Caffeinated Risk


The monthly podcast for security professionals, by security professionals. Two self-proclaimed grumpy security professionals talk security risk, how they've managed it in the past, and forward-looking discussions with guests working in information security and risk management.

McCreight & Leece


    • Latest episode: Apr 24, 2025
    • New episodes: monthly
    • Average duration: 28m
    • Episodes: 48



    Latest episodes from Caffeinated Risk

    Simplifying risk analysis using FAIR and Wiley Coyote with Jack Freund

    Apr 24, 2025 · 8:35


    A while back we were fortunate enough to spend time with Jack Freund, co-author and thought leader responsible for bringing the FAIR methodology and practice into the mainstream. A bonus from that original recording is now an espresso shot discussing how to fast-track an assessment when the threat vectors are numerous. While the metaphor Jack used is somewhat unexpected, it is both memorable and an excellent approach to dealing with an entire class of attacks in a single assessment. A pro tip from one of the original practitioners of the FAIR methodology, well worth a listen.

    SMB Resilience and lessons for larger organizations with Rochelle Clarke

    Mar 27, 2025 · 30:44


    At 45-50%, depending on your statistical source, there is no denying that small to medium sized businesses are a significant economic engine from both an employment and an innovation perspective. In 1978 Microsoft numbered 11 people. Unfortunately, small businesses are also the least likely to survive a major disruption, an experience that changed Rochelle Clarke's trajectory from corporate leadership to business founder. The Continuity Strength founder shares insights on the needs of small to medium businesses and how to develop resilience plans while simultaneously addressing the two biggest concerns of most SMB owners: time and money. Prior to founding Continuity Strength, Ms. Clarke was the Country Manager, Global Strategy for Heineken, and a management consultant, and she sits on multiple board and academic committees.

    Addressing Risk and Cyber Resilience, the Alberta Approach - with Rachel Hayward

    Feb 20, 2025 · 36:13


    A surprising number of digital innovations began in Alberta, be it the world's first public digital cellular network in 1985, the DNP3 industrial controls protocol, or becoming the site of the first Google international research lab in 2017. CyberAlberta is another innovative collaboration focused on strengthening the cyber resilience of Alberta organizations. At almost 330 billion annually, protecting the Alberta economy and its citizens from digital attacks is an important mission. In a very candid conversation, Rachel Hayward, Executive Director of CyberAlberta, shares both successes and challenges observed with cyber workforces and organizational readiness. Her previous tenure with the Alberta Privacy Commissioner adds some additional nuance in these times of ever greater tests of personal rights.

    Security Risk Management in an Open Data Environment with Michael Spaling

    Jan 9, 2025 · 36:26


    Ever wondered how top universities protect their cutting-edge research from prying eyes while ensuring seamless access for their scholars? Join us as Michael Spaling, Principal Security Architect at the University of Alberta, takes us behind the scenes of this high-stakes balancing act. Just like any other large organization, research universities have many different stakeholder, operational and regulatory requirements, thousands of employees and tens of thousands of customers. In a strange twist, both Mr. Spaling and podcast co-host Tim McCreight are also recent recipients of industry awards, prompting a few questions that reveal some darker elements of social media while continuing to offer security leadership.

    Engineering, Risk Management for Cyber-Physical Systems with Andrew Ginter

    Nov 30, 2024 · 29:25


    The practice of engineering dates back thousands of years, incorporating science and mathematics to solve problems in the ancient world, and remains a key requirement for developing the complex digital systems controlling the physical systems core to our modern way of life. Unfortunately, connectivity and complexity have created a vulnerability we must now engineer our way out of, and just like risk management, engineering is about balancing constraints. Andrew Ginter is a recognized thought leader within the industrial security space with decades of real-world experience and the willingness to distill that knowledge into a series of books on operational technology cybersecurity. Mr. Ginter's latest book, "Engineering-Grade OT Security, a manager's guide", explores risk elements over multiple chapters and provides a great intersection with ESRM principles. A self-professed collector of industry wisdom, Andrew was quick to highlight Cyber Informed Engineering principles for security engineering within OT and to call out calculation issues when risk-assessing black swans, while also offering an elegant approach to resolution. Due to a technical glitch, this episode joins Andrew, Tim and Doug in mid-conversation about Cyber Informed Engineering instead of the typical introduction banter of most episodes.

