Session

Maturing Risk Management

Organizations tend to focus on the technical controls for protection of the company’s assets and reduction of risk. Security Operations Centers, IDS/IPS, Vulnerability Scanning and other controls are implemented and publicized. The number of implemented controls, and the number of standards satisfied are the measures of risk and risk maturity.

Unfortunately, this is not optimal, nor does it keep an organization safe. Organizations need to measure risk maturity on a different scale, one that includes people, processes and systems as much as the technical controls and compliance certificates.

This session will focus on a Risk Maturity model that covers the entire risk continuum, includes people, processes and systems, and is measurable and definable. This model, which parallels proven risk reduction and quality improvement practice in manufacturing, will walk organizations through the 2 classes and 5 phases of risk maturity:

Class 1: Risk Control
• Phase 1: Unknown Incident
Something occurs and it can't be fixed because we don't even know it happened.
• Phase 2: Incident Management
A risk manifests itself, somebody creates an incident ticket, and the organization rushes to close the risk and mitigate the impact.
• Phase 3: Protection Control
A risk manifests itself and the organization mitigates the impact before the client is aware or must be notified.

Class 2: Risk Assurance
• Phase 4: In-Process Protection
We identify a trend of a risk getting worse, or a new risk, and implement controls before the risk manifests itself.
• Final Phase: Continuous Protection Improvement
There is a culture and a focus by all individuals on identifying and reducing the risk profile on a daily basis.

Gerard Scheitlin

Focus on Risk Prevention, not Risk Mitigation
