Course Description

Cyber security leaders rely on a risk matrix to make investment decisions, then quantify that data when they present their budget request to the CFO. Historically, we see organizations assessing risk qualitatively in terms of likelihood and impact, following the NIST 800-30 framework. The results typically follow a bell curve, with some risks ranked as High, a majority designated as Moderate (or Medium), and the remainder as Low. Serious events — like hackers, malware, ransomware and theft of patient data — are traditionally ranked as High risks, given that the impacts involve a measurable financial loss and some risk to patient care.

Unfortunately, we have seen significant grade inflation over time, leaving little room for the catastrophic impacts that could result from a cyber war. For example, organizations have serious concerns about their backup strategy for recovering from a ransomware attack. The thought of not having recoverable hardware on which to restore data at all is an impact that falls outside the typical risk impact axis. During this session, learn how we can alter the current risk matrix to effectively introduce tertiary/ancillary risks that may be overlooked in the current model. I think we have to take a “whole picture” look and not get pigeonholed into risks that are truly quantifiable from a CISO perspective.

For this reason, we need to reset the risk matrix, then explore options based on a more realistic impact continuum. This analysis would drive a deeper conversation around cyber resiliency, specifically focusing on incident response and what happens “after the boom.” The potential for cyber war is higher than ever given the current political environment.

At the end of the session, attendees will be able to:

  • Identify how a potential cyberwar would impact an organization’s current risk assessment framework
  • Justify an increased emphasis on cyber resiliency planning
  • Apply a new rubric for measuring adverse impacts to a healthcare organization
  • Defend the need for additional preparation across multiple workflows supporting an academic medical center

Course Curriculum

  • 1. Presentation
  • Slides

Sri Bharadwaj

Sr. Director, Information Systems & CISO, UCI Health

Sriram has over 25 years of Information Management Systems experience in multiple industries including healthcare. Sri has held many leadership positions in health plans. Prior to his current work at UCI, he consulted with Integrated Delivery Networks around ACO, HIE and clinical integration.

Clyde Hewitt

Executive Advisor, CynergisTek

Clyde brings more than 30 years of executive leadership experience in cybersecurity to his position with CynergisTek. His responsibilities include serving as senior security advisor and client executive, thought leader and developer of strategic direction for information and cybersecurity services, nationwide business development lead for security services, and contributor to CynergisTek’s industry outreach and educational events.