store so you have your chat awesome bonus got it Sam you’re the very first one October 2009 congratulations you won $100 u.s. voucher to spend in the store so well done sweet that’s the end of my presentation hopefully you enjoyed that you got something out of it and as I said contact me, email me talk to me if you have any follow-up questions and after today’s session I will email you all your link to that bonus which I will show you again to get the three assessment guides for 247 dollars in a single set so if there’s any final thoughts no that’s it and I am signing out thank you so much for your time I really appreciate you spending an hour with me or 50 minutes I tried to be a little bit earlier so you can go to your next meeting and you even have time to get a cup of tea or a cup of coffee so yeah so thank you and I will talk to you next time