Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hi everyone. Welcome to episode two of Cash in the Cyber Sheets. Very happy you're here.
I'm your host, James Bowers with Input Output. And if it's a little confusing, last episode we had stated was our first episode, zero, zero, zero. But unfortunately, all of the platforms that we posted on will only let us start with one.
So that one's changing to one. This one's going to be two. But for what it's worth, this is the second episode.
Happy you're here. Got some cool things to talk about to continue on from what we talked about last time, building the foundation. Want to go into today, actually, how to identify what could impact your organization, what that could mean for you.
And most companies, when they do this, they focus on all the different vulnerabilities, all the different ways that things could go sideways, but not so much on what that means to the business. So I'll show you how to focus on the things that could actually impact the business, the kind of quote unquote what's, and that way you'll be better prepared for anything that comes. So even if there's things like a worldwide pandemic that you didn't account for, you'll have plans in place to be able to take action on those.
So we'll jump into that. Very, very cool stuff. Before going any further, I don't want to forget if you're on Apple Podcasts, Google Play, wherever you're listening to us, please click that subscribe.
If it's on YouTube, that button should be right there. Also, if you get a chance, leave us a review. Let us know the things you like, the things you don't.
That really helps us improve and get out in front of more people. Also, a few kind of housekeeping things. Wanted to say over the next few shows, there might be a little variability, and I guess like the editing structure or some of the sound, just minor format things.
And that's just because we're trying a few different ways to do the editing, get everything together, and as much as we can kind of trim the fat of the processes. So the meat and potatoes are going to be there. That's all going to be the same.
But you may notice a little bit differences there. So if you do, please bear with us. Also, we're bringing on some new solutions, a lot of cool new tools, some new techno stuff, neat things to spend money on, some good retail therapy.
We'll get into those later some other time. And also, the site Cash in the Cyber Sheets will be coming up online here pretty soon. So once that's up and running, I'll let everybody know.
But again, thank you for joining us. And let's go ahead and jump into the risk management process. So I guess starting risk management 101, risk management is really in layman terms just about managing all the different things that could go sideways to keep you from reaching your goals.
So when I talk to a company, when we sit down, it's where do you want to be in a year? Where do you want to be in three years, in the next five years? And depending on the organization, that may even go out to 10. Some much larger ones will take it to 20. That's more of like a BHAG, big, hairy, audacious goal.
But for the most part, we're looking at where do you want to be over the next few years? And then the risk management side looks at all the different things that could keep you from getting there and puts controls, puts plans in place to help either survive that or to avoid those altogether. So when we look at risk management, we're really looking at a few different ways that we can handle it. There's really only four.
One, we can completely avoid a situation. So I'm going to use a motorcycle example here. I live in Florida.
Aside from being very, very hot, we have a lot of people that aren't great drivers on the road. So our roads can actually be pretty dangerous. And riding a motorcycle here, especially so.
So there's a lot of risk with riding a motorcycle. You could get in an accident. You could get, obviously, you could get hurt.
You could all the way up to getting killed, which would be a big impact to your family. Obviously, a big impact to you. But there's a lot of different risks there with riding a motorcycle.
So when we look at risk management at riding a motorcycle, we can look at first, we can avoid it. And that's what I do. I've got young kids.
It's even though it's fun riding. I just I don't want to have that risk in my life right now. So I don't ride at all.
So the chances of me getting hurt, being impacted from riding a motorcycle are practically zero. They're non-existent because I don't I don't do it. It's it's not a risk.
I don't need to put any controls in place. Anything other than being able to completely avoid it, though, then we're going to look at how can we mitigate. First we can mitigate, and we can transfer risk, and then we can accept, and go on through each of those. We first look to mitigate.
How can we, those risks of getting hurt, those risks of being put into the hospital, all of those different risks, we can mitigate those by wearing a helmet, that can be one. We can also only ride during the day, not ride when it's raining.
We could take some safety courses for riding a motorcycle. All these different things we can do to help either reduce the likelihood of something bad happening or reducing the impact if something bad does happen. So all those courses not riding at night, not riding when it's raining, that's going to reduce the likelihood of us getting into a bad accident, wearing the helmet, maybe the the leather gear.