    Deviance Normalization & Risk Management with Marco Ayala

    Oct 24, 2024 · 34:05


    Technological change is inevitable and often one of the aspects that attracts people toward careers in information and operational technology. Although risk management is a part of navigating advancement in any area, the fundamental flaw in any management system is our human tendencies. This episode explores how organizations can make a slow, steady migration from first principles to risky undertakings without noticing. Marco Ayala, an operational technology cybersecurity expert and current Houston InfraGard president, joins this episode to further explore the reasons behind this normalization of deviance, a concept first introduced to OT cyber specialists at S4 in 2024. Mr. Ayala is also a CCE proponent and facilitator, leading to a discussion on possible options for course correction back off the normalization path. Although solutions must always be tailored to work within organizational constraints, the early contributors to the catastrophic outcomes associated with the Challenger space shuttle and Boeing 737 Max warrant exploration, or we will inevitably repeat them.

    Managing Supply Chain Risk Management - with Darren Gallop

    Sep 26, 2024 · 32:34


    Whether it's the NIST CSF, 8276 or the new European Cyber Resilience Act, there is no denying the expectation that supply chain management (SCM) is a risk management area no organization can ignore. While SolarWinds is a recent common reference in many SCM discussions, this episode's guest takes us back to Target's major data breach that resulted in significant changes to the PCI-DSS standard. Darren Gallop, a serially successful Canadian tech entrepreneur, recounts his early journey into the software-as-a-service business up to his current role as CEO of Carbide. The episode talks frankly about the current challenges with supply chain management, but Mr. Gallop also shares where he sees bright lights on the horizon and a path forward for organizations willing to consider the shift.

    Metawar and Fostering Resilience with Winn Schwartau

    Aug 29, 2024 · 34:51


    Long before the Matrix captured people's imaginations, Winn Schwartau was steadily offering red pills to those reading his many books on information warfare. A scholastic-level researcher without the pretense, Mr. Schwartau has been recognized internationally as one of the leading security thinkers of our time and has a special capability for distilling complex security concepts into everyday language and metaphor. In this episode Tim and Doug talk with Winn about the battle big tech is waging on our cognitive capabilities. Recorded just days before the release of Winn's latest book, this interview is a very frank examination of our current human state and some sound direction on how to counter the effects of coexisting with technology. Some sample chapters of the new book and links are available here: https://winnschwartau.com/metawar/

    Resilience and I.R. Lessons Learned (the hard way) - with Adam McMath

    Jul 11, 2024 · 34:31


    Almost all incident response plans include a "lessons learned" step, and in the post-adrenaline phase that follows many breaches, reviewing what worked and what needs improving doesn't excite a lot of people. Adam McMath is clearly the exception, leading incident response activities in both the cyber and physical realms. How resilience and incident response lessons learned while literally fighting fires translate into risk management practices within cyber security is a good question, explored in depth with this month's guest. Mr. McMath's experience and exuberance are evident throughout, with a great deal of additional content that will appear in a future espresso shot bonus episode.

    ESRM a Transformation Catalyst with Radek Havlis

    May 30, 2024 · 29:47


    Amongst the industry verticals classified as critical infrastructure, few would argue that telecommunications belongs anywhere but at the top of that list, placing even more weight on a risk management program due to cascading impacts. Consequently, safe, reliable operations are essential for success while continuing to grow in a highly competitive marketplace. It is a security risk management challenge across many dimensions that has become an ESRM success story. This episode features Radek Havlis, Vice President, Director Business Resilience and Chief Security Officer at O2 Telefonica Germany, sharing insights into O2 Telefonica's transformation toward a highly converged security model. An early advocate of ESRM, Mr. Havlis explains how the risk management philosophy remains consistent but the requirements for successful implementation can vary greatly by organization. The Telefonica journey started with visionary leadership and in less than three years has transformed the view of security into that of a business enabler.

