
Measuring Cyber Programmatic Success: Risk or Security?

BSides Knoxville · 2022 · 46:40 · 46 views · Published 2022-05
Style: Talk
About this talk
Develops practical approaches to cyber risk and security metrics that align technical, business, and executive perspectives. Covers governance structures, compliance frameworks, and real-world examples of measuring program success through dashboards, maturity models, and data collection strategies.
Original YouTube description
The presentation will walk through leading practices on how to develop cyber risk and security metrics, employ the metrics to determine security posture, and align program components to measure success. The presentation covers governance and policy activities and structures, compliance requirements, and risk frameworks. The objective is to break down barriers to metrics and programs, provide real world examples, and identify relevant data.
- Bringing together technical, business, and executive level discussions
- Implementing an approach that addresses people, process, technology and culture
- Developing portfolios and roadmaps
- Measuring success
Transcript [en]

So I'm going to say hello, BSides Knoxville. My song was "Hello," and that was why. So anyway, my name is Christine Horvega, and I've been in Knoxville about 11, 12 years now and had an opportunity to work at multiple companies in the area as well as in consulting. Currently I'm a director of cyber for CGI, and I work with the federal clientele doing cyber advisory and programs, so I thought this would be fitting. I've done cyber programs for over 15 years now, and I have worked with multiple clients and also companies, supporting development of metrics and development of the program. One of the things that I typically run into right away is this aversion to metrics: this idea that they're hard, what are we actually measuring, is it going to count against us? What I will say, not being an engineer by trade or practice, is just start somewhere. There's that barrier of "we've got to get everything right, it's got to be 100." Just start somewhere, and when you start to learn more from the metrics you do start with, you'll actually start to develop more metrics, and it will actually get better over time.

The other thing I'll talk about is design. When we talk about vulnerabilities, you can pull from any system. Well, what are some metrics that I can design, and then how do I layer those metrics so that they meet the needs of all of my organization? I'm not just going to do board reporting, or just business unit, or even just cyber teams; I'm going to look at how I have metrics across my organization so I can support all levels, and then why those metrics are valuable and what you should be doing with them. Additionally, we'll talk about the program. When I talk about a cyber program, I'll actually define it for you, but it's really that collection of all the initiatives. You guys have been here today learning about processes; you've been learning about tools and technologies. When you want to put all of those together, you should create this program in order to show that return on investment, show how they all help each other out, or where security is actually reducing your risk or making your business process more effective, or even just securing that value of your company that you're trying to build through your DevOps. Then I'll go over some dashboards. It's more just for visuals, but I will talk about the value there, where you can differentiate, and how you create your dashboard. But the real objective here is to get people past the barrier or your hesitation to putting metrics out there. Metrics are going to help you; they're going to put your program in play, and they're also going to help you define specific things that you want to measure.

So going back to that cyber program: how many of you out there currently have a cyber program (you may call it an information security program) at your company and are currently putting together a portfolio of projects? Not very many, so that's interesting. One of the things that I hope you take away today: like I said, I do have a whole approach, I have dashboards, I have metrics that we've written, or that I've written, and put in here. Please reach out to me; I'm willing to share everything I have. I've been doing this, like I said, for over 10, 15 years; I have a lot of materials.

Cyber program: what is that? I define it as, again, it can be an IS program, it can be a cybersecurity program. The program itself is really bringing together those initiatives. When you think about people, process, and technology, we have to be able to see how they come together. We want to measure them from end to end, and we want to show the value of how those initiatives are really driving towards reducing the risk for the organization, enabling it to meet its objectives, and how security plays into that. I typically do not put cyber security together right away. I like "cyber risk," because I think cyber risk is different: it's that probability of the loss or the adverse impact event that is going to really prevent you from meeting those bigger objectives. It's "where's my loss of availability, confidentiality, or integrity for my data, systems, network, processes?" Again, that could go on and on. Whereas security, or cybersecurity, security posture, I define as the evaluation of how your controls or your frameworks or your standards are lining up to what you said you were going to do and your expected outcomes. Typically I will say it is compliance related, and I will say it that way: security is a control function. It is set to oversight your IT activities and your business processes, so it is typically aligned with a compliance concept. I will show you again some different metrics I've seen around that are dashboards, but again, I just like to differentiate that, because one of the big things that I always come to the table with my leadership on is that you can be secure but not even touch the risks that are actually hitting you. That's why I say it typically can align with your compliance programs. Now, I work with the federal government a lot, and I've also worked with federal entities; this is typically the case. It's very focused on

the compliance, the requirements, the frameworks, whether it's NIST, whether it's CMMC: how can I meet those requirements? Then ultimately it needs to come full circle back to the risk, and the indicators should help you with that.

