Caffeinated Risk

McCreight & Leece
Nov 30, 2024 • 29min

Engineering, Risk Management for Cyber-Physical Systems with Andrew Ginter

The practice of engineering dates back thousands of years, incorporating science and mathematics to solve problems in the ancient world, and it remains a key requirement for developing the complex digital systems that control the physical systems at the core of our modern way of life. Unfortunately, connectivity and complexity have created a vulnerability we must now engineer our way out of, and just like risk management, engineering is about balancing constraints. Andrew Ginter is a recognized thought leader within the industrial security space with decades of real-world experience and the willingness to distill that knowledge into a series of books on operational technology cybersecurity. Mr. Ginter's latest book, "Engineering-Grade OT Security, a manager's guide," explores risk elements over multiple chapters and provided a great intersection with ESRM principles. A self-professed collector of industry wisdom, Andrew was quick to highlight Cyber Informed Engineering principles for security engineering within OT and to call out calculation issues when risk assessing black swans, while also offering an elegant approach to resolution. Due to a technical glitch, this episode joins Andrew, Tim and Doug in mid-conversation about Cyber Informed Engineering instead of the typical introduction banter of most episodes.
Oct 24, 2024 • 34min

Deviance Normalization & Risk Management with Marco Ayala

Technological change is inevitable and often one of the aspects that attracts people toward careers in information and operational technology. Although risk management is a part of navigating advancement in any area, the fundamental flaw in any management system is our human tendencies. This episode explores how organizations can make a slow, steady migration from first principles to risky undertakings without noticing. Marco Ayala, an operational technology cybersecurity expert and current Houston InfraGard president, joins this episode to further explore the reasons behind this normalization of deviance, a concept first introduced to OT cyber specialists at S4 in 2024. Mr. Ayala is also a CCE proponent and facilitator, leading to a discussion on possible options for course correction back off the normalization path. Although solutions must always be tailored to work within organizational constraints, the early contributors to the catastrophic outcomes associated with the Challenger space shuttle and Boeing 737 Max warrant exploration, or we will inevitably repeat them.
Sep 26, 2024 • 33min

Managing Supply Chain Risk Management - with Darren Gallop

Darren Gallop, a serially successful Canadian tech entrepreneur, shares his insights on supply chain risk management. He revisits significant breaches like Target's, emphasizing the evolution of compliance standards. Darren discusses challenges in vendor risk management and critiques traditional approaches that focus more on compliance than proactive assessments. He highlights the need for startups to integrate meaningful cybersecurity practices into their culture. Despite current risks, he sees a promising future for organizations willing to adapt.
Aug 29, 2024 • 35min

Metawar and Fostering Resilience with Winn Schwartau

Winn Schwartau, an internationally recognized security thinker, shares his insights on navigating the complexities of our tech-saturated world. He discusses the battle between big tech and our cognitive faculties while promoting the need for mental resilience. The conversation dives into the lessons from his new book, addressing challenges posed by AI and disinformation. Schwartau emphasizes the importance of enhancing security awareness, fostering critical thinking, and building cognitive defenses against information overload.
Jul 11, 2024 • 35min

Resilience and I.R. Lessons Learned (the hard way) - with Adam McMath

Adam McMath, an expert in incident response with a rich background in both cyber and physical security, dives into resilience and risk management. He shares transformative lessons from his firefighting days, emphasizing structured incident response frameworks. Adam advocates for a business-centric approach to cybersecurity, aligning security measures with organizational goals. He also discusses the vital connection between organizational culture and effective security, highlighting the human element in navigating threats and the pivotal role of training.
May 30, 2024 • 30min

ESRM a Transformation Catalyst with Radek Havlis

Radek Havlis, VP at O2 Telefonica, discusses the evolution of ESRM in the telecommunications industry, emphasizing the importance of visionary leadership, risk management philosophy, and security as a business enabler. Topics include navigating regulations, security transformation, cultural integration, and the evolving role of risk advisors within organizations.
Mar 28, 2024 • 29min

Contingency Planning, Cyber Resilience and Incident Response

Exploring cyber incident response plans mandated by various regulatory frameworks, the podcast delves into recent Canadian cyber incidents, the challenges they pose, and the importance of using ESRM principles to enhance cybersecurity programs. With a focus on building resilience, the discussion emphasizes the need for contingency planning, agility, and effective communication with executives to navigate cybersecurity incidents effectively.
Feb 22, 2024 • 31min

The Business Context of Cyber Resilience with Steven J Ross

Learn from cyber security expert Steven J Ross about the importance of cyber resilience in the business world. Explore topics such as privacy in data management, AI impact on privacy, data recovery challenges, cyber resilience in healthcare, and building trust with clients through transparent cybersecurity communication.
Jan 25, 2024 • 30min

Building a Cyber Risk Management Program with Brian Allen

Brian Allen, co-author of a new book on Cyber Risk Management Program, discusses the SEC mandated requirement for cyber risk management. Topics include the framework of a cyber risk management program, balancing risk-informed decision making, and the significance of understanding the role of security professionals.
Dec 14, 2023 • 32min

CyberPHA - OT Risk Management with John Cusimano

John Cusimano, former chairman of the ISA subcommittee, talks about the origins of the OT-specific risk assessment process, managing and perceiving the methodology, and the future of cloud computing. They also discuss the integration of engineering disciplines in cyber risk management, involving subject matter experts in the risk assessment process, and the significance of collaboration and tailoring the process. The chapter on understanding a risk-based approach in OT security programs emphasizes the importance of baseline controls.