    Contingency Planning, Cyber Resilience and Incident Response

    Mar 28, 2024 · 28:33


    Regulatory frameworks from PCI-DSS to NERC-CIP to the newly minted NIST CSF 2.0 each require organizations of all sizes to have cyber incident response plans. Most of us who have spent any time in cubicle-filled office towers are familiar with fire drills to clear the building and gather staff at muster points, and that is as close as we get to the real thing. Unfortunately that same lucky streak will Unlike a fire drill, recent research estimates 85% of businesses will experience a cyber incident annually, and many will find shortcomings in their incident response plan. This episode explores a couple of recent newsworthy Canadian cyber incidents, challenges with incident response plans and, as always, how to use ESRM principles to further your program, even in a time of crisis.

    The Business Context of Cyber Resilience with Steven J Ross

    Feb 22, 2024 · 30:51


    Those running a business today who have not experienced disruption due to cyber issues or attacks know it is only a matter of time. Even if their organization is not directly targeted, the modern marketplace, comprised of multiple, interconnected supply chains, means impact is unavoidable, but this episode's guest, Steven J Ross, contends that planning, design and clear priorities can provide mitigating resilience. Steven J Ross, executive principal of Risk Masters International, is a recognized cyber security expert specializing in cyber resilience, recovery and business continuity. His decades of experience come through loud and clear with a somewhat unflinching perspective on the current digital threat landscape and the impact on organizations and individuals. In addition to leading a boutique risk management practice helping Finance, Health care, Defense and more, Mr. Ross has been the author of one of ISACA Journal's most read columns since 1998.

    Building a Cyber Risk Management Program with Brian Allen

    Jan 25, 2024 · 30:03


    The U.S. Securities and Exchange Commission defined new rules for cyber risk matters facing publicly traded corporations in July of 2023. Although the SEC's mandate is limited to publicly traded companies in the United States, where one regulator goes others are apt to follow. Brian Allen is the co-author of a brand new book putting form, structure and traceability around the SEC-mandated requirement for a Cyber Risk Management Program. Mr. Allen was one of the original creators and advocates of the ESRM framework first published in 2013, and has been practicing security risk management throughout his career. Caffeinated Risk is very pleased to bring a very candid conversation with a true thought leader in the risk management field to our ever-growing family of listeners.

    CyberPHA - OT Risk management With John Cusimano

    Dec 14, 2023 · 31:59


    The ISA 99 standards body is one of the most recognized authorities on cyber-physical security, covering many aspects of a cyber security management system for industrial control systems, including risk management. This episode features John Cusimano, former chairman of the ISA subcommittee responsible for authoring the risk management portion of the standard, 62443-3-2:2020. Mr. Cusimano takes us back to the origins of the OT-specific risk assessment process, originally dubbed CyberPHA. We also explore how the methodology can be managed and perceived at different levels of the organization, as well as how this approach can safely carry organizations into a future that includes cloud computing. John is currently the Vice President for Operational Technology Security at Armexa, with more than 30 years' experience in OT, and is one of the early thought leaders in this unique area of cyber security and risk management.

    Science, Crime and Workforce Development with Dr. Martin Gill

    Nov 23, 2023 · 31:52


    Security and crime are often in close proximity but not always studied together. This month's episode features Martin Gill, a criminologist who made the study of crime and security his life's work. After a decade as a lecturing professor at the University of Leicester, Mr. Gill started Perpetuity Research in 2002 and continues to provide very high quality research, both qualitative and quantitative, on what works, and more importantly what does not, in many different areas of the security field. In addition to leading the annual Security Research Initiative reports, Martin Gill is also a contributing author and editor of many criminology and security textbooks, including "The Handbook of Security", now in its third edition.