So I have performance and risk indicators. Risk indicators are really letting you know when something's coming at you, and I always like to give the example: I drove in this morning, lots of traffic, or for those of you in this area, there's lots of traffic. I came from the DC area; that's a joke for traffic. So I'm coming in, and all of a sudden it's jamming up again right as I'm coming towards the city, and I see the brake lights indicator: I need to change my behavior; I need to think about how I'm going to respond to the traffic ahead of me. Whereas key performance indicators are really about how you're doing. So when we talk about program success, we're going to talk about those performance indicators: how do I make sure that I know I'm meeting the objective or the expected outcome that I have? Interestingly enough, before, we talked about governance, and the previous presenter said, okay, governance. I agree; I typically live in the governance world, but the way I also talk about it is roles and responsibilities and different levels of the organization, because if you think about your strategic level and your board reports, your business leader reports, and then also your cyber reports at your team level or even your end user level, they're all going to be different, but they should be synchronized to, again, support the bigger objectives of your company, meet those goals, and produce value for the organization.

One of the analogies I like to use is going to the doctor. If you think about it, measuring your vitals is the first thing you do at every doctor's appointment. You walk in, they say step on the scale, my least favorite activity when I get there; it just brings a downer right up. Then of course they hit my blood pressure; well, that's already elevated again. Then they go and check my temperature; in the COVID days, it's getting a little less. But then they also ask me questions: they say, how are you feeling, do you have pain anywhere? So it's really those indicators: is there potentially something wrong, should they go further, test further? Do you think they jump right into "hey, let's go do an MRI scan, let's do a CAT scan"? No, because one, they're expensive; two, timely; and three, I never have enough time to get to all those different appointments. So what I like to do is say, hey, if I have something wrong, let me know. So how is this information being shared with me? Are we jumping right from "I have a pain in my back" to back surgery? No, I'm talking through what the implications or what the impact could be, what could be causing it, and what those root causes are. Then, also thinking about vitals from an indicator perspective, they should be aligned with my objective: I'm trying to get healthier, I'm trying to bring my blood pressure down. They also provide context for those next steps, so my doctor's giving me some activities. My all-time favorite is my heart doctor loves to tell me, don't eat red meat, and I said, yeah, that's never gonna happen. So I tell him, I gotta live a little. He says, yeah, just don't order it; then I have to make it myself, so I try to do that on the grill. But that's really where you can set yourself up, very similar to taking those vitals.

Now, good practices when developing metrics are really around, again, the audience. Think about your audience. I came up in the GRC world, where it was the right time, right person, right metric or right information. Very relevant in that your strategic metrics should be saved for those at the top, the senior leadership, your board. It's really not going to do a lot of good to share those metrics with your team that's acting on the ground, thinking, okay, it's great, but what does that mean to me? Your operational metrics, that's where it starts to get into the processes and the technologies: what's that interaction, how can I change that interaction? Then your tactical, again, the outcomes of your staffs; they're going to be outcome driven, they're going to tie back, but they're going to be relevant for that tactical, everyday, day-to-day "what do you need me to do?" Now, your metrics, my all-time favorite, need to have decisions or actions. I always used to ask my clients: you're going to have to gather all this data, we're going to put these metrics together; what are you doing about it? And, like, what do you mean? Well, you're not gonna make a decision, you're not gonna change what you're doing? Oh no, I just wanna know what's happened. No, that just takes time and energy that no one has. If you're not gonna change anything, or you're not gonna make a decision or change your actions, then you really need to think about that metric and step back for a minute and say, okay, what can I actually measure that I can then do something with? Also operational improvements or revenue gains, going back to that value, if you're going to add value. But again, it's about how will I respond, or will I

respond. If you're not willing to respond to any of those metrics, don't measure them right away; work on other ones that actually give you some action. And then my favorite is keep current or don't bother. People tend to just keep running metrics and running metrics, or my all-time favorite was the board reporting: we'd spend two weeks putting the metrics together, and they'd already be two weeks old. So as we're putting the slides together, like, what are you supposed to do with that information? You can't act upon it; it's already old. So keep it relevant, and that's helpful.

So as I was talking about the organization, those roles and responsibilities, one of the things you want to do is communicate right up front what the layers are. Now, these are three layers, and I'll show you where I got my reference from after, but these are typically the three layers you see, and it talks about the different levels of metrics that you should be thinking about for that specific group. If you're talking about your board and executives, they want to know what your risks are, what the risks to those objectives are; that's the real focus. But also that cyber program approach: they want to say, overarching, what are you addressing, what are your initiatives, and where's the spend going? Going down to the business leader level, you're really looking at that overall state. One of the things I always like to say about business leader metrics: it goes back to where's the money. It's the "show me the money": what are you spending money on, what are you measuring when you do that? Because that's what they care about. They often hold the dollars, and they'll put the money where it matters, and that's where you get into your risk treatment actions or your plans, your business plans. Your operational team level metrics, that's going to again go back to that day-to-day tactical. They're going to want to know where those KRIs are: what am I looking for, what are my triggers, where do I need to either alert someone or escalate, what's important to then measure and roll up, or what do I need to be aware of if I need to change my behavior or set an incident response in place? Those are the kind of metrics you want to have at that team level. I get this from, and I find the most valuable that I've used and I've seen is, the NIST Cybersecurity Framework. This is their outline of what it looks like to do an organizational tiered approach of building metrics, communicating, and then working through a cyber program. I have seen this work in every instance I've looked at. You can take the NIST off it, but in the end, this CSF, they give the whole outline. They help you identify those roles and responsibilities, and they really show you how this comes together from a communication perspective.

So now, talking about cascading: what does this actually look like? You're telling me, okay, I have all these metrics, great idea. So I'm saying, okay, operational metrics: I'm going to look at a leading metric, and I'm going to cascade it down. For my executive management, policy adherence reduces risk of exploitation of critical assets, so I'm going to look at policy adherence; that's going to be my metric for them. How many times do I see that? If I'm at a business unit level, I have number of policy exceptions. Now I got to tie those policy exceptions, so what, you have the exceptions. We all have them; I know we used to get carried away with ours. Then you have to look at it related to your number of issues, because if you're having issues in those same areas that you have the policy exception, you really want to start to look at: should I be accepting that, or should I be changing my risk tolerance, or should I be thinking about that metric or that policy a little different and maybe update it? One of the things I always like to tell, again, my clients or even my business leaders when I worked with them, I'd say, so we have a policy; we're getting to a point where it's about every third interaction with this policy works; we're giving exceptions. After about the first year of that, shouldn't we just review the policy and update it to think about those exceptions and maybe add them, and then we're not doing so many exceptions? And I was like, oh, that's really a good idea, maybe I should do that. So again, measuring it gives you an action you can then think about to move forward. Then of course you have your cyber ops team. So those policy exceptions: they're going to be looking for those security alerts, they're going to be looking at those specific assets and where that policy is tied in, because they're going to feed into your issues. They're also going to be looking at the percent of critical assets that are assessed with deficiencies. That's typically where you're going to see your issues: if you have deficiencies, you're going to see issues; if you have exceptions, then you're going to see lack of policy adherence; you're definitely going to see increased risk in that area. So this ties back to an asset, a process, and again a network, or even a transaction that's going on. These are, like I said, the build-up, or the build-down, of a metric that then helps everyone in the organization understand where the risk is and also where they can be more secure.

So I'm going to go into cyber program

and the metrics that go with it, but I'm going to start off with the program. What does a program look like? Now, again, very generic; you don't have to start off with as much detail, but this really goes back to what's the program, and these are typically security programs or IT programs, and then what's the objective. Going back to your organizational capability, going back to what it ties to to make your organization successful, think about your objectives, because again, that will help you set up what's the metric, what's a really valuable metric to ensure I'm meeting that objective and that it ties back to my organizational value. Now, you can also see that we do have training and awareness, so your people side; you've got your data security and management, asset inventory; you've got your technology; and then we typically have a process, a configuration or patch change control. You're going to look at those processes. So you're trying to capture a little, or one or two, of each, so that you make sure you measure all aspects of your program. Now, this isn't a full one, but again, making it so it can fit on the slide; you can build it out, you can build it less. Making it readable for you is much more important to me at the time.

So this is the approach, and I've actually used this approach; I've implemented it, and I've seen it work. One of the things that I would say when it comes to building any approach or any program is consistency: one, people understand what the expectation is; you know when things are happening; and you can reiterate and do continuous improvement when you follow an approach and it's standardized. So when you identify, you're going to look at your risks. We talked about the risk to the organization. Now, this is not going to be the risk that your patch management program isn't working; that's not this risk. This risk is, what does it mean if I have infiltration into my, or I have exploitation of a system, and somebody comes in and infiltrates my network, takes my PII, or gets into my bank accounts or my banks or my financial statements? That's the kind of risk we're really looking for: how am I going to impact my organization? From there you'll build the metrics through those business objectives. You're going to tie the two together; you're going to understand at a strategic level, or through your senior leaders, which they typically roll down, what are we really trying to do this year. I thought it was interesting, the earlier one: I've actually worked with Brian Saylor; I was on the security team for his organization at the time, and I did cyber programs. One of the things that I found interesting was this idea that security, I said to him after, security actually protects the value too. Because you can say, well, I couldn't get my app out or I couldn't get that specific service out. Yes, but if it went out, it's unsecure, and somebody comes in, and you basically have reputational risk, which then gets to your shareholders, or you have strategic risk where they shut down entire services. Those are things you have to think about from a security side, and it's not that we're trying to inhibit; we're really trying to think about how do you protect at the same time, and it is a balance that you have to find.

So anyway, looking at design, you're really going to then go into what are my key indicators. We talked about key indicators, and the big thing here is you're going to put those indicators against a business process, or again a capability, a tool, and the reason being is because you're going to watch that target. So you're going to set upper and lower spec limits, you're going to have a threshold, or you're going to have something like a trigger, and when those are hit, that says, oh, too risky: I have too many exceptions to this policy, I've got multiple issues, all my alarms are going off, my risk is too high, I need to adjust. That then allows you to go into those treatments. So when you think about the targets, that's really about where do you live and where do you want to live, or what's making you uncomfortable. I always find that when I worked with executives, they never wanted to do risk appetite. It was like the most painful exercise we would go through. Why? Because "I don't want to commit to that; what happens if we actually hit it, what happens if everything goes wrong?" Yeah, what if you tell somebody you never actually paid attention to it? That's even worse, because you've actually seen companies crash over that. So I think that's one of those things: you set the targets, and again, they're not set in stone; you can do ranges if it makes someone feel better. It's really just about giving you that comfort level, like, when are you gonna start not being able to sleep at night, when do you want me to escalate to you? That's your target.

And then data collection and automation. We did talk about automation also, and one of the things with data collection is get a single source of the truth. One of the things I found during GRC projects and implementations of big data: you have to have a single source of the

truth, and you have to define it ahead of time. Then you can automate it, pull it, and you're always talking the same. One of the examples I always give: I worked for a large energy company, 21 billion, we were trading at 100, we were doing awesome. We were doing data collection one day, and they said, okay, how much energy do we produce? Four people answered, and they were all different answers. We said, well, how could that be? How are you saying we produce different levels of energy? Like, don't we have certain assets, one number? Oh no, we produce energy at the... So if you defined it as total production at the source, that was one number. Well then it's, well, how much did we use, and how much do we actually have at the hub to sell? Because that's actually more important; revenue is always important. So that was another number. We just kept going through this exercise, and eventually we said, okay, we need to define, when we say it in the room, especially when we're doing board and credit agency reporting, what is the number and how are we defining it. Very good point to data collection, so that you know where to draw it from, and you know what to bound your data at, and you're not just capturing everything.

