
Learn to have Fun in Mitigating Risks


Risks. There are billions of risks around the world, and it can be exhausting to identify each and every one of them and implement the right security measures/controls.

We are yet to even discover all of them, and now AI Risks are being added on top.

AI Risks are a whole new category to even think and talk about. Not now.

A frequently used term is GRC, short for Governance, Risk and Compliance: having a governance culture that manages risks down to an acceptable level and ensures adherence to compliance requirements.

Another intriguing and funny part is that there are various Risk Frameworks out there, and there's a demand and expectation for us to remember all of them and to comprehend them down to the smallest detail in order to implement them in the organization.

Plus, not forgetting, to pass the relevant certifications as well.

Yet, there's a risk here. What is it? When you force yourself to study and memorize just to obtain something, you will eventually forget the entire material you studied so fervently. Or concepts will overlap, and the inability to clearly distinguish between them will result in the creation of new risks when they are not correctly implemented.

If you read the Risk Frameworks, each one is a reference to another, a guideline based on the other, an overlapping of rules/processes/practices, and it comes across as such a replication that a mind can indeed become exhausted and frustrated with it.

If everything is almost 90% similar, then how do we create a resilient, robust, tailored Risk Framework to mitigate risks within the organization?

Admitting the truth, I am one of them. Even before I begin, I am already tired of all of these Risk Frameworks. Because right now, at this very minute, is anyone out there truly understanding the nuances of them and able to implement them correctly with a clear distinction between them?


  How do we create a resilient, robust, tailored Risk Framework?



In GRC, Risk is the favorite topic in any organization because of:

  1. the money involved, which would lead to a major financial impact, followed by

  2. the organization's reputation.

Risks mainly revolve around these two, but the word Risk itself is not truly understood.

To let you know, I enjoy identifying risks at every nook and corner and marvel at the several kinds of attacks that could happen. I myself have thought of ways I could create attacks to bring down a system/service/application/network/organization.

So what is Risk actually, one might ask?



First question you must ask yourself when doing a Risk Assessment:

Why do you need to base a risk on monetary value and reputation?

  1. What's the main reasoning behind it?

  2. What's the desired action in identifying those risks based on monetary value and reputation?

    1. Not to implement such services/products/applications?

    2. To set aside an additional amount of money in case anything goes wrong?

    3. To figure out how to inform the press/directors if it damages the organization's reputation?

A risk must not be based on either of them as the primary reason to perform a Risk Assessment.

Second question, ask yourself: why are you even looking for Risks?

  1. What exactly do you want to protect?

    1. Assets (Computers/Servers/Network/Applications/Cloud Services)

    2. Employees

    3. Building Infrastructure

  2. Why do they need to be protected?

  3. Who is going to be assigned the responsibility to protect them?

  4. How do you want them to be protected?

Third question, ask yourself:

Now that you have identified all the risks, what will truly happen if you don't look into them? Besides monetary value and reputation.

  1. Business Impact?

    1. Level of impact (High/Med/Low)

    2. Duration of the impact?

    3. Time to recover?

  2. Unhappy Customers?

    1. Are they truly genuine customers?

      1. What is the intended response to appease them?

      2. How are you going to ensure they are thoroughly & properly looked after?

      3. How are you going to gain their trust once more?

    2. Or those influencers/journalists/paparazzi/gossipers who want to blow it up bigger than a mountain, to even be bothered about?

      1. How are we going to provide the required & relevant information that is appropriate for news media/social media, keeping in mind that honesty, openness, transparency and integrity must be upheld at all times towards our customers and the world?

      2. How are we going to hold them accountable for what they publish and ensure they do not provoke/instigate consumers unnecessarily in the form of demagoguery?

      3. What actions are we going to take against them if they publish something different from the actual issue and create mayhem for no reason?

      4. How do we work with the Legal Team to ensure such a publication will NOT happen? --> This is also a risk if one does not look into it. It can cause financial loss to the company for no reason, at the expense of their egocentric mindset.

