Technological change is inevitable and often one of the aspects that attracts people toward careers in information and operational technology. Although risk management is a part of navigating advancement in any area, the fundamental flaw in any management system is our human tendencies.

This episode explores how organizations can make slow, steady migration from first principles to risky undertakings without noticing. Marco Ayala, an operational technology cybersecurity expert and current Houston InfraGard president, joins this episode to further explore the reasons behind this normalization of deviance, a concept first introduced to OT cyber specialists at S4 in 2024.

Mr. Ayala is also CCE proponent and facilitator leading to a discussion on possible options for course correction back off the normalization path.  Although solutions must always be tailored to work within organizational constraints, the early contributors to catastrophic outcomes associated with the Challenger space shuttle and Boeing 737 Max warrant exploration or we will inevitably repeat. 



 

Whether it's the NIST CSF, 8276 or the new European Cyber Resilience Act there is no denying the expectation that supply chain management (SCM) is a risk management area no organization can ignore.  While SolarWinds is recent common reference in many SCM discussions, this episode's guest takes us back to Target's major data breach that resulted in significant changes to the PCI-DSS standard. 

Darren Gallop, a serially successful Canadian tech entrepreneur, recounts the early journey into the software as a service business up to his current role as CEO of Carbide. The episode talks frankly about the current challenges with supply chain management, but Mr. Gallop also shares where he sees bright lights on the horizon and a path forward for organizations willing to consider the shift.   

Post GSX conference, which  included an in-depth review of ESRM and an interview with former U.S. president George W Bush, this episode considers how enterprise security risk management has stood the test of time as well as how risk analysis will need to evolve . 

Financial receptors can be found in almost every organizational risk matrix but how do those decisions change with modern ransomware attacks? How does a threat intelligence program contribute to organizational defense and resilience?

The convergence buzzword has come and gone and some organizations have struggled to reap the benefits of physical and cyber security departments working in tandem toward common goals.  Michael Lashlee, deputy Chief Security Officer at Mastercard,  shares security insights from the US Marines, secret service and financial services tech giant Mastercard, illustrating how principles from very different missions overlap surprisingly often.  Mr. Lashlee also discusses how technology supports the physical, intelligence and fraud specialists working to keep Mastercard customers client data safe as well as steps they are taking to resolve the cyber skills talent shortage.

Calgary was an ICS cyber hub before most knew such measures were  necessary, Terry Freestone was one of the ICT specialists from those early days who now applies his decades of hard-won knowledge  in the offices of the Canadian Energy Regulator.  

Speaking as a private citizen and cyber security expert rather than a government representative,  Terry and the Caffeinated Risk team explore risk management from the energy producer's perspective and his four point strategy for risk mitigation prioritization that works for any size staff or budget. 

Keeping up the accidental annual tradition Tim and Doug take a retrospective look at risk management as a mid-year pulse.  The 10th annual Cyberthreat Defense report forms the underlying theme but digging under the statistics to analyze how these might pertain to ESRM.  Communication also popped up as a topic, and Tim shares some lessons learned from the field as well as a professional development resource.

One of the original authors of the ESRM framework, now in it's tenth year,  and Caffeinated Risk's first guest returns to discuss how data science is changing security and risk management.  While alchemy may be a bit of a stretch, Ms. Loyear ongoing focus of including human behaviour in the risk equation is leading to the development of data science based detection capabilities that would have appeared magical even 5-10 years ago.

Rachelle Loyear is the Vice President of Integrated Security Solutions for Allied Universal and co-author of The Manager's Guide to Enterprise Security Risk Management.

Threat modeling expert and inventor of one of the world's first attack tree modeling  products talks about how to integrate subject matter expertise into the risk equation, the answer may be surprising.

Bonus content  not included in the original interview with Terry which dove deep into the history of attack trees, modern applications and exploring why there is no AI magic when it comes to identifying events that could end your organization.  Well worth a listen if you missed it.

