Welcome to the cybersecurity leadership and management course. Today we will be discussing cybersecurity within a risk strategy framework that produces security, trust and stability. My name is Cicero Chimbonda, and I am your instructor for this course.

Cybersecurity within a risk strategy framework that produces security, trust and stability (STS) is the central piece that we have been discussing in this course. The cybersecurity strategy framework, guided by risk management frameworks and cybersecurity frameworks, is essentially the guide that will bring that security, trust and stability to your cybersecurity program. In this course we will be discussing the following topics: a cybersecurity risk strategy framework overview, then cybersecurity risk business frameworks, then legal and compliance frameworks, and lastly operational frameworks.

Let's begin with the strategy framework overview. As you have caught on, the central piece of this course is that in order for a leader to be successful in bringing in a cybersecurity program, it needs to demonstrate that it meets the fundamental principles, or tenets, of information security, which are confidentiality, integrity and availability. Every element of this information security program must have controls put in place so that you can achieve these principles, the CIA. We translate that through information security governance, with the cybersecurity leader bringing in security, trust and stability. Security is where you have the alignment to confidentiality, which brings the organization strategy that we will look at. The trust component is preserving the integrity of that data. And lastly you have stability, which is the ability to make sure that your resources are available to those that have authority. Again, the formula that we look at is the information security governance formula: CIA plus STS equals OS, RS, OE. Well, how do we achieve this?
We achieve this by aligning frameworks. You have business frameworks, where you want to make sure that you have the frameworks that minimize risk, and these align to the organization strategy. You have frameworks that address the legal and compliance risks, and these align to and bring the regulatory systems that you are trying to achieve. And lastly you have operational risk frameworks, and those align to operational excellence. A framework is a foundation to build programs for specific areas. A framework includes predefined principles and functions that can be used as inputs to manage and interact with other elements. This is what we will be talking about: the cybersecurity strategy frameworks, with the goal of aligning the CIA to STS, which will result in OS, RS and OE.

Let's begin by looking at cybersecurity business risk frameworks. This is what aligns to the organization strategy. How do we achieve this? It starts by looking at what type of industry you are in. We looked at that in the previous course: these are some bottom lines, and these are the corporate protection goals that you have to achieve in these particular types of industry. Obviously it's not all inclusive, but this is a good place to start. Now, how do we align the business risk frameworks? Well, here is one that one can look at, which is the McKinsey 7S model. We will look more into the McKinsey 7S model, which is a tool that analyzes a firm's organizational design by looking at seven key internal elements. The other is the PMO, the project management office, sometimes known as the Office of Strategy Management. It plays a role in linking the organization's projects to its strategic plans. There are other business risk frameworks that can be used to assure that your cybersecurity program meets the business needs. Other ones are, for example, feasibility studies.
Feasibility studies are important to business development. They allow a business to address where and how it will operate. They can also identify potential obstacles that may impede its operations, and they allow you to get the proper funding to get the business up and running. You might use customer acquisition strategy frameworks, or an acquisition strategy, which is a comprehensive plan identifying potential acquisitions of new businesses. Or return on investment, which is a framework that looks at financial metrics to measure the probability of gaining a return from an investment. It is a ratio that compares the gain or loss from the investment relative to its cost. Again, you can see different business frameworks that can be looked at; let's look specifically at a couple of business risk frameworks.

The first one I want to look at is the McKinsey 7S model, which we discussed in course one, video four, cybersecurity and information security governance. The McKinsey 7S model is a tool that has what we call the hard skills and the soft skills. The hard skills are usually handled by the leadership. Strategy: this is your organization's plan for building and maintaining a competitive advantage over its competitors. Structure: this is how the company is organized, that is, how the departments and teams are structured, including who reports to whom. Systems: these are the daily activities and procedures that the staff use to get the job done. Then you have the soft skills; this is the managing portion of your deliverable. Style: the style of leadership adopted. Staff: the employees and their general capabilities. Skills: the actual skills and competences that the organization has within its employees. And lastly the core organizational values, which are the shared values.
These are the core values of the organization as shown in its corporate culture and general work ethic. So again, this is a business framework that one can use to align the business, or the cybersecurity framework, to the organization strategy through the business risk frameworks.

Another business framework is the PMO, the project management office, also known as the office of strategy management. Its role is linking the organization's projects to its strategic plans. The framework consists of the processes, tasks and tools used to take a project from start to finish, and it encompasses all the key components required for planning. Usually this is presented as the project management value ring. One: define the PMO services. This answers the question, are the services that your PMO provides to the clients in your organization really needed? Do we really need these services? Two: balance the PMO mix of services. This answers, is your PMO able to generate perceptible value in the short term? Three: establish the PMO processes. Do the PMO's selected services have formal and clearly defined inputs, outputs and responsibilities, and are they really aligned with your organization? Four: define the PMO KPIs, the key performance indicators. Can the performance of your PMO be measured? Five: define the PMO headcount and competences. How do we define the headcount of the project management office? Six: identify the PMO maturity and plan its evolution. This answers, how should the PMO evolve in its maturity? And then the last two. Seven: calculate the PMO return on investment. Is the PMO able to generate positive financial results? And lastly, eight: establish the PMO balanced scorecard, the strategic monitoring of the PMO, measuring the success of your PMO. Again, this is another business risk framework that aligns to your organization strategy.
Looking at cybersecurity legal and compliance risk frameworks: regulatory systems equals trust equals integrity. As we looked at in the last chapter, the CIO needs to understand what regulatory and legally binding rules the company must adhere to. These are terms that we looked at before. Here are some examples of legal and compliance risk frameworks. You have GRC, governance, risk and compliance, where stakeholders demand transparency, regulations and enforcement for third party relations and risks. You have FAIR, factor analysis of information risk, which provides cybersecurity and business executives with the standards and best practices to help the organization measure, manage and report information risk. And then there are others, for example regulatory compliance frameworks. Cyber hawk is a compliance framework that provides guidelines to implement compliance departments. You have the Canadian Nuclear Safety Commission, a commission in Canada which regulates the use of nuclear energy and materials and protects health, safety, security and the environment. So there are several frameworks that can be used for the legal and compliance risks. Let's look at a couple of them.

One is governance, risk and compliance, which applies to industry and government, small and large businesses and non-profits; it is really agnostic. It's a framework where the governance part talks about achieving the business objectives. This is where governance looks at the overall management approach to IT risk, and also at the effectiveness of the risk management process. Then you have risk management, which is managing the risk: identifying, analyzing and responding to risk. And lastly you have compliance, where you are meeting the regulatory requirements, knowing which standards and regulations are key to your organization. Another framework is the factor analysis of information risk.
FAIR provides cybersecurity and business executives with the standards and best practices to help the organization measure, manage and report on information risk from the business perspective. Here are some components. There are four stages. Stage one is to identify the scenario components. This has two steps: you identify the asset at risk, and you identify the threat community under consideration. Stage two has five components: you estimate the probable threat event frequency, you estimate the threat capability, you estimate the control strength, you derive the vulnerability, and you derive the loss event frequency. Again, these are the different components that fall into evaluating loss event frequency. Stage three is to evaluate the probable loss magnitude: you estimate the worst case loss scenario, and you estimate the probable loss. And lastly, stage four, you derive and articulate the risk, and this is where you have the conclusive story of the articulated risk. Again, these are the different regulatory systems with which you can build trust and integrity as you are building your cybersecurity framework.

Next, we will talk about cybersecurity operational risk frameworks. These are operational balances that one must achieve as a CISO or CIO. You must demonstrate that you have the ability to balance. There's the front end, which is your clients, and there's the back end, which is your infrastructure. On the front end, they are trying to have access to your data, and you must provide availability, or deny access if they don't have the proper authority. And you need stability of the infrastructure, making sure that you have access to your infrastructure. You need to answer the question of the network operations center or security operations center: is it going to be centralized or decentralized? One needs to answer the question of topology: is my infrastructure network topology going to be high availability?
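The four FAIR stages described above (identify the scenario, derive loss event frequency, evaluate loss magnitude, derive and articulate the risk) are essentially a small calculation. The following Python script is an added example, not part of this course or of the FAIR standard's own tooling; it walks one constructed scenario through those stages. The scenario values, the percentile-based way of deriving vulnerability, and the function names are my assumptions, chosen to make the stages concrete rather than to reproduce FAIR's full distributions.

```python
"""Walking a constructed scenario through the four FAIR stages.
Added, simplified illustration (not the FAIR standard's full ontology
or any official FAIR tool); every number below is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Scenario:
    """Stage 1: scenario components (asset at risk, threat community)."""
    asset: str
    threat_community: str
    # Stage 2 inputs (constructed estimates)
    threat_event_frequency: float  # probable threat events per year (TEF)
    threat_capability: List[int]   # percentile samples of threat-agent skill, 0-100
    control_strength: int          # percentile of threat agents the controls resist
    # Stage 3 inputs (constructed estimates, currency units per loss event)
    probable_loss: float
    worst_case_loss: float


def vulnerability(threat_capability: List[int], control_strength: int) -> float:
    """Stage 2: derive vulnerability as the fraction of threat-capability
    samples that exceed control strength (assumption: a plain percentile
    comparison stands in for FAIR's probability distributions)."""
    if not threat_capability:
        raise ValueError("need at least one threat capability sample")
    if not 0 <= control_strength <= 100:
        raise ValueError("control strength must be a percentile (0-100)")
    exceeding = sum(1 for cap in threat_capability if cap > control_strength)
    return exceeding / len(threat_capability)


def loss_event_frequency(s: Scenario) -> float:
    """Stage 2: loss events per year = threat event frequency x vulnerability."""
    return s.threat_event_frequency * vulnerability(s.threat_capability, s.control_strength)


def derive_risk(s: Scenario) -> Dict[str, float]:
    """Stage 4: combine loss event frequency (stage 2) with loss magnitude
    (stage 3) into annualized probable and worst-case loss figures."""
    lef = loss_event_frequency(s)
    return {
        "vulnerability": vulnerability(s.threat_capability, s.control_strength),
        "loss_event_frequency": lef,
        "probable_annual_loss": lef * s.probable_loss,
        "worst_case_annual_loss": lef * s.worst_case_loss,
    }


def articulate_risk(s: Scenario) -> str:
    """Stage 4: the 'conclusive story' for executives, built from the numbers."""
    r = derive_risk(s)
    return (
        f"{s.asset} vs. {s.threat_community}: about {r['loss_event_frequency']:.1f} "
        f"loss events/year (vulnerability {r['vulnerability']:.0%}); probable annual "
        f"loss {r['probable_annual_loss']:,.0f}, worst case {r['worst_case_annual_loss']:,.0f}"
    )


# Constructed sample scenario (all values are illustrative assumptions)
SAMPLE = Scenario(
    asset="customer database",
    threat_community="external cybercriminals",
    threat_event_frequency=4.0,
    threat_capability=[20, 35, 50, 65, 80, 95, 40, 70, 55, 90],
    control_strength=60,
    probable_loss=50_000.0,
    worst_case_loss=400_000.0,
)

if __name__ == "__main__":
    print(articulate_risk(SAMPLE))
```

Running the script prints the stage four story for the sample: half of the constructed threat-capability samples exceed the control strength, so vulnerability is 50%, four threat events a year become two loss events a year, and the annualized probable loss is the loss event frequency times the probable loss per event. Raising `control_strength` in the sample and re-running shows how a stronger control drives vulnerability, and therefore the articulated risk, down.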
Is it going to be insourced or outsourced? Is it going to be on premise, off premise, cloud, or a hybrid solution? Are we willing to spend the money to achieve these results? Essentially, you can use the cybersecurity framework known as NIST, which provides policy frameworks of computer security guidance. It can assess and improve an organization's ability to prevent, detect and respond to cyberattacks. You can use ITIL, which is a framework that consists of best practices that can be adopted in order to provide IT service management. And there are other operational frameworks: ISO 27001, which we talked about, which is the requirements for establishing, implementing, maintaining and continually improving; it is a set of methods, techniques and guidelines to address both security and privacy aspects. And also total cost of ownership. This is a framework of the purchase price of an asset plus the cost of operations; assessing the total cost of ownership represents taking a bigger-picture look at the product and its value over time. So again, these are operational risk frameworks that can help achieve operational excellence in balancing availability and stability.

Let's look at a couple of these examples. Let's look at NIST, the National Institute of Standards and Technology. This is a private sector organization. It's a framework that provides policy frameworks of computer security guidance in the United States. It can assess and improve an organization's ability to prevent, detect and respond. These are some components. The first one is identify: the organization must develop an understanding of the environment to manage cybersecurity risk to systems, assets, data and capabilities. Number two is protect: the organization must develop and implement the appropriate safeguards to limit or contain the impact of potential cybersecurity events. The next one is detect: organizations must implement the appropriate measures to quickly identify cybersecurity events.
Respond: when a cybersecurity incident occurs, the organization must have the ability to contain the impact of the incident. And lastly, recover: the organization must develop and implement effective incident response activities to restore any capabilities, service outages and anything that is impaired due to a cybersecurity event. So again, those are the five core components of NIST.

The next one is ITIL, the Information Technology Infrastructure Library. This is a framework of best practices that can be adopted in order to provide IT service management with stability. Usually, you see these types of frameworks implemented if the company wants to have high service level agreements with its clients, even in a chargeback model. I remember working for a firm where we went from a cost center to a chargeback model, where we were meeting service level agreements and we were IT as a service. And so ITIL, the Information Technology Infrastructure Library, was a great implementation tool to achieve that goal. Here are some components of ITIL. First is service strategy: to decide on a strategy to serve customers. Number two is service design: designing an IT service model. Number three is service transition: to build and deploy IT services. And then you have service operations: making sure that you deliver effective and efficient products to your system, to your infrastructure. And lastly, continual service improvement: using methods from quality management in order to learn from past successes and failures and apply them to future success. Again, these are the operational risk frameworks that can bring stability and availability to your organization. This concludes this portion of the course. We'll see you next time. Thank you.