All of that is going to help us in case we lay the bike down, we get into some sort of accident. It may not be as big of an impact to us. So once we put all those mitigating strategies in place and we've got to weigh those, what do what's worth it? Obviously, we don't want to put a thousand dollar lock on a hundred dollar bicycle.
But what things can we reasonably put in place? And once we've done all of those mitigating controls that we want to do, that that we think are appropriate. Turn the mic down here a little bit. All those that we that we think are appropriate.
Then we can look at how can we transfer some of this risk? And typically transferring the biggest way that most people transfer risk is insurance. So back to the back to the motorcycle analogy. There's a risk that if I get in an accident, I may not be able to work anymore.
That's going to impact my income. There's also the risk that that I may completely expire. I'm having a hard time just saying die here on the on the podcast like it's like it's too morbid.
But I could die on the on the motorcycle. And if that happens, there's going to be a big financial impact to my family. They may not be able to stay in the house that they're in.
My kids may may not be able to go to college. They may not be able to even they may have trouble putting food on the table. So these are just some of the risk.
There's there's a lot of other risk there. But on the transfer side, I'm going to get insurance, auto insurance, disability insurance, and perhaps even life insurance. So if I lay the bike down, I'm OK.
The bike gets all scruffed up. Well, I've got the I've got the auto insurance to cover the bike. If I get hurt and I can't work, I've got the disability and God forbid I die.
My family's got the life insurance so that at least their life isn't completely turned upside down. They can stay in the house. They can keep food on the table.
They can they'll be OK without without me here. So we can transfer a lot of risk. We can't transfer all of it.
But once we've mitigated everything that we can, once we've transferred everything that we can, then basically we just accept the risk. If riding a motorcycle was that important to me after I did all those things, I would accept that I could possibly die on the thing and lose all the time with my family.
So those are the four different ways to manage risk. Some books you read will say, like, there's five or six.
There's not. There's really only four. All of the other ones are derivatives of these.
A lot of times you'll see sometimes accepting a risk without any controls or blindly accepting a risk. That's just accepting, that's without doing anything else.
So I like to keep, as much as we can, things simple. So we can avoid a risk.
That's the best way. There's no way it can impact us. We can mitigate.
We can then transfer and then we accept. And the next step there, the next consideration is our risk appetite. How much risk are we willing to accept? How much risk are we comfortable with? And that's different for everybody.
That's different for every company. Me, I don't ride a motorcycle at all. I've got a very low risk tolerance for it.
Just because so well, because of me, very low risk tolerance. Other people ride their motorcycle in their bathing suits. They've got a much higher risk tolerance.
There's no right or wrong. It's it really comes down to the individual and the business and businesses are the same way. How much risk are we willing to accept, say, working in this industry or working this project or in this manner? It all depends on the company.
But those are the core aspects of the risk management. The avoiding, mitigating, transfer, and accepting, and then tying that into your level of comfort, your risk acceptance. And this is really across any industry.
If you're looking at financial, same exact thing. If you're looking at manufacturing, if you're looking at medical, that's the risk framework. It works everywhere.
So getting to how to actually identify, or I guess make use of that, why does it matter? Is we want to identify those things that can go sideways. And where a lot of companies, where a lot of people will look, where they will focus, because it's an easier thing, is what are the bad things that can happen? And I might start listing those out. Well, I could get into a car accident.
I could get, I may be speeding and get a ticket. And then that would make me late to work. If that happens enough, then I lose my job.
From a business perspective, we can think of all the different things. Maybe a supplier stops working out for us. Maybe there's a hurricane, a fire.
People really weren't thinking about it before the pandemic. Maybe there's a major supply chain issues. These are all things that we can identify.
And that's all well and good. There's a lot of structure out there. There's a lot of tools to help walk you through all those things.
But what I found in working with companies is when you look at it from that lens, all the different things that could go sideways, is it makes it difficult to step into the opportunity management of looking at if something bad happens, how could we capitalize on it? What it also does, and this is considerably more dangerous, is it's impossible to identify all the hows. What are all the different ways that something could go bad? And it's very difficult to be able to sit down and say, okay, here's all the different things that could happen. And even if you could, even if you put that much money into your risk management department, which no one does, but even if you did, that list would be so long, it would be too difficult to work with.
So what I tend to work on with companies is taking a step back and let's look at the inputs and the outputs. It's not just a clever name for the company. What are the inputs to your company? What do you need to ingest to do business, to operate, to stay sustainable? And what are your outputs? What do you need to process? What do you need to provide out to your client base, your members for you to stay, again, viable, sustainable? And that's all we're going to focus on.
So as an example, let's look at a restaurant. And we're not going to list all the inputs here. We're not going to list all the outputs, but I want to give some idea of it, some general flavor.
So the core inputs to a restaurant could say they need all of their products coming in, the food. They need that on a regular schedule. If the food doesn't get delivered to them, they have nothing to cook.
They have nothing to sell. People have nothing to eat. There's no reason to go there.
So that's a big input. We need food coming in. We also need people to serve it.
So we need employees. We also need people walking in the door and putting their butts in the seat. We need people giving us money.
So that's a big input too. So there's a lot of others. We need power to keep the location running.
We need water services. But those are the primary ones there. So if we're looking at those inputs, let's say we look at people coming in the door.
Well, what happens if people can't come in the door? And I don't even want to have a conversation yet with what could cause that. There's so many different what's, a lot that we may not even consider. I just want to focus on what happens if people can't come into our restaurant.
And a lot of times when we're looking from the vulnerability side, when we start identifying, okay, there could be a worldwide pandemic that the government shuts down everybody's ability to go into restaurants, shuts down their ability to go out in public. Well, talking with a company, that's a pretty low likelihood, maybe not now, but a pretty low likelihood so they'll typically get pushed to the side. We're not even going to consider that.
We're going to consider all kinds of other things. The danger in that is that's just one example. There could be a lot of other examples that people may not be able to come into the location, that we may not be able to serve food from that location.
Maybe there's asbestos in the roof. Maybe there's a sewage leak outside. Maybe there's a downed power line or fill in all the different ors that there could be.
There's too many to list, but none of that changes how that impacts the business. If we don't have people coming in our front door, how's that going to impact us? Well, typically that would put us out of business. And here's where we really start breaking it up, where the true benefit of this comes in, because we need to have a conversation of, okay, well, if that happens, are we just going to throw our hands up and close the business? Say it was a good run, but that's all we can do, nothing else to do here and go bankrupt.
That's definitely an option. And that's definitely a thing a lot of companies do. And that's saying nothing bad against any of those that do.
That's a major impact. That's hard to overcome. But from a perspective of, I want to manage all the risk.
I want to take control of the destiny of my company. What could we do? Well, if people can't come into our location, maybe we could just sell packages of really great cut steaks and other meats. Maybe we could deliver food to people.
Maybe what we could do is start creating whole meal plans for the week. If everybody's stuck at home, they're probably not eating good. Hey, we'll make healthy meals for you that you just need to heat up, very inexpensive, and we'll deliver them to your door.
We can go and identify all different methods that we could address this situation. And here at Risk Management, on that side, is we can have all these as continuity plans, business continuity plans. Okay, if people can't come in, we're gonna set up a spot outside or we'll set up a drive-through and people can just come and order boxes of meats pre-cut and we'll even put some recipes in there, make it fun for them.
We'll also start delivering food to people. We'll send out some mailers and let them know that we can do meal plans. And all these different things, they can be contingencies.
So when it hits the fan, we're ready. We can do things. We can remain viable, maybe not to the same profit level, but we can keep the doors open.
Where the real power in this is and where the overwhelming majority of companies, even large businesses overlook is the opportunity here. Well, if that happens, we could probably gain a lot of market share. Also, what's keeping us from doing some of these things right now? Maybe what we do is we start testing some of these out and see how much of a market is there for this.
Maybe there's not as great of a market as there is now, as there would be if people couldn't come in, but maybe there's enough to make this another revenue stream. And then God forbid something happens, it's just a small little shift to where we really turn up this side of the business. What it allows us to do is identify perhaps different revenue streams, but also have plans in place so that if things go sideways in a certain way, certain events happen, we can actually jump on it and turn it into an opportunity, a cup half full situation.
And the same thing with all of our outputs, we go through that same process. Of how we can deliver and how people could pick things up, but going through each of the different inputs and outputs for our company, and then looking at what would we do if this was erased? This is this input and this output, these are critical to our business. This is basically our entire business model.
