6 hours 30 minutes
So as we move forward and talk a little bit more about monitoring and controlling risks, one of the important elements that were gonna watch for our key risk indicators
if you remember when we worked with the risk register and we determined there many fields that you can have on your risk register lots of information to collect. But something that's incredibly beneficial is to document into monitor triggers and triggers or key risk indicators
are indications that a risk event is likely
doesn't necessarily mean that a care I causes the risk event.
But it does mean, Hey, it looks like that risk you were concerned about is going to materialize, so it often is a good um,
it's a good trigger or good alert to tell me. Okay, go ahead and implement your mitigation strategies, Right? So, for instance, I'm worried about being over budget on my project,
and I have we've determined that if the project is going to be over 15% over budget, the project's gonna get canceled. Well,
if halfway through, we're 10% over budget
well, when I hit that market being 10% over budget, I want to know because I want an early warning system before I get to the point where the project's cancelled. Right?
Just like, if you're gonna have a picnic
and you've got
1000 people invited and you get out of bed in the morning and dark clouds are everywhere and you see thunder and lightning.
Well, you've got a chance to make a decision. Hey, let's move this picnic inside, right, because you know what the warning signs are.
So we call those key risk indicators and ultimately, we're going to determine the key risk indicators back in the identification phase of risk when we're developing this risk register, because those risk indicators are going to be most essential
in the areas where we have high exposure. Right? So I want to know early on, or particularly for risks that I have very little tolerance for loss with. You gotta let me know early early on so that I can correct the ship, so to speak.
All right, So it Excuse me,
these will help me identify the biggest risks. So I'm gonna associate k r. I's with those risk events that would have the highest probability and highest impact.
Maybe I'm concerned about turnover on a project. We've got key staff in place, and the success of this project is gonna be keeping this team working together.
So our greatest threat. We've determined this project to staff turnover,
right? So I might set a k r i to give me some indication that maybe staff turnover is likely.
It's often associated that the more people call in sick
and as attendants starts to decline,
that's usually good indication that people are dissatisfied with their jobs. And so it would likely follow, perhaps that we're going to see that turnover.
So what I might say is when attendants on a weekly basis drops Balu 95% of staff,
that would be something that I want to be notified off. I want to examine her there. Any special, Ah, influences here Or is this something that is indicative? Ah, and if so, that gives me enough time to meet with my staff and determined
Hey, how can we you know, how can we make this environment better?
Ultimately, we're gonna, um, use thes key risk indicators to have our attention drawn towards those risk events that are likeliest the ones that have the biggest impact
and we're going to ideally implement them in such a way that we could make changes quickly and efficiently.
So when I monitor usually what I'm looking for is what are my K R eyes, you know. Are we there? What would alarms or sounding so to speak?
Okay, They're also very helpful that if you look backwards like after the fact and you're looking at how a project was managed, you can go back and say Hey, you know, we were over budget and if you go back and look, you can see,
you know, little points where you could have told in the past Hey, this was coming. This was coming. So sometimes, yeah, after the fact, that's a little bit late. But when you're backwards looking and you do the examination, the lessons learned, this will help you more for the project's moving forward. Right?
So you get information. You know, unfortunately, when we talk about learning, we often learn the hard way.
But as long as we learn, right,
adaption adoption rather of K our eyes will help us with trend analysis. It will help us communicate transparently with their stakeholders
and ultimately if I can identify that risks are materialising early.
I can make corrections. Then ultimately, this is gonna help me reach my objectives much more likely, right? So managing risks monitoring risk. We gotta stay on top of things. And that's what our k r I's air about.
There are lots of different types of K our eyes you can use when we talk about information security. You know, all of a sudden I'm seeing a high number of software scans of port scaling on my network.
Something's up with that.
But or I scanned the network, and I find 10% more unauthorized devices on the network this week than last week.
It's taking longer than expected to deploy security patches. Or, um, I'm finding a higher number than normal of unpatched systems. Right. You see how important this is to identify early on?
And when we look at the various risks and our risk register, we're going to document thes triggers were gonna determine these triggers or K arise. I kind of use those words interchangeably, but we're gonna document those were gonna document how often we're gonna scan and then, ideally, okay,
when we see these risk indicators.
What's our contingency plan? What do we move into so that we can be prepared for this risk event that happened.
So in order for RK our eyes to really be meaningful and relevant within our organization,
you know, it has to be
not proprietary, but it has to be unique to our organization. Right. So, um,
we want to make sure that we take into consideration our risk culture. We want to make sure that we take into account our organizational view on risk. What our tolerance thresholds are, you know, certainly areas with physical or with the legal or regulatory compliance.
If we're looking to be, if if if we're headed in the direction to fall out of compliance,
we want to know that, of course, very quickly, so that we can shift back into compartments.
And as a matter of fact, I mentioned several times, you know, we want to know this ahead of time. Well, you'll notice that timing is one of those optimization ideas for K r eyes. We've gotta have this in a timely fashion so that we can make our changes at the appropriate, you know, in order to make
a significant impact.
All right, sensitivity. We want to make sure that as we're managing these, we allow for normal tolerance, right? Like there's a normal threshold of tolerance. We don't necessarily want the alarms to sound
every single time. You know, I think about for sensitivity. I think about the fire alarm and in my house with smoke detector.
And every time I cooked piece of bacon,
the fire detector goes off. It's too sensitive, right? I can't have someone yelling. The sky's falling every time. There's a vulnerability scan directed at my network. In the same respect, we have to make sure that anything that indicates a little bit more sensitive or more determined and attack those get notified.
So when we talk about these ideas of sensitivity,
finding that range off,
what's a level where we really do need to be
and being notified in such a way through timing that we can respond appropriately?
Frequency? How often do we monitor for these K R eyes once a month? Once a year? Do we do it on? Lee is the, uh,
the result of an event. You know how frequently we monitor really has to do with a risk events, visibility,
pay. And when I talk about the visibility of a risk event,
there are a lot of negative things that can happen that are invisible to me. Meaning they happen. And I never know about it.
You could get a 1,000,000 pieces of malware infected on your system and not even know when it happens now. Chaser Good. You'll know afterwards, right? But, you know, I could get a root kit on my system and not even know what it hap.
I could get a virus or a logic bomb.
So because thes things that are harmful
can materialize and yet not be determined easily, I've got a monitor on a very regular basis. Right? Think how often we scan for malware on our systems.
Often we do it every night, right? Even, you know, ideally, we've got a live skin, but we made do a more thorough skin every single night. Why?
you you have to do it regularly because you don't know if it's gonna happen or not. Now,
processor utilization being over 99%. When that happens, I know.
So that's a very visible of them.
So it's not like I have to scan every second for processor utilization, being over 95%.
When it happens, you'll know,
right? And I would tie that in kind of a a distributed denial of service attack. When you get D dust, you know it. You can't do anything.
But when I get a malware infection,
I may not know for days and days and weeks and weeks, so I don't have to freak. I don't have to scan every day and I beat D dust.
I do have to scan every day, determine if I have malware, hope that makes sense, and then corrective action, ideally again, in my risk register thes k r. I's simply alert us Hey, go into your contingency plan because this risk event is about to materialize, so hopefully that's documented as well.
IoT Product Security
This course will focus on the fundamentals of how to set up a functioning IoT ...
8 CEU/CPE Hours Available
Certificate of Completion Offered
50 CISO Security Controls
Dr. Edward G. Amoroso, CEO of TAG Cyber and former CISO of AT&T, covers six ...