Factor Analysis of Information Risk (FAIR) and Enterprise Security Risk Management (ESRM) took different evolutionary paths yet share a lot more commonality than catchy 4 letter acronyms and  mainstream adoption by notable organizations like NIST, The Open Group and ASIS international.  Jack Freund personifies the term "risk management thought leader" with professional qualifications and public recognitions too long to list, but co-author of Measuring and Managing Information Risk can't go unmentioned since industry peers inducted this seminal title into the Cybersecurity Cannon.   

With risk management discussions ranging from banking  to defeating door locks, Dr. Freund was consistently insightful, humorous, and a delightful guest.

 In addition to hybrid work and regular time in the office being the new normal, 2023 marks the year Caffeinated Risk's co-host Tim McCreight serves as the president of ASIS international.  ASIS has long been a proponent of both physical and cyber security professionalism and one of the first organizations to explore and embrace Enterprise Security Risk Management (ESRM) as an integral element of security.

Scholarly articles on cyber-physical security convergence started appearing in the late 1990s,  more than 25 years later the convergence buzz has ebbed and flowed but silo's remain. In this episode Tim shares his insights from the past 40 years, the benefits to a converged approach as well as some of the paths toward success. 

Realtors have long advocated  "location, location, location" as a path to investment  success. Fast forwarding  a few generations,  location intelligence applied to risk management is paying dividends well beyond real-estate and Esri is a world leader in this fascinating application  of geo-spatial information.  Esri business solutions leader Alex Martonik shares examples of businesses making improvements to  resilience and the bottom line  by combining  GIS, financial, technological and political data  into risk calculations. Mr. Martonik  also shares Esri's approach to "democratizing risk insights", helping solve the all to common problem of procuring buy-in.    

A great discussion point that didn't make it to air from the original 2021. Not all data is of equal value to the organization and the viable shelf life is seldom tracked or even discussed.

This espresso shot takes a humorous look at a serious question about privacy considerations during the development cycle and check out the original full episode with privacy thought leader Michelle Finneran Dennedy.

Long before the Matrix captured peoples imaginations, Winn Schwartau was steadily offering red pills for those reading his many books on information warfare.  A scholastic level researcher without the pretense, Mr. Schwartau has been recognized internationally as one of the leading security thinkers of our time and has a special capability for distilling complex security concepts into every day language and metaphor. 

In this episode Tim and Doug talk with Winn about the battle big tech is waging on our cognitive capabilities. Recorded just days before the release of Winn's latest book, this interview is a very frank examination of our current human state and some sound direction on how to counter the effects of coexisting with technology.

Some sample chapters of the new book and links are available here:
https://winnschwartau.com/metawar/

Communication isn't effective until the receiver understands the message well enough to take action. That pretty much sums up the challenge facing many risk professionals today, something Paul Mercer resolved, out of necessity, by building  risk management software that is proving to be a welcome solution for many notable customers.

Mr. Mercer is no stranger to the front lines of risk management, starting with the Royal Navy then extensive risk & crisis consulting for international clients. Well known ESRM practitioners are also recognizing the value of Mercer's approach to digital safety and security risk management.

Co-author of the original book on Enterprise Security Risk Management, it only made sense to have Rachelle be the first Caffeinated Risk guest.  Like many guests, there was just too much material for a 30 minute episode. This espresso shot encore digs into that nuanced  topic of truly partnering with business stakeholders. 
 

Anyone with a bit of time in the security industry is well acquainted with Murphy's law but  crisis management specialists are who you call when things suddenly get very real.  While common security guidance advocates protection,  readying your organization to weather the inevitable failure in prevention measures starts with resilience.

international crisis management thought leader  Alexandra Hoffman and 2022 IFSEC Global Influencer and Meta's head of Global Security Protective Intelligence Tim Wenzel  dive deep into what resilience really means at the organizational level.

Security folks are fond of saying "it's not if but when ...", listen in to learn  more about how to prepare your organization for that eventuality from those who have been there with some of the biggest companies in the world. 

Recorded two days after the July 2022  nationwide telecom outage,  co-hosts Tim and Doug explore the deeper ramifications of losing access to the very services that are so tightly integrated into our lifestyle.  While the complete root cause of the Rogers' outage may never be publicly shared, most organizations face similar constraints, leading to a discussion about ethics and our shared commitment to the common good.

Documents referenced in the show:
ACM Code of Ethics
Energy sector asset management

Sooner or later every risk management professional faces the hard reality that comprehensive risk management programs can't be implemented on spreadsheets. A corporate vice president mandate, minus the funding, started Josh Sokol on  a journey that turned his initial platform solution into an opensource project that morphed into a commercial venture. 

While meeting the risk management and compliance needs of organizations large and small, the Simple Risk founder remains committed to a practical  approach for stewarding cyber security issues and mentoring the next generation of security professionals. 

This episode explores the true GRC platform needs -- not the marketing -- and the cyber security executive's role in enterprise risk management.  

   

Chief Information Security Officer Martin Dinel has all the same technology challenges of every other large organization. Placing Alberta in front of that CISO title brings the additional requirements of protecting government secrets, interfacing with national security, protecting financial and health information of more than 4 million people as well as the infrastructure of a province almost the size of Texas. 

Mr. Dinel shares some innovative ideas for sourcing and retaining talent,  observations on how the education system needs to change and his vision for turning Alberta into a cyber security center of excellence. 

Very few organizations, from three letter agencies to the local brew pub are not using cloud services to some degree and those previously resistant had no choice once Covid 19 hit. In 2022, with global conflict, organized crime,  multiple supply chain and service concerns, what is required of a security professional responsible for navigating  risk for their enterprise which invariably includes "Cloud"?

Illena Armstrong, president of the Cloud Security Alliance, shares her insights on these challenges, honing in on key considerations for both organizations and the information technology industry as a whole.  A business first, strategist and advisor,  Ms. Armstrong was previously Editor in Chief, and VP of Editorial for SC Magazine, exploring cyber security issues across the globe for more than a decade, interviewing industry leaders before CISO was even a title. 

Acknowledged by IT World  Canada as one of the top 20 women in cyber, Cara  Wolf shares insights into the Canadian tech industry , the need for innovation and tactics for drawing senior leadership's attention to cyber security issues during a candid discussion on the changing aspects of cyber crime . Long before cyber crime was a mainstream concept Ms. Wolf was a seasoned fraud investigator with American Express travel, setting the stage for a number of entrepreneurial  ventures combining technology and risk management.  Cara Wolf's  latest company,  Ammolite Analytx specializes in complex information security problems and threat centric solutions, whether those threats are physical, cyber or a hybrid.  

The threat landscape is evolving, if your security controls are not, the outcome is all but assured.

In this episode Tim and Doug are joined by Canadian cyber security serial entrepreneur Ian Paterson, CEO of Plurilock. Mr. Paterson shares hard won insights from extensive data science research and development , how this intelligence enables continuous monitoring to be applied to a technology stack and bring organizations closer to a zero trust model. 

Ian's wealth of experience in the Canadian cyber security industry also opened up  discussions about startups,  staffing and the commercial cyber security industry, some of which, due to time limits, will appear in espresso shot bonus episodes in the future.

A light hearted espresso shot with renowned information security writer Winn Schwartau and Tim McCreight discussing the serious and all too common problem of uncontrolled ingress and egress.

While the first electronic firewalls may have come into vogue in the late 80's, Winn and Tim uncover parallels with perimeter security developed in the middles ages.  

Almost all incident response plans include a "lessons learned" step, and in the post adrenalin phase that follows many breaches,  reviewing what worked and what needs improving doesn't excite a lot of people. Adam McMath is clearly the exception,  leading incident response activities in both the cyber realm and physical. How do resilience and incident response  lessons learned while literally fighting fires translate into risk management practices within cyber security, is a good question explored in depth with this month's guest. 

Mr. McMath's experience and exuberance are evident throughout, with a great deal of additional content that will appear in a future espresso shot bonus episode.

An espresso shot covering a great idea Dave Tyson originally shared in his book and discussed during  our 2021 interview on identifying where security can contribute to the business value chain and some strategies for selling the benefits.  

With thought leaders like Dave there are many more insights than time in each monthly episode, so in 2022 we'll be combing through older interviews and sharing previously unpublished interview content in smaller 5-8 minute blocks.  These short excerpts will be released periodically in between the monthly full episodes.

The year end episode does some comparing and contrasting of risk management in different areas, including things outside of cyber. Ironically, recorded just a couple days before most of the world learned about a module design choice in Java that suddenly makes logging dangerous, it brings home the point that our cyber threat landscape is complex .

Complexity and uncertainty are nothing new for cyber security  and risk management  professionals. Navigating  through those waters despite the lack of authority often afforded those tasked with ensuring an organization's safety adds human behaviour to that complexity.  Tim offers a number of suggestions on influencing action despite competing agendas within the organization. 

While many in risk management or cyber security reference standards and leading practices, it can often be based on tacit acceptance, rather than deep research.  There is an argument that that research is too slow compared to commercial solutions, especially considering our current threat landscape and resource constraints. 

This episode explores the possibility of a middle ground and challenges a few assumptions along the way, it turns out things haven't chanced that much since the 1970's. An unplanned discussion with one of the co-hosts regarding the "science of cyber security" led to an interview with Doug Millward, a computer scientist who spend many years in SCADA engineering, programing and system architecture before completing post graduate studies in higher education.  

Combining real world computer science and security knowledge with academic skills led Mr. Millward to becoming a senior lecturer at Wolverhampton University, teaching at all levels from HND to Masters, designing a number of Security and Computer Science modules and also working as a lead researcher on the Biolive project - examining privacy issues for vulnerable adults. Doug Millward is now teaching at Kaplan/ the University of Essex Online where he has designed and taught a number of computer science modules at Masters level, specialising in Cyber Security.  

Doug is actively involved in research around cybersecurity, specialising in designing and modelling security in composable systems, the use of secure languages and data representations, and the application of risk frameworks and taxonomies at both the micro and macro levels. 

Skilled penetration testers are some of the more specialized people within the information security industry. When it comes to safely testing kinetic systems the pool of talented ethical hackers shrinks again but does include Paul Smith who has written a brand new book on the subject.

An ICS security specialist before it was a recognized specialty, Paul Smith has been a field operator, security tester, product manager, ICS vulnerability researcher and more. This episode explores risk consideration when impacts are measured in environmental damage and human life rather than records in a database. 

Mr. Smith's new book, "Pentesting Industrial Control Systems: An ethical hacker's guide to analyzing, compromising, mitigating and securing industrial processes" , will be released November 9th 2021.

Formerly vice president and chief privacy office at Cisco, CEO of Drumwave and a licensed attorney, Michelle Finneran Dennedy is recognized as a visionary leader in information systems privacy.  Currently the co-founder of Privatus Consulting supporting clients working through the wicked problem of privacy in this digital age.

Much to the benefit of Caffeinated Risk listeners she is also a friend of  co-host Tim McCreight and her wonderful sense of humor results in some very entertaining banter on a traditionally serious subject.  Ms. Dennedy is also the co-author of the Privacy Engineer's Manifesto, a must have reference for any privacy or security professional made freely available via Amazon digital download.

A business without cash flow isn't a business for long and security solutions are seldom free yet cyber security is a line item that business owners ignore at their peril.  Cost management and risk management come together in this lively podcast with special guest Larry Whiteside Jr. a former US Air Force division chief who has held a number of senior cyber security executive positions since returning to civilian life in 2002. 

Mr. Whiteside  is also the co-founder of the the International Consortium of Minority Cybersecurity Professionals (ICMCP),  a non-profit organization working to increase female and visible minority professionals in the industry.  He offers some sage advice to all those currently struggling to enter the industry and those searching for talent while still keeping an eye on the bottom line.

Cohosts Tim and Doug explore the security implications of workers returning to the corporate networks after over a year working remotely. 

