Profile picture
, 11 tweets, 2 min read
Risk management is not only about reducing risk. A thread.

It seems most risk and security programs, and instruction on how to run risk and security programs, focus exclusively on assessing risk, to then implement controls or take other actions to reduce that risk.

1/11
Once the risk is at an acceptable level the focus is to keep it like that - but essentially do nothing more - except for a periodic or trigger based revisiting of the assessment. However, a big part of the more successful risk & security programs is to never stop there.

2/11
In fact, achieving the right risk level is merely the very beginning of a more worthwhile journey that improves the way that risks are mitigated. In other words, keep risk flat but improve the efficiency of the controls that mitigate the risk - across multiple dimensions:

3/11
1. Customer experience. Deliver the same risk level but improve the usability of controls - including reducing friction for the customer to sign-up for services or new features. This typically applies in relation to authentication, authorization and fraud prevention.

4/11
2. Cost. Reduce the cost to sustain or upgrade controls and to direct those savings to other improvements - or to other risks where there is still a need to more actively implement new controls to reduce risk.

5/11
3. Efficiency. Optimize the arrangement of controls, or indeed reduce the number of controls implemented for each specific risk, being careful not to impact defense in depth.

6/11
4. Ease of continuous monitoring. Replace controls that are not amenable to continuous performance monitoring, or that don’t emit the right metrics, with ones that do.

7/11
5. Automation. Replace any manual activities progressively with automation to reduce the administrative or other maintenance load.

8/11
6. Adjacent benefits. Develop adjacent benefits for existing controls such as having security logging capture and synthesize more data to assist with performance monitoring, or enhance distributed recovery to not only improve resilience but to increase change windows.

9/11
7. Reduced negative externalities. Enhance controls to reduce impact on other risks, such as improving any trade-offs made between security, resilience and/or performance.

10/11
Bottom line : A true mark of a commercially-oriented security program is to be perpetually optimizing control performance even after risk has been reduced to the right levels.

11/11
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Phil Venables

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @philvenables see all

Profile picture
Phil Venables
@philvenables
The Stress and Joy of Security Jobs. A thread.

A few months ago there was this whole thing about the stress of security roles, CISOs self-medicating, and a whole range of burn-out talk. Ok, yes, security is a tough job. A very tough job.

1/14
To do the job well requires broad and deep technical / risk skills, leadership augmented by a wide range of emotional intelligence and a whole lot of personal resilience. Despite efforts to be “never silently awesome” it can be most visible when things go wrong.

2/14
Wrong can be both sides of the line: too much of the wrong security impacts customer experience and business agility or too little and you see incidents of varying impact.

3/14
Read 14 tweets
Profile picture
Phil Venables
@philvenables
Cybersecurity is not the only technology risk. A thread (hopefully obvious).

In fact, when you total up actual losses it is likely not even the biggest risk. Although I think it is the risk which is increasing the most and has the highest potential existential impact.

1/15
Ignoring wider business risks (process, financial, strategic, legal/regulatory) - just focusing on technology risks:

- Failed projects. Actual and opportunity costs of large-scale failed projects and the organization consequences of failed transformation.

2/15
- Software errors. Not just security vulnerabilities but regular bugs/errors/design flaws that cause outages, processing errors and financial loss.

- Hardware and telecommunications issues. Failures associated with outages of systems and networks.

3/15
Read 15 tweets
Profile picture
Phil Venables
@philvenables
Security Program Tactics. A thread.

When starting or reinvigorating a security program, focus on a small number of meta-objectives that can have sustained outsize effects - as well as diving into the immediate and very specific things that need improving.

1/15
Here are 5 of those I’ve found useful or have seen over the years in various companies (large and small) and various contexts (public and private). This is not an exhaustive list.

2/15
1. Increase Risk Transparency & Accountability.

Fundamental, but not easy - something that is a constant work in progress for all. This includes maintaining a catalog of risks, controls that mitigate those, and subjecting those to continuous automated verification.

