Risk Management Insights in a World Gone Mad

August 28, 2019

Phil Richards | Chief Security Officer | Ivanti

Join Phil Richards, CISO for Ivanti, as we discuss key concepts and strategies for Risk Management. A few of the questions to be addressed in this session include:

  • Is risk always a bad thing?
  • How do you categorize risk according to your company’s objectives?
  • Do data breaches really impact the big companies?
  • What are the steps to recognizing, assessing and managing risk?

The answers to these and many other questions will be discussed in this very important and timely session. 

Transcript:

Erica:
Okay. Welcome, everyone, to our webinar. We are going to get started. My name's Erica, and I am going to help host the webinar today. I'm really excited for this session. Thank you for joining us, and we hope that you like it.

Erica:
Just a couple housekeeping items I wanted to get out of the way before we start. First off, with the audio on Webex, usually people receive better audio results if they dial in directly instead of using computer audio.

Erica:
If you have any questions about global call-in numbers or are experiencing any audio issues throughout the presentation, feel free to shoot me a message in the chat function. That's just on the right-hand panel of the Webex that you are seeing right now. You can use that chat function throughout the presentation. If you have questions or just want to communicate any comments you might have or would like some more information after the session's over, feel free to send me a message in the chat.

Erica:
Speaking of talking to us, definitely, as you have your questions throughout the presentation, please send those over. We will be covering those questions throughout the presentation. You can use that chat function or the Q&A feature. Either of those work. That's how to use this Webex platform.

Erica:
We are recording this session. We will send out the recording and the slides sometime within the next day, after the presentation ends, to everyone who registered. We'll also post it on our website. Those are the two places that you can find this recording and the slide deck after the presentation.

Erica:
Now this presentation is actually the final installment of a webinar series that we've run throughout the summer called IT Summer School. It's been a really fun series. We really focused this series on thought leadership. We're not going to be pushing Ivanti products today. We're going to be talking about a more high-level strategic view of IT.

Erica:
Now our first presentation as part of this series was about The Five New Habits of the Successful IT Organization. We talked about some really practical takeaways that IT organizations can implement in order to be more successful.

Erica:
We followed that with a presentation about The Three Seismic Shifts in IT and How to Be Ready When They Come. That presentation was really focused on the future of IT and what IT departments can be doing to get ready. Those are two very popular sessions, and this has been a great series. Thank you, everyone, for joining us for this series.

Erica:
If you missed those two webinars, we will send links to those webinars in our follow-up email, along with the link to watch this webinar recording on demand. Don't worry if you missed those.

Erica:
With that, I think that covers our housekeeping. Our presentation today, the final part of our IT Summer School Series, is called Risk Management Insights in a World Gone Mad. We're really excited for this presentation. I'm going to introduce our Chief Security Officer at Ivanti, Phil Richards. Phil, thanks for joining us.

Phil Richards:
Hey, Erica. Thanks. Really appreciate the time to be here with you and with everybody else. I hope everybody's having a good day so far. Let's just get right into it, I guess. This is my introduction slide. You'll see me, a middle-aged person trying to keep the weight off here on the left.

Phil Richards:
Some of the things that we have been trying to do at Ivanti, as well as in other companies, really has to do with some of these frameworks that I've got listed over here in terms of how we can incorporate security into our environment.

Phil Richards:
More and more often, those frameworks are actually being empowered by an overarching practice in the security world called risk management or enterprise risk management. That's going to be a little bit about what we're going to talk about today.

Phil Richards:
More and more of the requirements from oversight agencies and that kind of thing are telling organizations that they really need to have an enterprise risk management process or program that provides the authorization or the authority for all of the security practices that take place within an organization.

Phil Richards:
It's less and less about what frameworks are you compliant with and more about do you actively manage your risks within your organization and what does that lead to in terms of security infrastructure at your company.

Phil Richards:
With that, as a background, really the first question has to do with this: what is IT risk? What is risk? The things that make us what we are and unique in the industry, at Ivanti, are a result of organic work that we've done over the years, as well as the strategic acquisitions that we've made. They really include five areas of focus, and that's asset management, service management, operational security, endpoint management, and supply chain enablement.

Phil Richards:
Our strategy as a company is to become the leaders in these IT-enablement areas. And so the question of IT risk is really at the heart of our strategy as a company, and it's really at the heart of an IT organization's strategy, in terms of what are we doing, what are we allowed to do, and where are the pressure points and the areas that we need to be looking at and avoiding.

