Enterprise-Wide Risk Management

For decades, organizations have managed risk at the information systems level. This information system focus provided a very narrow perspective that constrained risk-based decisions by senior leaders/executives to the tactical level—devoid, in many cases, of any direct linkage or traceability to the important organizational missions/business functions being carried out by enterprises. The concentration on information systems security by organizations resulted in a focus on vulnerability management at the expense of strategic risk management that is applied across enterprises. NIST Special Publication 800-39 introduces a three-tiered risk management approach that allows organizations to focus, initially, on establishing an enterprise-wide risk management strategy as part of a mature governance structure involving senior leaders/executives and a robust risk executive (function). The risk management strategy addresses some of the fundamental issues that organizations face in how risk is assessed, responded to, and monitored over time in the context of critical missions and business functions. The strategic focus of the risk management strategy allows organizations to influence the design of key mission and business processes—making these processes risk aware. Risk-aware mission/business processes drive enterprise architecture decisions and facilitate the development and implementation of effective information security architectures that provide roadmaps for allocating safeguards and countermeasures to information systems and the environments in which those systems operate.
Recorded Feb 3 2011 41 mins
Presented by
Ronald S. Ross; NIST Fellow
  • Election Takeaways for Cybersecurity Leaders Jan 20 2021 5:00 pm UTC 60 mins
    Diana Kelley, Security Curve
    The 2020 US presidential election is behind us, but the key cybersecurity issues surrounding election integrity could linger for years to come. From ransomware attacks on local governments, to the untamed spread of disinformation, to experimenting with online voting apps and the myriad of vulnerabilities uncovered across election infrastructures, cybersecurity had never before taken such a central place in the national conversation as it did in 2020.

    So, what have we learned in the aftermath? And how can we apply it to better protect upcoming elections as well as enterprises, customers and employees?

    Join this interactive panel with security experts and tech leaders to learn the biggest lessons from the election from a cybersecurity and privacy standpoint. Discover what went down, what could have gone better and how to prepare for the midterm elections in 2022.

    - Can we build a hack-free election
    - Does misinformation on social sites impact how people vote and what can be done to stop the spread
    - What was new this time and what should security leaders keep in mind for their organizations
    - Would it be safer if we brought the voting process online or in app
    - Can nation state actors change voter rolls or polling data
    - What the biggest election threats mean for industry
    - Key takeaways for cybersecurity leaders

    This episode is part of The (Security) Balancing Act original series with Diana Kelley. We welcome viewer participation and questions during this interactive panel session.
  • All PCI and NOTHING about PCI DSS v4 Dec 10 2020 5:00 pm UTC 60 mins
    Ben Rothke | David Mundhenk | Jeff Hall | Arthur Cooper "Coop"
    This session is Part 10 of the PCI Dream Team series on BrightTALK.

    Our panelists are some of the top PCI QSAs in the country, with decades of combined PCI and card processing experience. They’ve seen it all: the good, the bad and the ugly; and lived to tell the tale.

    Join Ben Rothke, David Mundhenk, Arthur Cooper, and Jeff Hall for an interactive Q&A session, and get answers to your most vexing PCI questions. No PCI question is out of bounds.
  • The Cloudscape GRC Landscape Dec 9 2020 10:00 pm UTC 45 mins
    Brett Osborne, Security Architect/Translator, independent
    The Cloudscape provisions a shared/split model for responsibility. This generally means that the cloud provider is responsible for certain layers of the environment. But the provided graphics are usually more IT focused than Information Security focused, let alone Risk Management focused. The information security elements of cloud have been improving for years. However, there are still areas that are light in detail or clarity. This presentation will take you on a deeper dive into Cloud GRC. It will use the premise of Platform (PaaS) clouds, as this model provides a clear “bang for the buck”. Other models (Infrastructure IaaS, Software SaaS) do provide benefits, but at different specialization levels. In this conversation, we will discuss the repercussions of the shared/split responsibility model. In this webinar you will learn:

