As security professionals, almost every action we take comes down to making a risk-based decision. Web application vulnerabilities, malware infections, physical vulnerabilities, and much more all boil down to some combination of the likelihood of an event happening and the impact of that event. Risk management is a relatively simple concept to grasp, but the place where many practitioners fall down is in the tool set. The lucky security professionals work for companies who can afford expensive GRC tools to aid in managing risk. The unlucky majority out there usually end up spending countless hours managing risk via spreadsheets. It's cumbersome, time-consuming, and just plain sucks.

After starting a Risk Management program from scratch at a $1B/yr company, I ran into these same barriers, and where budget wouldn't let me go down the GRC route, I finally decided to do something about it. At BSides Las Vegas 2013, I would like to formally debut SimpleRisk, a simple and free tool to perform risk management activities. Based entirely on open source technologies and sporting a Mozilla Public License 2.0, a SimpleRisk instance can be stood up in minutes and instantly provides the security professional with the ability to submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews. It is highly configurable and includes dynamic reporting and the ability to tweak risk formulas on the fly. It is under active development with new features being added all the time and can be downloaded for free or demoed at http://www.simplerisk.org.

With a simple, powerful, and cost-effective tool and some basic risk management knowledge at your disposal, you too can become the security rock star that your business seeks out for risk-based decision making. Let me show you how to convince your management, your peers, and yourself that Risk Management doesn't suck.

BIO: Josh Sokol, CISSP, graduated from the University of Texas at Austin with a BS in Computer Science in 2002. Since that time, he has worked for several large companies including AMD and BearingPoint, spent some time as a military contractor, and is currently employed as the Information Security Program Owner at National Instruments. In his current role, Josh manages all compliance, security architecture, risk management, and vulnerability management activities for NI. Josh holds a CISSP certification and has spoken on dozens of security topics including the much hyped "HTTPS Can Byte Me" talk at BlackHat 2010.
Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast