DeepINTEL 2018 Talk: Risk Management in Complex Scenarios – Oscar Serrano
ICT risk management is a well-established practice and as such is supported by international security standards and guidelines. But, despite advances in the legal and policy areas and the maturation of standardized frameworks for efficient risk management, it has still not become a controlled, systematic process in the cyber security domain of most organizations. One of the problems preventing organizations from taking an enterprise approach to cyber security risk management is that these efforts have not been supported by commensurate investment to produce robust, technical implementations of suitable risk management methodologies and supporting systems. Although some tools do exist, such as PILAR, CRAMM, Ebios, Mehari, or Octave, they all implement different risk management methodologies and all of them are built to satisfy the needs of specific users. None of them is a truly enterprise system able to model how a complete organization works or to improve enterprise awareness. Moreover, the existing methodologies are easily applicable to simple systems, but they fail to provide support for complex scenarios.
In his talk Oscar Serrano will explain why ICT risk management is important for all organizations and provide guidance that can be used to manage risks in highly complex interconnected environments, guidance that could be applicable to major international organizations.
We asked Oscar Serrano a few more questions about his talk.
Please tell us the top 5 facts about your talk.
The main takeaways from this talk are:
- Security Risk management is an important process which is often ignored.
- Current automatic tools are not prepared to cope with complex scenarios.
- A security accreditation process is required to ensure that risk can be managed in complex scenarios.
- The principle of self-defending nodes is a very important security safeguard to ensure the security of complex systems.
- The separation between physical and electronic security facilitates risk management.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
My work is to ensure the security of very complex systems. During my day-to-day work I have encountered situations in which we have difficulty demonstrating the security of very complex information systems to the Operational Authorities. The suggestions that I will propose during my talk are based on the day-to-day best practices that I have found useful for demonstrating to senior stakeholders that the risks of the systems under their control are properly managed.
Why do you think this is an important topic?
There is in general a lack of understanding in senior management about what security risk assessment is and of its importance. Most organizations are not able to maintain functioning Security Risk Management practices. My talk will give some hints about how risk management can be simplified in some cases.
Is there something you want everybody to know – some good advice for our readers maybe?
Despite advances in the legal and policy areas and the maturation of standardized frameworks for efficient risk management, it has still not become a controlled, systematic process in the cyber security domain of most organizations. I hope that my talk helps to raise awareness and that in the future Security Risk Management can be a more controlled process.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
I miss enterprise-ready capabilities for Risk Management; there is a need to produce robust, technical implementations of suitable risk management methodologies and supporting systems. Although some tools do exist, such as PILAR, CRAMM, Ebios, Mehari or Octave, they all implement different risk management methodologies and all of them are built to satisfy the needs of specific users. In addition, there is a need to move from Quantitative and Qualitative Security Risk Analysis to model-based systems that can compute the risks based on well-defined security models, which take known evidence into consideration and evolve as new events are recorded. The final goal is to compute security risks with the same accuracy as is currently done, for example, in the finance or insurance sectors, but at the moment we are far away from this goal.
Oscar Serrano holds PhD, master's and bachelor's degrees in Computer Engineering. He has worked for more than 15 years as a consultant and researcher for large international companies, including Telefonica, Vodafone, the Austrian Institute of Technology, Siemens, and Eurojust. In August 2012, he joined the North Atlantic Treaty Organization (NATO) as senior scientist in the field of Cyber Security, where he supports NATO efforts to improve the cyber security capabilities of the alliance. As one of the main experts in CIS Security Risk Management in the organization, he leads the security accreditation processes of large distributed mission-critical systems. His research interests include cyber security information sharing, detection of advanced threats, risk analysis and management, policy and governance development, and cyber law.