Governance, Risk and Compliance

Security Congress Abstract

Multi-Dimensional Risk Management

Speaker(s)

• 

  Lloyd Diernisse, CISSP, CCSP, LSSBB, PMP, CSM, CMMI-A, ITIL-F

  Cybersecurity Consultant to the U.S. Government
  Consultant

Risk management is often implemented according to ISO 31000:2018, or Gartner’s Continuous Adaptive Risk and Trust Assessment (CARTA) imperatives, or the U.S. government’s Risk Management Framework (RMF), among other approaches. These are highly regarded attempts to provide a clear and disciplined approach for managing risks, and they are great tools. However, when used in isolation, none protect as well as a collective approach would.

This presentation focuses on the strengths and weaknesses of various approaches in a multi-dimensional enterprise, one that needs to secure more than just the technology that’s on-premise. Today, comprehensive cybersecurity risk management requires a collective understanding of the risks and issues inherent in both hybrid and stand-alone virtualized IT, physical operational technology (OT) and cloud service offerings.

 

Learning Objectives:

• Learn why it is often hard to know if a risk-based decision is a sound one; in other words, realize the value of a good decision. Conversely, learn to appreciate the costs of making a poor decision, both the "apparent costs," and the "actual costs."
• Understand the appropriate risk frameworks and techniques for IT, OT and cloud environments. This includes risk identification, how to determine the probability of manifestation, and how to prioritize mitigation or remediation work.
• Comprehensive risk management doesn’t replace existing frameworks, it augments them. It gives the leadership a unified viewpoint—a single pane of glass—through which they can understand risks and issues from multiple dimensions, such as money, time, labor, or material. This presentation will demonstrate how to create that unified view.