Category Archives: Resource Hub

Cyber Security Risk Management – Are you Ready?

What happened during this week’s webinar?

Check out the video if you missed the live session.

The recording doesn’t show the actual poll questions, but you’ll get the idea.

The Cyber Security Risk Management Self Assessment is available in our store

okay it is nine o’clock officially we have commenced.

Welcome to this webinar on cybersecurity risk management and welcome from Brisbane.

It is nine o’clock in Brisbane and it will be afternoon and evening wherever you are in the world like I said in the invitation, no longer than an hour we go through some slides there’s a checkbox that we’re going to use this Q&A that we’re going to go through and that’s basically the housekeeping because we’ve already established that you can you can hear me, you can see me you can see the slides, were good to go.

So today’s program is a cyber security past present and future, but we are going to talk about risk management and mainly the value of self assessments.

And when you signed up for this webinar we asked the question in the invitation and some of you have actually asked me a couple of questions.

Some questions were on the history of cyber security, some questions were on the practical application of cyber security risk management so as you can see I have incorporated some of that in the slides and some of that I will leave for Q&A.

The bonus…

I have a bonus so at the end of today’s presentation I’m going to ask you a question and the person who is able to answer that question FIRST is going to win $100 US voucher that you can spend in the Art-of-service store, just not for exams but anything else $100 for you so pay attention I’m going to ask you a question about today’s presentation and it will be the very last slide that we are going to share.

It will be a bit of a practical thing so get ready and there will be some polls I need you to be engaged, okay?

And for those of you who know me, I am a very big proponent of lifelong learning so I’m going to take you on a journey and the journey for most of us is that we go from unconsciously incompetent to consciously incompetent where you go like oh there’s so much I don’t know…

Then you go through your whole training, education and learning process then you become consciously competent, so you’ve learned new skills, you’ve learned new things, you’ve learned new theory new knowledge and then it becomes second nature so then you become unconsciously competent.

So I don’t know where you are on the spectrum but I am assuming that this journey will be somewhere in between unconsciously incompetent to consciously confident so let’s go on this journey.

Cybersecurity is something that a lot of people talk about these days and what we’ve done at the art of service we’ve developed some proprietary software to read all the questions that are in our self assessments.

So all the standard criteria around cybersecurity and that software just reads all the words, takes all the information out of the questions and it basically cuts through all the consultancy fluff.

You know, all those consultancy BS words?

It just cuts through it and these are the words that come out of that assessment, out of that analysis so what is really important around cybersecurity and irrespective of the type of technology you use or irrespective of the type of cybersecurity we’re talking about.

If the words that are important are from the left hand side you have new and smart and why so the why question is really important .

Why do we do things, why do we approach cybersecurity in this way.

Why should we do it now?

Those types of questions and in that same area you see a lot of words around grid and water and utility and the impact, so that was one of those understandings for me that even though we tend to think of cybersecurity from an IT and a data point of view, ’cause data is definitely in there as well grid utility and water like physical attacks or cyber attacks on physical plants is actually really important and that’s, that’s what’s happening all over the world at the moment.

So those are important words.

And then words like systems and standards and information so we need to have systems and standards and we need to manage information around cybersecurity, we need to manage the information we dissipate to people around cybersecurity.

And then on the right-hand side should…

and of course that’s a word that’s from quality management.

So of course standards criteria and assessment criteria will have the words should in there.

So not necessarily WOULD or COULD but SHOULD you should do this you have to do this you have to do this to prepare for cybersecurity you have to prepare you should approach it from this point of view.

So for me this was a really clear overview of what’s really important in the world of cybersecurity irrespective of technology.

So that’s my gift to you so that came out of our software.

So then the history and this was a bit of an interesting one..

Yeah I always do a trend analysis and I always go to Google Trends if I want to see what’s going on with a particular subject and even though cybersecurity has been slowly rising over the years or the interest in cybersecurity there was this one big peak in October 2009 and I actually looked it up.

Well what happened in cybersecurity world in October 2009 and that was actually the month where President Obama announced that it was cybersecurity Awareness Month so hence the big peak in the interest in cybersecurity.

It dropped off quite quickly after that but it’s still growing.