    ESRM a Decade In and The Emergent Threat Landscape

    Sep 28, 2023 · 29:52


    Post GSX conference, which included an in-depth review of ESRM and an interview with former U.S. president George W Bush, this episode considers how enterprise security risk management has stood the test of time as well as how risk analysis will need to evolve. Financial receptors can be found in almost every organizational risk matrix, but how do those decisions change with modern ransomware attacks? How does a threat intelligence program contribute to organizational defense and resilience?

    Business Enablement using Converged Risk Management with Michael Lashlee

    Aug 24, 2023 · 36:20


    The convergence buzzword has come and gone, and some organizations have struggled to reap the benefits of physical and cyber security departments working in tandem toward common goals. Michael Lashlee, deputy Chief Security Officer at Mastercard, shares security insights from the US Marines, the Secret Service and financial services tech giant Mastercard, illustrating how principles from very different missions overlap surprisingly often. Mr. Lashlee also discusses how technology supports the physical, intelligence and fraud specialists working to keep Mastercard customers' client data safe, as well as steps they are taking to resolve the cyber skills talent shortage.

    Interpreting Risk within a Regulatory Context with Terry Freestone

    Jul 27, 2023 · 32:28


    Calgary was an ICS cyber hub before most knew such measures were necessary; Terry Freestone was one of the ICT specialists from those early days who now applies his decades of hard-won knowledge in the offices of the Canadian Energy Regulator. Speaking as a private citizen and cyber security expert rather than a government representative, Terry and the Caffeinated Risk team explore risk management from the energy producer's perspective and his four-point strategy for risk mitigation prioritization that works for any size of staff or budget.

    2023 Summer Show

    Jun 29, 2023 · 30:56


    Keeping up the accidental annual tradition, Tim and Doug take a retrospective look at risk management as a mid-year pulse. The 10th annual Cyberthreat Defense report forms the underlying theme, with the hosts digging under the statistics to analyze how these might pertain to ESRM. Communication also popped up as a topic, and Tim shares some lessons learned from the field as well as a professional development resource.

    ESRM and Data Science with Rachelle Loyear

    May 25, 2023 · 31:28


    One of the original authors of the ESRM framework, now in its tenth year, and Caffeinated Risk's first guest returns to discuss how data science is changing security and risk management. While alchemy may be a bit of a stretch, Ms. Loyear's ongoing focus on including human behaviour in the risk equation is leading to the development of data-science-based detection capabilities that would have appeared magical even 5-10 years ago. Rachelle Loyear is the Vice President of Integrated Security Solutions for Allied Universal and co-author of The Manager's Guide to Enterprise Security Risk Management.

    Attack Tree Calibration with Terry Ingoldsby

    Mar 23, 2023 · 7:30


    A threat modeling expert and inventor of one of the world's first attack tree modeling products talks about how to integrate subject matter expertise into the risk equation; the answer may be surprising. This is bonus content not included in the original interview with Terry, which dove deep into the history of attack trees, modern applications, and why there is no AI magic when it comes to identifying events that could end your organization. Well worth a listen if you missed it.

    FAIR and ESRM, exploring common ground with Jack Freund

    Feb 23, 2023 · 38:12


    Factor Analysis of Information Risk (FAIR) and Enterprise Security Risk Management (ESRM) took different evolutionary paths yet share a lot more commonality than catchy four-letter acronyms and mainstream adoption by notable organizations like NIST, The Open Group and ASIS International. Jack Freund personifies the term "risk management thought leader", with professional qualifications and public recognitions too long to list, but his co-authorship of Measuring and Managing Information Risk can't go unmentioned, since industry peers inducted this seminal title into the Cybersecurity Canon. With risk management discussions ranging from banking to defeating door locks, Dr. Freund was consistently insightful, humorous, and a delightful guest.

    Cyber-Physical Convergence Revisited

    Jan 19, 2023 · 34:40


    In addition to hybrid work and regular time in the office being the new normal, 2023 marks the year Caffeinated Risk's co-host Tim McCreight serves as the president of ASIS International. ASIS has long been a proponent of both physical and cyber security professionalism and one of the first organizations to explore and embrace Enterprise Security Risk Management (ESRM) as an integral element of security. Scholarly articles on cyber-physical security convergence started appearing in the late 1990s; more than 25 years later the convergence buzz has ebbed and flowed, but silos remain. In this episode Tim shares his insights from the past 40 years, the benefits of a converged approach, as well as some of the paths toward success.

