For years security vendors have been able to play off the general fears of malware and cyber attacks. They’ve advised that if we
just bought this product we’d be more secure. As the scope of protecting data has become more complex, we’ve slowly learned that
deploying more security controls alone is not a risk management solution.
At Travelers adjusted workers compensation claims primarily questionable and complex. Expanded knowledge by adjusting Longshore
claims. Additionally, adjusted catastrophic property claims (in season). Next Patrice N Hall , joined a national staffing
company, Snelling Staffing, as the Safety and Risk Analyst for all states. There managed a TPA, and coordinated safety training.
In 2013 found employ at DFW International Airport as Claims Manager. While at DFW selected a new risk information system (RMIS),
Origami Risk. Currently implementing a RMIS for the airport inclusive of claims management, safety and enterprise risk management
components. Additionally manages insurance requirements and certificates of insurance compliance.
For mroe details :- http://patricenhall.blogspot.com/
2. Realize The Need For Risk
Management
For years security vendors have been able to
play off the general fears of malware and cyber
attacks. They’ve advised that if we just bought
this product we’d be more secure. As the scope
of protecting data has become more complex,
we’ve slowly learned that deploying more
security controls alone is not a risk management
solution.
“We could spend tons and tons of money and not know if we had improved
security at all or if we had done the right things,” said Eric Cowperthwaite, (
@e_cowperthwaite), CISO at Providence Health & Services in Seattle. “We
needed a better way than just installing all the technology you can buy to figure
out what we should be doing in our security program.”
For Kirk Herath, VP, CPO, Associate General Counsel, Privacy, Technology &
Contract Services at Nationwide Mutual Insurance Company, building a risk
management practice is a requirement in their heavily regulated industry.
3. Risk Management Is What You Do
Beyond Basic Controls
“There is a basic set of security controls that
must exist from an ‘I have done the right things
in a due diligence perspective,’” noted
Cowperthwaite.
For example, said Cowperthwaite, with physical security you put locks on doors,
add alarm systems, and closed circuit TV. Although there isn’t a full consensus
on information security of what that basic set of security controls should be, most
know to include anti-virus, firewalls, intrusion protection systems, and spam
filtering.
“This is not risk management at all. This is equivalent to putting a lock on the
door,” said Cowperthwaite.
4. Patrice N Hall - Assessing Your
Assets Is Table Stakes
“If you don’t know what your crown jewels are
you can’t do risk management,” said
Cowperthwaite. “If I don’t know what it is that I
need to protect on behalf of my organization I
can’t possibly be successful in going beyond
foundational due diligence security.”
“You need to understand as a security practitioner what data is important to your
board if it gets out and what data is important to just the functionality of the
organization,” said Erin Jacobs (@SecBarbie), CIO/CSO for UCB, Inc.
“Understand how data moves in and out of the organization.”
After doing a data map, Jacobs learned, “What’s important to the board is not
necessarily what’s important to the business units. And what’s important to the
business units might be different to what’s important to security teams.”
5. Patrice N Hall - Find The Business’ Risk
Tolerance
“You can write rules that are risk-averse and
risk-absolute. We have found that is a recipe for
disaster,” said Herath who advised instead that
you have discussions with the business about
their risk tolerance.
“We assess the risk appetite of our organization
and the organizations we serve and apply
controls around that.”
Be wary that even though security controls can reduce risk, it may cause the
business to act more risky therefore not reducing damages. This phenomenon is a
function of risk compensation or the Peltzman effect, introduced by Sam Peltzman,
who noticed that safety restrictions on cars, such as seatbelts, don’t reduce
fatalities. It just makes people more dangerous drivers, said Andy Ellis
(@CSOAndy), CSO for Akamai.
“People have a set point of risk tolerance. There is so much risk that they will
tolerate and every time you take risk away, they accept more,” said Ellis.
6. Patrice N Hall - Risk Can Be Determined
By Regulators
While compliance does not equal security, falling
out of compliance can be financially damaging
and therefore highly risky.
“We exist because of GLBA ,” admitted Herath of
how regulators often manage his risk. “It’s hard
in a highly regulated industry to make what
academics might think is a perfect risk
calculation.”
While Nationwide has had an practice prior to GLBA, Herath confessed that it
changed dramatically as a result of this regulation.
Cowperthwaite agrees and points out that HIPAA security rules dictate that his
health organization must have access management. It’s not an addressable
specification, it’s a requirement. Referring to “TIP 2,” it’s not risk management at
all, but rather a basic foundational thing that he has to do.
7. Patrice N Hall - Get Input On How Well
You’re Doing
While Cowperthwaite’s team surveys
business leaders on what information they
think is important, they also ask how well
they think the team is doing to protect it.
Answers to that question can greatly change the risk profile, said Cowperthwaite.
For example, when they asked how important cybercrime was, it was listed, by
importance, in the middle of the pack of 40 issues.
But when they asked the business how well they thought they were doing to protect
against cybercrime, they didn’t think it was going so well so the issue moved up in
importance.
8. Patrice N Hall - Use the Simple Principle
Don’t try to numerically quantify risk-based
security management. There’s a belief that
risk-based security management can be
boiled down to numbers and that you can
quantify the risk and compute the
annualized loss, said Ellis.
“Well, I expect I could lose this much
money. So if I spend this much resources
then I can mitigate it by this percentage
and that was a good investment,”
While Ellis thinks this might work for fraud and petty theft, he doesn’t believe it will
ever work for general information security because of the qualitative variables.
The desire to quantify is understandable since a lot of risk speakers at conferences
are from the financial services area, noted Taylor.