Talk Martin Ruf

Pragmatic Approach to Company-Level Risk Estimations


DESCRIPTION

In today's environment, there is a strong need for companies to also base their decisions on solid risk estimations. There are many approaches, flavors and combinations of identification, estimation and leveling methods publicly available (and I will not add a new one to this list). Yet, an approach you can witness frequently is companies collecting identified risks (e.g. by audits, pentests or simply by someone reading news), measuring them based on a poorly implemented standards-based methodology (looking at you, Risk Matrix), and estimating the total of the Excel sheet horror that comes out of it again - this time completely based on gut feeling due to the lack of a good aggregation method. In the end, business gets a "low/medium/high" indicator that satisfies the auditor, but doesn't really help in making cautious decisions.

I want to share a combination of methods that worked better for me, together with some reasoning why I think this makes sense. I will walk you through a systematic approach for risk identification at a given abstraction level that worked for me (on company level that's in essence an entry point impact matrix combined with probability chaining). I'll also share a method of estimation that worked for me (which was partly borrowed from an environmental risk and safety estimation method). And I will discuss how to base estimations on facts to put them onto solid ground. As a side effect, reasonable KPIs that are measurable and directly influence the overall company risk level fall out of this approach. As, in my opinion, the goal of risk estimations should be to give valuable indicators to business decision makers, I also think there is value in agreeing on a common language.
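As an added, generic illustration of the aggregation problem the abstract describes (this is not the speaker's method and not code from the talk; the entry points, probabilities, impacts and matrix thresholds are all constructed for the example), here is a small risk register rated both ways: via a classic risk matrix whose company-level result is simply the worst cell, and via chained probabilities (entry point first, then escalation to impact) that yield a probability of at least one incident per year and an expected annual loss.

```python
# Added, generic illustration of risk aggregation. NOT the speaker's method;
# every parameter, threshold and sample value below is constructed.
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Risk:
    name: str
    p_entry: float               # annual probability an attacker gets in via this entry point
    p_impact_given_entry: float  # probability that such an entry escalates to the damaging scenario
    impact_eur: float            # loss if the scenario materialises


# Constructed sample register: four risks as they might come out of audits, pentests or news.
SAMPLE_RISKS = [
    Risk("exposed VPN gateway", 0.20, 0.50, 500_000),
    Risk("phishing of staff",   0.60, 0.10, 200_000),
    Risk("third-party web app", 0.15, 0.40, 100_000),
    Risk("lost laptop",         0.30, 0.05,  50_000),
]


def scenario_probability(r: Risk) -> float:
    """Chain the probabilities: entry first, then escalation to the impact scenario."""
    return r.p_entry * r.p_impact_given_entry


def matrix_rating(r: Risk) -> str:
    """Classic 3x3 risk matrix with constructed bucket thresholds."""
    p = scenario_probability(r)
    likelihood = 1 if p < 0.05 else 2 if p < 0.20 else 3
    severity = 1 if r.impact_eur < 100_000 else 2 if r.impact_eur < 400_000 else 3
    score = likelihood * severity
    return "low" if score <= 2 else "medium" if score <= 4 else "high"


def aggregate_by_matrix(risks) -> str:
    """The spreadsheet aggregation: the company rating is just the worst cell."""
    order = {"low": 0, "medium": 1, "high": 2}
    return max((matrix_rating(r) for r in risks), key=order.__getitem__)


def aggregate_probabilistic(risks) -> dict:
    """Fact-based aggregation: probability that at least one scenario happens this
    year (entry points assumed independent) and the expected annual loss."""
    probs = [scenario_probability(r) for r in risks]
    p_any = 1.0 - prod(1.0 - p for p in probs)
    expected_loss = sum(p * r.impact_eur for p, r in zip(probs, risks))
    return {"p_any": p_any, "expected_loss": expected_loss}


if __name__ == "__main__":
    for r in SAMPLE_RISKS:
        print(f"{r.name:20s} p={scenario_probability(r):.3f} matrix={matrix_rating(r)}")
    print("matrix aggregate:", aggregate_by_matrix(SAMPLE_RISKS))
    agg = aggregate_probabilistic(SAMPLE_RISKS)
    print(f"P(any incident this year) = {agg['p_any']:.1%}, "
          f"expected annual loss = {agg['expected_loss']:,.0f} EUR")
```

With the constructed values the matrix says "high" and nothing more, while the chained calculation says roughly a 22% chance of at least one incident and about 68,750 EUR expected loss per year; changing one measurable input (say, the phishing click rate feeding `p_entry`) visibly moves those numbers, which is the kind of quantity that can serve as a KPI.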


WHY THE COMMITTEE CHOSE THIS TALK

Being CISO is not an easy job. We are very glad that Martin shares his experience working in an SME. We look forward to an interesting discussion about what works and what does not.