And in our journey of cybersecurity most of us tend to think about cybersecurity in the context of internet security so you talk about you know dark web and you talk about internet attacks and denial of service attacks yep it’s all it’s all around internet security but it’s a lot broader so we’re talking about cyber warfare you know that’s where the utilities come in as well you talk about computer security mobile security network security so there’s a lot more to it than meets the eye and it’s a lot wider subject and it’s a lot wider than what a lot of people think about so as specialists in this area or as IT professionals it’s up to us to educate people that cyber security is not just internet security there’s a lot more to it and that awareness is really important in the in the general population and then of course because we talk about security and security management we have to talk about threats and vulnerabilities and those of us that have gone through an ITIL Service Management style history or background we know that in availability management and information security management we used to talk about threats and vulnerabilities a lot so it’s all about external threats, internal threats so what’s what’s the stuff that can happen what are the threats that can happen to us but also how likely is it going to happen and the more prepared you are for certain threats the less likely that that threat will have a major impact and there’s why put this picture of the two glacier mountaineering people in this slide like you know a lot of things can happen in in this scenario so these people there are a lot of threats and they would have prepared for this for this walk, for this hike they would have prepared for that they would have identified the threats they would have identified their own vulnerabilities and prepared for that so for us within the IT industry and for us in relation to cyber security it’s really important that we identify the threats that we name them that we write them down that we that we work through them and you know what you don’t measure you can’t manage so at least have knowledge of what’s going on and then the type of threats of course is the attacks as technical failures and defects but more importantly even is things like human error and organizational weakness and force majeure and one of the things that always pops to mind for me in relation to human error is you know that the bomb alarm or the nuclear alarm that went off in Hawaii a couple of months ago?

Was that a technical failure or was that human error it’s still a bit up in the air we don’t really know so it’s it’s very very important that we take that into consideration as well and that’s why we’re not just thinking about threats and vulnerabilities from a technology point of view from an Internet point of view or a computer point of view but it’s beyond the technical failures what are we using the systems for what are we using the technology for and how can human error organizational weakness and force majeure have an impact on our business .

So I think for me from a cyber security point of view don’t just focus on the technology look at it from a bigger context and look at it from a bigger perspective.

And then of course you will always look at it against standards and compliance and these are the top three that most organizations we work with actually mentioned to us so there’s the NIST cybersecurity framework which is from the US and that framework..

We’re actually quite proud ’cause that’s a governance government organizational framework and our cybersecurity self-assessment guide has been assessed by NIST and they put it on their website as one of the resource as one of the you know they’re recommended or resources that they know of and that they have assessed as being you know worthy of being on my website there’s also ISO/IEC 27001 that was originally created in 2005 and then in 2013 there was an update to that standard so if you’re using ISO/IEC 27001 in your organization just make sure you’re using the 2013 version of that standard.

And then for Australian people there’s a couple of local standards and guidelines for example the Australian government cybersecurity Center and their ASIC cyber resilience health check so those are the two that jump out to us as standards and guidelines that are really good to use within your organization just to map it against so that you know what you’re doing within compliance and standards point of view but of course there’s many more and there will be many more coming in the future.

MIT Technology Review they wrote about the cyber security threats to really worry about in 2018 and one of the things that stood out to me was that they said that one big target for ransomware attacks in 2018 will be cloud computing businesses and I’ve thought about that.

I thought why a cloud computing businesses why not go for financial institutions or why not go for health institutions because when you think about cyber security attacks or cyber attacks it is often health-related data or financial related data are that is being leaked so why not use those type of organizations as your -you know- prime targets for ransomeware attacks but it’s it makes sense because where do all the organizations store their data?

I mean where do we store our data?

That’s all in cloud-based storage so whether it’s Dropbox or its Amazon the the triple S storage or Rackpace or you know there’s all sorts of cloud computing businesses that offer storage services so that’s where the data goes so that’s where the gold is for ransomware attacks so if you want to read more about the the six cyber threats to really worry about in 2018 just do a google search for the MIT technology review article it’s really easy to read and it was a yeah it’s a bit of an eye-opener and it’s definitely ransomware attacks are on the up-and-up and I don’t think anybody has figured out how to have to break through that yet so yeah it’s another one and then of course talking about that our next week the 25th of May is a big day for Europe and for every organization that stores data about European citizens when the GD well that’s a typo GDPR it’s not GDRP its GDPR: the general data protection regulation comes into effect so that is a data protection regulation for all European citizens and it is all about personal data or data that can be personalised so it’s not just email addresses gender race/ethnicity that sort of stuff but it’s also IP addresses if you use cookies or pixels on your website and you store that data in order to analyze what the behavior is of those people you need to comply to the GDPR regulations so even though you are a company outside of Europe or the European Union be it in the US be it in Australia you may still be subject to the GDPR regulations so that is something else too to do some research on if you haven’t done so already and you know I’m sure you’ve already done research on it because every cloud-based service again because they store most of our data every cloud-based service has been updating the Terms of Service, have been updating their privacy statements but you know you still have a week so you can still look at it in your own organization what you need to do in order to be compliant.

