Caffeinated Risk – Details, episodes & analysis

Technological change is inevitable and often one of the aspects that attracts people toward careers in information and operational technology. Although risk management is a part of navigating advancement in any area, the fundamental flaw in any management system is our human tendencies.

This episode explores how organizations can make slow, steady migration from first principles to risky undertakings without noticing. Marco Ayala, an operational technology cybersecurity expert and current Houston InfraGard president, joins this episode to further explore the reasons behind this normalization of deviance, a concept first introduced to OT cyber specialists at S4 in 2024.

Mr. Ayala is also CCE proponent and facilitator leading to a discussion on possible options for course correction back off the normalization path.  Although solutions must always be tailored to work within organizational constraints, the early contributors to catastrophic outcomes associated with the Challenger space shuttle and Boeing 737 Max warrant exploration or we will inevitably repeat. 



 

Whether it's the NIST CSF, 8276 or the new European Cyber Resilience Act there is no denying the expectation that supply chain management (SCM) is a risk management area no organization can ignore.  While SolarWinds is recent common reference in many SCM discussions, this episode's guest takes us back to Target's major data breach that resulted in significant changes to the PCI-DSS standard. 

Darren Gallop, a serially successful Canadian tech entrepreneur, recounts the early journey into the software as a service business up to his current role as CEO of Carbide. The episode talks frankly about the current challenges with supply chain management, but Mr. Gallop also shares where he sees bright lights on the horizon and a path forward for organizations willing to consider the shift.   

Post GSX conference, which  included an in-depth review of ESRM and an interview with former U.S. president George W Bush, this episode considers how enterprise security risk management has stood the test of time as well as how risk analysis will need to evolve . 

Financial receptors can be found in almost every organizational risk matrix but how do those decisions change with modern ransomware attacks? How does a threat intelligence program contribute to organizational defense and resilience?

The convergence buzzword has come and gone and some organizations have struggled to reap the benefits of physical and cyber security departments working in tandem toward common goals.  Michael Lashlee, deputy Chief Security Officer at Mastercard,  shares security insights from the US Marines, secret service and financial services tech giant Mastercard, illustrating how principles from very different missions overlap surprisingly often.  Mr. Lashlee also discusses how technology supports the physical, intelligence and fraud specialists working to keep Mastercard customers client data safe as well as steps they are taking to resolve the cyber skills talent shortage.

Calgary was an ICS cyber hub before most knew such measures were  necessary, Terry Freestone was one of the ICT specialists from those early days who now applies his decades of hard-won knowledge  in the offices of the Canadian Energy Regulator.  

Speaking as a private citizen and cyber security expert rather than a government representative,  Terry and the Caffeinated Risk team explore risk management from the energy producer's perspective and his four point strategy for risk mitigation prioritization that works for any size staff or budget. 

Keeping up the accidental annual tradition Tim and Doug take a retrospective look at risk management as a mid-year pulse.  The 10th annual Cyberthreat Defense report forms the underlying theme but digging under the statistics to analyze how these might pertain to ESRM.  Communication also popped up as a topic, and Tim shares some lessons learned from the field as well as a professional development resource.

One of the original authors of the ESRM framework, now in it's tenth year,  and Caffeinated Risk's first guest returns to discuss how data science is changing security and risk management.  While alchemy may be a bit of a stretch, Ms. Loyear ongoing focus of including human behaviour in the risk equation is leading to the development of data science based detection capabilities that would have appeared magical even 5-10 years ago.

Rachelle Loyear is the Vice President of Integrated Security Solutions for Allied Universal and co-author of The Manager's Guide to Enterprise Security Risk Management.

Threat modeling expert and inventor of one of the world's first attack tree modeling  products talks about how to integrate subject matter expertise into the risk equation, the answer may be surprising.

Bonus content  not included in the original interview with Terry which dove deep into the history of attack trees, modern applications and exploring why there is no AI magic when it comes to identifying events that could end your organization.  Well worth a listen if you missed it.

Factor Analysis of Information Risk (FAIR) and Enterprise Security Risk Management (ESRM) took different evolutionary paths yet share a lot more commonality than catchy 4 letter acronyms and  mainstream adoption by notable organizations like NIST, The Open Group and ASIS international.  Jack Freund personifies the term "risk management thought leader" with professional qualifications and public recognitions too long to list, but co-author of Measuring and Managing Information Risk can't go unmentioned since industry peers inducted this seminal title into the Cybersecurity Cannon.   

With risk management discussions ranging from banking  to defeating door locks, Dr. Freund was consistently insightful, humorous, and a delightful guest.

 In addition to hybrid work and regular time in the office being the new normal, 2023 marks the year Caffeinated Risk's co-host Tim McCreight serves as the president of ASIS international.  ASIS has long been a proponent of both physical and cyber security professionalism and one of the first organizations to explore and embrace Enterprise Security Risk Management (ESRM) as an integral element of security.

Scholarly articles on cyber-physical security convergence started appearing in the late 1990s,  more than 25 years later the convergence buzz has ebbed and flowed but silo's remain. In this episode Tim shares his insights from the past 40 years, the benefits to a converged approach as well as some of the paths toward success.