Podcasts about risk management framework

  • 41 podcasts
  • 64 episodes
  • 36m average duration
  • 1 new episode monthly
  • Latest: Aug 13, 2024



Latest podcast episodes about risk management framework

RIMScast
Cybersecurity Awareness and Risk Frameworks with Daniel Eliot of NIST

Aug 13, 2024, 45:13


Welcome to RIMScast. Your host is Justin Smulison, Business Content Manager at RIMS, the Risk and Insurance Management Society.

Justin Smulison interviews Daniel Eliot of NIST about NIST, its new publications on cybersecurity, including two Quick Start Guides, the Cybersecurity Framework 2.0, and more, Daniel's history with cybersecurity for small businesses, and his career-long passion for helping small businesses protect themselves against cybercrime.

Listen in for the latest information on NIST and cybersecurity guidelines for your organization.

Key Takeaways:
[:01] About RIMS.
[:14] RISKWORLD 2025 will take place in Chicago, Illinois from May 4th through May 7th. The call for submissions is now open through August 27th. A link to the submission form is in this episode's show notes.
[:30] About this episode. We will be joined by Daniel Eliot from the National Institute of Standards and Technology, or NIST.
[:52] First, let's talk about RIMS Virtual Workshops. The full calendar of virtual workshops is at RIMS.org/VirtualWorkshops. August 15th starts the three-part series, Leveraging Data and Analytics for Continuous Risk Management. Other dates for the Fall and Winter are available on the Virtual Workshops full calendar at RIMS.org/VirtualWorkshops.
[1:14] Let's talk about prep courses for the RIMS-CRMP. On September 10th and 11th, the RIMS-CRMP Exam Prep will be held with NAIT. There is another RIMS-CRMP Exam Prep on September 12th and 13th.
[1:29] The next RIMS-CRMP-FED Exam Prep course will be hosted along with George Mason University on December 3rd through 5th, 2024. Links to these courses can be found on the Certification Page of RIMS.org and in this episode's show notes.
[1:44] We've got the DFW RIMS 2024 Fall Conference and Spa Event happening on September 19th in Irving, Texas. Learn more about that event in Episode 299, which features an interview with the Texas State Office of Risk Management.
[2:02] Also on September 19th is the RIMS Chicago Chapter's Chicagoland Risk Forum 2024. Register at ChicagolandRiskForum.org.
[2:12] Registration has opened for the RIMS Canada Conference 2024, which will be held from October 6th through the 9th in Vancouver. Visit RIMSCanadaConference.ca to register.
[2:25] Registration is also open for the RIMS Western Regional, which will be held from September 29th through October 1st at the Sun River Resort in Oregon. Register at RIMSWesternRegional.com.
[2:38] We want you to join us in Boston on November 18th and 19th for the RIMS ERM Conference 2024. The agenda is live. The keynote will be announced soon. We want to see you there! A link is in this episode's show notes.
[2:53] The nominations are now open for the RIMS ERM Award of Distinction 2024. Nominations are due August 30th. A link to the nomination form is in this episode's show notes.
[3:07] If you or someone you know manages an ERM program that delivers the goods, we want to hear about it. A link is in this episode's show notes. All RIMS regional conference information can be found on the Events page at RIMS.org.
[3:24] On with the show! In October, we will celebrate National Cybersecurity Awareness Month. You should observe it all year round, of course. My guest today has a lot of great insight into risk frameworks. He is Daniel Eliot, the Lead for Small Business Engagement in the Applied Cybersecurity Division of the National Institute of Standards and Technology (NIST).
[3:48] NIST is part of the U.S. Department of Commerce. Today, we will discuss some of the publicly available risk management frameworks, how they've evolved through the years, and the new frameworks that address AI as well.
[4:05] You may remember Daniel from his appearance on an episode in April 2020, when he was with the National Cybersecurity Alliance. He is back to provide some new tips for the global risk management community.
[4:18] Daniel Eliot, welcome back to RIMScast!
[4:42] Justin and Daniel comment on some things that have changed since April 2020. Daniel was at the National Cybersecurity Alliance (NCA).
[5:50] Now Daniel is the Lead for Small Business Engagement in the Applied Cybersecurity Division of NIST. He shares his journey from NCA to NIST via the National Cybersecurity Center of Excellence, a NIST facility operated by Mitre.
[6:52] Daniel is happy to be back supporting the small business community.
[7:04] Daniel had worked in a small tech startup for almost seven years. He helped them scale the business and manage the development of their product. Next, Daniel joined the University of Delaware's Small Business Development Center, helping tech businesses start and scale.
