I was lucky enough to get to talk at the Diana Initiative 2020 conference, one particularly bright side to complement all the compromises we have been making this year. I have wanted to speak there since friends of mine took the original diversity-friendly offshoot of the Las Vegas mega cons and evolved it into the fabulous institution it’s become today.
Here I am communicating my very personal perspective on what I think governance, risk, and compliance takes to work in a big organisation. It describes my own way of weaving accountability through every part of ISO27001, NIST, COBIT or any other more general governance framework, and focuses hard on effectively scoping and scaling the work, on usability, and on sharing the burden with all security and data protection stakeholders in an organisation. Plus, in the process, dramatically uplifting awareness of what the cybersecurity and data protection day job entails and the nature of the risks under management.
WARNING: Very slightly NSFW, but only during questions at the end
Note to self and apologies to those who view: That bump, bump, bump sound is me unconsciously tapping the desk to emphasise points (what can I say, I talk with my hands!), which is more or less distracting depending on how much bass you have on your audio – I usually have the mic on a boom arm. Lesson learned for next time.
Also, no prizes for spotting where I said “Percentage probability and dollar likelihood”. I think it was just the once. No matter how many creative and downright nonsensical ways I say it, we usually can’t estimate it.
Here, for all those trying and failing to squint at the more detailed slides, is a better view of the ones presented on the day.
Other content and resources mentioned in the talk
That tweet about the Horizon IT scandal
Some of the standards talked about that cover end-to-end risk management ground. As mentioned, my talk focuses on specific parts where I’ve found opportunities to make processes more sustainable and user friendly, but all of the biggest programmes will contain related hooks as part of the bigger whole. The main part I excluded was the specifics of control assessment. I have some strong thoughts on the relative value of monster questionnaires that I can talk about another day.
- The CSA STAR Program – To improve transparency about cloud vendor security, the CSA launched their STAR (Security Trust & Assurance Registry) program in 2011. Suppliers voluntarily publicise information about their security controls and practices, so more and less risk-averse firms can locate a provider matching their regulatory and local control requirements.
- FedRAMP – FedRAMP is the US government-run security assessment and accreditation program for cloud vendors, based on NIST security benchmarks.
- NIST Special Publication 800-37 (the Risk Management Framework) – The RMF is familiar to most US cybersecurity pros. It is a risk management wrapper to complement the control sets and various standards for cybersecurity assessment and governance gathered together under the government FISMA implementation project.
- ISO27001/22301 Certification – Certification against ISO standards is a good indicator that people have a mature approach to security risk management. However, it’s no guarantee that security controls are working. They may diligently and cyclically assess controls, find many are broken, but still get all the right security management documents and processes in place to make the certification grade. By the same token, their ISMS scope might just cover a showcase site, or only include physical security controls. Always ask for evidence of control effectiveness and check that the services you plan to use and the controls you want to rely on are in scope. If not, it can come as a nasty post-audit surprise.
- COBIT – ISACA’s governance programme for IT. Covers more general IT ground, but can be adapted for security.
A couple of the blog posts that cover similar ground to the presentation: