It's always a challenge to pull information across a large environment, right when I'm managing risks in a very small environment, a very short term project affecting a single office. That's one thing. But when I'm managing a project for a new international organization and I have 2000 employees
reporting towards me
or I'm monitoring the security elements of 50 branch offices worldwide, that becomes very challenging.
So it's important that we have collection tools. It's stretching tools, correlation tools. I need the proper software, hardware, personnel support in order to make this collection of information streamlined and efficient and accurate.
Right? So what we want to do is we want to be able to see the big picture out across many different environments. Well, we can look at when we're looking at information security.
We can look ATT Audit reports across various branch offices, incident response and incident reports, lessons learned. We can listen to our users. We can use observation, look at management feedback logs. We have lots and lots of different tools
in order to figure out. Are the risks materializing? And are they being mitigated as they should
so logs? Unfortunately, we tend to think about going to our logs when something's wrong.
And if we would instead examine our logs ahead of times on a proactive basis, we get a really understanding for whether or not these risks are materialising.
Who? Excuse me, my goodness.
I wasn't sure if there was gonna be a follow up sneeze, but apparently there's not.
And again, with their logs,
Are we operating at the acceptable level of Miss Risk? Is the control meeting its objectives? Um, are we able to determine quickly enough
if a risk has materialized in? Are we able of modifying our strategies in order to be resilient and in order to be successful,
security in event management tools Very, very helpful with the correlation engine that pulls information across various systems across various locations, whether there honeypot systems, air intrusion prevention systems. But being able to pull those logs
and that relevant information so that we can examine it
at a single location SIM device is very, very useful.
We can also look at external sources. Let me tell you, um, you would ideally
rather not find out for media reports that you're not meeting your risks. Well, always felt like it was a bad thing if you wound up on Comedy Central's The Daily Show for any reason.
So ideally, we would be more proactive other than looking at the media. But certainly we can look at the media surrounding us for industrywide risks and how that threat landscape is changing. We can go to advisory boards and organizations like
a WASP in miter and certain
help educate us on common threats and vulnerabilities and exploits that are out there. Regulatory bodies. Often we see liability, ah, liability instances with other organizations, or we may see regulations and legislations change as a result of
looked appear organizations you know, there's just so many ways that you can stay on top off
the risk environment, all of these elements. All of these pieces are part of due diligence, right? And then do care says we must act upon what we find.
um and honestly risk We could talk about for 120 million years and still not really wrap up risk. But in domain to for the schism exam, we've covered the risk management life cycle from ice aka, which is identify, assess, mitigate
and monitor. Now, obviously, I'm summarizing those.
Ah, but just thio reiterate. The first step is you figure out what your assets are threats and vulnerabilities.
Then you determine the value, the potential for loss with your risk, qualitatively or quantitatively. Then we look to respond. We reduce except trains for risks. And then, of course, ongoing monitoring. Because dealing with risk is a never ending process.
Make sure that you spend plenty of time
in chapter to the domain to risk management. Because risk is everywhere and the rial shift and focus on information, security has been integration of risk in the all decisions.