[8:16] Daniel applied for an SBA grant to help small businesses with cybersecurity. This was in 2014. The Cybersecurity Framework was published in 2014. Daniel applied the Cybersecurity Framework to small businesses. That started Daniel's career in small business cybersecurity.
[9:32] There's a new NIST Risk Management Framework (RMF) Small Enterprise Quick Start Guide. Daniel's role at NIST is to coordinate across NIST, government, and the private sector to create opportunities for the small business community to engage with NIST expertise.
[10:19] The RMF Small Enterprise Quick Start Guide is a product of that coordination across NIST, government, and the private sector community. In February, NIST produced the Cybersecurity Framework 2.0 Small Business Quick Start Guide.
[10:44] NIST decided to do a Quick Start Guide for a risk management framework for small to medium enterprises. The Risk Management Framework is a process. It's a holistic and repeatable seven-step process for managing security and privacy risks.
[11:23] The NIST RMF Quick Start Guide provides an overview of the seven steps of the process, the foundational tasks for each step, tips for getting started with each step, a sample planning table, key terminology and definitions, questions to consider, and related resources.
[11:53] It's RIMS plug time! Webinars! All RIMS Webinar registration pages are available at RIMS.org/Webinars. On August 27th, Riskonnect returns to discuss How To Successfully Deploy AI in Risk Management.
[12:12] On September 5th, Merrill Herzog makes their RIMS Webinars debut with the Role of Insurance in Building Resilience Against an Active Assailant Attack. On September 19th, Origami Risk returns to deliver Leveraging Integrated Risk Management For Strategic Advantage.
[12:28] Justin jumped ahead a bit. On September 12th, HUB International returns to deliver the third part of their Ready for Tomorrow series, Pivot and Swerve: Staying Agile During Shifting Market Dynamics.
[12:44] Justin is delighted to be joined by the moderator for that session, the Chief Marketing Officer for Canada at HUB International, Linda Regner Dykeman. Justin welcomes Linda to RIMScast!
[13:13] The webinar will be at 1:00 p.m. Eastern Time on September 12th. Linda says they will be discussing current market trends and challenges. The industry has been able to produce some very strong profits over the last few years.
[13:29] The market needed correction after many years of unprofitability driven by weather events in the property line, where rates seemed to be unsustainable. Casualty also had its issues, particularly with Directors and Officers Liability.
[13:47] As a result of the profitability the industry was able to achieve over the last few years, most carriers have become more competitive in growing their books of business. This competition is not being seen in all lines, segments, or geographies.
[14:04] Some catastrophe-prone zones such as BC and Alberta have not seen the same level of competition across the board. As the market transitions from a hard market to a competitive environment, there is some unusual and inconsistent behavior.
[14:21] Carriers in Canada are being more flexible with their appetite. London is looking to grow significantly over the next couple of years, with goals of hitting $100 billion by 2025. Add to that MGAs who are seeing their market share change as local carriers become more competitive.
[14:39] As we transition out of what was considered to be a hard market, we see a lot of inconsistency in this market.
[14:48] Add to this the supply chain issues, which are not what they once were, and the economy is flat: spending, once normalized for an increase in population, reflects that of a market in a recession.
[15:02] We, as brokers, are finding competitive solutions to protect our clients. We have to pivot and swerve to discover the right opportunities.
[15:13] We had a significant rain event in Toronto, followed by one of the worst wildfires Jasper has ever seen, seemingly a once-in-a-hundred-year event; weather catastrophes are more severe and more frequent.
[15:27] How is this going to change the availability of capacity and pricing? Time will tell, as insurers try to figure out if their pricing models included the right loadings for these events.
[15:49] Being informed by what is happening in the market (the trends, the opportunities, what's available) and partnering with the right broker will help a risk manager make an informed decision, appropriate for their business.
[16:11] The panelists have decades of experience and expertise across North America. They work with clients, markets, and other experts and bring a much broader perspective and experience to this session.