So then the big question I mean that’s a really high-level overview of cyber cyber security in relation to compliancy and and standards and big question is are you ready are you ready for service or your cybersecurity compliancy are you ready is your organization ready are you doing conscious stuff around cybersecurity or is it just something that goes into all the other processes so one of the things that a lot of organizations do is they perform a self-assessment and that is something that it’s recommended at the start of every project or maybe at the start of every year do an assessment put a line in the sand know where you are because again if you don’t measure you can’t manage so measure where you are measure what you do so that if you create an improvement project or you know you’re going to attack have a strategy of improvement then at least you know where you’re going and where you came from so you have you have that improvement Delta.

Of course I’m going to show you our self-assessment guide because I don’t have access to any other organization self-assessment guides but the idea behind self-assessment is the same irrespective of the product that you use I just wanted to give you an idea of the value of doing a self-assessment which self-assessment it is doesn’t really matter as long as you perform a self-assessment that provides the value to your company so this self-assessment goes through seven phases so goes from recognized to define measure analyze improve control and sustain so every participant and usually we work with companies where it’s up to ten participants so every participant answers the question to say: in my belief the answer to this question is clearly defined so it’s a personal approach it’s a personal assessment in my belief I can answer this question I believe that this question can be easily answered it’s clearly defined I know that we know what we’re doing so let’s have a look at the recommend [messy] I created a number of poll questions so we get a bit of an idea of where you would be.

See if you were my organisation then where would be we be in cybersecurity so from a recognised point of view be aware of the need for change recognize that there is an unfavorable variation problem or symptom so the sample question would be: think about the people you identified for your cybersecurity risk management project and the project responsibilities you would assign to them what kind of training do you think they would need to perform these responsibilities effectively.

So again your answer the question with: in my belief the answer is clearly defined so you should see a poll popping up on your on your screen now so in your belief can you clearly answer this question in your organisation just click I strongly disagree like I have no idea there’s no clarity on the type of training that people need to do or you disagree you know you’re not sure or you’re neutral or do you agree that it’s clearly defined where what kind of training people to do are you strongly agree like I know of a training they need to do and I’ve seen the training manuals and it’s all part of our HR processes we’re all over it.

So we have 40% of people have voted so far so I’m still waiting for the a hundred percent of people I told you it was going to be interactive 80 percent we’re nearly there I think there’s a couple of people sitting on the fence.

okay so this is really interesting so 36 percent of people say disagree and 36 percent of people say agree it’s in your belief the answer to this question is clearly defined strongly disagree 9 percent of people neutral 27 percent but see the difference between the answers?

so then we go to the next the next phase so we’ve moved on from we recognize that there’s a need for change now we’re going to formulate the business problem so we need to define the problem the needs and the objective so how how can the value of cybersecurity be defined?

so let’s see what comes out of this one so how can the value of cyber security risk management be defined can you clearly answer this question so in your belief the answer to this question is clearly defined we’re only 37% now 50 percent…

last time we had 80% of people so see how we go this time so this is about the value of cybersecurity so in your organization do we talk about the value of cybersecurity?

Is it defined in relation to the strategy of the organization is it defined in relation to our short medium and long term goals so for 33% of plus 8% rally, so for 41% people disagree with this statement like within your organization you cannot answer this question with in my belief it’s clearly defined so that’s a that’s a starting point to talk about the value of cybersecurity risk management to discuss it with your executive teams to discuss it with your team managers to include this into your strategic plans to include this into your annual goals and objectives to at least have this this value available so then the next phase is: Measure so we’ve gone from we recognize, we defined now we start to gather the data so we’re measuring current performance and the evolution of the situation so we’re gathering data were measuring the current performance so let me just find the question the question is our threats vulnerabilities likelihoods and impacts used to determine the risk and this is the specific risk for cyber security so are threats vulnerabilities likelihoods and impacts used to determine risk cyber security risk or do we just put finger up in the air and you know we’ll see we see what happens you know which is a strategy not sure it’s a good strategy but …

excellent so this one was a bit easier to answer for most people 79% say I agree we use threats vulnerabilities likelihoods and impacts to determine the risk and then 7% said I strongly agree in my belief this is clearly defined I know exactly how we determine cyber security risks.