    · Viewpoint changes
    · To distinguish shared responsibility and shared risk
    · Changes to compliance and continuous monitoring
    · Changes to Risk management and assessment from shared/split responsibility model
    · and what you are (really) protecting
  • 2021 Readiness: Balancing Security in a Post-COVID World Dec 9 2020 5:00 pm UTC 60 mins
    Diana Kelley | Mark Weatherford | Ted Harrington | Amir Shaked
    Earlier this year many companies experienced an incredible shift to fully remote work almost overnight, in response to the COVID-19 pandemic. This accelerated the “digital transformation” journey for many companies, compressing what was a multi-year timeline into a few months and making 2020 different from any previous year. In this episode we’ll explore how the balance between security, privacy and productivity was tipped this year, and what we can expect to see in 2021 as some, but not all, organizations head back to office work with a post-pandemic mindset.

    The audience will hear from CISOs and Security Directors about how this year was different, what they're going to do differently going forward, and what they expect (or have already seen) as organizations get back to pre-COVID levels.

    Topics covered:
    - 2020 in review
    - The hard lesson that a mobile workforce is not the same as a remote workforce
    - How the attack surface expanded and what CISOs are doing to ensure risk doesn’t expand too
    - How digital transformation sped up and what it meant for security, privacy and productivity
    - During the speedy journey to the cloud - what mistakes were made?
    - Lessons learned that will be carried forward for security teams
    - What CISOs are doing to prepare for whatever 2021 may bring

    Panelists:
    - Mark Weatherford, Chief Strategy Officer and Board Member, National Cybersecurity Center
    - Amir Shaked - VP, R&D, PerimeterX
    - Ted Harrington, Executive Partner, Independent Security Evaluators [ISE]

    This episode is part of The (Security) Balancing Act original series with Diana Kelley. We welcome viewer participation and questions during this interactive panel session.
  • GDPR Wins, Challenges & Lessons for Organizations Dec 9 2020 4:00 pm UTC 60 mins
    Kalani Enos, CEO, KEnos Technologies | ISSA | Further panelists to be announced
    It’s been more than two years since EU's General Data Protection Regulation (GDPR) came into force. To date, more than $126 million in fines have been imposed, and over 160,000 data breaches have been reported in this time -- most of them coming from the UK, Germany or the Netherlands, according to the law firm DLA Piper.

    Join us for an in-depth look into how the world and the regulatory landscape have changed since GDPR and what this means for businesses in the US, UK, Europe and globally (compliance, security, privacy).
    - Post-GDPR data regulations around the world
    - GDPR vs CCPA
    - Data access rights - Has anything changed?
    - Facial recognition & GDPR
    - COVID-19, data collection and compliance
    - Is GDPR turning into a “paper tiger”
    - What to look for on the regulations landscape in 2021
  • The cloud security dilemma: Cloud native or third-party tools? Dec 8 2020 6:00 pm UTC 60 mins
    Sushila Nair, NTT Data | Matt Soseman, Microsoft | Scott Vachal, Soter Cloud Solutions | John Aarsen, SonicWALL
    As your enterprise moves to the cloud, you need to develop a holistic cloud security strategy. Should you adopt tools developed and provided by cloud platform providers, or is it better to invest in third-party offerings? Now you can discover cutting-edge strategies from industry leaders and leverage best practices to easily secure your cloud investments.

    Join this insightful discussion, moderated by ISACA GWDC, which brings together leading cloud IT integrator NTT DATA, cloud service provider Microsoft, and cloud security solution providers.

    Sushila Nair, VP, Security Services, NTT Data
    Matt Soseman, Sr. Security Architect, Microsoft
    Scott Vachal, Founder, Soter Cloud Solutions
    John Aarsen, Cybersecurity Expert & Territory SE Northern EMEA, SonicWALL
  • Election Recap & Cybersecurity Lessons Learned Recorded: Nov 19 2020 49 mins
    David Morris | Lee Imrey | Mick Baccio | Harrison Morris
    The 2020 U.S. presidential election has brought cyber security to the forefront for many in the U.S.

    From shedding light on disinformation campaigns aimed at disrupting the election, to testing voting machines and pentesting online voting apps, to raising awareness around the risk of ransomware and other attacks to local governments, voter registration databases, poll books and election reporting websites - security researchers and practitioners have been raising red flags throughout the election cycle.

