CRISC

Course
Time
6 hours 30 minutes
Difficulty
Advanced
CEU/CPE
7

Video Transcription

00:01
now, the next tool we're gonna use is called the Calls and effect diagram, and this cause and effect diagram is for route calls analysis. What we're trying to do is getting in the bottom of why, perhaps a defect or, ah, flaw in design, perhaps
00:20
why I would ever risk that's materializing
00:23
what's at the root of it.
00:24
So this can also be called a call so you can hear it called cause and effect. You can hear it called the Fish Bone Diagram, and you can kind of see why in this diagram it can also be called in Ishikawa diagram. I kind of in my mind call it official Kawa because that combines the two and I can kind of keep them together.
00:43
But anyway, what you concede E
00:44
is, let's say we're doing software development and we're trying to figure out what's at the bottom of this flaw that we found. Maybe we found that Ah, it's upset the susceptible to, um,
00:58
code injection. So we have to think about, well, water all the causes for that. Or what if there's a security error that allows a com prom, prom ise or a bypass of access control. So on the backbone we write out, what is the defect?
01:14
And then each of these little vertebrae that stemming off the backbone is where we say, Okay, here's one of the possible causes.
01:21
Here's another possible cause. Here's another possible calls. And then you can also have information branched off the vertebrae as well. But ultimately, you know, we're gonna brainstorm. We're going to track our defects and try to get to the root underneath things.
01:38
The next tool that we have is gonna be the SWAT analysis. SWAT analysis is really helpful. When we're looking to take on endeavors. We have to think about our strengths and our weaknesses and then look at the endeavor for opportunities and techniques. So it's called SWAT. So of course, with strength, what do we do? Well,
01:57
we as a company, what are those things that we're good at?
02:00
Okay. How are we better than our competitors in this particular focus?
02:06
Now, if we're gonna look at the positives, we've also got a look at the negative. So we have to think about what? Of our weaknesses. What are the things that our competitors do better than us?
02:15
Waterson limitations that we have. What are areas that were just not a strong at Those are our weaknesses, of course.
02:22
And then, like I've said, you know, we've been talking about opportunities versus threats. So in undertaking this particular endeavor, what is the potential for positive outcomes? Right. So what are our opportunities?
02:37
Ah, is this Ah, an area that, um,
02:42
you know, is is this an area that just hasn't been? Ah, well, we see here underserved markets. So in this particular market, is there real need where there's no competitors present? Perhaps. Do we see a trend? Can we get aboard the get on board the train before our competitors do?
03:01
What are the opportunities there?
03:06
We've also going to think about threats, Of course.
03:07
So
03:08
we've got to think about Okay. If we invest all of this money and moving in this direction, our competitors gonna get there first. And we've done all this work for nothing. Do we run the risk of alienating customers or stakeholders by taking on this new endeavor? Whatever the threats are. So
03:28
what we've got to do when we're considering new endeavors is we sit down. We conduct a SWAT analysis to determine
03:34
Is this the right move for me right now?
03:38
Now, Comparable technique one, that kind of ah reminds me a little bit of SWAT is called the BCG matrix. And the BCG matrix comes to us from the balls Boston Consulting Group. And this is all about evaluating I t endeavors or in evaluating
03:58
the elements in your portfolio and determining
04:01
how to move forward with it.
04:03
So the BCG matrix says they're basically four types of investments. You have stars, you have question marks. You have cash cows and you have dogs.
04:14
That's a sad little picture of the doll there in the corner, isn't it?
04:16
All right, so when I'm looking my portfolio I have some investments that are making me money. They're stable or growing.
04:27
I can feel like these areas are gonna continue throughout, and I feel like they're gonna grow.
04:34
So in that instance, that would be considered a star. So I'm gonna continue to invest in it
04:42
now a cash cow.
04:45
Money's coming in. Money's come in, it's going to come in. It's just one of those things that just keeps profiting us. I'm going to continue to invest there as well. I'm gonna do everything I can to continue to maximize the cash flow.
05:00
So the star in the cash cow obviously are positive.
05:03
The question mark, though, is that that investment that's kind of iffy. It's unstable. It's not profiting me anything, you know. It's kind of up and down, up and down. So at that point in time, we can't just let it go into that nebulous unknown,
05:20
you know, frame. We we want to really take a look and analyze and see,
05:25
you know, go through further analysis and determine where do we really think this is going? Because as it is right now, it really has the potential to become a money suck, right? So we've gotta analyze it and figure out and become a star or is gonna become adult,
05:42
which, personally, I take offense that the most negative one on this is a dog. I'm a huge dog lover.
05:47
It's a matter of fact. You can note
05:48
my coffee cup.
05:50
I have a paw ge. So
05:53
it's a sad little dog here. Put its qualified to be a dog. If it doesn't make money, not only does it not make money, but it's likely losing you money
06:02
the earning potential is low. It's unstable, unstable. It's just one of those things where we sunk some money in.
06:13
Just because you've put money in doesn't mean you continue to do so. So at some point in time, you gotta look at that and say, You know what? It's too unstable. It's costing me money. It's not worth the time and interest and effort, and at that time you need to divest. You need to get rid of that stock and move or that endeavor,
06:30
and you need to move along to something that has a higher potential.
06:34
So that's the BCG matrix, and those are just a couple of the tools that you can use in order to address or assess risk.

Up Next

CRISC

This course on Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance.

Instructed By

Instructor Profile Image
Kelly Handerhan
Senior Instructor