so our next phase in the self-assessment would be analyse so we’ve collected all the data we started measuring the data and now you analyze it and that is part of your DKIW process you know you go from raw data to knowledge to information to wisdom so we have the raw data we’ve collected it we measured it now we turn that into information so it’s analyzing causes assumptions and hypotheses.

so the question is do governance and risk management processes address cybersecurity risks so think about your governance and risk management processes in your organization do you specifically address cybersecurity risks?

is there a clause within your policies and procedures and processes or is it just a blanket statement that we talk about security risks and not necessarily specifically about cybersecurity risks so we’re getting really specific now because we’re analyzing the data that we’ve been measuring I think everybody has put in their votes and the results are that 43% of people agree yes we use cybersecurity risks as part of our governance and risk management processes isn’t it interesting though that when we talked about the recognized and defined part of the self-assessment it was a lot more fluffy so from a strategy and an organizational context we weren’t too clear on how to answer this question but now we get into the operational side of data collection measurement and analysis we know a lot better how to answer this question and in a lot more organizations this is where cybersecurity actually comes to the surface although we still have 36% of answers to say disagree or strongly disagree so those are organizations where governance and risk management processes do not specifically address cybersecurity risks so our next phase would be improve so we’ve gone from measurement analyzing now we know where the improvement parts of the organization are in relation to cybersecurity so every question we answer in relation to cybersecurity so a self-assessment question would be what do we see as the greatest challenges in improving cybersecurity practices across critical infrastructure so what is the greatest challenge and it’s not really asking what it is but can you clearly answer this question do you know what the greatest challenges are have had cybersecurity risk management briefings on specific vulnerabilities in your infrastructure have you been talking to your third-party vendors about specific challenges in improving cybersecurity practices so this goes you know it’s all about improvement of the processes.

okay we’re at 70% now all the other questions were around that 80% of people placing their votes so we’re still waiting for one or two people…

okay let’s do this 85% agree they can answer clearly exactly what we see in would you see in your organization as the greatest challenge in improving cybersecurity practices.

okay and then we go to control the next phase so now that we know what we can control we create practical solutions and all those solutions are built to maintain the performance and the correct possible complications so it’s all about maintaining control while you implement your improvement processes so the question you could ask at this point in time is a vulnerability management plan is developed and implemented do we know if we have a vulnerability management plan can you answer that question do you know where it is do you know if it’s developed or do you know that it is implemented or if you don’t even know what a vulnerability management plan is then say I strongly disagree so this is where we go into controlling the improvement, controlling the processes around cybersecurity.

still waiting for two people to put their votes in just pick one and if you don’t know which one to pick pick neutral okay so a vulnerability management plan is developed and implemented the most answered response is disagree I cannot answer this question clearly in my belief it is not clearly defined I don’t know where our vulnerability management plan is and I don’t know if it’s implemented so this is where you get into a more mature organization that has a plan, knows how to improve knows how to implement and then the final phase is sustained so how do we sustain the benefits of our improvements how do we sustain the benefits of specifically focusing on cybersecurity so the type of question that you could ask is is the cyber security policy reviewed or audited so question one is do we have a cyber security policy and if we do or when we do is that policy reviewed or audited.

so this is really about sustaining the benefits of your cyber security risk management processes so it’s not just a fluke it’s not a one-off it’s part of your standard operating procedures it’s it’s part of doing business I think this is a harder question to answer for most people so in your belief the answer to this question is clearly defined yes or no.

Okay it’s interesting that nobody picked neutral in this one it’s either yep I disagree or strongly disagree or yes I agree or strongly agree so did you notice a trend?

Because I did when we went through all these phases of the self-assessment process so the original phases of recognizing define was a lot of disagree not so much agree so it wasn’t as clear the middle section which is more the operational part of it was a lot more clear for most people that the answers were a lot more towards agree and strongly agree now that we’re at the end again of improvement controlling and sustaining the improvement and sustaining and embedding the processes in the organization it moves back in to strongly disagree or disagree that means to me that it’s a lot more difficult to implement these parts of the process and it’s also part of the maturity of of your organization.

so that just gives you an idea of the type of questions that you would answer during a self-assessment.

this is an example of the results of a real organisation…

not that we’re not real people but an organization that went through this and obviously I’ve deleted the names of the participants so all these participants walked through all these questions and even though there are 861 questions in total in the cybersecurity risk management self-assessment you don’t have to answer all of them so if you go and that happens in our example as well you know not everybody answered every question if you have no clue how to answer this question or you say then it’s just not applicable to our company it’s not applicable to our organization then don’t answer the question but it gives you a good overview of where you’re standing in your cybersecurity journey and in this organization as you can see and that happened here as well in the (actually no it was the reverse of what happened in our scenario) in the recognized part there was a lot of strongly agree whereas if you go in to sustain it moved in to strongly disagree so this organization was very heavily geared towards strategy and long-term planning and not so much in the improving control and sustained part of part of the process so these were at the beginning this organization was at the beginning of their journey of implementing cybersecurity risk management processes.