Phil Richards:
The question of what is IT risk, I've wondered about that quite a bit and done quite a bit of research and looked in a lot of places. I particularly like this definition of IT risk from ISACA. They've provided this part of the risk IT framework.

Phil Richards:
It says, "IT risk is business risk, specifically the business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise." I particularly like this last part. "IT risk always exists, whether or not it is detected or recognized by an organization."

Phil Richards:
I promise that's going to be the last slide that I read verbatim because this is an important component or concept that we have, and that is that IT risk exists whether you find out what they are or not. Obviously, if you don't identify that risk, then you're just subject to the downside of that risk. You lose some of the opportunity to mitigate or alleviate the risk from your organization.

Phil Richards:
That leads to the next big question, which is: is risk a bad thing? The answer is it depends. Some risk is definitely a bad thing, but there's a lot of risk that is not bad. As a matter of fact, our organizations exist oftentimes because they're willing to take risks on behalf of our customers. Sometimes they are willing to do things that our customers aren't willing to do themselves. Sometimes we, as organizations, take on risky ventures in support of our customers' desires and that kind of thing.

Phil Richards:
A good example of this is really a supermarket when you think about it. One of the things that a supermarket does is they buy perishable items. They buy fruits and vegetables and meat products. They purchase all these things, which is a risky investment ... I mean, obviously, these things perish over time ... for the benefit of their customers. When a grocery store looks to purchase fish, that is a risk that they need to take in order to stay in business. That's part of what they do.

Phil Richards:
I guess really the message here is that there are types of risks that an organization needs to consider as a normal part of doing business. Now here's the interesting question. If somebody were to walk into that grocery store and say, "I don't have any money today. I'll gladly pay you next week if you give me some vegetables today," the supermarket manager is going to say, "No, that's not a risk that we are willing to take. We don't loan money as part of our business model. We recommend that you go to a bank and have them loan you money. Then you bring that money back here and you can buy your vegetables."

Phil Richards:
Banks, a different type of industry, a different type of program, they take the risk of lending money to individuals in the prospect of having those individuals pay it back. The grocery store has one type of risk. The bank has another type of risk that are not necessarily bad. They're the kind of things that keep those organizations in business.

Phil Richards:
There's different types of risk. When we think about is risk bad, we like to categorize risk in a few different ways. The types of things we have just been talking about are called on-strategy risk, buying fruits and vegetables. For a grocery store, it's an on-strategy risk. But there's other kinds of risk. There's strategy neutral risks and then off-strategy risks. Let's walk through these a little bit.

Phil Richards:
Risks that are aligned with a business are those we intend to take on as a normal part of doing business, and these are called on-strategy risks. If your business is a grocery store, for example, purchasing okra is an on-strategy risk. If your company is a bank, then approving an individual for a home equity loan is an on-strategy risk. All risks have parameters within which operation is determined to be acceptable.

Phil Richards:
For example, if you're a grocery store, you might not want to buy all the okra that's available. You have a certain amount that you believe that you can sell before it starts to go bad, and that's how much you want to get. The same thing with a bank. You have parameters for approving loans as a bank. A person's financial situation needs to be considered before you decide to approve that loan.

Phil Richards:
Sometimes on-strategy risk also results from the need to innovate your product or your service in the marketplace. The risk associated with innovation is a major part of on-strategy risk for industries where consumers are willing to pay for that innovation, such as software development.

Phil Richards:
When we look at the software development industry, for example, customers pay a license or maintenance fee. This fee is frequently paid annually and provides customers with bug fixes. The customers pay that to the software developer in order for the software developer to be innovative.

Phil Richards:
As a result, software companies need to be particularly aware and open to the costs and risks associated with innovation, because for them, innovation is actually a thing that the customers are paying for directly, in support for your business to be aware of those kind of activities and the important on-strategy risk, because it relates directly to revenue or business goals.

Phil Richards:
The second category really isn't a list of risks, but it contains risk parameters or boundaries used to evaluate risk going forward. This is the largest group of risk, and it includes strategic and financial, operational and quality and other kinds of risks.