Is there a new art of the possible to be considered based on the changes most organizations needed to make to networks and applications to get through the pandemic lockdown? Is this now more important than ever since the financial impacts of ransomware have reached new record levels and how might ESRM practices support resilience improvements.

Dave Tyson literally wrote the book on Managing Enterprise Security Risk through converged security  while serving as the CSO for the City of Vancouver during the winter Olympic games.  A practitioner rather than a theorist, Tyson has held senior security leadership positions at multiple major organizations including eBay, Pacific Gas and Electric and SC Johnson.

In this episode Dave Tyson discusses the origins of security convergence, why organizations need to explore this now more than ever and how to gain support with the executive suite by identifying and removing value chain friction created by security processes.

"We need more science in Cyber Security"  David Hechler, TAG Cyber Law Journal
 
Threat modeling should be step 0 of any security architecture but often goes completely unconsidered. This episode features Terry Ingoldsby, a veteran cyber risk professional, physicist, computer scientist and inventor of Securitree. Ingoldsby created the attack tree development platform because he felt cyber security assessments should be defendable rather than just the educated opinion of assessor.

Despite being the inventor, there is no sales pitch. Terry, Tim and Doug talk risk, engineering, business cases and why there is no AI magic when it comes to identifying events that could end your organization. 

Serial entrepreneur, author and futurist Scott Klososky  explores some new approaches to physical and cyber security that are innovative, potentially controversial and necessary as more and more of our daily way of life is affected by these security problems. 

Ten years before Youtube Mr. Klososky founded a startup that delivered webcasted media for commercial, government, sports and entertainment.  Scott has consistently demonstrated the ability to identify market opportunities and technology trends well in advance. Following the success of Webcasts.com with a second generation online banking platform that enabled smaller financial companies to compete head to head with the majors.

Today Scott Kolosky supports business leaders and boards by merging hard won success in technology with forward looking analysis to create concepts and models needed in today's hyper competitive markets. Whether those needs are the fusion of humans and technology within an organization,  data intelligence or risk management and the development of an integrated security model.

Amongst the industry verticals classified as critical infrastructure, few would argue that telecommunications belongs in the top that list, placing even more weight on a risk management program due to cascading impacts. Consequently, safe reliable operations are essential for success while continuing to grow in a highly competitive marketplace.  A security risk management challenge across many dimensions that has become an ESRM success story. 

This episode features Radek Havlis, Vice President, Director Business Resilience and Chief Security Officer at O2 Telefonica Germany sharing insights into O2 Telefonica's transformation toward a highly converged security model.  An early advocate of ESRM, Mr. Havlis explains how the risk management philosophy remains consistent but the requirements for successful implementation can vary greatly by organization. The Telefonica journey started with visionary leadership  and in less than three years has transformed the view of security as a business enabler. 

  

A security luminary before such a title was even coined, Winn Schwartau's predictions about the internet and global security problems have been scarily spot on for more than 30 years.  Named the “Civilian Architect of Information Warfare” by Admiral Patrick Tyrrell of the British Ministry of Defense, Schwartau also testified before Congress in 1991 and showed the world how and why massive identify theft, cyber-espionage, nation-state hacking and cyber-terrorism would be an integral part of our future.

His new book, "Analogue Network Security" is a mathematical, time-based and probabilistic approach to justifiable security. Winn and the Caffeinated Risk hosts explore how the the management of time and trust as an alternative approach to blind faith in the castle & moat model that continues to fail us. 

Co-author of Enterprise Security Risk Management: Concepts and Applications ,  Rachelle Loyear has spent  her career managing programs in corporate security organizations. Focusing strongly on security risk management, she has been responsible for ensuring enterprise resilience in the face of many different types of risks, both physical and cyber.

She is currently active on a number of projects including: 
- refining and releasing a Global ESRM approach to customer solution development for G4S 
- working with customer focus groups to understand what the security industry really needs to manage risk – using Design Thinking principles

Rachelle also shares lessons learned on identifying and effectively communicating with the  correct stakeholders for risk acceptance.