[16:26] Steve Pottle is the risk manager on the panel. He's been omnipresent in RIMS Canada for years. He's a former RIMS VP and is currently the Director for Risk and Safety Services at Thompson Rivers University. Justin says he's one of the best and Linda agrees.
[16:57] Linda will moderate. She'll ask the panelists questions HUB International has received from its clients, based on what they are seeing happening in the environment around them. She would also like the audience to pose some questions. Audience participation is encouraged.
[17:21] Justin thanks Linda Regner Dykeman of HUB International, and will see her again on September 12th, 2024 for the third installment of HUB's Ready for Tomorrow series, Pivot and Swerve: Staying Agile During Shifting Market Dynamics.
[17:37] Let's return to today's interview with Daniel Eliot from NIST.
[17:53] Daniel states that the Risk Management Framework is a repeatable seven-step process for managing security and privacy risks. It starts with preparation, categorizing, and understanding the information that your organization processes, stores, and transmits.
[18:20] Then you select controls, and implement those controls to protect the security and privacy of the systems. Then you assess, authorize, and monitor the controls. Are the selected controls producing the desired results? Are there changes to the organization that require new controls?
[18:45] You follow the seven steps of the framework in order and repeat them in a cycle. Keep going through it. Every organization regularly changes. Technologies change. People change. That's why the framework has to be repeatable and flexible.
[19:05] NIST published this Risk Management Framework Small Enterprise Quick Start Guide as a tool to raise awareness within the Small and Medium Enterprise (SME) community about what the Risk Management Framework is and how to get started with it.
[19:26] This Quick Start Guide is not intended to guide you on your journey from start to finish for a comprehensive risk management implementation. It is a starting point.
[19:41] The Guide has an overview of the steps of the Risk Management Framework, some foundational tasks for each of the RMF steps, some tips for getting started, some sample planning tables, and graphics to help people understand concepts that might be new to them.
[20:02] NIST spent a lot of time defining key terminology, extracting terms out of the Risk Management Framework, and highlighting them in this Quick Start Guide. There are phrases and terms in the Risk Management Framework that some people new to it might not understand.
[20:24] For example, “authorization boundary.” The Guide highlights and illustrates what these terms mean in the Risk Management Framework and adds questions for organizations to consider and use internally for discussion. The answers may be different for every organization.
[21:12] This Guide is a derivative tool from the existing publication that went out for public comment. The Quick Start Guide did not go out for public comment, but NIST has circulated Quick Start Guides to some small businesses they know to make sure it's hitting the right note.
[21:56] Daniel monitors commentary and looks at how the Guide is received out in the world once it's published. In every Quick Start Guide, there is an opportunity for people to contact NIST if they have questions or if there is an error. NIST is always open to feedback.
[23:03] In small businesses, Daniel finds the owner or operator is the Chief Risk Officer, the Janitor, the CISO, and the Chief Marketing Officer. Anyone can use the Risk Management Framework. It's a process.
[23:25] Federal agencies, contractors to the federal government, and other sources that use or operate a federal information system typically use the suite of NIST Risk Management Standards and Guidelines to develop and implement a risk-based approach.
[23:48] A lot of the audience for this Small Enterprise Quick Start Guide might be small universities, small municipalities, or small federal agencies implementing this Risk Management Framework.
[24:27] We have time for one more break! The Spencer Educational Foundation's goal is to help build a talent pipeline of risk management and insurance professionals. That is achieved, in part, by a collaboration with risk management and insurance educators across the U.S. and Canada.
[24:45] Whether you want to apply for a grant, participate in the Risk Manager on Campus program, or just learn more about Spencer, visit SpencerEd.org.
[24:55] On September 12th, 2024, we look forward to seeing you at the Spencer Funding Their Future Gala at The Cipriani 42nd Street in New York City. Our recent guest from Episode 293, Lilian Vanvieldt-Gray, will be our honoree.
[25:11] Lilian is the Executive Vice President and Chief Diversity, Equity, and Inclusion Officer at Alliant Insurance Services, and she will be honored for her valuable contributions to supporting the future of risk management and insurance.