Phil Richards:
Under financial risk, for example, you might have parameters for investment limits, and those limits vary depending on the size of your business. For example, if you're a grocery store again, you might say that no single capital investment will be larger than $500,000, while a bank might say capital investments need to be sized so that the company is able to maintain their target cash flow volume. They need to be maintained at the size of $500 billion, something like that. The point is that there are different strategies and different types of parameters for the different companies.

Phil Richards:
By identifying boundaries, you help the business evaluate opportunities and challenges in a changing environment and still stay true to the appetite boundaries set by senior management. The whole idea behind these parameterized risks is that you are putting together an MO or a modus operandi for your business around how risk opportunities and that kind of thing are evaluated and assessed by executive management.

Phil Richards:
Then there's this category of off-strategy risks. These are risks that are never aligned with business objectives. These risks are deemed to be so dangerous to the ongoing nature of the organization that a company would never knowingly take on this risk.

Phil Richards:
For many organizations, reputation risk is an example of something that goes in the off-strategy area. As an example, a company would never want to do something intentionally that harms their own reputation in the marketplace.

Phil Richards:
A good example of this, a brand image impact would be associated with a data breach. We see many examples of companies that haven't approached data breaches properly and, as a result, have lost ground in the marketplace associated with it.

Phil Richards:
I have a few examples of ... A few good bad examples, I guess I would say, of off-strategy risk. In particular, I like this statement from the CEO of Uber. He said, "The truth is ... " This is after, by the way, Uber faced some fairly significant claims with respect to data privacy of customers and drivers. They were notified by some hackers that data had been compromised.

Phil Richards:
In order to try to keep the data breach quiet, they offered to pay the hackers a bribe to keep that information quiet. Of course, the hackers took the money and then made it public anyway. So lesson learned, right? Never try to deal honestly with criminals. But the CEO for Uber said, "The truth is there's a high cost to a bad reputation." There is a high cost to a bad reputation.

Phil Richards:
Since Uber, at the time, was privately held, we don't have any information about how that affected the value of their organization. But there's been a couple of other breaches where we do have some information about how a data breach affected the value of the organization.

Phil Richards:
The first example here is Facebook. I'm sure most of you remember from a couple years ago the Facebook breach. What happened was there's a point on this graph, just about the middle of March, which is where the data breach was actually discovered, and you can see the closing price of the stock went down precipitously over the course of about a week and a half or so.

Phil Richards:
Then it started to climb back up. It went up to a big high right in the middle of the graph. That day, by the way, happens to be the day when the earnings call, the quarterly earnings call, came out from Facebook, and Facebook acknowledged a couple of different things. They mentioned that their revenue was below expectations. They mentioned that their costs were higher than expected because they had to clean up from the privacy breach and that kind of thing. As a result of that earnings call, you see the big drop off.

Phil Richards:
Now what makes this really a reputation issue is because, if you remember right, this wasn't really a Facebook breach. It was a company called Cambridge Analytica who misused Facebook's terms of ... Their own data privacy terms.

Phil Richards:
That's what really caused this issue, this stock impact, which, by the way, is in the neighborhood of $110 billion of lost equity to shareholders over this course of six or seven months. It was a significant impact to the company, directly a result of a data issue, which ended up being a reputation issue for Facebook.

Phil Richards:
Similarly, I'm sure we all remember Equifax, which is a company that offers credit monitoring services, people who provide credit scores to individuals. It's pretty easy to see where the public notification of their data breach happened. This is their actual closing stock price over that period of time.

Phil Richards:
Equifax did a number of things, from a PR perspective, that caused a lot of problems. The reason why this is a PR or a reputation issue is because you've got to remember the data that was breached was actually not customer data that was breached. It was our data, individuals' data, but we are not customers of Equifax. The customers of Equifax are merchants who need to assess credit worthiness of individuals.

Phil Richards:
That's what makes this kind of interesting is because the data that was breached was not their customers, it was other individuals. That's what makes this a reputation issue that we can isolate because their stock price was not impacted by a customer data breach.

Phil Richards:
The fact is there's a lot of things that go on in terms of bad decision-making. The reason it's important for organizations to formally understand their own risk appetite is because individuals within your company are making risk-based decisions on a daily basis, everything from the guy who's stocking shelves at the grocery store to the software engineer to the bank loan officer. They make decisions on a daily basis that they believe are in the best interest of an organization.

