In an age when data breaches are a daily occurrence, senior leadership teams and boards of directors want assurances that their cyber security programs are doing what is required to defend their organization. But at the same time security teams are struggling to quantify risk or find effective strategies for presenting risk to leadership in a way that clearly communicates the reality of the risk an organization is accepting. Even security professionals are struggling to agree how to define or measure risk effectively.

In this presentation, James Tarala will share lessons learned from research into risk management and his experiences communicating about risk to boards of directors and C-Suite leadership teams. He will present specific strategies to consider when measuring risk, communicating risk, and helping security teams realistically setting expectations with business stakeholders. While this topic traditionally has been a nebulous, vague conversation, in this presentation, listeners will learn actionable steps to communicating risk in more effective ways.

Speaker Bio

James Tarala is a principal consultant with Enclave Security based out of Venice, Florida, and a SANS Senior Instructor. As a consultant, he has spent the past several years designing large enterprise security and infrastructure architectures, helping organizations to perform security assessments, and communicating enterprise risk to senior leadership teams. He is the author and an instructor for SEC566: Implementing and Auditing the Critical Security Controls, SEC440: Critical Security Controls: Planning, Implementing, and Auditing, and a co-author and instructor for MGT415: A Practical Introduction to Cyber Security Risk Management.
Read James’s full bio at https://www.sans.org/profiles/james-t...

About SANS

SANS is the most trusted and by far the largest source for information security training and security certification in the world. It also develops, maintains, and makes available at no cost, the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system - the Internet Storm Center.