    ESRM Enablement via Location Intelligence with Alex Martonik

    Dec 15, 2022 · 31:55


    Realtors have long advocated "location, location, location" as a path to investment success. Fast-forwarding a few generations, location intelligence applied to risk management is paying dividends well beyond real estate, and Esri is a world leader in this fascinating application of geospatial information. Esri business solutions leader Alex Martonik shares examples of businesses making improvements to resilience and the bottom line by combining GIS, financial, technological and political data into risk calculations. Mr. Martonik also shares Esri's approach to "democratizing risk insights", helping solve the all too common problem of procuring buy-in.

    Privacy & Toxic Data with Michelle Finneran Dennedy

    Nov 17, 2022 · 6:00


    A great discussion point that didn't make it to air from the original 2021 episode. Not all data is of equal value to the organization, and its viable shelf life is seldom tracked or even discussed. This espresso shot takes a humorous look at a serious question about privacy considerations during the development cycle; check out the original full episode with privacy thought leader Michelle Finneran Dennedy.

    Classifying and effectively communicating enterprise security risk with Paul Mercer

    Oct 20, 2022 · 31:15


    Communication isn't effective until the receiver understands the message well enough to take action. That pretty much sums up the challenge facing many risk professionals today, something Paul Mercer resolved, out of necessity, by building risk management software that is proving to be a welcome solution for many notable customers. Mr. Mercer is no stranger to the front lines of risk management, starting with the Royal Navy and then extensive risk and crisis consulting for international clients. Well-known ESRM practitioners are also recognizing the value of Mercer's approach to digital safety and security risk management.

    Redefining the risk management business partnership with Rachelle Loyear

    Sep 8, 2022 · 6:50


    As co-author of the original book on Enterprise Security Risk Management, it only made sense to have Rachelle be the first Caffeinated Risk guest. As with many guests, there was just too much material for a 30-minute episode. This espresso shot encore digs into the nuanced topic of truly partnering with business stakeholders.

    Resilience as a Risk Management Strategy

    Aug 18, 2022 · 32:57


    Anyone with a bit of time in the security industry is well acquainted with Murphy's law, but crisis management specialists are who you call when things suddenly get very real. While common security guidance advocates protection, readying your organization to weather the inevitable failure in prevention measures starts with resilience. International crisis management thought leader Alexandra Hoffman and 2022 IFSEC Global Influencer and Meta's head of Global Security Protective Intelligence Tim Wenzel dive deep into what resilience really means at the organizational level. Security folks are fond of saying "it's not if but when ..."; listen in to learn more about how to prepare your organization for that eventuality from those who have been there with some of the biggest companies in the world.

    Infrastructure Resilience and Ethical Considerations

    Jul 21, 2022 · 31:48


    Recorded two days after the July 2022 nationwide telecom outage, co-hosts Tim and Doug explore the deeper ramifications of losing access to the very services that are so tightly integrated into our lifestyle. While the complete root cause of the Rogers outage may never be publicly shared, most organizations face similar constraints, leading to a discussion about ethics and our shared commitment to the common good. Documents referenced in the show:
    • ACM Code of Ethics
    • Energy sector asset management

    GRC Program Development and Implementation with Josh Sokol

    Jun 16, 2022 · 31:10


    Sooner or later every risk management professional faces the hard reality that comprehensive risk management programs can't be implemented on spreadsheets. A corporate vice president's mandate, minus the funding, started Josh Sokol on a journey that turned his initial platform solution into an open-source project that morphed into a commercial venture. While meeting the risk management and compliance needs of organizations large and small, the Simple Risk founder remains committed to a practical approach for stewarding cyber security issues and mentoring the next generation of security professionals. This episode explores the true GRC platform needs, not the marketing, and the cyber security executive's role in enterprise risk management.

    Strategies for meeting the cyber skill set challenge with Martin Dinel

    May 19, 2022 · 32:26


    Chief Information Security Officer Martin Dinel has all the same technology challenges as every other large organization. Placing Alberta in front of that CISO title brings the additional requirements of protecting government secrets, interfacing with national security, protecting the financial and health information of more than 4 million people, and protecting the infrastructure of a province almost the size of Texas. Mr. Dinel shares some innovative ideas for sourcing and retaining talent, observations on how the education system needs to change, and his vision for turning Alberta into a cyber security center of excellence.

    Risk management in the cloud with Illena Armstrong

    Apr 21, 2022 · 32:32


    Very few organizations, from three-letter agencies to the local brew pub, are not using cloud services to some degree, and those previously resistant had no choice once COVID-19 hit. In 2022, with global conflict, organized crime, and multiple supply chain and service concerns, what is required of a security professional responsible for navigating risk for their enterprise, which invariably includes "Cloud"? Illena Armstrong, president of the Cloud Security Alliance, shares her insights on these challenges, honing in on key considerations for both organizations and the information technology industry as a whole. A business-first strategist and advisor, Ms. Armstrong was previously Editor in Chief and VP of Editorial for SC Magazine, exploring cyber security issues across the globe for more than a decade and interviewing industry leaders before CISO was even a title.

    Cyber Crime and Risk Management Strategies with Cara Wolf

    Mar 17, 2022 · 32:31


    Acknowledged by IT World Canada as one of the top 20 women in cyber, Cara Wolf shares insights into the Canadian tech industry, the need for innovation, and tactics for drawing senior leadership's attention to cyber security issues during a candid discussion on the changing aspects of cyber crime. Long before cyber crime was a mainstream concept, Ms. Wolf was a seasoned fraud investigator with American Express Travel, setting the stage for a number of entrepreneurial ventures combining technology and risk management. Cara Wolf's latest company, Ammolite Analytx, specializes in complex information security problems and threat-centric solutions, whether those threats are physical, cyber or a hybrid.

    Continuous Authentication and Risk Management with Ian Paterson

    Feb 16, 2022 · 32:34


    The threat landscape is evolving; if your security controls are not, the outcome is all but assured. In this episode Tim and Doug are joined by Canadian cyber security serial entrepreneur Ian Paterson, CEO of Plurilock. Mr. Paterson shares hard-won insights from extensive data science research and development, and how this intelligence enables continuous monitoring to be applied to a technology stack and bring organizations closer to a zero trust model. Ian's wealth of experience in the Canadian cyber security industry also opened up discussions about startups, staffing and the commercial cyber security industry, some of which, due to time limits, will appear in espresso shot bonus episodes in the future.

    Castles and Network Management with Winn Schwartau

    Feb 3, 2022 · 5:33


    A light-hearted espresso shot with renowned information security writer Winn Schwartau and Tim McCreight discussing the serious and all too common problem of uncontrolled ingress and egress. While the first electronic firewalls may have come into vogue in the late '80s, Winn and Tim uncover parallels with perimeter security developed in the Middle Ages.

    Unpacking the Security Value Chain - Dave Tyson

    Jan 20, 2022 · 7:21


    An espresso shot covering a great idea Dave Tyson originally shared in his book and discussed during our 2021 interview, on identifying where security can contribute to the business value chain and some strategies for selling the benefits. With thought leaders like Dave there are many more insights than time in each monthly episode, so in 2022 we'll be combing through older interviews and sharing previously unpublished interview content in smaller 5-8 minute blocks. These short excerpts will be released periodically in between the monthly full episodes.

    Innovation and Influence

    Dec 16, 2021 · 34:09


    The year-end episode does some comparing and contrasting of risk management in different areas, including things outside of cyber. Ironically, recorded just a couple of days before most of the world learned about a module design choice in Java that suddenly makes logging dangerous, it brings home the point that our cyber threat landscape is complex. Complexity and uncertainty are nothing new for cyber security and risk management professionals. Navigating through those waters despite the lack of authority often afforded those tasked with ensuring an organization's safety adds human behaviour to that complexity. Tim offers a number of suggestions on influencing action despite competing agendas within the organization.

