Cybersecurity risk management is very important when it comes to maintaining the assets of an organization. In order to effectively manage cybersecurity risks and avoid data breaches, all functions of the organization should operate with clearly defined roles and responsibilities. Amongst others, the webinar covers: 1. Cyber Security trends: What we are seeing today 2. Identify those assets that ‘matter’ 3. Understanding your threat landscape 4. What does good look like for cyber risk management? Presenters: Nick Frost Nick Frost is Co-founder and Lead Consultant at CRMG. Nick’s career in cyber security spanning nearly 20 years. Most recently Nick has held leadership roles at PwC as Group Head of Information Risk and at the Information Security Forum (ISF) as Principal Consultant. In particular Nick was Group Head of Information Risk for PwC designing and implementing best practice solutions that made good business sense, that prioritise key risks to the organisation and helped minimise disruption to ongoing operations. Whilst at the ISF Nick led their information risk projects and delivered many of the consultancy engagements to help organisations implement leading thinking in information risk management. Nicks combined experience as a cyber risk researcher and practitioner designing and implementing risk based solutions places him as a leading cyber risk expert. Prior to cyber security and after graduating from UCNW and Oxford Brookes Nick was a geophysicst in the Oil and Gas Industry. Simon Lacey Simon is a resourceful, creative Information & Cyber Security professional with a proven track record of instigating change, disrupting the status quo, influencing stakeholders and developing ‘big picture’ vision across business populations. Multiple industry experience; excels in building stakeholder engagement & consensus; and suporting organisations to make sustainable change. Simon also has considerable experience of risk management, education and awareness, strategy development and consulting to senior management and is a confident and engaging public speaker. Simon has previously worked within the NHS, Bank of England and BUPA, before setting out as an independent consultan forming Oliver Lacey Limited, supporting clients in multiple business sectors. When not working, Simon loves to run – currently training for the Berlin Marathon, a Director of Aylesbury United Football Club, records vlogs and is an experienced standup comic. Date: August 17, 2022 Find out more about ISO training and certification services Training: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701 https://pecb.com/en/education-and-certification-for-individuals/iso-31000 https://pecb.com/whitepaper/the-future-of-privacy-with-isoiec-27701 https://pecb.com/whitepaper/iso-310002018-risk-management-guidelines Webinars: https://pecb.com/webinars

1. ISO/IEC 27001,
Cyber Security
and Risk
Management:
How to avoid data
breaches?

2. Agenda
1. Introductions
2. Cyber Security trends: What we are seeing today
3. Identify those assets that ‘matter’
4. Understanding your threat landscape
5. What does good look like for cyber risk management?
6. Q&A

3. 1. Introduction
Simon Lacey
 20 years in cyber security
 Principal consultant – OLIVERLACEY
 Head of secuirty policy – Bank of
England
 Information Governance Lead - BUPA

4. 1. Introduction
Nick Frost
 25 years in cyber security
 Principal consultant – Cyber Risk
Management Group (CRMG)
 Head of information risk – PwC Group
 Senior researcher – Information
Security Forum (ISF)

5. 2. Cyber Security: 30 years of risky business
1988
Driven by notoriety
1998
Media attention
and first real
signs of concern
2008
Financially driven
Cyber gangs
increasingly
organised
2018
Target rich
environment
with New Tech
and IoT

6. 2. Cyber Security trends: What we are seeing today

7. Poll #1
To what extent does your board grapple with cyber security as a
real business risk?
A. The Board appointed a Head of Cyber security. Job done!
B. They get that cyber risk is a big deal, but they prefer to
leave it all to me/us
C. They're all over it! We deliver regular risk updates that
position cyber as an integral element of enterprise risk

8. 3. Cyber risk assessment – key steps

9. 3. Identify those assets that ‘matter’
Low Moderate High Very High
Financial <£100,000 £100,001 - £500,000 £500,001 - £1.5 million >£1.5 million
Reputational No or low
media
coverage
Moderate adverse
coverage (e.g story runs
over 1-2 days)
Significant adverse
coverage >2 days, main
focus of attention
Adverse coverage
sustained over
more than 1 week
Regulatory No increased
regulatory
focus
Slight increase in
regulatory focus / impact
Significant attention
from regulator / Notified
single breach
Multiple breaches /
License withdrawn
Health / Safety Very minor
injury / No
ongoing effect
Non-critical injury
requiring medical
intervention / No
prolonged effect
Critical injury requiring
hospitalisation /
medium term effect
Death / Long term
debilitation
* Consider running this as a workshop
Once a business impact assessment has been
completed: ‘Go / No Go’ to next step?
CONSIDER RISK APPETITE!

10. 4. Understanding your threat landscape
Consider:
• Intent (malicious or
unintended?)
• Capability
• Strength
• Likelihood
• Timescale
Remember: The initiator (agent / source / actor) , is different from the action!
* Use a standard list of threats as your starting point
* Consider running this as a workshop
HOW RELEVANT ARE DIFFERENT THREATS TO YOUR
ENVIRONMENT, AND WHAT’S THEIR POTENTIAL CAPABILITY?

11. What does good look like for cyber risk management?
Framework for
conducting
risk
assessments
Training and
education to
equip staff
with skills
Easy to follow
process
Approved data
sets (threat
lists, control
libraries)
Plan for
delivery and
execution
Agreement on
reporting
Stakeholders
identified
Assets
identified

12. 5. What does good look like for cyber risk management?
Focus on those systems and data assets that are business critical
Establish a practical process that incorporates the fundamentals of information risk
Evaluate GRC products to help streamline and semi-automate the cyber risk process
to minimize staff utilisation
Present the business argument to help establish a cyber risk approach (e.g. target
investment, quick wins, best practice)
Establish a phased approach (do not attempt to boil the ocean)
Extrapolate the risk insights to other areas of the security programme (e.g. policy
update, awareness and education)
Promote the approach to your clients and partners.

13. 5. Cyber risk assessment: Hints and Tips
Prioritise the
risks
Provide the
business
with options
Collaborate
to determine
a response
You will never mitigate all
cyber risks so prioritise and
be pragmatic in what you
can achieve.
Accept the risk: reduce costs,
increase exposure to an attack and
possible damage to reputation….
Mitigate the risk: increase
investment, reduce risk to an attack
Costs, Complexity, Timescale to
implement, Disruption from change,
Business obstacles, Training, End-
user-experience, Testing and
Assurance

14. Poll #2
To what extent is your cyber security programme risk-based?
A. We did a gap assessment of our security programme, so
we're good
B. We've started to do risk assessments, but it's all a bit ad
hoc and we don’t focus on underlying business criticality
C. We conduct structured risk assessment and focus on
underlying business criticality. Headline risks are reported
to the Board, which shapes meaningful decision-making

15. 5. Enterprise-wide cyber risk management
Business
awareness
Customisation (control libraries, threat lists for different tech)
Conduct multiple pilot
assessments
Training and
education
Risk review
board
GRC evaluation
Project 1
Project 2
Project 3
Project 4
Data feeds
Project 5

16. THANK YOU
Q&A
simon.lacey@oliverlacey.com
nick.frost@crmg-consult.com
linkedin.com/in/simon-oliver-lacey
linkedin.com/in/nickfrost