  3. Data Leak/Data Breach?

    1. What type of data, and what volume of data, could be leaked to cause a catastrophic disaster?

      1. PII/Medical/Financial Data

      2. Delivery Details (New Risks --> Can lead to home/shop burglaries)

      3. The sensitivity & criticality of the data

  4. What long-lasting damage does it cause to the customers?

    1. Customers lose their peace of mind

    2. Customers lose trust not only in the company but in several companies (this already shows the reputation of ALL companies is at a low)

    3. Customers will become more wary, stay away from many services/offerings and begin to stick with 'recommended' reliable companies (this already shows the monetary value of ALL companies is down low as well)

    4. Customers will no longer be drawn to attractive marketing/advertisements (this can be witnessed in their desperate attempts and their frequent publications)

    5. The targeted customer base will become much smaller due to lack of trust in companies establishing the right security measures in a timely manner

    6. Customers will become more conscious of how they spend their money in terms of subscriptions/signing up for new services and will require strong assurance that security is prioritized



Fourth question, ask yourself: when you can mitigate ALL of the identified risks, what are the REAL benefits the company will yield? Again, put monetary value and reputation aside.

  1. An organizational culture where everyone functions from a Security-First mindset, from the beginning through to the completion of every task.

  2. Clear policies are implemented in the organization on how to stay ahead of risks and how to navigate through them in a timely and proactive manner.

  3. Clear practices & processes are established for anyone who needs to know what needs to be done at all times, and they are clearly communicated.

  4. A well-structured organization with several teams working in cross-functional collaboration to ensure risks are identified and proactively mitigated throughout the entire lifecycle of a project.

  5. The confidence and ability to pass internal and external audits, achieving the highest excellence at all times.

  6. The ability of everyone in the organization to function seamlessly, confidently and transparently at all times, including in front of the Board of Directors.

  7. The capability to expand, scale and open up further for new inventions, innovations and possibilities, locally and globally.

  8. The attraction of talented, skilled workers who can and will further contribute to enhancing the productivity and international growth of the organization, lifting up every other team member.

  9. The desire and focus of each employee to further strengthen their skillset will drive them forward to solidify their knowledge, skillset and experience internally within the organization, leading to longer retention of employees as well as a profitable increase in their salary without any doubt/hesitation/skepticism.

  10. The increase in customer satisfaction, reliance and trust in the company's products/services/offerings will gradually bring a steadfast increase in customer loyalty to the company.

  11. The pool of customers will grow exponentially when there are minimal to zero complaints, locally and globally.

  12. A strong, robust, resilient, ready, adaptable, well-thought-out and well-structured security posture is implemented as one of the core backbones of the organization.

  13. Followed by, lastly, the profit the company earns in terms of monetary value, as well as its reputation, will continuously keep building momentum and growth.


I hope that you now have a better understanding of why identifying risks is crucial to an organization and not just revolving around two concepts: Money & Reputation.

It's much more than that, and it does indeed require dedication, commitment and effort to list them all down. However,

  1. With the help of new emerging security technologies to assist in identifying risks, and

  2. A proactive mindset in every individual will lead to a comprehensive understanding and awareness of risks in their daily tasks and within the organization.

Now, with the Risk Frameworks provided by the international organizations (ISO 27001, NIST CSF, NIST RMF, FAIR), you can begin to tailor them to your organization based on the identified risks and begin implementing the security measures/controls accordingly.


Implementing Security Measures/Controls



Now here is the tricky part, well, to me the fun part, to be honest. It's actually configuring the security measures/controls to work exactly as intended, fulfil their tasks and completely, 100%, mitigate the risk, leaving no residual risk.

I KNOWWWWWWWWWWW, this can't be the fun part. hahahaha. This is the part where one gets burnt out and exhausted.

I enjoy identifying risks and I am a Security Engineer. As an Engineer, I must tighten ALL screws and leave no room for gaps/holes/loose screws, and give the green signal that it's all ready to go to commence the work, and it will & must last for decades with no worries.

As such, are you such an Engineer in the first place? Hence, that's why it's the fun part for me, although unfortunately it does involve coding/programming/scripting. ):

Not to worry, I am that Security Engineer who doesn't have that knowledge and skillset no matter how much I try. You are not alone. (:

But I know exactly what needs to be written to really tighten ALL the screws, and that's where I will need to depend on a Coder/Programmer/Scripter to write it out for me and implement it. Hmmmpppphh, it's annoyinggg, I knowwwwwww.