[25:28] That was a great episode, so after you finish this one, please go back and listen to Episode 293.
[25:34] Let's conclude our interview with Daniel Eliot of NIST.
[26:10] Daniel introduces the U.S. AI Safety Institute, housed within NIST. It's tasked with advancing the science, practice, and adoption of AI safety across the spectrum of risks, including those to national security, public safety, and individual rights.
[26:39] The efforts of the U.S. AI Safety Institute initially focused on the priorities assigned to NIST under President Biden's Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence.
[26:51] On July 26th, 2024, they released resources for a variety of aspects of AI technology. Two are new to the public. The first is an initial public draft of a guidance document intended to help software developers mitigate the risks of generative AI and dual-use foundation models.
[27:19] The other is a testing platform intended to help AI system users and developers measure how certain types of attacks can degrade the performance of an AI system. These are two opportunities for the public to provide comments on these publications and tools.
[27:49] There is a link to the call for comments in this episode's show notes.
[28:03] At NIST, foundational publications go out for public comment. NIST wants to hear from U.S. citizens and people all over the world to get their perspectives on NIST's approach to what they're addressing. This is a community effort. Comment periods are important.
[28:37] From Daniel's perspective of small business, he seeks the comments of small businesses on these publications. Authors need to hear from organizations, large and small.
[28:53] These two new publications are open for public comment.
[28:59] Three releases are final publications. One is The AI Risk Management Framework Generative AI Profile, which helps organizations identify unique risks posed by generative AI. It includes actions for generative AI risk management.
[29:34] A second publication is the Secure Software Development Practices for Generative AI and Dual Use Foundation Models. It addresses concerns about Generative AI systems being compromised with malicious training data that would adversely affect system performance.
[30:16] The third publication is A Plan for Global Engagement on AI Standards. It's intended to drive worldwide development and implementation of AI-related consensus standards. Standards require global input from businesses, governments, non-profits, and academia.
[30:57] These three final publications have been informed by public comment periods. They're ready to hit the ground running and people can put them into action.
[31:15] Daniel is part of the Applied Cybersecurity Division of NIST. The U.S. AI Safety Institute is a different part of NIST.
[31:44] Every once in a while, public comments receive spammy messages.
[32:23] Daniel says all cybersecurity and privacy risk management comes back to governance and having policies and procedures in place, knowing your contractual and legal responsibilities. Organizations need policies that guide behavior for the appropriate use of AI in their business.
[32:59] Individuals in companies have pasted confidential company information into publicly available AI systems. That creates a vulnerability. Have a policy around the use of these tools.
[33:31] Criminals have used AI to upgrade phishing scams, reduce grammatical errors, and craft more convincing appeals.
[35:00] NIST is raising awareness of different ways of identifying phishing attacks besides looking for grammatical errors, such as looking at the links and the calls to action and other factors that show it is a phishing scam. AI is contributing to their increasing sophistication.
[35:43] Daniel shares his tip for new risk professionals. Familiarize yourselves with the suite of resources that NIST has available for cybersecurity and privacy risk management. They have a broad variety of risk management frameworks and resources, like the Quick Start Guide.
[36:42] There are online courses, extensive FAQs with answers, and archived talks from SMEs. Take advantage of these resources. Also, let NIST know what other resources might be helpful to you. The core of NIST guidance for any framework is good governance.
[37:21] Understand your mission and requirements. Create and maintain policies for good behavior. Understand your supply chain dependencies and vulnerabilities. Good governance sets your organization up for success when implementing and monitoring risk-mitigating controls.
[37:56] NIST offers consistent, clear, concise, and actionable resources to small businesses. Since 2018, they have maintained a website, NIST Small Business Cybersecurity Corner, with over 70 resources on the site, all tailored to small businesses. The Quick Start Guides are there.
