1 hour 2 minutes
Hello and welcome back to Revenue Protection as a CISO. So
in this module, we will learn why it is important to be strategic in managing risk.
As a CISO you will wear many hats.
You know, the graphic that's currently on the screen shows that we will manage identity and access, network, applications; we'll manage our responses to breaches, compliance, third-party risks, the business continuity plan, mobility,
the whole digital transformation process. It goes on and on.
To be successful in managing all of these different aspects of being a CISO, you have to take a very strategic approach:
not the sledgehammer, but the scalpel.
As the CISO you must lead the risk strategy. You must learn to speak the language of the business
in a quantifiable way.
Don't go into board meetings or executive presentations with heat maps, talking about high, medium and low levels of risk.
I heard this analogy on a podcast. I can't remember which one it was, but
the individual said: how many of us would accept a job if, when we asked what the salary was, we got a response like "it is high" or "it is medium"
or "it is low"
without actually having
a quantitative number, a tangible number, to go along with that?
I dare say not many of us would accept that job offer.
So why do we go into meetings presenting heat maps that say the organization has high risk or medium risk?
I'm a practitioner of the FAIR method,
and what FAIR allows you to do is quantify risk based off of scenarios. So you generate a scenario, you interview
subject matter experts around that particular scenario, and then you put together a forecast or model that will quantify that risk to a reasonable level. So at least you can go in and say:
"If we don't implement this given security control,
this is the amount of risk that we have," not
"we have high risk if we don't implement IPS/IDS." What does that tie back to? What's the threat community that could exploit that? How many times over the year is that likely to be exploited? If it's a breach of confidentiality or availability, what's that going to cost us?
Go in with hard numbers, or
as specific as you can get, but not with heat charts. The heat maps: speaking to people that,
with a high degree of certainty, I can say have strong business backgrounds and understand forecast models, who live in Excel, with,
you know, a PowerPoint with red, yellow and green. Don't, don't, don't do that.
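As an added example, not part of the course material: a small FAIR-style Monte Carlo that turns the scenario inputs the speaker describes (threat event frequency, vulnerability, and loss magnitude, each gathered from subject matter experts as a low / most likely / high range) into an annualized loss distribution, then compares that distribution with and without a control. The scenario, the control's assumed effect on vulnerability, its annual cost, and the use of triangular distributions are all constructed assumptions for illustration, not figures from the course.

```python
import math
import random
import statistics
from dataclasses import dataclass, replace

# Each estimate is a (low, most_likely, high) range gathered from SME interviews.
Range = tuple


@dataclass(frozen=True)
class Scenario:
    """One FAIR scenario: a threat community acting against one asset."""
    name: str
    threat_event_frequency: Range  # attempts per year against the asset
    vulnerability: Range           # probability an attempt becomes a loss event
    primary_loss: Range            # direct response/recovery cost per event, USD
    secondary_loss: Range          # fines, churn, legal exposure per event, USD


def draw(rng, estimate):
    """Sample one value from a (low, most_likely, high) triangular estimate."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)


def poisson(rng, lam):
    """Number of loss events in a year given expected frequency lam (Knuth's method)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario, iterations=10_000, seed=7):
    """Monte Carlo over one year; returns the sorted list of simulated annual losses (USD)."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        tef = draw(rng, scenario.threat_event_frequency)
        vuln = draw(rng, scenario.vulnerability)
        lef = tef * vuln  # loss event frequency = TEF x vulnerability
        total = 0.0
        for _ in range(poisson(rng, lef)):
            total += draw(rng, scenario.primary_loss) + draw(rng, scenario.secondary_loss)
        losses.append(total)
    losses.sort()
    return losses


def percentile(sorted_values, q):
    """Nearest-rank percentile on an already sorted list, 0 <= q <= 1."""
    idx = round(q * (len(sorted_values) - 1))
    return sorted_values[idx]


def summarize(losses):
    """The numbers you actually take to the board: mean (ALE), median, p90, chance of no loss."""
    return {
        "mean": statistics.fmean(losses),
        "median": percentile(losses, 0.5),
        "p90": percentile(losses, 0.9),
        "p_no_loss": sum(1 for x in losses if x == 0) / len(losses),
    }


def control_business_case(scenario, vulnerability_with_control, annual_control_cost, **kw):
    """Compare annualized loss before and after a control that lowers vulnerability."""
    before = summarize(simulate_annual_loss(scenario, **kw))
    after = summarize(simulate_annual_loss(replace(scenario, vulnerability=vulnerability_with_control), **kw))
    reduction = before["mean"] - after["mean"]
    return {
        "ale_before": before,
        "ale_after": after,
        "expected_reduction": reduction,
        "net_benefit": reduction - annual_control_cost,
    }


# Constructed, hypothetical scenario and control (assumed figures, not real data).
CUSTOMER_DB = Scenario(
    name="External attacker exfiltrates customer database via exposed web app",
    threat_event_frequency=(2, 6, 15),
    vulnerability=(0.20, 0.40, 0.70),
    primary_loss=(50_000, 200_000, 800_000),
    secondary_loss=(20_000, 150_000, 1_500_000),
)
IDS_IPS_VULNERABILITY = (0.05, 0.15, 0.30)  # assumed effect of an IDS/IPS on this scenario
IDS_IPS_ANNUAL_COST = 120_000               # assumed licence plus staffing per year

if __name__ == "__main__":
    case = control_business_case(CUSTOMER_DB, IDS_IPS_VULNERABILITY, IDS_IPS_ANNUAL_COST)
    for label in ("ale_before", "ale_after"):
        s = case[label]
        print(f"{label}: mean ${s['mean']:,.0f}  median ${s['median']:,.0f}  p90 ${s['p90']:,.0f}")
    print(f"expected annual reduction ${case['expected_reduction']:,.0f}, "
          f"net of control cost ${case['net_benefit']:,.0f}")
```

The output is a dollar distribution rather than a colour: a mean annualized loss, a median, a 90th percentile for the "bad year", and the expected reduction net of the control's cost. That is the form of the statement the speaker wants to make ("if we don't implement this control, this is the amount of risk we have"), and the p90 is what usually changes the conversation, because executives understand a tail figure better than a red cell.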
Talk risk, not security.
Understand what the crown jewels are. Are you implementing security controls to protect something
that really is not worth being protected, that has no real material value if it was exploited?
So this goes back to meeting with the department heads and understanding what each department
has in the way of crown jewels, and implementing systems around protecting those crown jewels,
and then using security as a competitive differentiator. When we started off, I mentioned that security
can be used to generate revenue. So a couple of examples of that are: if you are, again, a business-to-business focused company and you deliver a product, say a SaaS product,
there are compliance and regulatory things that you can achieve that will differentiate you from the competitors, that may tip a deal in your company's favor
during a bake-off: ISO 27001, SOC 2 compliance, GDPR, CCPA, and if you're dealing with the federal government, FedRAMP compliance.
In today's landscape, with a new day, a new breach,
companies that are undergoing digital transformation are looking for companies that can protect their digital assets in the cloud, and you will receive vendor questionnaires,
and you will be scored on how well you do on those. There are also a lot of tools out there, if you are the third party being monitored, that companies will use to monitor your security posture from an external
perspective. It'll be passive scanning, but they will be able to paint somewhat of a
holistic picture of your cybersecurity hygiene.
So it is definitely in your favor to go ahead and do these things, if budget dictates, right? ISO 27001 should be a good foundational compliance for any organization that has IT and security.
SOC 2 Type 2, if you're in the cloud, living in a cloud service: this is an excellent way to highlight,
with third-party validation, that you are protecting your clients' data. GDPR is not going away. We've seen some very hefty fines. Companies, especially international companies, will ask where their data is.
They'll ask you privacy-by-design questions. They'll ask you about cross-border data transfer.
So go ahead and get those things out of the way
and use those things as a competitive differentiator, and track the deals lost or deals won because of
compliance efforts that
you implemented, or ones that you need to implement, to justify to the board or your boss, the CEO: "Hey, if we had had this, we wouldn't have lost this deal," or
"because we did have this is why we beat our competitors."
Those translate
into tangible dollars, and it's a win-win again for everybody in the organization.