And from there, of course, my favorite is take action. You're either going to treat the risk, and again, you can avoid it, you can mitigate it, and then you're going to look at performance management, and that's where you have those actions: what does that plan look like, what are my controls, how am I going to respond to that? Whether it's going and buying another cybersecurity tool (I say that because we usually have anywhere from 20 to 40 at other organizations), or it's going and putting a process in place or a management tool. And again, I always like to give a practical exercise. One of my favorites is unauthorized access to PII, your risk example. I am a traditionalist: a risk is something that's against an asset; it's a threat, it's a vulnerability, it's an impact. Like, risk is not "the internet." Well, what about the internet, everybody uses it, is it really a risk? It's: the cyber threat exploits my vulnerability to gain access to my system, unauthorized access. My root causes, so going back to thinking about what's causing that or what those actions are, you're looking at: my patches weren't conducted. That's again a security, it's a control, because patching and that program is a control. But also my system vulnerabilities remain unaddressed. What I always try to bring to the table as the security oversight with this patching and vulnerability program is you don't only patch vulnerabilities. So what are the other treatments we could do? So you didn't patch it; what else could we do that can reduce it as well, that can mitigate? Those are things you need to think about. And then of course our KRIs: patch latency time frames, you're looking at high risk vulnerabilities over 30 days, your percent of vulnerabilities not addressed. Again, these are going to give you indications that something's not going right: you're not following your controls, you're not following your policy, and eventually you're going to have to look at what's going on in your organization and do you have to change your program.

So bringing it all full circle, you're going to look at what is my program or what is my initiative, what's my objective, what's my risk to that specific program or objective or the organization, and then look at the metrics in alignment with that. Now, I've added the maturity model, and this one is the NIST CSF. You can pick any of them; I've worked in ISO, I've worked in COBIT, CMMC, I've worked in NIST 800 and NIST CSF, so they all come together, and they're very similar. What you're going to want to do is look at that maturity model or that category, and the reason being is, one, you want to see that you spread it out. You don't want to only do Protect; you don't only want to live in one area. It goes back to people, process, technology, and ensuring that you spread out your program so that you're addressing all the areas at least once. That ensures that you have a holistic program.

So now I'll go into some cyber program dashboards. I'm a visual person, and so one of the things that I used to develop a lot of was these dashboards. I do like BI products today; they're much better. But what you can see is a control catalog, and again, going back to that security posture and the security dashboards, what I typically have seen and what comes up is, well, how are my controls doing based on what I expected for the outcome? How am I measuring them, what's the maturity of them, are they doing what I think they're doing? And again, being secure is good, but it doesn't mean you're addressing all your risks, which is why it's important to go back to risks and objectives and understanding how that ties back. Then of course you have the cyber program security posture. This has the people, process, and technology piece; it has some risk ratings; it has some patch programs. So it's really capturing all angles of that prospect of, well, I have a program, or I have an initiative going, I'm spending on this program, I have all the people lined up, I have all my policies in place, I know what my

requirements are now i just need to measure and make sure that i'm living where i feel comfortable and i always like to have the green yellow red because what i say is if you know the days of when socks first came out as in sarbanes-oxley you know that companies actually got hurt financially by trying to implement every control at a hundred percent of the time it's not possible you have to make decisions about where your security is sometimes going to have to linger a little bit where you can't spend but what are some other controls or what are some other processes you can put in place but this is where i always do the green

yellow red and we have orange on this one and those triggers are really there and the trending's there because you really want to monitor it because sometimes you can actually live in the orange and you don't trigger until it trends upward and then you're like okay now we can't take on any more risk but we could live in the orange for a little while and that actually helps with that action return on investment and also the decisions but going back to our risk dashboard now why i say this is this has all of my cyber program on and why this is a little different than if i had a cyber program or a security dashboard versus

risk is it's actually about the status of these so each of these programs is actually addressing an objective so if i see that i'm not meeting those greens for my program and the outcomes of those that's when i see risk escalating because i'm not going to meet the end of my implementation or i'm not going to put that specific technology in place which then doesn't allow me to meet my objectives and i may take on risks that i didn't know so that's why i see that as a little different than what i had before when i said it was and similar things were in a security dashboard um additionally you have that program risk dashboard risks is vulnerabilities plus

threats plus assets so if you know what your assets are so going back to inventory knowing what you have knowing what's happening to them and understanding the threats that are coming at you in that probability much better chance of catching or mitigating the right risk and ensuring that you protect the value of your organization going into policies and standards that's again their governance side but ensuring that you're following uh your direction policies should be based around not only the requirements from a legal perspective or a regulatory perspective but also from an organizational perspective and then you have training and awareness again the people you always want to focus on your people and config management i have in there

so some things to avoid using metrics that no one understands there's there's no point and just you could have the greatest metric in the world and you put it up there and everyone's like i don't know why we're measuring that i don't know what it means that's where you start to lose people and they lose that understanding and also buy in for those metrics cluttering up your dashboard and your report with low value graphics less is always more when it comes to reporting and dashboards especially if you want decisions and action um failing to match the the metrics to your goals so going back to what i said where you're measuring something but you never plan to do anything about it

you're just again taking up a lot of time and effort it's not uh valuable to anyone and then too much dependency on words a lot of people you got to have the words but you really do have to focus visually because you're trying to cater to audiences that one some people learn or capture by audio some are visual and some are i have to do it i have to understand what you're saying or i have to see it done and that's why i always like to have my examples up here so you can tell i've done a lot of training especially adult ed you have to hit all those aspects and so implementing the approach i

wanted to go through kind of my story i worked through or my experience i've worked at a local company here which since uh i actually did this program has uh changed over i will say and one of the things that i did when i came into the program so i worked for the cso and the cto and i supported the cio but the cso was really my driver so i worked for him and he said i'm trying to put the niscsf program in place and as i'm putting this program in place i'm thinking about all the things that i need to do we want to do all of these programs but i don't have any regulatory

drivers, and I don't really have as much buy-in as I would like, because they don't see the value of security in a non-regulated, very open, creative environment." So let's talk about those business objectives and what's of value to the organization that we could define our program around, our maturity, and then what were the key risks to that organization. So we started there. We took the objectives, we sat down with the CIO and CTO, we said, "What's important? What should we be bringing to you? Where do you want to make a difference? What kind of technologies are we thinking about?" And so we started to map some of those out and think about the

problem we were trying to solve. So we defined the problem, we looked at what the objectives were, and we identified the macro risks. We then went into implement: we started to implement some initiatives, and actually you saw multiple dashboards that we used, and that was actually our program dashboard. We started to look at where the focus was. So we identified that we had a lot of unsupported technologies, out-of-date versions, and we realized we weren't patching as much as we should be, and our vulnerabilities were really our greatest, or our weakest, link at the time. So we started to look at those initiatives where you saw patch management, configuration management,

and then we also identified that phishing was becoming very significant for us. We'd actually had two incidents that occurred where somebody had been phished through an email and it opened us up, and we'd actually had money transacted. So those were things: okay, we need to do training and awareness, we need to make sure that everyone understands that this is something that's going on, whether it's phishing, whaling, any kind of social engineering that was happening. So we went over all of that and we put that in place as well. But then we had to define those metrics and say what was going to be valuable to show success for our program.

We did use the NIST CSF. We did look at the maturity model. We had a third party come in, they assessed us, and then we continued to use that assessment: the context of those questions and outcomes, as well as what NIST CSF controls were trying to achieve. And then we would measure them periodically, usually quarterly. We'd go out, we'd assess it, we'd ask questions, we'd make sure some things were in line with where we expected them, and then ultimately we were able to create metrics. We made sure they were in line again with our maturity, or with our business objectives and those risks that we had identified. So then we decided to measure. Once we decided to measure and set up

our metrics, we said, what are the data sources? How can we automate this? How can we put this into place? And so then we were able to develop our dashboard. Now, we did do a color-coded dashboard at one point; that's the one you saw with the stoplight. That was our very high level: this is how our program's going, this is where our risk is, and things that we would actually propose for spending, or an add-on to the initiative, or something where we had to change our plan because it was not working. One of the things that we did do... interestingly enough, when we finished the first assessment we were

like a two out of five for the NIST CSF. It's not a good day. But we said, you know, we don't have any regulatory requirements; we're going to put some stuff in place; we're going to start paying more attention. We started to automate and we started to act. We started to change the behavior. We set up those governance groups, we had regular meetings, we talked about what was working and what wasn't working, we talked about what we needed support from the IT sections for, we talked about the business leaders, what they needed to be thinking about and how they were supporting these metrics as well. And we also talked about where they were getting reported.