[38:32] The resources include short videos, tip sheets, case studies, and guidance organized by both topic and industry. All the resources are free and produced by federal agencies, such as NIST, FBI, and CISA, as well as nonprofit organizations. It's a one-stop shop for this information.
[39:04] The resources are regularly updated and expanded to keep the content fresh and relevant. The resource library has the Cybersecurity Basics Section, with eight basic steps businesses can inexpensively implement to reduce cybersecurity risks.
[39:28] The Cybersecurity Framework Page highlights the CSF and small business resources related to the CSF. There is topical guidance on Multi-Factor Authentication, Ransomware, Phishing, Government Contracting Requirements, and Choosing a Vendor or Service Provider.
[39:53] All the resources are available at NIST.gov/ITL/SmallBusinessCyber. The link is in this episode's show notes. The resources are there for you to use in your organization.
[40:30] Justin says, “It has been such a pleasure to reconnect with you here on RIMScast! I always love it when you post on LinkedIn! I think you're great! You're keeping me informed. Happy National Cybersecurity Awareness Month to you!”
[40:55] With developments in tech and AI, cybersecurity has taken a back seat, but Justin says it will come back pretty hard. Justin feels it will be sooner than four-and-a-half years for Daniel to return to RIMScast.
[41:23] Whatever new technology comes out, cybercriminals are looking at it to see how they can exploit it. There will always be a cybersecurity component to it.
[42:05] Daniel Eliot, thank you so much for rejoining us here on RIMScast!
[42:10] Special thanks again to Daniel Eliot of NIST for rejoining us here on RIMScast. Lots of links are in this episode's show notes to aid small enterprise owners and risk professionals.
[42:25] These resources are publicly available and complimentary, so by all means, use them and leverage them to ensure your organization's cyber resilience. I've got lots of links in this episode's show notes for more cybersecurity coverage from RIMS, as well.
[42:44] It's RIMS plug time! The RIMS App is available to RIMS members exclusively. Go to the App Store and download the RIMS App with all sorts of RIMS resources and coverage. It's different from the RIMS Events App. Everyone loves the RIMS App!
[43:18] You can sponsor a RIMScast episode for this, our weekly show, or a dedicated episode. Links to sponsored episodes are in our show notes. RIMScast has a global audience of risk and insurance professionals, legal professionals, students, business leaders, C-Suite executives, and more. Let's collaborate and help you reach them! Contact pd@rims.org for more information.
[44:02] Become a RIMS member and get access to the tools, thought leadership, and network you need to succeed. Visit RIMS.org/membership or email membershipdept@RIMS.org for more information.
[44:20] Risk Knowledge is the RIMS searchable content library that provides relevant information for today's risk professionals. Materials include RIMS executive reports, survey findings, contributed articles, industry research, benchmarking data, and more.
[44:36] For the best reporting on the profession of risk management, read Risk Management Magazine at RMMagazine.com. It is written and published by the best minds in risk management. Justin Smulison is the Business Content Manager at RIMS. You can email Justin at Content@RIMS.org.
[44:58] Thank you for your continued support and engagement on social media channels! We appreciate all your kind words. Listen every week! Stay safe!
Mentioned in this Episode:
DFW RIMS 2024 Fall Conference and Spa Event | Sept 19‒20
Chicagoland Risk Forum 2024 — Presented by RIMS Chicago Chapter — Sept. 19, 2024
RIMS Western Regional — Sept 29‒Oct 1, Oregon | Registration is open!
RIMS Canada Conference 2024 — Oct. 6‒9 | Registration is open!
Spencer Educational Foundation — Funding Their Future Gala 2024 | Sept. 12, 2024
RIMS ERM Conference 2024 will be in Boston, MA Nov. 18‒19 | Register Now
RIMS ERM Award of Distinction — Nominations Open Through Aug. 30, 2024!
RISKWORLD 2025 will be in Chicago! May 4‒7
Education Content Submissions for RISKWORLD 2025
NIST Risk Management Framework Small Enterprise Quick Start Guide
Cybersecurity Framework 2.0 Small Business Quick Start Guide
NIST Small Business Cybersecurity Corner
U.S. Artificial Intelligence Safety Institute
New Guidance and Tools to Mitigate AI Risks
Managing Misuse Risk for Dual-Use Foundation Models
Testing How AI System Models Respond to Attacks (users can send feedback to: dioptra@nist.gov)
RIMS DEI Council
RIMS-Certified Risk Management Professional (RIMS-CRMP)
RIMS Strategic & Enterprise Risk Center
NEW FOR MEMBERS! RIMS Mobile App

