Risk Management

Time
12 hours 57 minutes
Difficulty
Intermediate
CEU/CPE
13
Video Transcription
00:00
>> In this lesson, we're going to talk about risk management. Now, over the course, we really have been talking about risk management this whole time; we're talking about managing information security risks in cloud environments. However, now we're going to take it up a level and look at it from the perspective of enterprise risk management. We want to talk about the risk management process, the various responses to risks that organizations can take, and then also connect this enterprise risk management view onto some of the topics we've discussed in the cloud.

From the enterprise risk management view, there are really two important concepts that we need to start with: an organization's risk appetite and their risk profile. The risk appetite of an organization really references how much they are willing to risk. And let's take another step back: what is risk? Risk is really a term that reflects the uncertainty of an outcome. All outcomes are probabilistic, usually, when we think about it in the broad scheme of things. Risk management's job is trying to help organizations identify the probabilities of certain outcomes and adjust their processes to either achieve certain outcomes as well as implement controls to mitigate the downside risks if bad things were to happen.

The risk appetite for an organization is determined by identifying their strategic priorities and goals and the risk they need to take to achieve those, and then the controls and things that could go wrong or might impede them from achieving their ultimate goals. The risk appetite sets the upper threshold for the amount of risk the organization's control was taking, as well as the minimum risk that they need to take to go after their goals.

An organization's risk profile really references things like: how dynamic is the industry we're in? Is it heavily regulated? What are the potential impacts? Is this a well-established firm or is this an upstart? Well-established firms have a brand and a reputation to maintain, and their decisions affect many customers, whereas smaller firms could potentially be more nimble and take more risks because the downside is far less. Every organization has a different risk profile, but it really needs to identify that profile in order to enact its strategy in a way that addresses its risks and helps it maximize its outcomes.

When it comes to the risks themselves, there are four potential responses to risk from the perspective of this examination.

You can avoid a risk. If a risk is really above the risk appetite of an organization, the organization may say, "The possibility that we do something that incurs a risk that could put us out of business, we really don't want to take that chance, so we're going to avoid the risk."

Conversely, the organization could decide to accept the risk, meaning that they may act on an opportunity without putting any mitigations in place, saying that either the likelihood that a risk is going to occur is so small, and despite its large impact, we really are going to take the chance that this risk will not be realized, and we'll just accept it.

Then there's transference. Many times it may be cost-effective to transfer the impact of a risk to a third party, such as buying insurance. More than ever, companies need to buy cyber breach insurance to protect them in the case that they have to enter ransomware negotiations. Buying a cyber breach policy is a form of risk transference. There is a certain likelihood that you may have a breach or have a ransomware situation where you need to pay for the decryption keys. However, the insurance company will handle the payment; however, you subsidize that payment by paying very small amounts of money.

Then mitigation is really where you may try to put controls in place that reduce the overall risk to an acceptable level that's within your risk appetite. There is no way to completely remove a risk. Mitigation doesn't mean the risk is not possible, or that the impact cannot necessarily be realized.

Organizations, and in general what we've been doing throughout this course, are identifying risks, determining the appropriate baseline level of controls, and then also mitigating with additional controls that are dependent on our industry, our customers' needs, the regulatory environment, and customer expectations, to reduce the residual risk, meaning the risk that's left over after mitigations are placed, to an acceptable level.

All of these things also are interwoven with some of the concepts we've talked about, such as due diligence and due care, and ensuring that your response to risk is in line with those principles. You may decide to accept a risk, but if it really flies in the face of best practices and the common-sense baseline for how to respond, that really is potentially negligent behavior, even if you're saying, "Oh, well, this fits within our risk appetite."

As we said before, the amount of risk that's left over once controls and mitigations are put in place is referred to as the residual risk. This is simply the amount of risk that an organization has to live with, and so long as it is within your risk appetite and your organization is adequately protected, such that they feel like they've mitigated the downside risks of the opportunities they're pursuing to the best of their ability, that's really the best you can do from a risk management perspective.

Now let's reflect a moment. What is your organization's risk appetite? This is such an important question, but many people aren't aware of this or don't necessarily think about it. Companies often think about what they're doing in terms of their strategy, what they plan to do, how much they'd like to grow, and how they need to please their shareholders. But looking at each of their strategic objectives and goals from the context of risks helps them really be disciplined about whether they are doing enough or need to really address the downsides of their current strategy in a more explicit manner.

Question number 2: what is your organization's risk profile? I think many people know what industry they're in, but it always is important to think about what regulations and what trends are going on in my industry. Is there a lot of churn? Are there a lot of technical disruptions? Some industries have more regulations than others, and the possibility of regulation of your industry may be something that changes your risk profile. I think this is definitely very present right now for any company that's dealing with social media in the United States.

In summary, we talked about the concepts of risk appetite and risk profile, we talked about the responses to risk, and then we talked about risk management in the cloud, and how the strategic risks identified by a company's risk appetite are manifested in terms of the controls that should be put in place in the cloud, and how this risk management process is really what we've been talking about throughout this whole course: figuring out the risks that are inherent with cloud and of the cloud metadata, development process, and what controls should really be put in place to reduce those risks to an acceptable level.

I'll see you in the next lesson.