    Applying Scientific Principles to Risk Management - With Doug Millward

    Nov 18, 2021 · 33:12


    While many in risk management or cyber security reference standards and leading practices, it can often be based on tacit acceptance rather than deep research. There is an argument that research is too slow compared to commercial solutions, especially considering our current threat landscape and resource constraints. This episode explores the possibility of a middle ground and challenges a few assumptions along the way; it turns out things haven't changed that much since the 1970s. An unplanned discussion with one of the co-hosts regarding the "science of cyber security" led to an interview with Doug Millward, a computer scientist who spent many years in SCADA engineering, programming and system architecture before completing postgraduate studies in higher education. Combining real-world computer science and security knowledge with academic skills led Mr. Millward to become a senior lecturer at Wolverhampton University, teaching at all levels from HND to Masters, designing a number of Security and Computer Science modules and also working as a lead researcher on the Biolive project, examining privacy issues for vulnerable adults. Doug Millward is now teaching at Kaplan / the University of Essex Online, where he has designed and taught a number of computer science modules at Masters level, specialising in Cyber Security. Doug is actively involved in research around cybersecurity, specialising in designing and modelling security in composable systems, the use of secure languages and data representations, and the application of risk frameworks and taxonomies at both the micro and macro levels.

    Risk and Kinetic Consequences - with Paul Smith

    Oct 21, 2021 (31:08)


    Skilled penetration testers are some of the more specialized people within the information security industry. When it comes to safely testing kinetic systems, the pool of talented ethical hackers shrinks again, but it does include Paul Smith, who has written a brand new book on the subject. An ICS security specialist before it was a recognized specialty, Paul Smith has been a field operator, security tester, product manager, ICS vulnerability researcher and more. This episode explores risk considerations when impacts are measured in environmental damage and human life rather than records in a database. Mr. Smith's new book, "Pentesting Industrial Control Systems: An ethical hacker's guide to analyzing, compromising, mitigating and securing industrial processes", will be released November 9th 2021.

    Privacy Engineering, Manifesto & Beyond with Michelle Finneran Dennedy

    Sep 16, 2021 (31:10)


    Formerly vice president and chief privacy officer at Cisco, CEO of Drumwave and a licensed attorney, Michelle Finneran Dennedy is recognized as a visionary leader in information systems privacy. She is currently the co-founder of Privatus Consulting, supporting clients working through the wicked problem of privacy in this digital age. Much to the benefit of Caffeinated Risk listeners, she is also a friend of co-host Tim McCreight, and her wonderful sense of humor results in some very entertaining banter on a traditionally serious subject. Ms. Dennedy is also the co-author of the Privacy Engineer's Manifesto, a must-have reference for any privacy or security professional, made freely available via Amazon digital download.

    Following the Money in Cybersecurity with Larry Whiteside Jr.

    Aug 19, 2021 (35:46)


    A business without cash flow isn't a business for long, and security solutions are seldom free, yet cyber security is a line item that business owners ignore at their peril. Cost management and risk management come together in this lively podcast with special guest Larry Whiteside Jr., a former US Air Force division chief who has held a number of senior cyber security executive positions since returning to civilian life in 2002. Mr. Whiteside is also the co-founder of the International Consortium of Minority Cybersecurity Professionals (ICMCP), a non-profit organization working to increase the number of female and visible-minority professionals in the industry. He offers some sage advice to all those currently struggling to enter the industry and to those searching for talent while still keeping an eye on the bottom line.

    Back to work, just in time for summer

    Jul 22, 2021 (28:01)


    Co-hosts Tim and Doug explore the security implications of workers returning to corporate networks after more than a year of working remotely. Is there a new art of the possible to be considered, based on the changes most organizations needed to make to networks and applications to get through the pandemic lockdown? Is this now more important than ever, since the financial impacts of ransomware have reached new record levels? And how might ESRM practices support resilience improvements?