RIMS Webinars:
How to Successfully Deploy AI in Risk Management | Sponsored by Riskonnect | Aug. 27, 2024
Role of Insurance in Building Resilience Against an Active Assailant Attack | Sponsored by Merrill Herzog | Sept. 5, 2024
HUB Ready for Tomorrow Series: Pivot and Swerve — Staying Agile During Shifting Market Dynamics | Sept. 12, 2024
Leveraging Integrated Risk Management For Strategic Advantage | Sponsored by Origami Risk | Sept. 19, 2024
RIMS.org/Webinars

Upcoming Virtual Workshops:
Leveraging Data and Analytics for Continuous Risk Management (Part I) 2024 — Aug 15
See the full calendar of RIMS Virtual Workshops
RIMS-CRMP Prep Workshops

Related RIMScast Episodes:
“Daniel Eliot's 2020 RIMScast Debut: Cybersecurity Tips for Small Businesses”
“300th Episode Spectacular with RIMS CEO Gary LaBranche”
“Mid-Year Risk Update with Morgan O'Rourke and Hilary Tuttle”
“Emerging Cyber Trends with Davis Hake”
“Cybersecurity Awareness Month with Pamela Hans of Anderson Kill”

Sponsored RIMScast Episodes:
“Weathering Today's Property Claims Management Challenges” | Sponsored by AXA XL (New!)
“Storm Prep 2024: The Growing Impact of Convective Storms and Hail” | Sponsored by Global Risk Consultants, a TÜV SÜD Company (New!)
“Partnering Against Cyberrisk” | Sponsored by AXA XL (New!)
“Harnessing the Power of Data and Analytics for Effective Risk Management” | Sponsored by Marsh
“Accident Prevention — The Winning Formula For Construction and Insurance” | Sponsored by Otoos
“Platinum Protection: Underwriting and Risk Engineering's Role in Protecting Commercial Properties” | Sponsored by AXA XL
“Elevating RMIS — The Archer Way” | Sponsored by Archer
“Alliant's P&C Outlook For 2024” | Sponsored by Alliant
“Why Subrogation is the New Arbitration” | Sponsored by Fleet Response
“Cyclone Season: Proactive Preparation for Loss Minimization” | Sponsored by Prudent Insurance Brokers Ltd.
“Subrogation and the Competitive Advantage” | Sponsored by Fleet Response
“Cyberrisk Outlook 2023” | Sponsored by Alliant
“Chemical Industry: How To Succeed Amid Emerging Risks and a Challenging Market” | Sponsored by TÜV SÜD
“Insuring the Future of the Environment” | Sponsored by AXA XL
“Insights into the Gig Economy and its Contractors” | Sponsored by Zurich
“The Importance of Disaster Planning Relationships” | Sponsored by ServiceMaster

RIMS Publications, Content, and Links:
RIMS Membership — Whether you are a new member or need to transition, be a part of the global risk management community!
RIMS Virtual Workshops
On-Demand Webinars
RIMS-Certified Risk Management Professional (RIMS-CRMP)
RIMS-CRMP Stories — New interviews featuring RIMS Risk Management Honor Roll Inductee Mrunal Pandit!

