Profile picture
Phil Venables
@philvenables
, 12 tweets, 2 min read Read on Twitter
Cybersecurity as a first class business risk. A thread.

I see a lot of commentary on the need to “treat cyber/info-security as a business issue not an IT issue”. The problem is it implies that this is not still also a technology issue. This is, of course, incorrect.

1/12
The reality (being generous, what I think people really mean) is that we need to treat cyber/info-security as a first class business risk. So how do we do this, as opposed to just wishing it so. In my experience there are 3 themes you need to drive.

2/12
1. Enterprise Integration - make this part of the fabric of business decision making.

Embed risk considerations into the enterprise governance apparatus (Boards, Committees, management oversight), establish or use a risk committee and make this topic a major part of that.

3/12
Conduct risk assessments (quantitative and qualitative) and establish a risk appetite - with particular focus on what level of the organization in what way can accept risk or authorize exceeding stated appetite.

4/12
Integrate risk considerations into all business processes - especially: strategy, business development, capital planning, budgets, hiring, promotions, employee reviews and rewards, new products, acquisition, divestment, technology investments and supply chain management.

5/12
2. Technology Integration - make this a core part of how technology is built and operated - secure products not just security products.

6/12
Recognize that basic and relentless technology controls (e.g. CIS Top 20), hygiene/operational discipline are essential. They won’t stop all attacks but will stop many (depending on your threat model). Note: “basic” doesn’t mean easy - hence “relentless” is the key word.

7/12
Embed automation/iterative improvement into the heart of tech delivery. Continuously monitor control effectiveness, presence, and operation. Strive for ambient controls - in preference to expecting employees/customers to be a significant part of your front-line defense.

8/12
3. Resilience & Recovery - plan for failure & constantly exercise/drill.

No matter how good any organization is there will always be things that go wrong, either because the adversary is awesome or (more likely) because of some misstep, slowness, dependency or complexity.

9/12
So, detect early, respond decisively, formalize accountability and test constantly (and apply lessons from tests quickly). Limit the blast radius of potential events through business and technology process adjustment (for example: data minimization).

10/12
Find and fix “broken windows” [hygiene issues that while not necessarily a top risk, nevertheless signal the acceptance of sloppiness]. Integrate cyber/info-security incident response with enterprise operational resilience and business continuity approaches.

11/12
Bottom line : don’t confuse saying cyber/info-security is a business risk with actually then managing it as a first-class enterprise risk. To do that you actually have to, well, do things to make that happen.

12/12
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Phil Venables
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @philvenables see all

Profile picture
Phil Venables
@philvenables
Fundamental Drivers of Information Security Risk. A thread.

As I get older and (hopefully) wiser it has become ever more apparent that all the issues and risks we face arise from a small number of basic “forces”.

1/9
These manifest in different ways in different contexts - strip away the detail and most issues usually stem from one of these. I don’t claim originality here - some have been said and used by others before me. I’m also not convinced this list is actually complete.

2/9
1. Information wants to be free.

Data leaks unless managed, access degrades w/o rules, information is ethereal. In the broader context of the term, from Stewart Brand: “Information wants to be free. Information wants to be expensive....that tension will not go away”.

3/9
Read 9 tweets
Profile picture
Phil Venables
@philvenables
Controls. A Thread.

Many well-known security incidents appear to have a common pattern. They are not the result of some awesome attacker capability to exploit some hitherto unknown vuln. or to realize a risk from some combination of controls weakness not contemplated.

1/15
Rather, a remarkably common pattern is that the control or controls that would have stopped the attack (or otherwise detected/contained it) were thought to be present and operational but for some reason were actually not - just when they were most needed.

2/15
There are many reasons for these failures to sustain the correct implementation of important controls, for example: a bad change, operational error, a new implementation that was incomplete, other faults/breakage, some wider change that nullified the in-situ control.

3/15
Read 15 tweets
Profile picture
Phil Venables
@philvenables
Threat Intelligence. A Thread.

Threat intelligence seems, at least to me, to get maligned too much. For many years I’ve found it an immensely useful element of an enterprise security and risk program. So, some perspectives on this.

1/11
Security is a game to win, not a state you’re in. You have adversaries and you have to therefore understand their motivations and their tactics, techniques and procedures (TTPs) in the context of their goals versus your assets and objectives.

