For many years the cybersecurity community has wrestled with effective methods for how to govern a cybersecurity program in light of an ever changing threat landscape. Most risk management methodologies have been primarily academic and as a result inaccessible to the average CISO, engineer, or auditor. The result often feels as if defensive control selection is more like throwing darts at a board than the result of thoughtful modeling. Add to the problem that organizations who have had success tend to keep their secret methods close or vendors want to charge for their secret sauce, it leaves the average security practitioners feeling confused and frustrated.
In this presentation, James Tarala, of SANS Institute and Enclave Security, will teach participants a practical methodology for governing and managing risk using a free and community driven risk model called the collective Risk Model (CRM). After years of frustration, a large group of community volunteers banded together to create a new model for managing risk that would be accessible to cyber security professionals at all levels. This included a common library of defensive cyber security controls mapped against guidance from the center for Internet Safety, NIST, ISO, PCI, and many other standard bodies. In addition, this library of defenses has been prioritized and tagged to make it easier for cyber security professionals to immediately use these free resources.
The cyber security community should be working together to make the world's data more secure and trustworthy. In this presentation, attendees will see results of the community banding together to create a common set of tools that anyone can use to better defend their organization. The processes laid out here help define how any control library, including the CIS Controls v8, is selected, and is foundational to understanding control selection in general. Attendees will walk away with a better understanding of a model that can be used and specific tools that can put into practice immediately after the presentation to help their organization defend their information systems, prioritize their cyber security activities and resources, and better present risk to leadership and key business stakeholders.