    Join this episode of the Election Hacking series to learn about:
    - The 2020 election takeaways from a cybersecurity viewpoint: What went down, what could have gone better and how to better prepare for the midterm election in 2022
    - What the biggest election threats mean for your industry and organization
    - What have we learned and will it change anything in time for 2022
    - Post-election cybersecurity lessons for tech leaders

    Panelists:
    - Lee Imrey, Security Strategist at Splunk
    - Harrison Morris, PhD Candidate Georgia Tech researching the intersection of Cybersecurity and Cognitive & Brain Sciences
    - Mick Baccio, Security Advisor, Splunk

    Moderator: David Morris, Executive Director at Digital Risk Management Institute

    This episode is part of the Election Hacking Original series examining the threats to democratic elections, the technologies used to power and hijack elections, and what's needed to educate and empower voters before Election Day.
  • Deceiving the Attacker Recorded: Nov 17 2020 56 mins
    Diana Kelley | Chris Roberts | Christina Fowler
    When it comes to deception technology, the industry is evolving beyond simple honeypots to a more automated, scalable, and effective approach.

    Join this episode of The (Security) Balancing Act to discover how deception technology can be used by organizations to detect, investigate and respond to malicious intruders. How does deceiving the attacker save your company and buy you time?

    During this episode, we'll go over:
    - What is deception technology and what does it help with?
    - How does it work? (e.g. Deception decoys, lures, honeytokens, traps, grids)
    - Is your organization ready to adopt deception?
    - What do you need to do before you buy the technology / build it in-house?
    - Key benefits of using deception for threat hunting
    - What else can deception be used for?
    - Deception use cases
    - The role of AI in deception (e.g. dynamic deception)

    Panelists:
    - Chris Roberts, vCISO, Researcher, Hacker, Consultant, Devils Advocate
    - Christina Fowler, Chief Cyber Intel Strategist at MITRE Corporation

    This episode is part of The (Security) Balancing Act original series with Diana Kelley. We welcome viewer participation and questions during this interactive panel session.
  • Eyes wide Open: Magecart Web Skimming Attacks, Detection and Prevention Recorded: Nov 11 2020 61 mins
    David Mundhenk (Herjavec Group) | Ivan Tsarynny (Feroot Security) | Tabitha Gallo (Herjavec Group)
    The client-side or the front end of web applications, aka ‘digital user experience,’ actively ingests customer/user information at data input points that can include very sensitive information.

    As the web front-end code runs on unmonitored and untrusted devices, spyware, malware and other malicious actors leverage client-side security flaws and third-parties to steal credentials, financial transactions and payment card data to conduct fraud.

    Speakers:
    - David Mundhenk, Information Security Consultant, Herjavec Group
    - Ivan Tsarynny, CEO and Co-Founder, Feroot Security
    - Tabitha Gallo, Principal Security and Privacy Consultant in the Advisory Services team, Herjavec Group
  • Pre-Election Check-In Recorded: Oct 29 2020 55 mins
    David Morris | Mick Baccio | Harrison Morris
    With the 2020 U.S. presidential election less than a month away, let's take a look at the current state of this election from a tech and cybersecurity perspective. What are the new challenges and threats to democracy that we have not seen in previous election cycles?

    Join this panel to ask your questions and learn more about:
    - Things to keep in mind ahead of Election Day
    - Lessons from recent cyber attacks in the public & private sector
    - Securing voter databases and election infrastructure
    - Election reporting websites and when to expect to hear the results of the election
    - Weeding through election interference and disinformation
    - What to expect after Election Day

    Panelists:
    - Mick Baccio, former CISO at Pete for America, and White House Threat Intelligence Branch Chief, Security Advisor at Splunk
    - Harrison Morris, PhD Candidate Georgia Tech researching the intersection of Cybersecurity and Cognitive & Brain Sciences

    Moderator: David Morris, Executive Director at Digital Risk Management Institute

    This episode is part of the Election Hacking Original series examining the threats to democratic elections, the technologies used to power and hijack elections, and what's needed to educate and empower voters before Election Day.
  • Securing Identity - 1 Year Check-In Recorded: Oct 14 2020 59 mins
    Diana Kelley | Aidan Walden | Shareth Ben | Doug Simmons
    According to Verizon’s 2020 Data Breach Investigation Report (DBIR), over 80% of hacking-related breaches involved the use of lost or stolen credentials - and approximately 35% of all breaches were initiated due to weak or compromised credentials.