The first full episode is scheduled for release February 18th. The trailer includes a few conversation segments between the cohosts on enterprise security risk management and critical infrastructure. Visit CaffeinatedRisk.com for more articles on the intersection of risk management  and technology.

Regulatory frameworks from PCI-DSS to NERC-CIP  to  the newly minted NIST CSF 2.0 each require organizations of all sizes to have cyber incident response plans.  Most of us who have spent any time in cubicle filled office towers are familiar with fire drills to clear the building and gather staff at muster points, and that is as close as we get to the real thing.  Unfortunately that same lucky streak will   Unlike a fire drill, recent research estimates 85%  of businesses will expereince a cyber incident annually,  and many will find short-comings in their incident response plan.

This episode explores a couple of recent news-worthy Canadian Cyber incidents, challenges with incident response plans and as always, how to use ESRM principles to further your program, even in a time of crisis. 

Those running a business today who have not experienced disruption due to cyber issues or attacks know it is only a matter of time. Even if their organization is not directly targeted, the  modern marketplace comprised of multiple, interconnected  supply chains, means impact is unavoidable but this episode's guest, Steven J Ross contends planning, design and clear priorities can provide mitigating resilience.

Steven J Ross, executive principal of Risk Masters International, is a recognized cyber security expert, specializing cyber resilience, recovery and  business continuity.   His decades of experience come through loud and clear with a somewhat unflinching perspective on the current digital threat landscape and the impact on organizations and individuals.  In addition to leading a boutique risk management practice helping Finance, Health care, Defense and more,  Mr. Ross has been the author of one of ISACA Journal's most read columns since 1998.

The U.S. Security Exchange Commission defined new rules for cyber risk matters facing publicly traded corporations in July of 2023.  Although the SEC's mandate is limited to publicly traded companies in the United States, where one regulator goes others are apt to follow.  Brian Allen is the co-author of a brand new book putting form, structure and traceability around the SEC mandated requirement for a Cyber Risk Management Program.   Mr. Allen was on of the original creators and advocates of the ESRM framework first published in 2013, and has been practicing security risk management throughout his career. 

Caffeinated Risk is very please to bring a very candid conversation with a true thought leader in the risk management field to our ever growing family of listeners. 

The ISA 99 standards body is one of the most recognized authorities on cyber physical security covering many aspects of a cyber security management system for industrial control systems including risk management.  This episode features John Cusimano, former chairman of the ISA subcommittee  responsible for authoring the risk management portion of the standard 62443-3-2:2020  Mr. Cusimano takes us back to the origins of the OT specific risk assessment process, originally dubbed CyberPHA,  we also explore how the methodology can be managed and percieved at different levels of the organization as well as how this approach can safely carry organizations into a future that includes cloud computing.

John is currently the Vice President for Operational Technology Security at Armexa, more than 30 years experience in OT and one of the early thought leaders in this unique areas of cyber security and risk management.

Security and crime are often in close proximity but not always studied together. This month's episode features Martin Gill a criminologist who made the study of crime and security his life's work.  After a decade as a lecturing professor at the University of Leichester,  Mr. Gill started Perpetuity Research in 2002 and continues to provide very high quality research, both qualitiative and quantitiative,  on what works -- and more importantly what does not --  on many different areas of the security field.   

In addition to leading the annual Security Research Initiative reports, Martin Gill is also the a contributing author and  editor of many criminology and security textbooks including  "The Handbook of Security" -- now in it's third edition. 

The practice of engineering dates back thousands of years, incorporating science and mathematics to solve problems in the ancient world, and remains a key requirement for developing the complex digital systems controlling the physical systems core to our modern way of life. Unfortunately connectivity and complexity have created a vulnerability we must now engineer our way out of, and just like risk management, engineering is about balancing constraints.

Andrew Ginter is a recognized thought leader within the industrial security space with decades of real world experience and the willingness to distill that knowledge into a series of book on operational technology cybersecurity. Mr. Ginter's latest book "Engineering-Grade OT Security, a manager's guide" explores risk elements over multiple chapters and provided a great intersection with ESRM principles.  A self professed collector of industry wisdom, Andrew was quick to highlight Cyber Informed Engineering principles for security engineering within OT and call out calculation issues when risk assessing black swans yet also offering an elegant approach to resolution. 