Phil Richards:
If you're a software developer, for example, you might be writing some code and you might be trying to decide whether or not a particular error routine is important. It takes some amount of time to write an error routine. A software developer decides whether or not that particular error is something that's going to ever happen in the real world, or what's the likelihood of that happening, and he's making that assessment based on his understanding of what the company's appetite for risk is.

Phil Richards:
Since we all make decisions, some of them, as you can see from the pictures, are bad decisions, on a daily basis, it's important to get some sort of view of that information to your employees.

Phil Richards:
I just put together here a sample risk tolerance statement here. These are the different types of risks. We talked about off-strategy risks, on-strategy risks, and parameterized risks. What this particular set of statements does is it really talks about what are on-strategy risks, what are really off-strategy risks, things that we want to try to avoid, and what are the parameters behind some of our parameterized risks.

Phil Richards:
This is just an example of some of those types of statements. This example, along with the presentation, will be made available after the webinar. But I really wanted to make sure that everybody had a view of what is risk management, what is the different categories or types of risks that are involved in there, and get an understanding of the fact that risk is something that we all live within our organization. It's not bad or good. What's important is to identify the risk that you have and be able to manage through those risks.

Phil Richards:
The next part of our process really is going to talk a little bit about risk management in general. In other words, now that we talked a little bit about risk, what are some of the risk management steps that are associated with that?

Phil Richards:
Move on, this walks through a ... What do you call that? A wheel or a process, I guess, for risk management. There's really four major steps there. There's identifying risk, doing an assessment of that risk, creating a risk response and mitigation, and then figuring out how to control and monitor and report on that risk. Understanding what risk is is the whole process of risk identification. There's a little bit of an example that I want to go through in terms of identifying what ... How do we identify risk.

Phil Richards:
In this particular scenario, I want you to first think about a bald tire. This is a tire that used to have treads. But that tread's completely worn off now, just like this picture here. It shows that there's no tread on the tire. The question is: is this bald tire a risk?

Phil Richards:
Well, what if I gave you a little bit more information? What if I said that bald tire is tied to a rope and it's hanging from a tree? Now you're thinking, "Oh, okay. I see now." Does that bald tire represent a risk at this point?

Phil Richards:
Well, what if I said a little bit ... The rope is frayed and it's about ready to break, and that tree [inaudible 00:23:27] and the tire is [inaudible 00:23:34] the cliff? Now with that much information, [inaudible 00:23:40] the risk?

Phil Richards:
The real answer is you still don't know because we don't know what we're using it for. There's a whole usage that's involved in the scenario, that's woven into the scenario, but it's not explicitly stated. The usage is really a core part of identifying [inaudible 00:23:59].

Phil Richards:
Part of the question is, well, what really is risk? Our friends at ISO have come up with a great definition for that. Risk is the effect of uncertainty on your business objectives. What you're trying to do is identify components of uncertainty around your business processes, around what it is you do. That's what risk is and that's what you're trying to identify.

Phil Richards:
You're looking at business processes and trying to figure out how to identify, okay, [inaudible 00:24:31], this is my business process. Where are the areas of uncertainty associated with this particular risk?

Phil Richards:
After we've gone through risk identification, the next step is to figure out, okay, I've identified some risk, I've identified some areas of uncertainty in my business, how do I evaluate or how do I assess how big or small a risk is?

Phil Richards:
A couple of different things that you can do. You can assess risk either from a qualitative or a quantitative perspective, but essentially risk is a value. It's a score. It's based on ... You've probably heard risk is likelihood times magnitude. The way I measure likelihood is by thinking in terms of frequency, not how likely is [inaudible 00:25:33] to happen. [inaudible 00:25:34] 20% likely to happen or 80% likely to happen? That's a little squishy and it's really hard to get your head around.

Phil Richards:
What's a lot easier to figure out is how frequent can I expect this risk to occur? When you think about it, the weatherman, when they talk about a storm, they'll say that this is a 10-year storm or a 100-year storm or a 200-year storm, something like that. That really talks to the event frequency. That's what we want to try to get to when we're talking about risk. How frequent can I expect this particular thing to happen? Is this an event that happens once a year? Is it an event that happens three times a year, or once a decade, that kind of thing?