3/15
Read 15 tweets

Related threads

Profile picture
stefano_fait
@stefanofait
#Thread

1.
 #TulsiGabbard is the de-facto leader of the emerging leftwing sovereign populist movement in the United States.
I suspect this is by design.
In due time, DNC and RNC will be dissolved and replaced by a #PatriotParty.
She will be one of the leaders.
2.
 She's never going to win the democratic primary, but many voters will see how the DNC and MSM have ganged up on her and will not vote for Hillary or Michelle. Some on the anti-war left might even vote Trump as an act of protest and reprisal.
3.
 If she were to run as an independent. She would siphon votes from the Democrats, not from Trump. She would actually help him. Why would a republican vote for her instead of POTUS? It doesn't make any sense whatsoever.
Read 41 tweets
Profile picture
Ben oui
@evidemment_
#Thread
Le 3 août 1981 à 7h du matin, suite au blocage des négociations, la PATCO (Organisation professionnelle des contrôleurs aériens aux Etats-Unis), initie une grève illimitée. Les revendications des grévistes sont très élevées, car ils disposent d'un monopole absolu.
Les contrôleurs aériens comptent bien profiter de leur position pour forcer l'administration fédérale à se plier à leurs exigences :
Augmentation de 10000$ par an (26700$ de 2019!)
Semaine de 32h
Augmentation significative des retraites et assouplissement des conditions de départ
Ces revendications, totalement hors normes comparativement aux autres catégories de fonctionnaires américains, ne peuvent raisonnablement pas être satisfaites. La grève surprise provoque immédiatement une pagaille impressionnante dans l'ensemble des Etats américains.
Read 18 tweets
Profile picture
Dr. Waitman Wade Beorn
@waitmanb
[THREAD] More on the @HolocaustMuseum statement and the letter of concern from the scholarly community.

There are some misunderstandings going on that need to be addressed.

Let's talk about this. Warning: long #thread
Here is the official USHMM statement.

ushmm.org/information/pr…
Here is the Letter of concern by concerned scholars written and coordinated by @DrO_aorzoff and @Anika_Walke. As of now, over 375 have signed.

nybooks.com/daily/2019/07/…
Read 39 tweets
Profile picture
Saiswaroopa
@Sai_swaroopa
#Thread #Kurukshetra #Analytics #Mahabharata
Started a fun project of mine today. Recording the duels of Kurukshetra war in an excel sheet in anticipation of some interesting pattern. Watch this space for interesting tidbits. Full exercise may take quite a while
Interesting Results! #Kurukshatra #Analytics. So many duels without a declared result on Day One
Could record two general battles and 26 duels on Day One. Only 6 of those duels ended decisively. Pandava side suffered horribly in the hands of Bhishma. Uttara killed in the hands of Shalya. Saving grace being Abhimanyu countering Bhishma and winning over Brihadbala #Kurukshetra
Read 432 tweets
Profile picture
AeroDynamic Women
@AeroWomen
#Thread of responses from women in aerodynamics to the question, 'what would you like to see in order for women's career progression in your field to be sustained and better supported?'

Responses incl. career flexibility, mentoring and more women in leadership roles #WomeninSTEM
1. "I think young female engineers need to see more female role models and mentors in my field. Having a visible example of someone that looks like you and is succeeding in their field is important. Having an opportunity to meet with a mentor like that can be very powerful."
2. "I would like to see that any career promotion is based on own merits and value added to the company or the society independently of the gender. I want that women are measured with the same rules as men and are given equal opportunities."
Read 68 tweets

Trending hashtags

#RSO #Twitter #9th_Division #Janmasthami #PatriotsUnited #Iraq #Government #PowerApps #శ్రీరామరక్ష #AlyssaMilano #UKIndiaWeek2019 #Kurukshatra #Tel_Bakr #KafrNabuda #Italy #SteveBannon #ClimateChangeIsReal #Pakistanis #Suqaylabiyah #ISROweareproudofyou #EU #7z #CityNext #ISPR #Salvini
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!