Okay, so we've talked about the different types of mitigation. Well, how do I select the strategy? What are gonna be? There's things that I have to take into consideration. Well,
the first thing that we have to think about is we need a well balanced approach, so we don't wanna put all of our eggs in one basket. If you've heard that phrase before, so we want to do is we want to think about the different types of controls that we can implement now. First of all, we have to think about the idea of having proactive
And of course, it shouldn't be an either or it should be both.
So the controls that air proactive are designed to deter or to prevent a. Those controls are often called safe carts, so those the desire behind safeguards is to keep the attack that compromise the loss from happening.
But we also understand that no controls air foolproof, so we also have to have reactive controls. We call there's countermeasures, and often those are things like detection or perhaps correction.
And then we have to think about once we implement those controls, having expectations for the success or the objectives those controls need to meet. We've got to think about continuingly auditing to determine the controls are still meeting their objectives. And then, of course, on a yearly basis, we need to go back in reassess. So
there are a lot of things to consider when we do implement a mitigating Strachey.
Not to mention the fact that when we implement security controls, sometimes that controls calls problems. You know, we talked a little bit about secondary risk. You fix one problem, just cause another
eyepatch a system to shore up the security vulnerability. Now all of that system, all of a sudden that system just reboots constantly.
But in addition to that,
controls can also bring in other secondary risks, like perhaps a false sense of security. Our company just went out and spent $60,000 on a fire. While, of course, we're safe. Do whatever you want. We've spent a lot of money on the firewall or they may be Miss Configured,
and we may have new data loss prevention system
that is tracking, um,
looking for ex filtration of information off the network. But it may be so bogged down with all the legitimate types of network transfer data transfer that we can't find the real issues of problems because it's keeping track. So much information
devices that are out of the box set up for ease of use as opposed to security. You know, I may bring a device on the network, and all of a sudden that's a new point of entry. So again, just being very cautious and thinking through the process, when we implement controls
and knowing that there's a lot more to mitigating risk,
then just opening up the box and plugging something onto the network, right?
All right, so how do I choose?
Well, we go back and look at that risk assessment report that we talked about earlier, that we produce this part of the risk assessment phase and we look at the risk register, we talk with our risk team,
and we get input from subject matter experts.
Um, we looked to industry standards and we look to the leaders in our industry and see what solutions they're implementing.
And then you know what we also do? We do a cost benefit analysis.
We look at what are the pros and the cons because that's really all the cost benefit analysis is
right. We always get so tied up. Thinking about cost is money and benefits as money,
you know, but security costs in a lot of ways.
The other than money, you know, performance, ease of use, backwards, compatibility, employees, acceptance. There are a lot of things that security costs us.
There are also a lot of benefits that it brings. Maybe it reduces our loss. You know, just from a financial perspective, it also can keep, perhaps help us maintain a reputation. It can help us inspire confidence in our customers,
so don't get to lock down into thinking. Cost benefit analysis
is about the dollars, because it's not always about that,
although generally those things that we could talk about eventually come around and effect
our money. You know, if we don't have customer confidence, we're not gonna make a lot of money, and we're going to suffer. But I just want to stress to you that costs are more than just money that I put out to buy fireable, whatever that may be.
And when we are looking at the cost benefit of controls,
you know, we have to think about. Okay, what is tthe e upfront expense for the control.
And is there an ongoing expense? Because sometimes the upfront expenses cheap. But when we look at the total cost of ownership over Siri's of years, the cost may wind up being very high.
I made by anti malware software for fairly cheap, But then I have to pay every year for updates. And that's gonna impact the Costas. Well,
we also have to think about at some point in time, we're gonna have to remove the control. Is there a cost associated with that? You know, maybe think about that from a physical security perspective. Perhaps,
But ultimately we go back to those risk assessments. We look a probability and impact.
We get an idea of our potential for loss, and we find a control to implement or, more likely, a series of controls to implement that ultimately are gonna reduce residual risk to the degree that's acceptable by senior men.
Okay. And what we're looking for is a return on investment.
And the only way that we know that we get a return on investment is we look at our calls. We have to go back and examine right? Are the controls meeting their objectives?
Are they providing the benefit that we intended?
And are we saving money by implementing the controls? And again, you can't always say
Show me the dollars. But am I noticing an increase in brand recognition or in customer confidence or my reputation in the industry's improving? That's a huge return on investment, right? So if the security controls that I'm implemented
have me perceived to be an industry leader,
you know, I may not see an immediate Oh, you know, I profited so much more money this last quarter,
but that stuff pays off in the long run, absolutely.