Phil Richards:
Then when I multiply that by the expected loss magnitude, I actually have something that I can say on a yearly basis or on a monthly basis this is how much that risk is costing me over a period of time. It might only happen once every 10 years, but if it's a multimillion-dollar loss that happens once every 10 years, then that actually has real value in [inaudible 00:26:34] year that it doesn't happen, because you've got to build up to when it's going to happen, that kind of thing. That helps with the qualitative nature of being able to assess risk.

Phil Richards:
From a qualitative perspective, we think of loss event frequency as rare, unlikely, possible, likely, or almost certain. Then the magnitude is instead of it being in dollars or in money, it's how big of a factor is this to your business, insignificant all the way to catastrophic?

Phil Richards:
Then you can put your risks together in a heat map sort of thing like this. They're relative to one another. This is a relative risk assessment. Risk number one might be more risky or a bigger deal to the organization than risk number two when you think about them relative to one another.

Phil Richards:
For a lot of businesses, that's all you need to do, because you want to address the ones that have the highest relative score. Obviously, the idea behind this risk assessment is to address those risks that have the highest score earlier and quicker and more thoroughly than you address the ones that have a lower score.

Phil Richards:
One of the things that we do here at Ivanti is we actually create a quantitative risk register. We look at particular risks, how frequent we believe they're going to happen. Oftentimes I will use frequency [inaudible 00:28:05] that comes from industry examples or industry metrics. Sometimes I will use ... If I have actual [inaudible 00:28:17] the organization, we'll use that instead. But we'll find some sort of a mechanism that determines how frequently we can expect a particular loss to occur.

Phil Richards:
The loss magnitude is often the expected value of loss magnitude, so not the worst case scenario but also not the best case scenario. It's what we can expect to have happen. That turns into a value on a yearly basis. The value is not [inaudible 00:28:39] means that if it costs more than the risk value is to mitigate it, then the mitigation is actually more expensive than the risk is, than the exposure. It's important to know those things so that it gives you a high-end budget for assessing and evaluating those risks.

Phil Richards:
In my organizations, I've found that you find that these risks, the value actually piles up fairly quickly, and it's important to begin addressing the risks that have the highest annual value earlier in your process, I guess. That's risk assessment.

Phil Richards:
The next process is risk response and mitigation. I'm not going to go through a lot of detail around risk response and mitigation. What I want to do instead is show you a cartoon which I particularly like. These are the four main types of risk management, or the main activities under risk management that you can do.

Phil Richards:
You can avoid the risk. This is a guy who's looking over the edge of the cliff and avoiding. He's just walking away from the cliff. Mitigating, there's another person who's putting a trampoline at the bottom of the cliff. Transfer, I love this one. I will pay you money if you will jump off the cliff for me. Or accepting the risk, which is just jumping off the cliff.

Phil Richards:
All four of those are very valid types of risk response activities, the things that you can do. Those are the four main [inaudible 00:30:20]. You don't have to pick one strategy and live with it. You might avoid some of the risks and you might transfer some of the risks.

Phil Richards:
Typically, transferring risk involves an insurance, for example. If you have a lot of cybersecurity risk, you might transfer some of that by paying an insurance company to handle the financial components of a breach cleanup or something like that for you, that sort of thing. You mitigate risk by putting controls in place. We'll talk a little bit more about risk and controls and control frameworks here a little bit further into the presentation.

Phil Richards:
The last part of the risk management cycle is controlling, monitoring, and reporting. The risk process is not a once and done sort of thing. It's something that you need to be in fairly continuous assessment within your business, because the business changes, the world around you changes, your products change, and your services change. All of those changes bring together new opportunities, but also new risks that need to be identified and assessed as part of your continuing process.

Phil Richards:
Also, importantly, is reporting on this risk, on your risk management. Once you have identified, assessed, or graded the different risks and have come up with preliminary response strategies for your organization, it's important for the executives to get a view of what the plan is by creating reports.

Phil Richards:
Let's see, the risk management organization calls [inaudible 00:32:09] IT has identified seven components of reporting in terms of risk-oriented language that are important. I can tell you from personal experience, it's very important that you have a reporting process that actually includes all of these things.

Phil Richards:
Maybe one of the more difficult and important components is to have this ... Your risk report needs to be clear and balanced and understandable. What you're trying to do here is you're not trying to make things too big and you're not trying to undersell or oversell risk, which is why it's so important to have a standard assessment process, because you're trying to provide a clear and balanced report of what is the risks that your organization is facing. That's particularly important.