You'd be surprised what the driver, or the change in behavior, is when you're like, "Yeah, this is getting reported to the executive committee and the board, and they're asking these questions, and this is what they want to know about." All of a sudden everybody perks up: "Oh, well, let me change my behavior a little bit, because I want to make sure I look good when you put that on paper." So those are things that change that behavior, because what gets measured gets done. I learned that back in the Six Sigma days. And then what we did was we continuously improved. We realized where we were not doing well, or

where something was working or wasn't working, and we changed. We changed the plan. We said, no, we're going to move, we're going to put more emphasis on patch management, we're going to really buckle down on it. We ended up in 18 months moving from a two, I think it was a 2.1 overall, up to a 2.9, and we actually saw an increase in our maturity as well as a secure posture. But we knew our risks better and we were managing them better. So key takeaways: measure what matters. Again, what gets measured gets done. If it's not actionable, don't measure it. Make it relevant at all the levels. I showed you how to kind of cascade it down, why

it's relevant to talk to each level of your organization, and ultimately at the bottom it helps them understand how they're helping the organization achieve its objectives and be part of the bigger team, especially if you're bonusing; that's always a biggie. Tie it to initial objectives, going back to what's the value add for the organization and the business, and how is their revenue being generated, and how are you protecting it, how are you thinking about it, and then how are you measuring your success to align to that. And then make it a journey and not a destination. Cyber programs should always be moving; they should always be flexing. We know our threats change. I think, as you think about SolarWinds, Log4j,

all of those things were surprises in a sense. We have to be able to change, and your program will give you that idea of, one, what you're measuring, but how you can make those changes more easily, how you're documenting them, and actually see how they all tie together to make your organization more successful. So I'm going to take questions, comments.

Yes, on page nine... gonna make me

is

So if you think about... oh, it does, thank you. Based on my program, where would antivirus fit? Would it fit under patch management? And I would say this goes back to what are you ultimately trying to measure. The question... that was the question. I'm sorry, sorry. That's okay. I would say that this goes back to how you define it. Now, from an antivirus perspective, I wouldn't necessarily say that fits under patch management. Patch management was more about, when you have those open vulnerabilities, are you moving them through faster? Do you have unsupported systems? But antivirus would be a secondary control that could take the place, or

help out if you're not doing something, just like protecting or taking a system offline, or an application that again wasn't being secured. So you have to define what falls into those areas, and it's not prescriptive in that sense. As you think about the NIST controls, though, yes, they will actually tell you where all that lives. They'll tell you it lives in Protect, or it lives in the NIST 800-53 series; it lives in this specific program. So I think from that perspective it goes back to your framework, and it would tie back to the control structure you want to use. But at the same time this is an opportunity that you define that and you

scope it for the organization. Yes? Do you suggest or have any advice regarding tooling that maps controls to... so we need, my organization here, HITRUST, and so if you're potentially going to be located...

Yes, I've actually done HITRUST, and it was on RSAM. But what I can say is yes, your GRC tools, that's the intent; they're intended to set it up. So it really goes back to... many of the tools are the same now, with just a little twist, because they are doing a standard approach. They actually started back in like 2005, 2006 really becoming popular; the first one I did was 2007. What you're really doing there is mapping those controls to your policies and your standards requirements and then ultimately looking at your risks. So the tools themselves are actually set up that way. It's actually a category or an alignment, tiering it up. So you'd have

your "what's my regulatory requirements," and then you would look at what my standards and framework is, and then you put your controls, so you can actually see how they then tie back to your assets, third parties, business process, and then you would tie risk to them. So it actually is a full circle, and that's their relational databases, so they actually do map for you. Yes, highly recommend it. What we found, actually, as a client: like I said, in 2007 I did my first GRC implementation, and we were able to reduce our controls by 40 overnight because we realized we were duplicating. Multiple organizations, our business units, were doing the same control just a

little different, but we were ultimately meeting the same objective. So we just started doing control objectives, and then we would basically control once, satisfy many. And so you will find that it's very efficient if you are able to map it. [Music]

