Risk Management and Security in Strategic Planning
SIM D/FW November Meeting
Contact
Keyaan Williams
Senior Consultant, Risk Management & Governance
• https://www.nccgroup.trust/us/
• @KeyaanWIlliams
Opening Thoughts
Strategic planning is a critical business activity that most businesses don’t do well.
When businesses do conduct strategic planning, they often overlook risk management and security concerns that affect the plan’s outcome.
Risk and security considerations often contribute to the way an organization conducts its business.
Agenda
Strategic Planning
Strategy, Risk, and Security
The Long View
*Real* Security
Q&A
Strategic Planning: The context of this discussion
Strategic Planning
Strategic planning is the process an organization uses to define its direction
(strategy) and make decisions about how to allocate resources to pursue this direction.
Strategic Planning
“Strategic planning produces fundamental decisions and actions that shape and guide what an organization is, who it serves, what it does, and why it does it, with a focus on the future.”
~ Balanced Scorecard
Five Steps to a Strategic Plan
Where are you?
What is important?
What must you achieve?
Who is accountable?
Review and measure performance
Strategic Planning
Planning hierarchy: Strategy → Portfolio → Program → Projects and Activities
Strategy, Risk, and Security: How do they work together?
Strategy, Risk, and Security
If strategy provides the context for where we are going, risk and security
tell us how to get there.
Risk
• Big Picture
• Strategic
Security
• Tactics
• Operational
Strategy, Risk, and Security
Risk management provides a systematic approach for identifying, understanding,
and controlling exposures.
Exposures: Operational, Financial, Security, Contractual, Programmatic
Strategy, Risk, and Security
The ERM Perspective
• What risks exist?
• What impact will they cause?
• What can I do about it?
• How effective were my choices?
Strategy, Risk, and Security
The Risk Management Cycle
Assessment
Action
• Accept
• Change
• Transfer
Review
Strategy, Risk, and Security
The Security Perspective
• What threats exist?
• What vulnerabilities exist?
• How do I manage them?
• What controls do I use?
• How many layers of defense?
Strategy, Risk, and Security
The Security Perspective
The common focus is on applying controls from a specific standard or requirement: CSC 20, OWASP 10, NIST RMF, ISO 27000, PCI DSS, NERC, FFIEC.
The Long View: How do you develop long-term strategic planning for security?
The Long View
An organization’s culture and priorities make a difference – especially when incorporating security into the long-term strategy.
The Long View
Stakeholders in the flow of information: The Board, Executives, Security, Business Leaders, IT, Global Users
The root and flow of info is critical!
The Long View
Strategic Plan hierarchy: Goal → Objectives → Strategies (each goal has its own objectives, and each objective has its own strategies)
Placement of security in the hierarchy affects the outcome.
The Long View
Placement:
• Is security a strategic goal?
• Is security a strategic objective?
• Is security a strategy activity that supports an objective?
The lower something rests in the hierarchy, the less important it is.
*Real* Security: How do you manage risks beyond compliance?
*Real* Security
If security is a strategic goal, then compliance is simply an activity in the strategic planning hierarchy.
Compliance is a significant business driver, but compliance defines the bare minimum that you must do to satisfy industry requirements.
*Real* security considers business drivers beyond compliance and addresses these drivers in the strategic plan.
*Real* Security
Business process: Produce Widgets → Sales → Delivery → Support → Maintenance → End
Each phase in the process has a compliance concern and a security concern.
Q&A