2/11
To understand that you, surely, need some information about that. Let’s call that threat intelligence. At the risk of oversimplifying, there are essentially 2 types of threat intelligence:

3/11
Read 11 tweets

Related threads

Profile picture
Mowliid A. Hassan
@MowliidAHassan
My friend got an offer from University of Nairobi, but he's unable to secure entry/student visa to Kenya due to illegal & money extortion business b/w Kenya Embassy in Mogadishu, corrupted Kenyan Immig. officers &Somalis sucking the blood of their brothers in need. #THREAD!
When he applied a visa at Kenyan Emb. in Mogadishu he was told by Embassy Officials tht they don’t receive applications from Somalis with ordinary passports. “Service passport holders, dual nationals & those working for @UNSomalia r only allowed to apply directly via the Embassy”
He was then instructed to take his documents to a nearby Office that receives on behalf of them. That Office is managed by Somalis allegedly affiliated with Somali Government. Kenyan Embassy in Mogadishu said “the reason we are sending to that office is criminal clearance.”
Read 14 tweets
Profile picture
Anthony Ebitimi OWEI
@tonyOWEI
THE TRIANGLE OF PROFITS

Many ideas and quotes will come from @ronaldnzimora's Triangle of Profits books.

Everyone who starts any venture wants to make profit. You can only make profit when you sell enough to cover your cost of production and still have more money left

#Thread
Many people make sales or earn revenues but do not make profit.

Triangle of profits is basically your market, the message your market needs and the best media to reach them.
Now since we have established that you can only make profits when you sell, triangle of profits will therefore focus on sales:

How you sell,

What to sell, and

Who you should sell to.
Read 43 tweets
Profile picture
Stan
@Travelbrothers_
German Student Visa Interview Questions, Answers and Tips:

Despite that no one can certainly conclude about the specific questions to be asked to the next German student visa applicant, there are common questions that are commonly asked. #thread #TPStudyAbroad
These following questions matters:

1) Decision on why study in Germany.
2) Knowledge about Germany.
3) Information about future studies in Germany.
4) Current academic and work experience.
5) Blocked account and future financial status.
6) Common information about the study field.
7) Accommodation arrangement in Germany
8) Relationships with people living in Germany or Europe maybe.
9) What you plan to do during Holidays and semester-break.
10) Your Plans of the future.
Read 15 tweets
Profile picture
Vijay
@scanman
#Thread Family Doctors (Primary Care) Vs Speciality Care in #India
A few weeks ago, in response to a different thread ( ) there was a comment from @spinesurgeon that we need family physicians. (1/31)
Another comment in that thread by @VaradhKrish referred to the issue of patients going directly to specialists, bypassing primary care doctors. (2/31)
The problem of patients going to specialists directly, rather than to primary care/family doctors first and then being referred by them to specialists is one that requires a more in-depth analysis. (3/31)
Read 36 tweets
Profile picture
AeroDynamic Women
@AeroWomen
2nd #Thread of responses from women in aerodynamics to the question, 'what do you currently see as being the major obstacle to women entering your field?'

Responses incl gender career stereotypes from an early age, lack of self-esteem and lack of female role models #WomeninSTEM
1. "I think that there is not enough awareness of female role-models in my field. There need to be more initiatives that allow young women to connect with female role-models so that they can be inspired and motivated to follow in their footsteps."
2. "Discouragement from teachers in high school to pursue a STEM career and an unwelcoming atmosphere in technical universities."
Read 86 tweets
Profile picture
Oby Ezekwesili
@obyezeks
From Poverty Central to Prosperity: How the Obiageli 'Oby' Ezekwesili Presidency will lift 80+ million Nigerians out of poverty. #Thread
#Fight4Naija
Today is an exciting day for this campaign as we will be sharing the most important issue in our ambitious plan for Nigeria that shows our readiness to govern from Day One. I will be telling you how we intend to lift 80 million Nigerians out of poverty. #Fight4Naija
We expect citizens to hold us to account for every word we say and every promise we make, not just on our innovative solutions for tackling poverty which I would be sharing today, but on our entire manifesto to be released to the public on Friday. #Fight4Naija
Read 237 tweets

Trending hashtags

#ContentCuration #Kashmir #Canada #Europe #DigitalSoldiers #ucpAGM #infosec #russia #SEM #misinformation #Austria #Kurukshatra #USCYBERCOM #journalist #CafeCoffeeDay #DigitalPatriots #lawenforcement #TPStudyAbroad #PublicRelations #Fight4Naija #AfricaCareerChat #Business #DigitalNetworking #France #cyber
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!