Building a cyber risk management program - Not just for compliance

Amrutha Kuzhikattil
Cyber & Tech - Risk Manager

Automatic Summary

Bridging the Gap: Effective Integration of Cyber Risk Management and Enterprise Risk Management

In today's digital landscape, the need for robust Cyber Risk Management (CRM) within companies has never been greater. With cyber threats evolving, organizations must integrate CRM effectively with Enterprise Risk Management (ERM). In this article, we’ll explore the key elements of both frameworks, the challenges they face, and provide actionable recommendations to enhance risk management practices across your organization.

Understanding Enterprise Risk Management

Enterprise Risk Management is a structured approach used by organizations to identify, assess, and manage risks across all departments. This centralized function collects risk data and reports it to senior leadership to form an organization-wide risk profile.

  • Risk Identification: Gathering risk data from all departments.
  • Risk Assessment: Analyzing risks in categories such as strategic, fraud, financial, and technology risks.
  • Risk Management: Developing strategies to mitigate identified risks.

The structure varies with organizational size. Larger enterprises and multinationals typically run a central ERM team at headquarters with regional units reporting up to it, while smaller organizations have a single small central team that collects risk data from every department.

The Importance of Cyber Risk Management

Cyber Risk Management, on the other hand, focuses specifically on identifying and mitigating risks that originate from cybersecurity threats. In practice the security team usually builds its own risk framework, mirroring ERM but scoped to cyber, staffed by someone with both risk and security skills, and reports through the security steering committee rather than the enterprise register. That silo is what makes integration necessary.

  • Identifying Cyber Risks: Assessing threats, vulnerabilities, and asset criticality. Criticality is the prioritization lever: threats and vulnerabilities are never in short supply, so the same finding on a non-critical asset can be managed, avoided, or deferred rather than fixed immediately.
  • Risk Assessment: Evaluating the potential impact and likelihood of various cyber threats.
  • Mitigation Strategies: Developing strategies to mitigate, accept, transfer, or avoid cyber risks.

Challenges in Risk Management Integration

Integrating CRM and ERM improves an organization's overall risk picture, but several obstacles get in the way:

  • Silos in Departments: Cybersecurity and enterprise risk teams often operate separately with varying terminologies.
  • Misalignment of Frameworks: Different risk assessments may not translate well between the teams.
  • Exclusion of Cyber Risks: Technology risks are sometimes overlooked or categorized differently in the enterprise risk register.
  • Lack of Communication: Security is often not consulted at procurement intake or when a purchased solution is configured, so weak vendor posture and insecure configurations go unaddressed.

Strategies for Effective Integration

To successfully integrate Cyber Risk Management with Enterprise Risk Management, organizations can employ several strategies:

  1. Establish Communication: Encourage open dialogue between cybersecurity teams and enterprise risk managers.
  2. Create a Common Framework: Develop a translation mechanism to align risk assessment terminology and processes between both frameworks.
  3. Utilize Risk Registers: Consolidate risks from both frameworks into a unified risk register to provide better visibility and facilitate communication.
  4. Collaborative Risk Assessments: Combine the technical expertise of the cybersecurity team with the strategic insights from the ERM team to enhance risk evaluations.
  5. Incorporate Business Process Assessments: Ensure that risk assessments consider business functions and third-party tools that could impact organizational risk.
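As an added illustration of steps 2 and 3 (and of the 5x5 versus 3x3 matrix, the tolerance figure and the insurance figure discussed in the transcript below), here is a small Python model of the translation mechanism and a unified register. It is example code written for this page, not the author's tooling or any GRC product. The 1..5 scales, criticality weights, rating bands, the cyber-to-ERM mapping table and the treatment thresholds are all assumptions, since the talk is explicit that each organization has to define its own formula and there is no standard reference.

```python
"""Added example for this page, not code from the talk or any GRC product.
Models a cyber-to-ERM risk translation and a unified register. Every scale,
weight, band, mapping and threshold below is an assumption for illustration;
the talk is explicit that each organisation defines its own formula."""
from dataclasses import dataclass
from typing import List, Optional

# Assumed 5x5 cyber matrix: likelihood and impact each scored 1..5.
# Assumed asset-criticality multiplier so the same threat/vulnerability
# pair scores lower on a non-critical asset and can be deferred.
CRITICALITY_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5}

# Assumed cyber rating bands on the weighted score (maximum 5*5*1.5 = 37.5).
CYBER_BANDS = [(20.0, "critical"), (12.0, "high"), (6.0, "medium"), (0.0, "low")]

# Assumed translation onto a 3-level ERM scale. This table is the
# organisation-specific "formula" the talk mentions; there is no standard.
CYBER_TO_ERM = {"critical": "major", "high": "moderate",
                "medium": "moderate", "low": "minor"}
ERM_SEVERITY = {"major": 0, "moderate": 1, "minor": 2}  # sort order, 0 = worst


def cyber_score(likelihood: int, impact: int, criticality: str) -> float:
    """Weighted score for one cell of the 5x5 matrix and the asset's criticality."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers in 1..5")
    return likelihood * impact * CRITICALITY_WEIGHT[criticality]


def cyber_rating(likelihood: int, impact: int, criticality: str) -> str:
    """Bucket the weighted score into the cyber framework's own labels."""
    score = cyber_score(likelihood, impact, criticality)
    return next(label for floor, label in CYBER_BANDS if score >= floor)


@dataclass(frozen=True)
class Appetite:
    """Assumed thresholds in currency units, mirroring the talk's figures of a
    1,000,000 tolerance and a 10,000,000 insurance policy."""
    tolerance: float
    insured_limit: float


def treatment(expected_loss: float, appetite: Appetite, avoidable: bool = False) -> str:
    """Accept / transfer / mitigate / avoid. Assumed decision order: within
    tolerance -> accept; above tolerance but within the insured limit ->
    transfer; beyond that, fix it, or stop the activity if that is an option."""
    if expected_loss <= appetite.tolerance:
        return "accept"
    if expected_loss <= appetite.insured_limit:
        return "transfer"
    return "avoid" if avoidable else "mitigate"


@dataclass
class RiskEntry:
    risk_id: str
    source: str                  # "cyber" or "erm": the register it came from
    description: str
    cyber_rating: Optional[str]  # None for risks that never had a cyber score
    erm_rating: str


def translate_cyber(risk_id: str, description: str,
                    likelihood: int, impact: int, criticality: str) -> RiskEntry:
    """Register entry carrying both ratings, so the mapping is visible in reporting."""
    label = cyber_rating(likelihood, impact, criticality)
    return RiskEntry(risk_id, "cyber", description, label, CYBER_TO_ERM[label])


def unified_register(cyber: List[RiskEntry], erm: List[RiskEntry]) -> List[RiskEntry]:
    """Merge both registers into one profile, most severe ERM rating first;
    the sort is stable, so entries with equal ratings keep their input order."""
    return sorted(cyber + erm, key=lambda e: ERM_SEVERITY[e.erm_rating])


if __name__ == "__main__":
    # Constructed sample findings, not real ones.
    cyber_entries = [
        translate_cyber("CR-1", "Unpatched internet-facing VPN appliance", 4, 5, "high"),
        translate_cyber("CR-2", "Stale AD accounts left after offboarding", 3, 3, "medium"),
        translate_cyber("CR-3", "Test-lab host without MFA", 4, 2, "low"),
    ]
    erm_entries = [RiskEntry("ER-1", "erm", "Key supplier insolvency", None, "major")]
    for entry in unified_register(cyber_entries, erm_entries):
        print(f"{entry.risk_id:5} {entry.source:5} {str(entry.cyber_rating):8} -> "
              f"{entry.erm_rating:8} {entry.description}")
    appetite = Appetite(tolerance=1_000_000, insured_limit=10_000_000)
    print(treatment(50_000, appetite), treatment(5_000_000, appetite))
```

The point of carrying both `cyber_rating` and `erm_rating` on every entry is the one the talk makes: when ERM asks the security team for its risks, the translation and its rationale are already on the register, so a "high" in the cyber framework lands in the enterprise profile at whatever level the organization has agreed it maps to, without a per-risk negotiation.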

Conclusion

The need to unify Cyber Risk Management and Enterprise Risk Management is clear: it enhances an organization’s resilience against cyber threats while improving overall risk awareness. By fostering collaboration, assessing risks holistically, and implementing shared frameworks, companies can protect themselves from both cyber and enterprise risks.

For more insights and discussions about integrating these frameworks or any questions about risk management, please reach out! Let’s learn and grow together in this challenging landscape.


Video Transcription

So okay. Hi, everybody. Thank you for joining the session. Thank you, Mo, for confirming that you can see and hear my slides. Hi, Celine too. So, please communicate via chat. It's a twenty-minute session, so I'll go over the content. If there are any questions, I'll try to answer them as much as possible during our session. If not, we can connect offline and discuss more about it. Today's session, so a bit about me. I'm Amrutha. I'm a cybersecurity professional. I started myself as a consultant doing a lot of the security work that you can think of in terms of risk assessments, developing a cyber program, and managing cybersecurity for companies. From there, I transitioned myself into working on and focusing on risk management activities exclusively. I used to work within the cyber department, identifying and managing risks.

Now I've transitioned and moved myself into the enterprise risk management team, again focusing on the side by side. So I would say I've seen both sides, and identified a couple of gaps and issues that I've seen through my career in these last ten years. So I'd like to share my experiences back to the community. So to start, we'll go on a high level about what an enterprise risk management framework is, and then move into understanding what a cyber risk management framework would look like. I'm assuming you have a bit of background about what these are. This would not be a deep dive into what each of these frameworks is about, but more in terms of what the challenges are and how best we can align these two frameworks and better manage risks in an organization.

And some recommendations that I think of, which would help integrate these two processes to better control and view the risks of an organization. So starting with what an enterprise risk management framework is. It's more or less an organization-wide strategic approach to risks, where you identify your risk, assess your risk, and manage your risk. So in organizations, usually there is a team which is called ERM, whose sole responsibility is going to each and every department in an organization and identifying and gathering risks from them. So they look at different kinds of risks: your strategic risks, your fraud risk, your financial risk, including your technology and cyber risks. So this is a centralized department where they collect all risks for the organization and report back to the senior leadership to say, this is the organization's risk profile.

Now this would vary from organization to organization. If you're a large organization or an MNC, they would hold it centralized in their headquarters and have smaller units across the globe reporting up to them. But if you are a smaller organization, an SMB kind of organization, you will have a smaller team, centralized again, that would collect information from all the departments that are there. Now coming to cyber risk management, this is one place where the security teams would identify and build a risk management framework within themselves to identify very specific cyber risks. So, if I would say, they would exactly mimic what an ERM does, but very focused on the cyber part. So this is mainly, you know, they would hire somebody with a risk skill set plus cybersecurity experience to objectively evaluate processes in the organization, the activities that the cyber team performs, and then evaluate the risks and try to mitigate them.

This is how it works. Oftentimes, I've found these two departments work in silos. And sometimes the language that's spoken between these two teams differs. You know? So throughout this presentation, we'll look at how we can improve on that and what the ways are that we can synergize both of these two teams' activities and improve on them. And okay, one thing I would like to add is that cyber risk management, or the cyber risks that stem out of these security teams, often get reported up to the security steering committee, and at most a couple of governance committees. Usually, what happens is ERM is the one who would gather all these risks and then take them up one level above, to maybe your senior leadership or wherever your CISO has a seat; they would present these risks over there. Now how would you build an effective cyber risk management framework? You know? Generally, a component of any risk management framework would include all this: that is, identify your risks. Like, how would you identify your risks? How would you assess your risks? For cybersecurity, it's mostly focused around your threats, vulnerabilities, and asset criticality.

One thing I would like to add is that asset criticality is important because we are not short of threats and vulnerabilities in cyberspace, if you look at it. The importance of asset criticality is that, when you have assessed all the threats and all the vulnerabilities, unless you find that the risk that's coming out of it is very high, your mitigation activities and the energy that you put in to fix or resolve this issue would depend on that asset criticality.

If it's an asset that's not a highly critical asset, and your risk is very high, you can look at options to either effectively manage it, or even effectively avoid it, or just push it down your list to fix it later. Because it'll help you prioritize how you would want to manage your risks. This is that phase where, after you identify all your risks, the management part comes in and talks about, okay, what do you do with this risk today? Do you wanna mitigate it? Do you wanna fix it? Or do you accept it as an organization? Maybe if your risk tolerance is, let's say, 1,000,000 and the risk that you've identified is, let's say, fifty thousand, do you wanna accept the risk, because it's still within your threshold? Avoid the risk: I would completely stop doing what you're doing, from where the risk is coming up. That is what avoid is.

Transfer is pretty much how you would move this risk to another team, mostly insurers, where you would say, okay, I'm buying an insurance of 10,000,000. And anything less than that, I will just make sure the insurance is gonna cover it. So these are the general components in a risk management framework. This is what even the cyber team does when they build their own risk management framework. The key part is about how you map the cyber risk management framework to ERM. So generally ERM comes up with a classification matrix about how they assess and how they evaluate risks. If you're familiar, you would have seen either a five by five matrix or a three by three matrix, in which they would translate all risks and then put them in any of these buckets. Cyber risk management also does the same thing. But sometimes, because we assess all our risks by evaluating threats and vulnerabilities, our impacts or our classification matrix would look different.

So let's say you would be putting something as high in a cyber risk management framework. You should make sure it effectively translates into a similar terminology with the ERM. This doesn't necessarily mean that you need to copy the exact classification matrix in your framework. You will have to build that translation mechanism in between your cyber classification and your ERM classification so that your reporting process is effective. When I say the reporting process is effective, it's because ERM would definitely come to you, come to the cyber departments, and ask them, what are the possible risks that you have in your organization? Either you can use your existing risks and communicate them to them and go back and forth about how to find the correct classification level for it. Or we can use this translation that's there in between to map and say, okay.

My cyber risk that's medium in my framework would be an equivalent of high in an ERM. And what is the rationale behind this? So once you build that translation within your framework, within your cyber framework, it would be very effective when you start reporting on these cyber risks. And this is very important because, at many places, what happens is, you build a risk register. This is one example of a risk register. How would you fill a risk register? So all the risks that you identify technically fall into and get documented in a risk register. So you would have seen a risk register which gets inputs from your procurement assessments, your third-party assessments, your project assessments. There are a couple of places from where this risk register gets built up for security teams.

So when your framework is defined exactly, and it's very clear for both the teams, communicating and documenting these risks would be efficient. So today, let's say you have a project risk, which would not get closed after the project, and it is a security risk; it should get documented in your cyber risk register. So when that is marked as, let's say, high during your reporting phase, or when you're reporting about your risk profile, upon communication to the enterprise risk management teams, you can now effectively say that, okay, I have identified a security risk which is high, which translates automatically as a minor risk in ERM as per the classification. So this becomes a very effective exercise where you automatically get that translation built in. When I say automatically built in, it's the formula that you, within the organization, need to define. There is no standard reference for this.

It would be built upon what your organization is and what your risk appetite is. So eventually, when you do that, when your risk register has this mapping that talks about what your risk framework's residual risk level is and what your ERM framework's residual risk level is, it tells you where this risk lies in the organization's profile. And it's much more efficient in communicating and talking about these risks. Now, I did talk about a couple of challenges in translating between your cyber risk management framework and your ERM framework. A couple of other challenges that I've noticed is that sometimes security teams do not get a seat at the table, especially at the procurement intakes and whenever you configure a solution or an app. It's changing because of the rise in third-party risks. This is improving.

But still, sometimes the processes are built in such a way that you do not get much of the vetting power or much weight in these assessments for security to make a decision, or to put a foot down and say, okay, these procurements cannot go through because of the weak security posture of the vendor, or because of so and so, whatever reason they have. So that's one challenge, because procurement is one place where security can see what all comes into the organization. Okay? And then, if you do a lot of cleaning at the first phase, it's much more efficient in bringing much more secure solutions into your organization. And the second thing is when you configure it. Okay, you vetted a solution that's safe, secure, but now how do you configure it? Configuring is mostly left to either IT or your architectural teams, but security needs to also have a view or a decision, let's say, in the configurations to make sure that these are done.

These solutions that you buy are configured securely too. Another common challenge is alignment between the ERM and the security assessments. ERM assessments mostly pick a scope based on what they identify as a risk, and security assessments are also some periodic activities that they do. They can be mostly technically focused, either an AD review or a cloud review or maybe even a third-party review. It helps if your security teams work together with the ERM and you build a plan for a year that says, okay, these are the assessments that we are going through, or this is what we would do, so that you're focusing more on an in-depth assessment rather than a very high-level assessment. See, ERM folks do understand risk.

They may not be technically skilled enough to do full-fledged security assessments, but your security teams are, or do have that skill set, to do security assessments. So I would say it's the best of both worlds if you can combine these technical skill sets and the risk management skill sets together and plan your risk activities. You know? So that it's good for the organization to see what the entire risk profile would look like, rather than just two different teams doing two different assessments and activities. I understand that we have three lines of defense, where ERM sits on the second and the security teams would actually sit on the first line. This does not mean that ERM should completely depend on the security team to complete all their assessments, but ERM should govern the process to make sure that nothing is getting overlooked.

You need to find that synergy in the end. You know? It doesn't mean that your line one should not do what they're supposed to do and line two is not doing what they're supposed to do. It would be much more efficient if you do it together. For example, if you're planning to do an AD review, you know, and ERM wants to do an onboarding and offboarding process review, it would make sense if you do them together, where they are doing a process-level assessment and security is able to do an in-depth AD review or your Entra reviews to make sure all the people that are coming into and going out of your organization have their IDs removed effectively.

That's the approach I'm talking about here. One other thing that's often overlooked is also the business process, where you do not assess your businesses, you know, your business processes. For example, do you look at how your marketing functions? Because your reputational impact is very important. So they use a lot of third-party tools, which sometimes are not integrated with your organization. So, assessing their processes, the tools that they use, what identities they create, do they have 2FA enabled, a couple of things that help when you make sure your business processes are also included in your security assessments. So what can be done? What are the ways that we can improve on these things?

A couple of them are: we should make sure there's good synergy between the cyber team and the enterprise risk management teams. Risk teams can effectively use their risk register to make sure, you know, you get wider organization support to complete your projects. It's one way to show the organization what the risks are that you have, and these are the projects that you want to build to reduce these risks. I found it much more efficient when you present it that way rather than just saying, oh, I want to do one, two, three, four projects in the organization, and these are security projects. Another thing would be to plan your risk assessments effectively. Like, understand your organization and plan them. One good place would be your BIA and BCP. They'll tell you what your critical processes are. Begin from there and start doing your risk assessments from there. That'll be much more efficient. That'll be much more helpful for you.

Thank you. That was the quick round on the cyber and risk management framework. If there are any questions, please shoot them in the chat. I can help you. I do have some questions here. One says that ERM in any organization should be reporting inclusive of tech and biz. Okay? How do you handle a situation where the ERM team doesn't think the tech risks belong on the enterprise risk register? How do you influence them to include IT security risks? I'm assuming, Rachel, the question was about how do you convince them that a risk which is of a lesser risk level should be in the risk register? Because, technically, by definition, ERM should include all risks, including your technology and your cyber risks.

It would definitely not exclude any cyber risks from it. The only place where I found challenges was where they don't think it's on a higher level or of a higher impact because it does not match their classification matrix. You know? That's where I said your synergy between both your frameworks and your classification exercises helps. And sometimes adding the possible types of attacks within your organization's processes helps them understand, or resonates with them much more, rather than speaking sometimes too technically. You know? We need to understand not everybody on the other end is technical. So maybe giving them examples, short examples about how those risks apply in your organization, would help it resonate with them.

And again, if you're still not getting a foot at the table in your corporate risk register, I would use the platforms of steering committees. This is where security teams lead. The security activities are presented, these activities. So I would definitely call it out in these kinds of forums, where we want to talk about this risk and make sure it's communicated across the organization. And then the questions would be asked about, oh, why are some things like these not in the corporate risk register? Peng, how does AI help with cyber risk management? That's a very good question and an important one too. I would need another session to talk about it, but I can just give you a quick, short insight on what we are doing at our end, or what I'm doing at my end, which is that the risk frameworks that we do traditionally for cyber do not exactly pick up and apply on the AI front.

AI risk needs to be evaluated quite differently, and assessed differently. You need to scope them very separately to assess them. It cannot be built by generalizing all the possible AI attacks and putting them in your risk register. Now if your question is about how you wanna automate or use AI to come up with your cyber risk management, or I would say that risk management would be more about your cyber risks: you can use it, I would say, by building something within, rather than buying something off the shelf, AI tools where you can feed a model your common risks in your risk register and kind of tune the model to say, okay, what are the possible attacks or what are your common threats in your organization's profile?

That's something interesting, where I've been building on a platform. It's still not complete. I'm still trying to build one to see how effective it is going to be. The AI space is an interesting one. There's lots to learn, and there's lots to do too. So, just keep learning, and share your knowledge too. That's all for today. Thank you very much to everybody who joined. If you have any questions or anything, please reach out, and let's learn and grow together. Thank you very much.