Phil Richards:
If executives feel like the risk report is underselling the risks, then they get concerned that maybe risk management isn't well-handled. If risks appear larger to them than they believe that they should, then the feeling is that the risk management is overly sensitive and that kind of thing. You get problems both ways, I guess, is the message there.

Phil Richards:
Again, reporting needs to be based on actionable intelligence. You're not trying to just report on risk, but you're trying to say, "Here's the mitigation process that we've got. Here's the steps that we want to take in order to fix this or to change it or to mitigate." You're not just reporting on a problem, you're reporting a problem, and here are the recommended actions to address that problem. So that's the discussion around risk management.

Erica:
Hey, we have a question around risk management that I thought might be interesting. They're asking, "How can our security team help other departments consider risk without looking like we're always shutting ideas down?"

Phil Richards:
That's a really good question. Risk management is actually an excellent way of doing it because the whole process is business operations need to take place, but we need to go into new business operations with our eyes wide open in terms of what are the possible downsides associated with that risk.

Phil Richards:
When you go through an assessment process that identifies the risk and quantifies that risk, say that this is something that will occur once every five years or whatever it is. You can come up with [inaudible 00:35:07] associated with that risk.

Phil Richards:
You don't need to necessarily kibosh an idea. You can say the risk associated with that idea has a specific value. Maybe it's $100,000 a year or whatever. That value is something that needs to be considered as part of the ongoing operation of this new project or program. It's important to go into these things with your eyes wide open.

Phil Richards:
The other part of this is it's really the executive management's responsibility to accept or to not accept that risk. If you're real clear on letting everybody understand what the risk is, the executives have the ability to respond to that and say, "Yeah, that's something that we recognize as a risk. Maybe we're going to take some steps to mitigate that risk. But, overall, we're going to accept it because we think the benefit to the business outweighs the risk, and that should be a perfectly fine outcome."

Phil Richards:
Where we get into trouble is oftentimes we don't alert either the departments or senior management about what those risks are. They're assuming acceptance of those risks without really understanding what they are.

Phil Richards:
That's the part that, as risk managers and as IT security folks and as IT folks, we need to make sure does not happen. We need to make sure that they're going into that decision with their eyes open in terms of what the risks are.

Erica:
Perfect. Thank you.

Phil Richards:
Yeah. Great, okay. With that, let's talk a little bit about ... I mentioned before that we're going to talk a little bit about some of the other terms around the risk management process. Specifically, we're going to talk about controls, control frameworks, and that sort of thing, the process for risk management.

Phil Richards:
The way I like to think about this is when you think about our world, we typically think we've got multiple problems and we have solutions to those problems. Problem one might have a single solution. Problem two might have a solution. Problem three might have a solution.

Phil Richards:
That's great. That's not usually how the world works. Usually what we see is something a little bit more like this. If I've got a particular problem, I might have two activities that participate in the solution of that. That solution number one, by the way, also solves part of problem number two, and similarly. Things get a little bit muddy.

Phil Richards:
The way we think about this from a risk management standpoint is we just want to flip the whole thing on its head, so we're going to turn it around. We're going to make it solutions first. We've got solution one that addresses part of problem one and part of problem two. Solution two addresses part of problem one and problem two, that kind of thing. We're thinking more in a solution-oriented space.

Phil Richards:
Now we're just going to change our terms. Problems are called threats. Solutions are called controls. A whole set of solutions is called a control framework. When we think about [NIST 00:38:22] 800-53 of the control framework, what that really is is a list of 265 solutions to problems. It tells you what the solutions are. It even tells you, to some degree, what the problems are.

Phil Richards:
When we're doing a threat assessment, what we're trying to do is identify what problems in my business are actually fixed by some of these solutions, or what are the problems that I have in my business, and so, therefore, what framework of solutions is best going to fit my organization or my business. That's a little bit of insight into what those terms are [inaudible 00:39:02]. All right, let's move on to some final thoughts before we get to some additional questions [inaudible 00:39:13], if there are some.

Phil Richards:
When it comes to managing risk, there are three things that I really want to talk through a little bit. The first is impact over likelihood. As human beings, we are very good, or we think we're very good, at assessing the likelihood of something to happen.