What rolls out of this assessment or one of the outcomes of this assessment is that you have this RACI matrix, a RACI diagram so for each of the seven phases you will have the top three questions with the biggest impact so for this organization it was in recognized do we use IT personnel directly use outsourcing or use both approaches to address IT issues in relation to cybersecurity risk management so that was one of the lowest scoring questions so that will also be one of the I really don’t like the term low-hanging fruit but it’s the most obvious starting point for an improvement process so that’s the result of you going through the entire self-assessment.

I just wanted to give you an idea of what it would be like to go through a self-assessment for cybersecurity risk management and obviously I hope you’ve seen that these results coming from the the assessment will give you a good overview of where your company is sitting where you know that there is room for improvement where there is engagement in the organization for improvement because that’s an important one as well because if no if everybody says like you know I’m neutral I don’t care then it’s really difficult to get a cybersecurity risk management improvement program happening in your organization because you don’t have that support you don’t have that engagement from from the teams so this so it’s not not just I mean I don’t have all the graphs in this slide deck this is the area responses across the entire process you also have all the responses of each individual participant so you know exactly where people are sitting so if you’re looking for for instance and vulnerability and risk management report then you pick the people that say I am definitely…

I’m clear, I totally agree I know where the plan is so you ask them because there’s a lot of people that have no clue where it is so it’s just easier to assign resources to your improvement program or project because you know who answered the question with in it’s my belief that I can clearly answer this question and you use them as your informants as your information providing people or maybe as team members in the project so what are we going to do next?

We have some Q&A and as I said earlier some people send in questions prior to today so that was really easy for me so thank you so much because they gave me an opportunity to prepare you also have your Q&A button on the top or maybe it’s on the bottom for you so if you do have a question pop that in the Q&A box and then after that there’s one more thing I wanted to share with you and then we have the winner for the hundred dollar voucher so the questions and I do have a prepared on paper the first question that came in was what produces the best value what produces the best value and I love that question because you don’t want to do a self-assessment just for the sake of doing a self-assessment it has to have value for your organization and I’m hoping that now that we’ve gone through the process of the self-assessment you you see the value you see the benefits of going through this this process and to me the easiest way to show the value is through that RACI diagram and that overview of the top three the top three questions in each of the phases that have the biggest impact on your organization.

Cyril says best value find the supporter yeah absolutely that’s the other benefit of doing the assessment as I said the results come in per process but also per person so if you have a person that scores really positively on on the questions you can use that person as a champion or a cheering squad for your for your assessment and for your subsequent projects that flow out of your assessment so yeah great great addition okay how often are risk assessments performed ?

(oh oh no you’re not supposed to see that yet) how often are risk assessments performed just like with any type of risk assessment or quality assessments at least once a year or when a major change is happening so if you have a major infrastructure upgrade or you’ve changed to an outsourcing provider or you’ve moved to a cloud computing provider that’s that’s the point in time where I would actually do another assessment because things may have changed and it’s important to be on the same page again and so yeah so that’s that’s what I would do.

the other question that came in is how can third parties improve risk assessments?

I actually had to think about that for a while because I wasn’t sure which kind of third parties you are you were talking about so a third party could be suppliers, vendors, your cloud computing provider a third party to me can also be your standards or compliancy organizations or an external auditor so to me to improve the risk assessment or the cybersecurity risk assessment as part of all this it can be beneficial to have external people involved have an external auditor or the internal auditor because they have a different point of view.

They just look at it from a different angle so when you put your team together and like I said in this scenario you can have a maximum of 10 people doing the self-assessment it would be beneficial to have people from different sections of the company attending or participating in the assessment and if you can have a vendor or a third party supplier in there even better it’s all about transparency and it’s all about everybody understanding where we’re sitting in the process so I love that question so thank you for putting that in.

Question from the group here How big should the company be for this kind of assessments?

