Contingency Planning, Cyber Resilience and Incident Response
Caffeinated Risk
by McCreight & Leece
1M ago
Regulatory frameworks from PCI DSS to NERC CIP to the newly minted NIST CSF 2.0 each require organizations of all sizes to have cyber incident response plans. Most of us who have spent any time in cubicle-filled office towers are familiar with fire drills that clear the building and gather staff at muster points, and that is as close as most of us get to the real thing. Unfortunately, that lucky streak will not hold. Unlike a fire drill, recent research estimates that 85% of businesses will experience a cyber incident annually, and many will find shortcomings in their in…
The Business Context of Cyber Resilience with Steven J Ross
Caffeinated Risk
by McCreight & Leece
2M ago
Those running a business today who have not yet experienced disruption due to cyber issues or attacks know it is only a matter of time. Even if their organization is not directly targeted, the modern marketplace of multiple, interconnected supply chains means impact is unavoidable. This episode's guest, Steven J Ross, contends that planning, design and clear priorities can provide mitigating resilience. Steven J Ross, executive principal of Risk Masters International, is a recognized cyber security expert specializing in cyber resilience, recovery and business continuity…
Building a Cyber Risk Management Program with Brian Allen
Caffeinated Risk
by McCreight & Leece
3M ago
The U.S. Securities and Exchange Commission defined new rules for cyber risk matters facing publicly traded corporations in July of 2023. Although the SEC's mandate is limited to publicly traded companies in the United States, where one regulator goes others are apt to follow. Brian Allen is the co-author of a brand new book putting form, structure and traceability around the SEC-mandated requirement for a Cyber Risk Management Program. Mr. Allen was one of the original creators and advocates of the ESRM framework first published in 2013, and has been practicing security risk manag…
CyberPHA - OT Risk management With John Cusimano
Caffeinated Risk
by McCreight & Leece
4M ago
The ISA99 standards committee is one of the most recognized authorities on cyber-physical security, covering many aspects of a cyber security management system for industrial control systems, including risk management. This episode features John Cusimano, former chairman of the ISA subcommittee responsible for authoring the risk management portion of the standard, ISA/IEC 62443-3-2:2020. Mr. Cusimano takes us back to the origins of the OT-specific risk assessment process, originally dubbed CyberPHA. We also explore how the methodology can be managed and perceived at different levels of…
Science, Crime and Workforce Development with Dr. Martin Gill
Caffeinated Risk
by McCreight & Leece
4M ago
Security and crime are often in close proximity but not always studied together. This month's episode features Martin Gill, a criminologist who made the study of crime and security his life's work. After a decade as a lecturing professor at the University of Leicester, Dr. Gill started Perpetuity Research in 2002 and continues to provide very high quality research, both qualitative and quantitative, on what works, and more importantly what does not, in many different areas of the security field. In addition to leading the annual Security Research Ini…
ESRM a Decade In and The Emergent Threat Landscape
Caffeinated Risk
by McCreight & Leece
4M ago
Following the GSX conference, which included an in-depth review of ESRM and an interview with former U.S. president George W Bush, this episode considers how enterprise security risk management has stood the test of time as well as how risk analysis will need to evolve. Financial receptors can be found in almost every organizational risk matrix, but how do those decisions change with modern ransomware attacks? How does a threat intelligence program contribute to organizational defense and resilience…
Business Enablement using Converged Risk Management with Michael Lashlee
Caffeinated Risk
by McCreight & Leece
4M ago
The convergence buzzword has come and gone, and some organizations have struggled to reap the benefits of physical and cyber security departments working in tandem toward common goals. Michael Lashlee, deputy Chief Security Officer at Mastercard, shares security insights from the U.S. Marines, the Secret Service and the financial services tech giant Mastercard, illustrating how principles from very different missions overlap surprisingly often. Mr. Lashlee also discusses how technology supports the physical, intelligence and fraud specialists working to keep Mastercard customers client…
Interpreting Risk within a Regulatory Context with Terry Freestone
Caffeinated Risk
by McCreight & Leece
4M ago
Calgary was an ICS cyber hub before most knew such measures were necessary. Terry Freestone was one of the ICT specialists from those early days who now applies his decades of hard-won knowledge in the offices of the Canadian Energy Regulator. Speaking as a private citizen and cyber security expert rather than a government representative, Terry and the Caffeinated Risk team explore risk management from the energy producer's perspective and his four-point strategy for risk mitigation prioritization that works for any size of staff or budget.
2023 Summer Show
Caffeinated Risk
by McCreight & Leece
4M ago
Keeping up the accidental annual tradition, Tim and Doug take a retrospective look at risk management as a mid-year pulse. The 10th annual Cyberthreat Defense Report forms the underlying theme, with the hosts digging under the statistics to analyze how these might pertain to ESRM. Communication also popped up as a topic, and Tim shares some lessons learned from the field as well as a professional development resource…
ESRM and Data Science with Rachelle Loyear
Caffeinated Risk
by McCreight & Leece
4M ago
One of the original authors of the ESRM framework, now in its tenth year, and Caffeinated Risk's first guest returns to discuss how data science is changing security and risk management. While alchemy may be a bit of a stretch, Ms. Loyear's ongoing focus on including human behaviour in the risk equation is leading to the development of data science based detection capabilities that would have appeared magical even 5-10 years ago. Rachelle Loyear is the Vice President of Integrated Security Solutions for Allied Universal and co-author of The Manager's Guide to Enterprise Security Ri…