A risk-based approach to identifying and prioritizing cybersecurity gaps is often the best way to create value for the business. Cybersecurity needs to work closely with the business strategy plan. The business understands the demands of the market and how to address ongoing customer needs, but may not understand the risks and vulnerabilities its offerings carry. Cybersecurity can give the business visibility into where potential threats may lie, what the consequences of those threats may be, and how to mitigate them. When business and cybersecurity work hand in hand, value is created: customers gain assurance in the product and the brand, and the business gains brand respect, differentiation from the competition, and more growth opportunities.
Risk assessment starts with a complete data inventory and classification, understanding which datasets are critical to the company's business. Once data and data flows are defined and held to standards and certifications such as NIST 800-53 and ISO 27001, gaps will emerge. These gaps should be cataloged in a risk register. Each risk should be rated by the business stakeholders as well as the cybersecurity representatives on the likelihood that the risk will occur and the impact it would have on the business should it occur. Each rating should be quantitative, on a scale such as 1 to 5. Multiplying the two ratings together gives a risk rating on a scale of 1 to 25.
These risk ratings indicate the highest risks and assist with prioritizing resources. However, some risks may be difficult if not impossible to solve and may require mitigating controls rather than direct fixes, or may require extensive resources and time to fix. Rating each risk again on a scale of 1 to 5 for the resources needed to fix it and for the time to fix it, then multiplying those two ratings together, gives visibility into the effort each fix requires. This should translate into a cybersecurity roadmap so that resources can be spread appropriately across the projects.
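The scoring method above, worked as a small risk register in Python. This is an added example, not code from the original post; the register entries, the tie-break rule (lowest effort first among equally rated risks) and the effort threshold used to flag candidates for mitigating controls are assumptions of the example.

```python
"""Risk register scoring: likelihood x impact -> 1..25 risk rating,
resources x time -> 1..25 effort rating, then order for the roadmap.
Added example; sample entries are constructed, not any real register."""
from dataclasses import dataclass

SCALE = range(1, 6)  # every rating must be a whole number from 1 to 5


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    resources: int    # 1 (trivial) .. 5 (major investment)
    time: int         # 1 (days) .. 5 (multi-year)

    def __post_init__(self):
        for attr in ("likelihood", "impact", "resources", "time"):
            if getattr(self, attr) not in SCALE:
                raise ValueError(f"{self.name}: {attr} must be 1..5")

    @property
    def risk_rating(self) -> int:     # likelihood x impact, 1..25
        return self.likelihood * self.impact

    @property
    def effort_rating(self) -> int:   # resources x time, 1..25
        return self.resources * self.time


def prioritize(register):
    """Highest risk first; ties broken by lowest effort (assumed rule)."""
    return sorted(register, key=lambda r: (-r.risk_rating, r.effort_rating, r.name))


def needs_mitigating_control(risk, effort_threshold=15):
    """Costly, slow fixes are candidates for compensating controls
    instead of a direct fix; the threshold is an assumption."""
    return risk.effort_rating >= effort_threshold


# Constructed sample register (hypothetical gaps).
SAMPLE_REGISTER = [
    Risk("Unencrypted backups of critical data", 4, 5, 2, 2),
    Risk("Legacy app without MFA", 3, 5, 4, 4),
    Risk("Vendor contract lacks ISO 27001 clause", 2, 2, 1, 3),
    Risk("No quarterly access review", 3, 3, 1, 1),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        tag = "  -> mitigating control" if needs_mitigating_control(r) else ""
        print(f"risk {r.risk_rating:2d} / effort {r.effort_rating:2d}  {r.name}{tag}")
```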
This process worked extremely well for me at Alameda County. Prior to my arrival, the County had no process for assessing risk. They would identify a risk and try to fix it without understanding the risk, the resources needed, the impact to the business, and so forth. A good risk management program will involve extensive planning. Additionally, setting up quarterly reviews of the risks with all the appropriate stakeholders keeps visibility into the efforts to fix and mitigate the risks.
Certified Information Security Manager (CISM) #1841436
Certified Incident Handling Engineer (CIHE) #14282-162-075-8681
ISO 27001 Lead Auditor (TPECS)
Certified Project Manager (CPM)
Project Manager Professional (PMP)