Funny enough, the implementation process:

  1. is where all the problems arise and even more risks will crop up

  2. and the scope of work will begin to creep outside the lines and it will turn into a never-ending task

  3. or it will be 90% implemented, with the remaining 10% to continuously revisit to ensure it's fully mitigated.

  4. Plus, this is the part where we will need the help of a Coder/Programmer/Scripter and, depending on our luck, we may have genius minds right beside us.

  5. or, well, no choice, we learn to work with what we have and keep finding ways to mitigate the risks fully.

  6. It's not their fault; it's not an easy task for them either. So don't ever take it out on them. Let's try to work together to get it done. (:

Lastly, you must remember that implementing any security measures/controls must ensure NO RISKS are found during operation, and any that are found MUST be mitigated fully. I knowwwww, even till now there are risks identified while in operation that are still being worked on to resolve.

The irony of implementing Security Measures/Controls to combat Risks. And the world keeps going on as usual. hahahahaha. (:

Have fun mitigating all the Identified Risks



A risk is a risk.

Turn the world upside down, a risk is a risk.



I truly understand your feelings, your frustration, your pain, your hurt, your burnout, your exhaustion. I have been in the same boat and I will be in the same boat again once I am hired. See you soon! (:

However, we need to know that Senior Management are no longer able to think any further ahead than Monetary Value & Reputation. Due to that, when millions of companies perform their Risk Assessments, they still revolve around those two concepts almost 95% of the time.

This will lead to constant roadblocks, irritation, inadequacy, exasperation, resignation and oversights, with more risks cropping up and constant exposure to attacks no matter how much you try.

If there is ever a chance to do things differently in your organization when it comes to Risk Assessments to identify risks, I hope the above will provide a better foundation, better fundamentals, better structure and better perspective, and give true meaning, purpose and productivity to the work you carry out and to implementing all the required security measures.

Risks will be there, and at the same time they can be resolved and mitigated fully. Risks are not something to be afraid of, or to be overwhelmed by.

Look at it from a different perspective:

  1. from a view of having fun with it (isn't that what hackers are doing?),

  2. from a view of respecting it,

  3. loving it and

  4. working together with it

  5. to let it know you will do everything you can to close it fully

  6. so that it will be loved by billions in the world

  7. and you, together with your team and the Coder/Programmer/Scripter, are the ones who have to work with it and come up with ways and solutions together to solve it

  8. and have a peaceful sleep.

Don't look at it from the point of view that Senior Management takes, which is causing hatred and frustration to permeate through the entire world, and they are beginning to question every skilled, trustworthy security professional in the world. ):

We can create a change and work together to resolve ALL of the risks and create a secure, safe world for everyone. We can, we will and we have it in us!

Don't give up! (:


References

Risk Mitigation in Cyber Security: Strategies, Examples, and Best Practices: https://trevonix.com/blogs/risk-mitigation-in-cyber-security/

ISO 27001 vs. NIST 800-53: Key Differences and Similarities: https://www.securitycompass.com/blog/iso-27001-vs-nist-800-53/

ISO 27001 vs. NIST Cybersecurity Framework: https://www.onetrust.com/blog/iso-27001-vs-nist-cybersecurity-framework/

The NIST Cybersecurity Framework (CSF) 2.0: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf

A Tale of Two Frameworks: The NIST CSF and NIST RMF Are Not the Same: https://www.telos.com/blog/2024/08/01/a-tale-of-two-frameworks-the-nist-csf-and-nist-rmf-are-not-the-same/

NIST CSF vs RMF: A Side-by-Side Comparison: https://www.ispartnersllc.com/blog/nist-csf-vs-rmf/

A Pocket Guide to Factor Analysis of Information Risk (FAIR): https://www.cybersaint.io/blog/a-pocket-guide-to-factor-analysis-of-information-risk-fair



2025 December UnderneathTheBlueSky - Brighter Days Ahead