So I'm going to reiterate the question, because I did forget yours: the drivers of the metrics. So what are some... again, I would look at it from a driver's perspective, going back to your root causes. And sorry, I'll just go back to... I have to make sure I know where I am. Nope, it was down. So you're going to look at what your root causes were, you're going to look at what your targets are, or your business capabilities that you want to build, you're going to look at your objectives. You always want to make sure that you're thinking about what your objective is. But one of the big ones is, for instance, your risk. So

you want to look at your macro drivers as well as your micro. But when I talk macro, if I'm in a transportation company or transportation business where my product is either on the ground or I've got to move it, and you're thinking about what's going on even overseas, in Ukraine or the Middle East, and our policies and how those cascade and impact certain things in the United States, those are going to be risks that you want to think about. So then you want to think about what my objectives are: if I'm trying to earn more money and bring down the cost of my products, well then the root cause is going to be I need to

think through some of those policy implications that are going to come to me, and then how do I put specific... and that's more of a, I know it's more of a transfer, from a cyber perspective. I can go back to that one. Or from a cyber program, IT side, you're going to look at, again, Russia is trying to infiltrate a lot of companies. So if you know you're on one of their high-value target lists, one of the things you're going to want to do is look out for that. So you're going to probably up your scanning, you're going to maybe purchase another tool, or have a service put in place, a

managed service that helps you look for that. Again, dealing with the federal agencies, that's one of the things that we have to think about when we propose our cyber programs to them: how do they think through additional nation states coming after them, or what might be happening because certain people have taken on an aggressive stance. Robin? Christina, I would love to hear just a few of your tips and tricks about how do you explain,

how do you translate for them what should I worry about, this posture, the definition of risk posture and appropriateness, right, if that balance, right, between... [Music]

So I would say that some of the best conversations... so, how I've worked for multiple C-suites, in fact I worked with Robin and we both worked for the CSO and CTO. And how do I put that conversation in real context for the higher levels and make it more of a strategic conversation that they can understand? And I would say one of the things I do is I typically tend to roll things up. So going back to these controls: I'm not going to tell them about every control that's out there. I'm going to talk about control objectives. Are we trying to achieve a certain level of scanning, or do we have certain levels of

expectation around our policies? So I'm going to roll things up more to an overview so that they can quickly understand: okay, what do you need to go drill down on, what do I need to change my plan about. Additionally, I think utilizing taxonomies, or again grouping things together. So I typically talk to my C-suites about strategic risks; I talk about regulatory compliance risks, operational risks, and I don't get down into the little ones. I actually talk about, well, my operational is my people, process, technology, and business process, or business transactions, so that they understand: okay, that's what I'm saying when I say my operational risk is up or it's increasing. Okay, what does that mean to

me and what do we need to do differently? So rolling a lot of the information up for them and aggregating it at a higher level, and then putting it in buckets and making it real to them, is much easier to have the conversation, and they understand, because then you can drill down after. But if you start too low then it just becomes too much of a "Well, why is that more valuable than that? Why is one asset more valuable than another?" It has to be talked about the same. And the other thing I found was really tricky is taking IT and putting it in line with your other assets. So if you have a business like, again, I

worked for an energy company. Our assets and our fuels were the biggest thing for us; they were our revenue generators. But yet our IT assets were running a lot of those and were really responsible for the backbone of those assets. So I said IT has to be an asset now, and how do we have that conversation? And those kinds of conversations are changing. You just have to understand how to group it together and then think about it as they're relevant and what the risks are to both of them. Because one of the things you'll find is the revenue generators are going to be what people focus on, but when the revenue generators now are so heavily

dependent on IT and infrastructure, that's one of the things you have to start changing that conversation and making it real to them. So I have a few more minutes if anyone has a last question, comment. So I will say, how many people feel they could put a cyber program or an IS program together at this point, at least with one or two things? Great. [Laughter] So again, thank you. And I did not put my contact information, but I'll be around. You can find me on LinkedIn. I'm local to Knoxville, and so I hope that this is helpful, and like I said, I'm always willing to share whatever I have, and I have a lot of other metrics and a

lot of other information as well. So thank you. [Applause]