This is a preview of my RSA 2016 presentation, The Newest Element of Risk Metrics: Social Media.
The main question that keeps everyone occupied online is, “how big is yours”?
How many followers do you have on Twitter? Friends on Facebook? Connections on LinkedIn? Hits for your name on Google? Likes on Instagram?
This online popularity contest is a natural progression of how people live their lives these days (ask any kid), both in their public and professional lives. But for organizations, these questions cannot be asked so flippantly. Many modern organizations have neglected a critical aspect of this new dynamic: risk management.
Risk management, specifically in the information security industry, has come a long way from the old days of stoplight categorization (how many Red findings do I have? Yellow? Green?). Because it was a manual, highly-subject decision on the part of risk consultant, it really didn’t mean much. Over the years, it has evolved into a much more scientific (and dare I say financial) practice. Modern infosec risk management best practices calls for threat prioritization based on their potential impact to assets. Extrapolating one layer further, the asset’s value helps prioritize what matters most to a business (models such as OCTAVE and FAIR demonstrate risk prioritization clearly, and I highly suggest for anyone not familiar with these, who might still be managing risk based on gut feelings, to consultant a CVSS scoring reports to better understand their value).
But how do the worlds of social media and risk management overlap? How does one’s Twitter following concern a CISO’s risk model? That’s exactly the question that we have to ask ourselves, in light of the major increase in social media related attacks (compared to traditional email). How does an organization’s leadership measure and quantify the risk associated with their employees’ online activity (whether from within the organization or outside of it)? How can organizations prioritize applying controls, processes, and education/awareness for specific individuals vs. others in order to be more effective? Afterall, we’ve all been through the droning and generic process of clicking through some non-tailored slideware for security awareness — now, THAT is highly effective, right?
That’s why we came up with Social Media Risk Metrics, or SMRM. SMRM is a framework designed to complement existing risk management practices by providing the ability to measure the potential risk of an individual’s (or a brand’s) online activity more frequently and accurately. Factoring in organizational biases (or risk appetite) for different categories and leaning on years of experience in risk management, measurement, and cyber security, SMRM will empower your organization to figure who’s posing a risk online, who’s attracting unwanted negative attention and how to address these risks accordingly.
I’m looking forward to diving into the framework and discussing its applications at RSA 2016! The newest element of risk metrics are, those found on social media.
Check out more on Ian’s talk here, The Newest Element of Risk Metrics: Social Media.