    Last year, we kicked off The (Security) Balancing Act series with a panel of identity experts to help us understand the landscape. Join us for this 1 year check-in to learn what has changed for organizations in the last 12 months and the security implications of shifting to a more remote workforce.

    - 2020 vs 2019: Key changes & challenges for cybersecurity
    - How work from home has opened the door to attackers
    - Regulatory updates that may impact identity management programs
    - Why attackers are focused on credentials and authentication systems
    - What businesses can do to keep track of all endpoints, manage identities and privileged access, protect their data and maintain compliance

    Panelists:
    - Aidan Walden, Director, Public Cloud Architecture & Engineering at Fortinet
    - Shareth Ben, Executive Director, Insider Threat & Cyber Threat Analytics at Securonix
    - Doug Simmons, Principal Consulting Analyst, Managing Director, Consulting at TechVision Research

    This episode is part of The (Security) Balancing Act original series with Diana Kelley. We welcome viewer participation and questions during this interactive panel session.
  • CISO Insights: How to Practice Cyber Hygiene & #BeCyberSmart Recorded: Oct 5 2020 61 mins
    Dan Lohrmann | Earl Duby | Keith Hollender | Adam Ford
    By popular demand, the CISO Insights series is back in October for National Cyber Security Awareness Month with a new episode on securing connected devices.

    Join this interactive Q&A discussion with CISOs to learn more about:
    - Why connected devices are a popular target for attackers
    - Steps for easy cyber hygiene at home and at work
    - Building a security culture together
    - CISO recommendations & best practices

    Speakers:
    - Dan Lohrmann, CSO & Chief Strategist, Security Mentor, Inc.
    - Earl Duby, CISO, Lear Corporation
    - Keith Hollender, former CISO; Partner, Global Cybersecurity Practice Lead at MorganFranklin Consulting
    - Adam Ford, CISO of Illinois

    This panel is part of National Cyber Security Awareness Month (NCSAM) 2020.

    We welcome and encourage audience participation and questions.
  • AI, Vulnerability Scanning & Implementing Your Cloud Security Strategy Recorded: Sep 24 2020 61 mins
    Moderator: Tejasri Devarapalli; Richard Meeus, Akamai; Nabil Zoldjalali, Darktrace; John Aarsen, SonicWall;
    Securing the cloud can be challenging for many reasons, from data breaches that result in excess spending and loss of trust, to implementing and maintaining a security strategy.

    According to Gartner, the public cloud services market is expected to grow 17% in 2020. With this in mind, how can businesses secure their cloud access while adopting new cloud strategies? Some cloud security vendors have adopted AI and machine learning methods to protect against threats to the cloud.

    According to Cybersecurity Insiders, less than a third of businesses are monitoring abnormal workforce behavior across their cloud footprint. This is alarming considering the significant increase in usage of cloud apps and collaboration platforms. 

    Join this expert panel where cloud security leaders will discuss:
    -  The key threats faced by businesses implementing cloud services
    -  How AI, autonomous response and machine learning can help to detect threats
    -  How vulnerability scanning can optimize your cloud security strategy
  • How To De-classify Data and Rethink Transfer of Data between US and EU Recorded: Sep 2 2020 47 mins
    Ulf Mattsson, Chief Security Strategist, Protegrity
    Companies need an immediate rethink of data transfers to the United States now that the Privacy Shield transatlantic pact has been declared invalid. The Court of Justice of the European Union found that the Privacy Shield does not meet GDPR requirements and cannot ensure an adequate level of protection.

    We will discuss how to achieve compliant pseudonymization, including protecting not only direct identifiers but also indirect identifiers and additional attributes, while still preserving the data’s utility for its intended use.