I don’t think there’s a size requirement for getting value out of it you would assume that if it’s a smaller company we’d say like 10 to 20 people most people would be on the same page having said that that’s an assumption and I’ve been working with a lot of smaller companies where everybody thought they were on the same page and they were not so it’s doing an assessment like this really brings out the differences in how people view certain parts of the process or how people view cybersecurity and like that one of the first slides was you know it’s not just computer security it’s not just internet security you know that there’s a lot more to it so doing an assessment like this you could use it as a communication starter or a conversation starter in a smaller smaller organization in a large organization I would use people from different disciplines or different teams so I hope that answered your question.

Let’s see if there’s any more questions here how are risk assessment and audit results communicated to executives that was the other question that came in prior prior to today so how are risk assessments and audit results communicated to executives to me if you don’t have the buy-in from executives it’s really difficult to do a process like this so you need to have that executive buy-in that’s why we started in recognized and define so recognize the need for change define what that means in the context of your organization that’s where you involve your executives at the end of the process after you’ve done an assessment like this you would brief your executive teams or your management teams you would do a presentation you would prepare a brief and yeah exactly feeding it into executive meetings and continual review processes David exactly that’s that’s the point I was trying to make so yeah collate all your data, collate information and present it in the context of the business.

present it in the context of the strategy of the organization so I hope that answer that question.

another question came in here do you think we could group smaller clients in one assessment or should we always do this per client?

my recommendation is to do it per client, purely because of the sensitivity and the confidentiality of data we had a lot of discussion with this with with customers about putting this in an online platform or discussing it with other organizations or or collate information from different companies together and we’ve got a lot of pushback on that especially when you talk about cybersecurity risk management that is in a lot of organizations promotional and confidence highly you know highly commercial type of situations so if you can do it anonymously and you want to collect information from different clients to give people sort of like a benchmark be very very careful that it is a private discussion that it is a hundred percent anonymous and that you’re not sharing information from one client with another client because I think that could do a lot more damage then and that is good for us so any more questions?

looking at it…

nope okay if you have any more questions after today feel free to email me all my data is on the last slide anyway so and you guys know how to how to reach out to me so feel free to contact me feel free to talk to me I’d love to get some follow-up from you guys so what I wanted to do to you and that’s the one more thing thing I’ve created a bonus package for you if you want to try out the cybersecurity risk assessment for yourself in your organization or for your clients if you are a consultant I’ve actually bundled it together with information security management and business continuity management so you get three of these self-assessment guides for the price of one so I thought that was a really really cool bonus for you guys 247 dollars for the set that’s a really long URL so I am going to copy that into an email which you will get after after today’s webinar.

I don’t expect you guys to copy that by hand because that’s not that’s not happening but yeah that was my that was my bonus because I really wanted to to make sure that if you want to do an assessment that you have know some data to go across the board with your business continuity and information security management as well as cybersecurity risk management so hope you enjoy that and then the very last one the last slide is when did President Obama announced cybersecurity Awareness Month okay go first person to answer this question wins $100 us voucher in the store so you have your chat awesome bonus got it Sam you’re the very first one October 2009 congratulations you won $100 u.s. voucher to spend in the store so well done sweet that’s the end of my presentation hopefully you enjoyed that you got something out of it and as I said contact me, email me talk to me if you have any follow-up questions and after today’s session I will email you all your link to that bonus which I will show you again to get the three assessment guides for 247 dollars in a single set so if there’s any final thoughts no that’s it and I am signing out thank you so much for your time I really appreciate you spending an hour with me or 50 minutes I tried to be a little bit earlier so you can go to your next meeting and you even have time to get a cup of tea or a cup of coffee so yeah so thank you and I will talk to you next time

What if you’re asking the wrong questions about Cyber Security?

Cyber Security is on everybody’s mind these days. Every day there is a news item about a breach or attack. It seems the most (if not all) businesses are vulnerable to cyber security risks.

Think about it: We spend a lot of time online, between personal activities on social media , internet banking and all the things we do online for our business.

In business we hire staff via online portals and engage with contractors and freelancers online. We do our business banking and bookkeeping online as well as our email communications with clients and suppliers.

When you add up our daily online presence and then include the fact that the Internet of Things is becoming more and more a reality, there is no denying anymore that the importance of cyber security is a real thing and that it impacts every business, large and small.

One of the things you need to be aware of is the GDPR regulation which starts on the 25th of May 2018.

GDPR is all about privacy protection and personal data and to make sure this personal data is protected from outside attacks.

Personal data.

The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.

What types of privacy data does the GDPR protect?

  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

Does your company collect personally identifiable information electronically? If so, you may have to seriously look at your Cyber Security processes and procedures. Especially the ones around management and storage of private data. Every company that does business with a person in the EU is potentially subject to GDPR regulations and non compliance can be very expensive with fines of up to 4% of your global revenue.

