FAIR Institute Sydney Chapter Online Meeting - August 26 2021 12:00 PM Sydney time
Determining Crown Jewels from Risk Appetite
This is a joint meeting between the FAIR Institute Sydney Chapter, AISA Sydney Branch and RIMA Sydney Chapter
Crown jewels are the most valuable or operationally vital systems or information in the organisation. The NSW Government Cyber Security Policy mandates agencies to report their “crown jewels” annually to their cluster CISO or to Cyber Security NSW. The organisation’s risk appetite is a robust framework for identifying crown jewels. An expert panel will discuss a hierarchy of risk appetite thresholds, supported by a transparent risk quantification methodology, to identify crown jewels.
Presentation: Informing Cyber Security Management from Risk Appetite Statement
Presenter: Denny Wan Founder and co-chair of the FAIR Institute Sydney Chapter
This presentation explains how to maximise the consumption of “good risk” to optimise the delivery of the enterprise mission, rather than merely reducing risk. This paradigm shift is the result of the pivot from compliance-based to risk-based cyber security management. The approach demands a better understanding of how the risk appetite statement is applied to inform decision making. The recently released NISTIR 8286 is a blueprint for this approach: it integrates cybersecurity and enterprise risk management by applying the risk appetite statement. An important step is to calculate the decision thresholds informed by the risk appetite statement by applying the FAIR framework to quantify cybersecurity risk in dollars.
David Tattam’s research into integrating risk appetite into the Enterprise Risk Management (ERM) framework developed a three-level risk threshold model (appetite, tolerance, capacity). Risk appetite is a critical component of a robust risk management framework, giving decision-makers “freedom within boundaries” to operate, make decisions, take risks and, most importantly, fail. Risk appetite should be an enabler, providing the organisation with a “pool” of risk to be used to create value. It helps identify where excessive risk is being taken and, equally, where not enough risk is being taken. Kerry will draw on the panellists’ experience in applying the risk appetite statement to ERM.
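As an added illustration of the two abstracts above (not part of the event programme, nor tooling from any panellist or the FAIR Institute), the following Python sketch quantifies each asset's annual loss in dollars from FAIR-style loss event frequency and loss magnitude ranges, then compares the worst-credible result to the appetite, tolerance and capacity thresholds. The asset names, dollar figures, and the rule that an asset breaching the tolerance threshold is a crown-jewel candidate are assumptions constructed for the example.

```python
"""Classify assets against a three-tier risk appetite hierarchy using a
simplified FAIR-style dollar quantification (illustrative example only)."""
import random
from dataclasses import dataclass
from typing import List, Tuple

Range = Tuple[float, float, float]  # (minimum, most likely, maximum)


@dataclass(frozen=True)
class Thresholds:
    appetite: float   # annual loss the board is willing to consume as "good risk"
    tolerance: float  # deviation beyond appetite before escalation is required
    capacity: float   # maximum annual loss the organisation can absorb


@dataclass(frozen=True)
class Asset:
    name: str
    lef: Range  # loss event frequency: loss events per year
    lm: Range   # loss magnitude: dollars per loss event


def simulate_annual_loss(asset: Asset, trials: int = 20000, seed: int = 1):
    """Monte Carlo of annual loss = LEF x LM with triangular input ranges.
    Assumption: LEF is sampled as a continuous yearly rate rather than a
    Poisson event count. Returns (mean, 95th percentile) in dollars."""
    rng = random.Random(seed)  # fixed seed keeps the result reproducible
    losses = []
    for _ in range(trials):
        lef = rng.triangular(asset.lef[0], asset.lef[2], asset.lef[1])
        lm = rng.triangular(asset.lm[0], asset.lm[2], asset.lm[1])
        losses.append(lef * lm)
    losses.sort()
    return sum(losses) / trials, losses[int(0.95 * (trials - 1))]


def classify(asset: Asset, t: Thresholds) -> str:
    """Place the worst-credible (95th percentile) annual loss in the hierarchy."""
    _, p95 = simulate_annual_loss(asset)
    if p95 <= t.appetite:
        return "within appetite"
    if p95 <= t.tolerance:
        return "within tolerance"
    if p95 <= t.capacity:
        return "crown jewel: exceeds tolerance"
    return "crown jewel: exceeds capacity"


def crown_jewels(assets: List[Asset], t: Thresholds) -> List[str]:
    """Assumed rule: any asset whose loss breaches tolerance is a crown jewel."""
    return [a.name for a in assets if classify(a, t).startswith("crown jewel")]
```

The thresholds are the decision boundaries the abstract derives from the risk appetite statement; the classification shows which assets exhaust the "pool" of good risk and therefore warrant crown-jewel reporting.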
Kerry McGoldrick - Partner, ShineWing Australia (Moderator)
Branko Ninkovic - Founder & Executive Director, Dragonfly Technologies Pty Ltd
David Tattam - Chief of Research, Knowledge and Consulting, The Protecht Group
Denny Wan - Founder and co-chair of the FAIR Institute Sydney Chapter
Michael Collins - General Manager Information Security, HESTA
Murray Goldschmidt - Executive Director – Cyber Capability, Education & Training, CyberCX
Roderick Brown - Manager, Policy Development and Coordination, Digital.NSW, Department of Customer Service
Panellist bios (in alphabetical order)
Branko Ninkovic is the founder of Dragonfly Technologies, a thriving cyber security practice servicing Australia's most security-conscious ASX-listed organisations. Dragonfly helps clients in areas such as health care, federal law enforcement, retailing, banking, finance and taxation. Branko has over 20 years' experience specialising in cyber security. Over this time, Dragonfly has worked with many well-known and trusted brands to build their cyber defences to protect against, detect and respond to data breaches.
Denny Wan is a thought leader in applying cyber risk quantification and the NIST-endorsed Open Group FAIR framework. He is a strong communicator and community builder who founded the FAIR Institute Sydney Chapter, which has a rapidly growing membership. His recent article "Targeting cyber security investment – the FAIR approach" is a practical guide to prioritising cyber security investments. His latest article "Building an APRA CPS 234 compliance template" explains how to quantify risk appetite and risk tolerance to identify the boundaries for GOOD risks, to improve competitiveness and profitability.
David Tattam thrives in spreading the word that risk management is an opportunity. Risk is “good” and has the potential to transform the way organisations do business. David is a highly experienced risk management practitioner with a primary focus on Enterprise Risk Management and Operational Risk Management. He is the founder and current Director of Research and Training at The Protecht Group, a global company headquartered in Sydney, Australia, focused on delivering risk management software, training, advisory and consulting to a wide client base including financial services, retail, transport, entertainment and government.
Kerry McGoldrick has deep industry and advisory experience across the commercial and public sectors. He works closely with clients to transform their approach by aligning practices and performance with the organisation’s strategy and desired culture to deliver tangible outcomes. He is a skilled facilitator who understands the art and science of risk management. He brings hands-on experience in assisting senior executive teams and boards to achieve their objectives.
Michael Collins is a strong leader who drives positive cultural change and delivers effective digital transformation initiatives that benefit teams through increased engagement and productivity. He delivers new technology solutions and platforms by explaining the benefits they bring to business objectives. He is highly analytical, combining strong critical thinking and problem-solving abilities with his commercial skills to analyse current ways of working and determine opportunities for operational efficiencies.
Murray Goldschmidt is a cyber security expert who has worked in the field of information security and risk management for over 20 years. He is a passionate contributor to the development of the information security industry. He is the co-founder and Chief Operating Officer at Sense of Security, and an Executive Director of CyberCX. He is frequently invited to present on security topics at conferences, workgroups and seminars.
Roderick Brown is an experienced strategic and regulatory policy advisor with a demonstrated history of working in challenging Federal and State government roles. His strengths are critical analysis, government, communication, relationship building and international relations. He is a strong community and social services professional with a Masters in Strategy and Policy from the University of New South Wales / ADFA.