From Technology Risk to Enterprise Risk: The New Frontier

Ramsés Gallego
CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT(f), Six Sigma Black Belt
General Manager, Entel Security & Risk Management
rgallego@entel.es
Definitions

frontier
noun
• the farthermost limits of knowledge or achievement in a particular subject
• a line of division between things <the frontiers separating science and the humanities — R. W. Clark>
• a new field for exploitative or developmental activity
frontierless adjective

ORIGIN late Middle English: from Old French frontiere, based on Latin frons, front- ‘front.’
What is risk?

• An inherent part of any activity
• Impractical to eliminate totally
• The risk equation includes: value, threats, vulnerabilities, impact, ...
Some facts

• 36% of companies do not know the threats that they are exposed to
• 24% admit that the organization lacks the procedures that would allow them to manage those threats
• 19% acknowledge that they do not have the tools to analyze and control risks

Source: Merrill Lynch CISO Survey, Deloitte 2009 Security Survey
The changing face of risk

• Risk is the level of exposure to uncertainties that an organization must understand and manage effectively while performing its duties to achieve objectives and create value
• The uncertainty of an event happening (or not) can have an impact on the achievement of corporate goals
What type of risks are we facing?

• Different categories: reputational risk, project management risk, provisioning risk, HR risk, hygienic risk, fraud risk, legal risk, environmental risk, operational risk, financial risk, TECHNOLOGY RISK, ...
• Related to:
  – its origin
  – a specific activity, an event or an incident
  – its consequences or impact
  – a reason
  – protection mechanisms or countermeasures
  – time of occurrence
Risk Hierarchy
What can we do with risk?

• Transfer risk
• Tolerate or accept
• Terminate the activity
• Treat risk
Technology risk management

• Part of global risk management
• Focused on an efficient balance between opportunities and losses
• Needs a risk analysis combined with a business impact analysis (BIA)
Implementing Risk Management

• Five core processes:
  – Definition of scope
  – Risk analysis
  – Risk treatment
  – Risk communication
  – Monitor and review
Framework for a risk analysis

• Start a value analysis
• Consider aggregated risk
The Risk IT Framework
Risk Analysis

• Can be quantitative or qualitative
• Works at multiple levels
• Visibility across the company
• Management support is instrumental
The value of assets

• Value at Risk (VaR)
• Single Loss Expectancy (SLE)
• Annualized Loss Expectancy (ALE)
• Exposure Factor (EF)
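The four terms on this slide, the aggregated risk called for in the risk-analysis framework slide, and the four treatment options (transfer, tolerate, terminate, treat), worked through in code. This is an added example, not material from the presentation: the scenario register, asset values, exposure factors, occurrence rates, risk appetite and control costs are constructed for illustration, and the treatment decision rule at the end is a simplification of this example's own, not a rule from the deck. The point it adds to the slide is that ALE is only an expected value; the Monte Carlo VaR shows how much worse a bad year is than the average one.

```python
"""Quantitative risk analysis worked through with the terms on the slide:
Exposure Factor (EF), Single Loss Expectancy (SLE), Annualized Loss
Expectancy (ALE), aggregated risk across scenarios, and a Monte Carlo
Value at Risk (VaR). A final helper maps the numbers onto the four
treatment options (tolerate, terminate, treat, transfer).

Added example. The scenarios, asset values, rates and thresholds below are
constructed for illustration, not figures from the presentation.
"""
from dataclasses import dataclass
import math
import random


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # AV: value of the asset at stake, in currency units
    exposure_factor: float  # EF: fraction of AV lost in a single occurrence (0..1)
    aro: float              # ARO: annualized rate of occurrence (events per year)

    def sle(self) -> float:
        """Single Loss Expectancy: SLE = AV * EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy: ALE = SLE * ARO."""
        return self.sle() * self.aro


def aggregated_ale(scenarios) -> float:
    """Aggregated risk: ALEs are expected values, so they add across scenarios."""
    return sum(s.ale() for s in scenarios)


def _poisson(rng: random.Random, lam: float) -> int:
    """Number of events in one year at rate lam (Knuth's Poisson sampler)."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= threshold:
            return k - 1


def simulate_annual_losses(scenarios, years=20000, seed=1):
    """Simulate `years` independent years; each scenario fires Poisson(ARO)
    times per year and every occurrence costs its SLE. Deterministic per seed."""
    rng = random.Random(seed)
    return [sum(_poisson(rng, s.aro) * s.sle() for s in scenarios)
            for _ in range(years)]


def value_at_risk(losses, confidence=0.95) -> float:
    """VaR at the given confidence: the annual loss that is not exceeded in
    `confidence` of the simulated years (empirical quantile)."""
    ordered = sorted(losses)
    return ordered[int(confidence * (len(ordered) - 1))]


def recommend_treatment(scenario, appetite, activity_value,
                        control_cost, ale_reduction) -> str:
    """Map ALE onto the four options. This decision rule is the example's own
    simplification, not a rule from the presentation:
      tolerate   if ALE is within the stated risk appetite
      terminate  if ALE is at least the annual value the activity creates
      treat      if the control's expected saving exceeds its annual cost
      transfer   otherwise (e.g. insure the residual)
    """
    ale = scenario.ale()
    if ale <= appetite:
        return "tolerate"
    if ale >= activity_value:
        return "terminate"
    if ale_reduction * ale > control_cost:
        return "treat"
    return "transfer"


# Constructed sample register (illustrative numbers, not from the deck).
SCENARIOS = [
    Scenario("ransomware on file server", 500_000, 0.40, 0.20),  # SLE 200k, ALE 40k
    Scenario("lost unencrypted laptop",    20_000, 0.50, 2.00),  # SLE 10k,  ALE 20k
    Scenario("web application breach",  2_000_000, 0.25, 0.05),  # SLE 500k, ALE 25k
]


def main():
    for s in SCENARIOS:
        print(f"{s.name:28s} SLE={s.sle():>10,.0f}  ALE={s.ale():>9,.0f}")
    print(f"aggregated ALE: {aggregated_ale(SCENARIOS):,.0f}")
    losses = simulate_annual_losses(SCENARIOS)
    for c in (0.95, 0.99):
        print(f"VaR({c:.0%}): {value_at_risk(losses, c):,.0f}")
    ransomware = SCENARIOS[0]
    print(recommend_treatment(ransomware, appetite=10_000,
                              activity_value=1_000_000,
                              control_cost=15_000, ale_reduction=0.8))


if __name__ == "__main__":
    main()
```

With these constructed numbers the aggregated ALE is 85,000 per year, but because the ransomware and breach scenarios are rare and expensive, the 95% VaR lands above 200,000: roughly one year in five contains a ransomware event, and any such year costs at least one full SLE. That gap between expectation and tail is what a BIA has to surface before management decides which of the four treatments to fund.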
Risk Communication

• Communication channels must be created
• Multi-dimensional
• Related with incident & response management disciplines
• Metrics and indicators
Business drives IT

Alignment? with the business
What is a control?

• An action taken by Management in order to manage risk so that objectives are met
• Preventive, Corrective and Detective
CSFs, KGIs, KPIs: what are they?

• CSFs: Critical Success Factors or “vital elements”
• KGIs: Key Goal Indicators or “what” needs to be accomplished
• KPIs: Key Performance Indicators or “how good” the process is behaving
Monitor vs. Manage

Diagram: four levels along an arc from MONITOR to MANAGE, with value (and cost) rising at each level.

• Level 1, DATA: centralize access to data, content and applications
• Level 2, INFORMATION: refine, observe, analyze and classify data provided by systems
• Level 3, KNOWLEDGE: apply business relevance to the information to determine business priorities
• Level 4, ACTION: act with business knowledge, in a single place, according to business needs
Sample Risk Scenarios

Some examples...

© Business Objects. Crystal Xcelsius dashboard from www.xcelsius.com
...from the real world

From technology...

...to what really matters

A continuous process

Time-relevant
THANK YOU

Ramsés Gallego
CISM, CGEIT, CISSP, SCPM, CCSK, ITIL, COBIT(f), Six Sigma Black Belt
General Manager - Entel Security & Risk Management
rgallego@entel.es