Phil Richards:
We might say this particular problem, somebody getting into our environment and stealing credit card numbers or something like that, would be very catastrophic to our business. You might hear somebody in management say, "Yeah, but that's not very likely to happen."

Phil Richards:
We need to, from a risk perspective, try to overcome that [inaudible 00:40:00]. We need to think about the impact of something happening a little bit more critically than we do the likelihood. Oftentimes, just because something is not very likely to occur, if it's going to crater our business, it's still something that we need to think about and still something we need to plan for.

Phil Richards:
Again, I tend to issue a likelihood in terms of how frequently that event is going to occur rather than it's likely or it's not likely. Then I can measure the impact over a smaller period of time.

Phil Richards:
If this is something that's going to occur once every 10 years, but when it does occur, it costs $10 million, well, I can simply do the math and say that means it's going to cost me $1 million a year for 10 years. Some time during that 10-year period, I'm going to have a $10 million event, that kind of thing. Here's a great comic that illustrates to the far edge the importance of pinpointing impact over likelihood. On a webinar, it's hard to get laughter as a feedback mechanism.

Phil Richards:
The next thing to think about is that it's important to identify clear decisions. When we're identifying risk and we're coming up with a risk management strategy, you want to be clear and very communicative of what that strategy is, how much of the risk is left, we call that residual risk, and how much of the risk has been mitigated.

Phil Richards:
Being real clear in terms of your decisions and making sure that the group of employees are real clear on what the decision parameters are is extremely important. That's why I really like that risk acceptance or the risk chart that we had previously, which shows the tolerance for risk within an organization.

Phil Richards:
The reason why that's so valuable is because it clearly provides to our employees an example of, "This is what the company does and this is what we think is acceptable and not acceptable risk," that kind of thing. Again, the point is that you want to make sure that you're providing very clear decisions to your employees.

Phil Richards:
The third thing to think about is reputation impact. Just about every one of our companies' reputations looks like a balloon. It's great, but it's very easy to destroy if the wrong thing just happens to occur. Reputation is very important.

Phil Richards:
For most organizations, it's something that you need to be safeguarding pretty tightly. For just about every organization, it needs to fall into the category of risk that we never want to expose the organization to, because the impact, as I showed earlier, is very real in terms of ... For a publicly held company, it shows up in shareholder equity. It can show up in terms of ...

Phil Richards:
For example, we talked about Cambridge Analytica. That company doesn't exist anymore. They're out of business because of the impact of the reputation as a result of the whole Facebook debacle. The importance of reputation cannot be overstated. It's something that needs to be safeguarded pretty tightly.

Phil Richards:
Erica, that is the set of things that I had to talk about. Do we have some additional questions from some of the webinar attendees?

Erica:
Yes, we have a couple of questions. Feel free, to all of our attendees, to keep sending your questions in. One question we have is, "Do you have any tips around how to avoid scaring business stakeholders into knee-jerk reactions, first ensuring that actions are taken to address these risks?"

Phil Richards:
Boy, that is so important. That really goes to what I was talking about earlier in terms of reporting very clearly and consistently. The way you help avoid disproportionate reactions from management is to have a very standard and repeatable process for assessing risk. You want to either assess risk relative to one another in a qualitative sort of way or provide a quantitative risk assessment.

Phil Richards:
But providing the same treatment to all the different kinds of risks that you identify will help even out or make sure that the correct measured response gets taken to those individual risks. That's a really good and important point.

Phil Richards:
When you first start to identify risks and escalate those to executive management, sometimes their initial response is going to be very knee-jerky and they're going to try to throw a lot of resources at risk that might not qualify as something that they need to throw a lot of resources at.

Phil Richards:
Have a discussion with them around the parameters of your risk. What's the event likelihood? What's the event frequency looking like? What's the impact to the business in terms of dollars or however you want to measure that? What does that actually look like? Having a discussion around some of those parameters will help to even out some of those knee-jerk reactions sometimes.

Erica:
Perfect. Another question that we have, they're asking, "Who would you say are the key stakeholders in IT for risk management?"

Phil Richards:
That's a great question. The answer is it depends. I mean sometimes IT is going to identify business risk within a department, so your key stakeholders might be some of the department folks. Depending on the type of risk, you can have stakeholders from legal, you can have stakeholders from senior IT individuals.