    We will also discuss different international privacy standards and the new Schrems II ruling, and clarify pseudonymization and other data privacy techniques.

    We will also discuss
    • Data privacy and working remotely
    • That GDPR does not apply to data that is no longer identifiable
    • Pseudonymization used nationally, as well as for trans-border communication
    • Pseudonymization use cases for privacy protection of personal health information
    • Re-identification attacks, full and partial
    • Extracting new information out of an anonymous or pseudonymous database through re-identification
    • Linkage mechanisms
    • The data de-classification process and workflow
    • Pseudonymization services best practices and trustworthy practices for operations
    • Policy framework for operation of pseudonymization services
    • When to use pseudonymization and/or anonymization
  • PCI Dream Team - PCI Compliance with Non-supported Software & Hardware Recorded: Jul 28 2020 61 mins
    Ben Rothke | David Mundhenk | Jeff Hall | Arthur Cooper "Coop"
    Being left at the payment altar is not easy.

    PCI DSS requirements 6.1 and 6.2 address the need to keep systems up to date with vendor-supplied security patches in order to protect systems from known vulnerabilities. But what do you do if you have an in-scope application and it is no longer supported by the vendor?

    Many payment applications, gateway and software are long past end-of-life, yet still processing cardholder data. Can such a setup be PCI compliant?

    This PCI Dream Team webinar will detail the issue, challenges dealing with unsupported hardware/software, and suggest strategies for compensating controls.

    Our panelists are some of the top PCI QSAs in the country, with decades of combined PCI and card processing experience. They’ve seen it all: the good, the bad and the ugly; and lived to tell the tale.

    Join Ben Rothke, David Mundhenk, Arthur Cooper, and Jeff Hall for an interactive Q&A session, and get answers to your most vexing PCI questions. No PCI question is out of bounds.
  • Detecting & Responding To Ransomware Recorded: Jul 14 2020 56 mins
    Eric A. Nielsen, Chief Executive Officer, Defense In Depth Cyber Security
    As an information security professional your knowledge of ransomware as well as the tactics & techniques to detect & respond effectively are critical to your organization. Data breaches threaten organizational financials and reputations. Strengthen your security through the use of actionable intelligence. Attendees will hear about:

    - What is Ransomware?
    - Leveraging Architecture Components to Detect & Respond to Ransomware
    - Ransomware Scenarios & Solutions
    - Tips to Protect Your Organization
  • Malware in CSP environment- An enigmatic conundrum Recorded: Jul 13 2020 54 mins
    Srinivas Bhattiprolu, Global Head, Advanced Consulting Services, Nokia Software
    Malware is a humongous force to be reckoned with; recent advances in technology have not slowed its progress or the impact associated with it. Malware has in fact ridden the improving technology and made it its tool and affiliate. Social networks, e-mail and mobile devices are becoming major conduits for propagating malware of different types. Malware is becoming better at protecting itself. The development of technologies that enable malware to evade detection and analysis has made it virtually unstoppable in infiltrating its high-value targets. Malware continues to be a problem for Communications Service Providers and their customers. The session introduces the history of malware and how it has evolved over time. A threat ecosystem is an interdependency of different technologies and the people behind them that are vital to the success of an attack.

    This presentation explains the threat ecosystem of malware, how malware impacts Communication Service Providers (CSPs), and gives a view of malware activity in mobile and fixed networks around the world. The presentation will then zoom in on IoT botnet activity, which has increased substantially since the introduction of Mirai in 2016. Many of these IoT botnets leverage the basic architecture and functionality of the Mirai source code.

    The presentation then elucidates the IoT botnet family tree: how a botnet works, how these botnets spread, and how they communicate with each other as well as with the command and control server. It then highlights different variants of botnets and provides a high-level overview of each variant. It covers the top 20 most prolific malware families found on the internet today and highlights infection types and rates in different types of networks, such as mobile and fixed.

    Finally, the presentation will provide some views on how different types of malware threats can be detected and mitigated, and how networks can be protected proactively.
  • Data Privacy in 2020 and Beyond Recorded: Jun 17 2020 60 mins
    Mali Yared, Robert Razavi, Baber Amin, Lori Robinson & Elliot Dellys
    Is your organization aware of the main differences in data regulations around the world?