    A Business First Security Focus with Dave Tyson

    Jun 16, 2021 (30:04)


    Dave Tyson literally wrote the book on managing enterprise security risk through converged security while serving as the CSO for the City of Vancouver during the Winter Olympic Games. A practitioner rather than a theorist, Tyson has held senior security leadership positions at multiple major organizations, including eBay, Pacific Gas and Electric and SC Johnson. In this episode Dave Tyson discusses the origins of security convergence, why organizations need to explore it now more than ever, and how to gain support from the executive suite by identifying and removing value-chain friction created by security processes.

    Security risk analysis using attack trees with Terry Ingoldsby

    May 19, 2021 (34:42)


    "We need more science in Cyber Security" - David Hechler, TAG Cyber Law Journal

    Threat modeling should be step 0 of any security architecture, but it often goes completely unconsidered. This episode features Terry Ingoldsby, a veteran cyber risk professional, physicist, computer scientist and inventor of Securitree. Ingoldsby created the attack tree development platform because he felt cyber security assessments should be defensible rather than just the educated opinion of the assessor. Despite his being the inventor, there is no sales pitch. Terry, Tim and Doug talk risk, engineering, business cases and why there is no AI magic when it comes to identifying events that could end your organization.

    Transitions and transformation within the security industry with Scott Klososky

    Apr 14, 2021 (34:41)


    Serial entrepreneur, author and futurist Scott Klososky explores some new approaches to physical and cyber security that are innovative, potentially controversial and necessary as more and more of our daily way of life is affected by these security problems. Ten years before YouTube, Mr. Klososky founded a startup that delivered webcast media for commercial, government, sports and entertainment clients. Scott has consistently demonstrated the ability to identify market opportunities and technology trends well in advance, following the success of Webcasts.com with a second-generation online banking platform that enabled smaller financial companies to compete head to head with the majors. Today Scott Klososky supports business leaders and boards by merging hard-won success in technology with forward-looking analysis to create the concepts and models needed in today's hyper-competitive markets, whether those needs are the fusion of humans and technology within an organization, data intelligence, or risk management and the development of an integrated security model.

    Security through management of time and trust with Winn Schwartau

    Mar 18, 2021 (30:42)


    A security luminary before such a title was even coined, Winn Schwartau's predictions about the internet and global security problems have been scarily spot on for more than 30 years. Named the "Civilian Architect of Information Warfare" by Admiral Patrick Tyrrell of the British Ministry of Defence, Schwartau also testified before Congress in 1991 and showed the world how and why massive identity theft, cyber-espionage, nation-state hacking and cyber-terrorism would be an integral part of our future. His new book, "Analogue Network Security", is a mathematical, time-based and probabilistic approach to justifiable security. Winn and the Caffeinated Risk hosts explore how the management of time and trust offers an alternative to blind faith in the castle-and-moat model that continues to fail us.

    Rethinking Security Control Design with Rachelle Loyear

    Feb 17, 2021 (30:11)


    Co-author of Enterprise Security Risk Management: Concepts and Applications, Rachelle Loyear has spent her career managing programs in corporate security organizations. Focusing strongly on security risk management, she has been responsible for ensuring enterprise resilience in the face of many different types of risks, both physical and cyber. She is currently active on a number of projects, including:

    - refining and releasing a Global ESRM approach to customer solution development for G4S
    - working with customer focus groups, using Design Thinking principles, to understand what the security industry really needs to manage risk

    Rachelle also shares lessons learned on identifying and effectively communicating with the correct stakeholders for risk acceptance.

    Preview Trailer: ESRM & Critical Infrastructure

    Jan 17, 2021 (6:05)


    The first full episode is scheduled for release February 18th. The trailer includes a few conversation segments between the co-hosts on enterprise security risk management and critical infrastructure. Visit CaffeinatedRisk.com for more articles on the intersection of risk management and technology.