Phil Richards:
Some risks are best solved locally. IT risks that don't involve other departments are best solved within the IT organization. The IT organization is empowered to identify and mitigate risk within their own scope.

Phil Richards:
Executives typically need to be involved when those risks bleed out into other areas, and a lot of risks do. As part of your assessment, you need to figure out what groups are being impacted. Reputation risk, you're always going to want to involve executives and marketing and sometimes legal. Risk to employees, personal data risks are going to involve security and HR, and some of that kind of thing.

Phil Richards:
It really depends. There's a broad range, but part of that assessment process should be helping to identify who the key stakeholders are inside those risks.

Erica:
Perfect. Last question that we have so far, "Do you have any tips on how to best communicate risk management strategies internally?"

Phil Richards:
Yeah, a couple of things. One of the things that I found to be very effective has to do with the diagram that I showed earlier, which is your risk tolerance statement. That chart, if you can get that in front of senior executives there, that ends up kicking off a good amount of discussion and debate within your organization. Let me see if I can find it real quick.

Phil Richards:
That debate is good because it has the benefit of the organization discussing what their own tolerance for risk is. This ends up being a thing that provides a lot of discussion points, not just within the senior executive group but within the organization as a whole. That ends up being a really good thing to use to start that conversation flowing a little bit.

Erica:
Perfect. Then we have one other question that I think is really interesting. Obviously, in our day-to-day lives, when we're talking about risk, insurance is something that comes up. Someone asks if you could comment on the growth of importance in investing in cyber threat and reputation insurance. Generally, they'd be interested in your thoughts on those.

Phil Richards:
Yeah, absolutely. It is absolutely a growing component, and more and more organizations are not only taking advantage of having the insurance, but actually taking advantage of using it.

Phil Richards:
There has been a fairly large spate of ransomware attacks on public sector organizations over the past six months or so, and a lot of these organizations are actually using their cyber insurance to pay off or to pay for the ability to restore or, in some cases, actually to pay the ransoms of some of these ransomware activities.

Phil Richards:
I certainly would not recommend that you ever pay a ransom for a ransomware attack, but I'm telling you that there are organizations that are using their insurance dollars to actually make those ransom payments.

Phil Richards:
That is becoming a big and a pretty important part of an organization's overall risk mitigation strategy, is to provide the right level of insurance to mitigate through some of these risks. As many of you probably are aware, a breach of data can end up costing an awful lot of money. The Ponemon Institute has recently assessed that a data breach in the United States costs about $130 per record that is breached in terms of the total cost from a cleanup perspective.

Phil Richards:
You look at some of these data breaches that are multimillion records, that turns into real money real fast. A lot of organizations are purchasing insurance programs to help defray a significant portion of that cost, if that were to happen to your organization.

Erica:
Okay. We actually have one other question that's come in. They're wondering, "How do you see digitalization and cloud computing affecting the risk portfolios and assessment?"

Phil Richards:
How do I see cloud computing? A couple of different things. Like everything else, new technology will help defray or mitigate some of the existing or some of the older risks within an organization, but it also brings up new risks to an organization that either the organization hadn't thought about or needs to think about in a new way. Let me give you an example.

Phil Richards:
Earlier this month, it hit the news there was a breach that was centered around Capital One credit cards. That breach was actually a breach of an individual who had information about Capital One's Amazon AWS storage environment. There was some default configuration information that this person was able to exploit in order to get that information.

Phil Richards:
The fact that it was in a cloud infrastructure mitigated some risks, but it brought up new risks that the organization might not have considered, which is things like you need to harden that environment differently than you have done in the past. You need to look to an outside organization to provide some of those hardening guidelines that you need to follow and that sort of thing. There's a new set of risks associated with that.

Phil Richards:
That being said, it obviously mitigates some of the risk of storing that data on your local premises and things like that. There's a benefit, but there's also a cost associated with it. Most importantly, you need to reevaluate your risk portfolio in the context of those new projects when they come up.

Erica:
Okay. I think that covers us with all of the questions.

Phil Richards:
Okay. Let me just say thanks again to everybody. I appreciate your attendance. Erica, if you want to close this out, that's great.

Erica:
Yes. Thank you again for attending. We will send a follow-up email to all of our registrants after the presentation ends with the recording link and the slide deck, and the links to the other sessions in the series. Thanks for joining us and have a great day, everybody.