Let's take those off the board and now identify how are we going to make money? How does our business stay viable? That's going to easily build out all your business continuity plans. So that whole section of compliance is basically done. Then what you can do is take those situations and say, here's our major concerns.
These are our major inputs, our major outputs. This is what we have to support to stay viable. Well, now you've got all your objectives identified for the business.
And you can even identify the different levels that you need those to operate at. So now we've identified core business objectives. We've got KPIs for them.
With those KPIs and objectives, that actually satisfies a whole area that people struggle with in ISO 27001 and other compliance standards. But that's also going to allow us to identify who do we need in these roles? And what do those people need to do? And where a lot of us have trouble giving real clear KPIs about what somebody needs to do in a position to be successful. We give these platitudes.
You need to be a good speaker. You need to have good leadership skills. You need to drive the business, whatever that means.
When we have our objectives identified, then we can say, you need to keep the floor operating at this percentage. You need to keep this many people coming in. You need to reach this many people with our marketing campaigns.
Becomes very crystal clear. We can get the right butts into the right seats. That's a big section of a lot of compliance standards too for the human resource personnel management side.
It's also going to allow us, when we have all of those objectives identified, is we can start handing those to relevant subject matter experts, to different teams and say, okay, us at management in the ivory tower, we came up with these things. This is what we need to operate. These are the different ways that we would work through that.
Maybe even here's some new business plans. But now what we want you to do is identify all those vulnerabilities, identify all those hows that these events could happen or that these inputs and outputs could be impacted. And then what we'll do is prioritize those likelihoods, which of these is most likely to happen or which of these would have the biggest impact.
Because even though something may impact some of those inputs and outputs, it may not be a complete, total nobody can come in. It might be a thing to where only seven booths in the interior of the restaurant are unavailable. So now we've got reduced capacity, but people can still come in.
So we'll have all of our subject matter experts IT, HR, all the different departments, finance. They'll offer in their expertise where it's relevant. And then we can identify, okay, where do we want to spend money? Which of these vulnerabilities did we identify that could turn into an impact, which ultimately is our risk? Which one of these vulnerabilities can we actually manage well? Well, for the interior, we need to make, for a fire, let's make sure we have fire extinguishers.
Let's make sure we have a fire system and good well-lit exits. That way people don't get hurt. We don't get sued.
Those things we can control. So now the possibility of being impacted from those situations is reduced a lot or we're reducing the impact of it a lot. If that happens, it's not gonna be so jarring for us.
And that's where we can leverage all of our different departments, all of our different SMEs. And management doesn't need to be directly involved. And we can, how we can segregate this compliance management, the security management across the company, across different resources.
And like I said before, it's this part we're talking about, the identifying all the vulnerabilities and way things could go sideways that most companies start and end, that they only scratch the surface of really the inputs and outputs and what that would really mean. So again, just to recap, when you sit down, make a list of all the inputs your company needs. All right, what are all the things I need coming in to operate, be viable and make money? And then what are all my outputs? What am I doing with those inputs to provide, to stay viable and continue to make money? Then just start making a list, start identifying what could I do if these different aspects disappeared? And I'm not even going to entertain the ideas of how that could happen.
Just a whole deus ex machina, it just poof, vanishes, it's gone. What would I do then? And then once you have those in place, now you've gotten a huge part of your compliance program already put together. I would say the hardest parts, you've got tools that you can give or plans that you can give to all of your other resources.
And what typically happens is you identify one, maybe two other possible revenue streams, at least opportunities, but maybe things you could be doing right now to enhance your business. So that's really the power of the risk management. First, everybody looks at it as risk management, that's what it's called.
But really, as you mature that, it turns into opportunity management and that's really where you can drive business. That's really where you can make massive changes and not only help yourself, your business, but all those that you serve too. So that's all for the inputs and outputs for today.
I am more than happy to connect with you to talk more about that. It's an area that it ties into business and business management and it's actually, I think, the most fun part of all of this, all the security and compliance because it's building up businesses and it's seeing where you can take them. So always happy to engage and talk about that.
Also to help walk you through it as well, definitely happy to set up times for that. But thank you again for listening. Cash in the Cyber Sheets.
Again, please click that subscribe button wherever you're at, Apple Podcasts, Google Play, YouTube, go ahead and subscribe, leave us some comments and very much looking forward to having you back next week. Have a great day.