Welcome back to Cybrary's course. I'm your instructor, Brad Rhodes.
Let's talk about stakeholder risk tolerance.
So in this lesson, we're gonna talk about stakeholders. We're gonna talk more about stakeholders a little bit later on as well. You're gonna see stakeholders throughout the rest of the ISSEP domains.
We'll talk about risk tolerance. Risk tolerance really drives to that idea of attitude and appetite. And then we're gonna do a little quick application of risk tolerance.
So who is a stakeholder? What does that entail? Well, per NIST, a stakeholder is anybody who thinks the system impacts them or has an interest in the system. That's what a stakeholder is. And stakeholders can be a variety of people. It could be your CEO. It could be users or customers in your departments, and system owners. It could be shareholders. That's a huge one in the commercial space.
Stakeholders that are often forgotten are folks like government regulators, right? They can tell you whether your system is meeting the mark or not. And they could actually tell you that you need to take your system offline because it's not working within laws, rules, and regulations, right? So stakeholders can really be anyone. So remember that.
Risk tolerance. So risk tolerance is all about uncertainty. And really, it's about the uncertainty that an organization is willing to accept. So I really like this picture on the left here, because you see the tightrope walker walking across a canyon, and what is he wearing?
He has got, attached to himself, a safety harness. And so if he slips and falls, he's gonna be caught by the safety harness. And this is a great example of dealing with uncertainty. So he's a low-risk-tolerance organization, if you will. Right? He doesn't want to fall to his doom, because he's got the safety strap on.
If he was a high-risk-tolerance individual, guess what, he wouldn't have the safety strap on. So that's a good sort of analogy to think about when you try to remember what risk tolerance is.
So let's apply risk tolerance to an organization. So a less risk-tolerant organization, right, is gonna be concerned about every single threat.
When they apply a security control, they're gonna have a high degree of testing craziness, right? They're gonna, like, test it until the cows come home.
They are going to probably employ multiple controls. I'm not a fan of that as an engineer, personally. When I employ multiple controls, like, say, multiple endpoint detection and response systems, I've seen these environments. They fight with each other, right? That's a terrible idea. Don't do that.
In a more risk-tolerant organization, right, they're probably gonna look at what peer organizations care about, and that's gonna be the basis of how they assess risk.
They're not going to test a lot of controls. In fact, they're going to trust their people to do most of that for them, and they're not gonna worry about it.
And then most likely, they're going to spend the money, probably a lot of money, on a best-in-breed solution. Because simplicity, for a more risk-tolerant organization, is better than a whole bunch of complex controls they have to worry about.
We talked about risk tolerance, right? It comes down to organizational culture, the potential exposures, and, here's an important one that many people forget, executives. Right? How an executive sees risk, how the CEO sees the risk of an organization, directly drives what a cybersecurity or information systems security team is allowed to do or allowed to spend their time on.
So in this video, what did we look at? We talked about what stakeholders are. We talked about risk tolerance. And don't forget the tightrope walker analogy: in terms of, you know, if you're low risk tolerance, you're wearing the safety harness; if you're high risk tolerance, you're not. And then we applied stakeholder risk tolerance in sort of a practical discussion.
We'll see you next time.