As professionals it pays to understand how we can help our organisation to be better prepared. But what are the questions to ask? What conversation is required without going too deep into the technical aspects of Cyber Security.

The challenge is to ask the right questions without going too deep into the technology as this may be the wrong focus at this point of the risk management journey.

It is all about Risk Management.

Earlier this week I was listening to a podcast about rock climbing and the interviewer mentioned that rock climbing is a risky sport. The answer was very appropriate, as the interviewee [his name is Alex Honnold] said.. no it’s not – it’s of high consequence.

[ Alex Honnold – Free Climbing El Capitan at Yosemite National Park ]

His definition of risk is something that you can plan for, something that you can manage and mitigate. Part of that risk management is that you also have to understand the consequence of your actions if something goes wrong.

In his case, being a free climber the consequence of even the slightest oversight, omission or mistake is imminent death. That’s different from big wave surfing (the example he used).. there are many more variables in surfing so while the risk level may be higher, the consequence level is lower because not every mistake ends in death. Maybe a bruised ego or a broken leg but you’ll survive.

What does free climbing have to do with Cyber Security?

It struck me during this interview that this is exactly what we want to bring across in our Self Assessments. Especially when we are talking about Cyber Security Risk Management. Understand the exact path you need to take with the company, and have a clear vision of what you need to do to make it to the destination safely. Manage your risk and understand the consequences of not being aware of the things that are important to the business. This is a great way to prioritise the use of assets and resources within your company.

It also means that you need to be clear on what we know and what we don’t know. What we have considered and dismissed and what we never even thought of in the first place. Every step towards Cyber Security is about consciously taken decisions en educated choices.

The Cyber Security Risk Management Self Assessment helps you to mark a clear path for your company and to prepare for effective and efficient implementation of the required processes, procedures and technical measures.

7 Sample Requirements:

Not all cyber-connected assets are essential to protect at all cost. Some assets, however, are “crown jewels” – worth protecting at all costs. Other assets may be more like “paperclips” where the expense of protection exceeds the benefit. How do you tell the difference?

Do we support the certified Cybersecurity professional and cyber-informed operations and engineering professionals with advanced problem-solving tools, communities of practice, canonical knowledge bases, and other performance support tools?

Does your organization perform vulnerability assessment activities as part of the acquisition cycle for products in each of the following areas: Cybersecurity, SCADA, smart grid, internet connectivity, and website hosting?

Describe the company’s current practices that are used to protect proprietary information and customer privacy and personal information. Does the company have an information classification and handling policy?

Can we describe our organization’s policies and procedures governing risk generally and Cybersecurity risk specifically. How does senior management communicate and oversee these policies and procedures?

What domains of knowledge and types of Cybersecurity-associated skills and abilities are necessary for engineers involved in operating industrial processes to achieve safe and reliable operating goals?

Does your company provide end-user training to all employees on Cybersecurity, either as part of general staff training or specifically on the topic of computer security and company policy?

[part of this article was previously published on Linkedin]

 

GDPR is coming – do you know what to do?

The EU General Data Protection Regulation (GDPR for short) will be active from the 25th of May 2018. Irrespective of where you are located in the world, if you collect client data from persons in the EU the GDPR regulations are now part of your new standard operating procedures. You will have noticed many SaaS and app providers sending you updates to their privacy terms and conditions. In the past few weeks I’ve also noticed many more websites now showing the banner to notify you of the use of cookies and pixels. This must be related to the implementation of GDPR as well.

What is GDPR?

GDPR is all about personal data and to make sure this personal data is protected from outside attacks. The onus is on the company to proof that they do every reasonable thing to protect their customer’s personal data against misuse. Irrespective of how you process this data: you process and store all the data internally, or by engaging a third party supplier or SaaS provider.

What types of privacy data does the GDPR protect?

  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address, cookie data and RFID tags
  • Health and genetic data
  • Biometric data
  • Racial or ethnic data
  • Political opinions
  • Sexual orientation

It pays to understand the compliance criteria in such a way that you will be able to understand and manage the ongoing compliance requirements beyond May 25th. Every business that uses data from citizens of the European Union will be impacted by this new regulation. This can be customer data, prospect data or cookie data and information you collect because they are on the mailing list.

This date of the 25th of May only marks the starting point from which we need to be more vigilant in how we manage, store and process our customer’s personal information.

Looking at GDPR from this point of view means that the management requirements for GDPR can be split up across 5 different phases. These phases coincide with the general life cycle of a business process. These phases loosely align with Deming’s Quality cycle: Plan – Do – Check – Act (PDCA for short).

