Managing Security at the Speed of the Wild

Training Duration: 2 days

Training Delivery Method: On-site, instructor-led course

Prerequisites:

There is no formal prerequisite to attend for this course. However, attendees should already be familiar with the technology in their environment – both security and operational products – have read the products manuals and familiar with configuring those products (e.g., firewalls, IPS, routers, operating systems, enterprise software) for the desired level of security. This workshop builds on that product-level knowledge by focusing the processes used to manage security.

What Problem Does This Training Help Solve?

Typical approaches to IT and information security have several weaknesses including:

  • Using tools designed for managing risk to relatively static financial reporting that were never intended to managing more dynamics risks like security that move at the “speed of the wild”
  • Narrow or silo focus on a few areas (e.g., data breach), missing far larger risks to the business
  • Excessive emphasis on compliance/audit/controls over broader risk to business objectives
  • Concepts such as risk appetite, registers, residual, material/significant, emerging risk, and then “frozen” heat maps not only distract, but can mislead users away from high-priority risks.
  • Using methods for engineering security into systems for managing those systems when operational
  • Using controls to manage risk rather than more efficient and effective approaches
  • Using controls without testing the control approach with the 4Cs and testing specific controls with the Controls Chain of Fitness
  • Missing opportunities for personal and professional growth through the use of the “power of the invite and flashlight”

This outcomes acceleration workshop seeks to overcome these typical weaknesses by describing how to shift from more static approaches to more dynamic approaches designed to move at the speed of the wild. Drawing on decades of practical, proven experience, managing risk in aviation, manufacturing and sports is more efficient and effective in achieving results in dynamic situations such as security. To simplify the process of managing risk and empower risk managers to provide more business value, the approach features the 5+2 Step Cycle for Managing Risk.

Who Should Attend?

Professionals who are responsible for:

  •  Security processes, data, perimeter or compliance
  • Security team leaders
  • Auditors who need to first understand security risk management before they can effectively audit it.

As managing security is a “team sport,” teams are encouraged to attend together.

Course Material:

  • Course handout
  • Reference Materials:

Course Syllabus:

Security isn’t just about protection and breaches. If that was the objective, just shut down the organization, unplug all the systems and destroy the data. That’s not was security is about, it is about enabling business to more safely grow revenue, cash flow and jobs in a dynamic world of change, complexity and fatigue. To achieve these objectives, businesses need to be competitively differentiated. This includes managing security – better than competitors.

In enabling business leaders to more easily achieve performance objectives, security professionals are struggling to determine “what good looks like” in managing security (data, perimeter and overarching processes). Typical “steady state” programs are wasting 20-40% of their resources, those in planning stages, over 50%. Guidance from industry organizations, technology vendors, regulators and others is often difficult to implement leaving practitioners asking, “Where do I start?” Decades of improvement initiatives of all types have failed in implementation. What lessons can be learned? How does security become better?

For leaders who want to bring clarity, and make a difference in their organizations and careers, this workshop walks through key lessons (using worldwide recent examples from Fortune 500 companies), helps build a solid foundation and reviews typical tools one by one to help practitioners determine what to stop, continue and start in order to improve.

Different from other security workshops, this one is designed:

  • For professionals who feel they are laboring under the burden of: control environments that seem to be adding more time and cost than fighting against “black hats” to protect and enable business growth.
  • Based on proven practical experience in systems analysis, gaming, operations and quality management from dynamic situations such as aviation, manufacturing or sports, rather than compliance methods originally designed for more static situations such as employee expense or accounts payable disbursement. This experience includes diagnosis of where controls missed the looming “bad thing.”
  • For advancing personal career by growing business benefit, rather than memorizing content needed for certification.
  • To align methods for managing a range of risks – security, IT, operational, product, fraud, strategy, economic and more – to make it far easier to manage those risks to business performance objectives. These risks are all linked through the power of the 5+2 Step Cycle for managing risk.
  • By Brian Barnier with years of experience contributing to professional practices guidance (Risk IT, COBIT, SIG, AUPs, Red Book, …);  practical experience “making it work” as reflected in his books, articles, videos, podcasts and more; and personal business experience at investor, board and management levels. This workshop is based on The Operational Risk Handbook (Brian Barnier, Harriman House, Great Britain) for managing risk to performance objectives. The Handbook is uniquely designed to apply practical, proven lessons learned from across a range of industries, countries and professional disciplines.

“Core Fitness” Foundation Workshop is designed to help participants learn how to:

  • Better manage risk programs:
    • Create a program focused on security to protect and enable business growth, not just controls or compliance
    • Avoid “bolt-on” management of risk that disconnects from the business and business benefit
    • Explain dynamics of risk to business leaders and engage those leaders in managing risk to their business objectives
    • Shape business cases for improvement
    • Inform better business decisions to more easily achieve better business outcomes
  • Better manage the risk cycle
    • Scope an environment, understand the factors in an environment
    • Understand implications of capabilities in an enterprise, partners, customers and competitors
    • Identify business dependencies on IT, how IT risk typically gets disconnected from the business, and how to reconnect
    • Create life-like, realistic stories that are based on real causes in the real world
    • Spot and avoid the dangers of bias in evaluating risk
    • Identify key warning signs of unfolding situations
    • Identify roots of effective risk responses

Benefits include

  • Less:
    • Gaps and blind spots
    • Complications and cost in controls
  • More:
    • Actionable insights for risk-aware business decisions
    • More benefit to the “the business”
    • Valuable career path

Learning Objectives:

Participants will gain new insight into:

  • How to best apply the 5+2 Step Cycle for managing risk to performance objectives
  • Why scenario analysis is the heart of risk management to manage risk at the speed of the wild
  • Why typical techniques create blinders to risk, increasing risk; then, learn to take off the blinders to be more situational aware and agile in response.
  • How to implement new insights more effectively through workshops that foster substantive and culture change at the same time.
  • How to use scenario analysis workshop to save time and cost in your organization – and better understand “what if?”
  • Power of “the invite and the flashlight/torch”