    Join this panel of industry leaders for an interactive Q&A roundtable to get a comprehensive look into the different data privacy and security requirements. The panel will also discuss what to expect in 2020 and beyond.

    Viewers will learn more about:
    - What's new on the data privacy and compliance landscape
    - Main differences between data regulations around the world and what this means for your organization
    - Expert recommendations regarding best tools and practices for achieving and maintaining compliance
    - The future of data privacy
    - What to expect in 2020 and beyond

    Mali Yared, Practice Director, Cybersecurity and Privacy, Coalfire (Moderator)
    Robert Razavi, Senior Security Architect CTO Office, IBM Canada
    Baber Amin, CTO West, Ping Identity
    Lori Robinson, Sr. Director, Product & Market Strategy, SailPoint
    Elliot Dellys, Director, Strategic Consulting, Trustwave
  • Data Protection & Privacy During the Coronavirus Pandemic Recorded: Jun 17 2020 60 mins
    Ulf Mattsson, Head of Innovation, TokenEx
    Remote work is quickly becoming the new normal and criminals are taking advantage of this chaotic situation.

    The EU Agency for Cybersecurity is providing guidance for the huge increase in the number of people working remotely and using tele-health; it is vital that we also take care of our cyber hygiene.

    Viewers will learn more about:
    - How to use encryption, and how to control new storage and sharing of regulated data in this new situation.
    - Anonymization can leave personal data open to re-identification, which exposes firms to GDPR non-compliance risks.
    - How are the HIPAA rules changing in this situation?
    - GDPR prescribes pseudonymization: how does that work?
    - How is CCPA changing the rules?
    - How to secure Wi-Fi connections to prevent snooping of your traffic, and keep anti-virus and security software fully updated, also on mobile phones.
    - How important files can be backed up remotely or locally; in a worst-case scenario, staff could fall foul of ransomware, for instance.
    - What apps are secure to use in this new era?
    - Should we use MFA, password managers or local password management?

    We will also discuss how to use the CERT-EU News Monitor to stay updated on the latest threats and check the following basics.
  • Multi-factor Authentication and How it can Save You! Recorded: Jun 16 2020 61 mins
    Elisabeth Happel, Director of Cyber Security, TRG Networking, Inc. & David McHale, Principal, HailBytes
    Everywhere you turn, someone is talking about MFA. When you strip away the jargon, the platform marketing and the ads, what does MFA really offer to the end-user or to a business? As more and more services move into the Cloud, you’ll want to understand multi-factor authentication as a possible solution for your business or personal needs.

    A little history:
    Authentication is one means of identity management: it is how a computer system knows which user has access to which resources. In the not too distant past, this was usually controlled via Active Directory on a server that sat in a closet where you worked. And that worked well, because all the applications, printers and employees were in that physical place called the office.

    But things change! Servers and applications are now more likely to reside in the Cloud than in your office. Employees could be working from home, out in the field, or half-way around the globe. Each of the resources that a person needs to access must have a way of authenticating them, but traditional authentication is no longer sufficiently secure on its own!

    Enter Multi-factor Authentication, which adds an additional, out-of-band way of authenticating identity. In this webinar we will discuss:
    - What is MFA?
    - Why as-a-Service cloud offerings can be vulnerable to authentication breaches
    - What is out-of-band, and why is that important?
    - How utilizing MFA can be an important part of your strategy to shore up your network or system defenses
    - How risk is reduced using MFA
    - The different genres of MFA, and how they can be implemented

    We will wrap up our discussion with a brief Q&A session at the end, so warm up your questions!
Trends, developments, and technology
Increasing expectations for good data governance, effective risk management and complex demands for legislative and regulatory compliance are presenting a growing challenge for organizations of all sizes. Tune in to live and recorded presentations by respected luminaries in the fields of governance, risk and compliance for insights on how to implement successful GRC strategies and processes for your organization.

  • Title: Enterprise-Wide Risk Management
  • Live at: Feb 3 2011 9:00 pm
  • Presented by: Ronald S. Ross; NIST Fellow