Episode 11

Published on:

2nd Jul 2021

#11 Risk Management is a Game of Snakes AND Ladders

Is your risk management one-sided, designed to minimise the likelihood and negative impacts of uncertain events? How is the uncertainty of events with positive business impacts managed? Not by the security team or using the same risk management framework, right?

Threats and opportunities both rely on uncertainty. Add factors including likelihood (or frequency) and impact to either and you derive a risk. A risk that can be influenced by actions you take and external factors you don't control. While some terminology will likely need to be revised (for example, we don't want to mitigate upside risks, we want to promote them), can we not manage all risk using the same framework?

In this episode we talk about Balanced Risk. A holistic view on risk and risk management. One that considers both threats and opportunities, with risk treatment driven by business goals and tempered by risk appetites. Risk treatments that are rarely simple and may affect multiple risks and themselves introduce new risks. Reimagine risk management not as minimising (downside) risk, but as gaining confidence in achieving business goals.

About the Podcast

Attributive Security
The podcast anchored in the expression “security is a property of something else”.
There is often a lot happening in the world of cyber security: new threats, new exploits and new products. Don’t get us wrong, there is a lot of cool technology, and we appreciate that. But, at least on the surface, a lot of the defensive advances look to be very bottom up and technology focused. It is easy to lose sight of the context, what matters to us that we want to protect, and yes even enable.

Join us as we get together for unscripted conversations about a broad range of topics and relate them to cyber security. We’ll draw on various disciplines, and our own experiences, as we discuss ideas and practical approaches to tailored information security. We won’t be afraid to challenge one size fits all and best practice norms, or the misapprehension that bespoke security frameworks are infeasible for all but the biggest of enterprises. Be prepared to reimagine what an effective cyber security program can look like when it is engaged with and aligned to the business.

About your hosts

Martin Hopkins

Martin is a cyber security leader and an experienced consultant most recently specialising in technical and business security advisory, and enterprise and technical security architecture. A regular speaker on cyber security topics, he is a strong advocate of business driven security, balanced risk management, and enterprise security architecture.

With over 25 years' experience in technology, primarily in security related fields, Martin has extensive experience in financial services having been engaged by leading global institutions.

Prior to his current focus on security architecture and risk he was a security testing consultant working on everything from mainframe systems to IoT devices and has a background in system software development for information security and virtualisation.

Maurice Smit

A Principal Security Consultant and SABSA Instructor, with over 20 years of experience in IT Security operations, management, governance and architecture, in a variety of industries including finance, healthcare, OT and pharmaceuticals. Maurice delivers accredited SABSA training in Europe, India, Africa and the Middle East.

He is a founding member of the SABSA Institute Board of Trustees and was one of the first people in Europe to achieve SABSA Master Certification.

Maurice has contributed significantly to the development of the SABSA methodology, including co-authoring the “SABSA for Enterprise Risk Management” training course, and leads the volunteer effort “SABSA World” with the aim of establishing regional SABSA communities of interest.