  • Plan what you are going to do
  • Do what you planned for
  • Check / study and analyze the results of what you did in the previous step
  • Act accordingly – improve the activities, measurements and expected outcomes.

The planning phase can be split up in Recognising the need of change (in this case changes to your processes and procedures to safeguard people’s personal data) and defining what GDPR means to you and for your organisation.

The DO phase includes measuring and monitoring your performance during the active and productive part of the processes.

The Check phase includes a thorough ongoing analysis of the data that came from the previous phase. This is where you use your KPIs and metrics to identify areas for improvement and areas the celebrate.

The Act phase is all about control of and sustaining the ongoing improvement that you started implementing in the previous phase. Once you have these four phases working together you will see process improvement happening in your business. Especially for GDPR this is of critical importance as you need to show best effort to protect your customers personal data. Ongoing improvement of these processes is at the heart of this and will strengthen your case.

Why do we still teach ITIL after 20 years?


Yes – just saying it out loud is scary, but it has been 20 years since I received my ITIL® Foundation certificate. It has been 16 years since I started teaching the principles and concepts of the ITIL Service Management methodology.

ITIL is old news

These days you hear more and more people complain about ITIL – how it’s old and not sexy anymore…. how it’s ancient and not applicable to today’s agile ways of running IT shops and departments.

To be honest, for a long time (years actually) this question  had me stumped… why didn’t I move onto bigger and newer and flashier courses? There were many reasons for me to stop – and turn away from it. However the truth is:  I don’t want to.

I believe in the principles of the ITIL Service Management Methodology of connecting the people to the processes, products and partners. I love the fact that over the years the ITIL methodology has made IT people stop and think about their ‘why’. WHY do we create apps? Why do we manage or maintain that system? Why do we need to add double security levels on that data?

I’m not saying that without the ITIL framework these questions would never be asked… but it does mean that because of this framework the questions were not being forgotten.

It’s not about me

Also – good business practices tell you to listen to your client and to create a product or service people really want. Our clients love us for our ITIL training programs and the value for money it gives. Why deny them this opportunity by trying so hard to deliver different things and offer different courses that they really don’t want.

Listening to my clients doesn’t mean being stuck in the ’90s and doing the same thing over and over again. It means adding new angles and new ways of delivering the message.
At it’s heart though, it does mean that in the past 20 years I’ve created a business that specialises in IT Service Management training and education and that’s what we do. With love and passion.

 

With regards,

Ivanka Menken

How to oversee Systems Security management by competencies

USE CASE:
Meet Michael Mullen, Lead Systems Programmer in Computer Software, Greater New York City Area.

He needs to oversee Systems Security management by competencies.

He likes to revise his understanding of Systems Security Management. That’s why he needs to keep an eye out on technologies and frameworks in the fringes of his expertise and knowledge. It’s important that he has a basic understanding of many subjects to do with Systems Security Management.

This is the reason why Michael signed up for The Art of Service LAB Accelerator. As part of his membership he has full and unrestricted access to all the documents in the library. He can search and download as many documents as he needs. He also has access to Analyst Research Reports – and this really helps him to understand the current trends in Systems Security Management. Every month he downloads the Analyst Research Reports to quickly read through them.

But this time he’s more interested in a generic view of what other companies are doing around Systems Security Management.

Michael points his browser to The Art of Service LAB, a quick search in LAB for ‘Systems Security’ comes up with 1315 documents that cover the Systems Security topic.

Michael finds 428 powerpoint presentations, 435 PDF documents and 452 Word Documents that cover Systems Security in-depth.

Michael hones in on the following actionable documents and quickly scrolls through each document using the built-in viewer, downloading several of them:

– Iss Program Goals And Objectives.ppt
– To Identify Management And Technical Issues As Early As Possible.doc
– Security Roles And Responsibilities.doc
– Data Backup And Recovery Including Volume Mirroring And Tape Archiving.ppt
– Prevention.pdf
– 01-Novak-Standards.ppt

Michael now feels confident about his Systems Security knowledge and has the practical input and examples he needs to oversee Systems Security management by competencies in minutes.

On top of that, one of the documents also gave him input on how to inform on and uncover unspoken needs and breakthrough Systems Security results.

You can get these benefits and results today with the Art of Service LAB: a comprehensive document library designed to help professionals achieve tangible business results. You receive instant access to the world’s foremost repository of expert and practical analysis and opinion on everything important in IT with the searchable database of cutting-edge research.