Due to a technical glitch, this episode joins Andrew, Tim and Doug in mid-conversation about Cyber Informed Engineering instead of the typical introduction banter of most episodes.


 

Ever wondered how top universities protect their cutting-edge research from prying eyes while ensuring seamless access for their scholars? Join us as Michael Spaling, Principal Security Architect at the University of Alberta, takes us behind the scenes of this high-stakes balancing act. Just like any other large organization, research universities have many different stakeholder, operational and regulatory requirements, thousands of employees and tens of thousands of customers.

In a strange twist, both Mr. Spaling and podcast cohost Tim McCreight are also recent recipients of industry awards, prompting a few questions that reveals some darker elements of social media while continuing to offer security leadership.

The Caffeinated Risk hosts navigate time zones and catch up with Dominic Bowen traveling between meetings to discuss risk management with an international expert on the subject. Mr. Bowen is a partner and Head of Strategic Advisory at 2Secure, one of Europe's leading risk management consulting firms, as well as the host of the International Risk Podcast. 

Political tensions are higher than they have been for years and there is seldom a month that goes by without a technical disruption that affects numerous businesses and services due to the interconnected nature of our modern world. 

Despite the serious topics covered, Dominic Bowen offers some practical solutions based on experience in the business world , the higher stakes of military service and humanitarian relief offering an unexpected, potentially positive outcome. I.E., accepting the tempo of constant crisis and becoming and effective manager of those risks can actually accelerate success. 

A while back we were fortunate enough to spend time with Jack Freund, coauthor and thought leader responsible for bring the FAIR methodology and practice into the main stream. A bonus from that original recording is now an espresso shot discussing how to fast track an assessment when the threat vectors are numerous. 

While the metaphor Jack used is somewhat unexpected it's both memorable and an excellent approach to dealing with an entire class of attacks in a single assessment. A pro tip from one of the original practitioners of the FAIR methodology well worth a listen.

At 45-50%, depending on your statistical source, there is no denying that small to medium sized businesses are a significant economic engine from both an employment and innovation perspective.  In 1978 Microsoft numbered 11 people. Unfortunately small businesses are also the least likely to survive a major disruption, an experience that changed Rochelle Clarke's corporate leadership trajectory to a business founder.

The Continuity Strength founder shares insights on the needs of small to medium businesses and how to develop resilience plans while simultaneously addressing the two biggest concerns of most SMB owners, time and money.   Prior to founding Continuity Strength, Ms. Clarke was the Country Manager, Global Strategy for Heineken, a management consultant and is on multiple board and academic committees. 

A surprising number of digital innovations began in Alberta, be it the world's first public digital cellular network in 1985, the DNP3 industrial controls protocol and  becoming the first Google international research lab in 2017.  

CyberAlberta is another innovative collaboration focused on strengthening the cyber resilience of Alberta organizations.  At almost 330 billion annually, protecting the Alberta economy and it's citizens from digital attacks is an important mission.  In a very candid conversation, Rachel Hayward, Executive Director of CyberAlberta shares both successes and challenges observed with cyber workforces and organizational readiness. Her previous tenure with the Alberta Privacy commissioner adds some additional nuance in these times of ever greater tests of personal rights.   

Enterprise Security Risk Management (ESRM) principles appear in almost every episode and this one is a bit more overt because it features two of the three people responsible for promoting ESRM in the early days of it's reintroduction through ASIS. 

John Petruzzi is now the CEO of Unlimited Technology and leading them toward an expanded influence in the enterprise security industry, sharing insights for what works with fortune 250 organizations, government and even local school boards. As the title implies, resilience is the discipline most organizations need to improve upon, and Mr. Petruzzi's personal and professional opinions on this gap may surprise some. 

The threat landscape is changing at a pace and breadth few could have predicted, those that navigate it well will prosper.