RIMS Events, Education, and Services:
RIMS Risk Maturity Model®
RIMS Events App: Apple | Google Play

Sponsor RIMScast: Contact sales@rims.org or pd@rims.org for more information.

Want to Learn More? Keep up with the podcast on RIMS.org and listen on Spotify and Apple Podcasts.

Have a question or suggestion? Email: Content@rims.org.

Join the Conversation! Follow @RIMSorg on Facebook, Twitter, and LinkedIn.

About our guests:
Daniel Eliot, Lead for Small Business Engagement, Small Business Cybersecurity Corner, Applied Cybersecurity Division, National Institute of Standards and Technology, U.S. Department of Commerce
Linda Regner Dykeman, HUB International, Chief Marketing Officer for Canada

Tweetables (Edited For Social Media Use):
I'm happy to be back at NIST, supporting the small business community. — Daniel Eliot
The industry has been able to produce some very strong profits over the last few years, after many years of unprofitability driven by weather events in the property line. — Linda Regner Dykeman
Follow the seven steps of the framework in order and repeat them in a cycle. Keep going through it. Every organization regularly changes. Technologies change. People change. That's why it has to be repeatable and flexible. — Daniel Eliot
There are phrases and terms associated with the Risk Management Framework that some people who are new to this might not understand. — Daniel Eliot
When talking about small businesses, the owner or operator is the Chief Risk Officer, the Janitor, the CISO, and the Chief Marketing Officer. — Daniel Eliot
An AI system is only as good as the information that's put into it. — Daniel Eliot

The AI Fundamentalists
Exploring the NIST AI Risk Management Framework (RMF) with Patrick Hall

Jul 30, 2024, 41:24

Join us as we chat with Patrick Hall, Principal Scientist at Hallresearch.ai and Assistant Professor at George Washington University. He shares his insights on the current state of AI, its limitations, and the potential risks associated with it. The conversation also touched on the importance of responsible AI, the role of the National Institute of Standards and Technology (NIST) AI Risk Management Framework (RMF) in adoption, and the implications of using generative AI in decision-making.

Show notes

Governance, model explainability, and high-risk applications
00:00:03 Intro to Patrick
His latest book: Machine Learning for High-Risk Applications: Approaches to Responsible AI (2023)

The benefits of NIST AI Risk Management Framework
00:04:01 Does not have a profit motive, which avoids the potential for conflicts of interest when providing guidance on responsible AI. Solicits, adjudicates, and incorporates feedback from the public and other stakeholders.
NIST is not law; however, its recommendations set companies up for outcome-based reviews by regulators.

Accountability challenges in "blame-free" cultures
00:10:24 Cites these cultures have the hardest time with the framework's recommendations
Practices like documentation and fair model reviews need accountability and objectivity
If everyone's responsible, no one's responsible.

The value of explainable models vs black-box models
00:15:00 Concerns about replacing explainable models with LLMs for LLM's sake
Why generative AI is bad for decision-making

AI and its impact on students
00:21:49 Students are more indicative of where the hype and market is today
Teaching them how to work through the best model for the best job despite the hype

AI incidents and contextual failures
00:26:17 AI Incident Database
AI, as it currently stands, is a memorizing and calculating technology. It lacks the ability to incorporate real-world context.
McDonald's AI Drive-Thru debacle is a warning to us all

Generative AI and homogenization problems
00:34:30

Recommended resources from Patrick:
Ed Zitron “Better Offline”
NIST ARIA
AI Safety Is a Narrative Problem

What did you think? Let us know.

Do you have a question or a discussion topic for the AI Fundamentalists? Connect with them to comment on your favorite topics:
LinkedIn - Episode summaries, shares of cited articles, and more.
YouTube - Was it something that we said? Good. Share your favorite quotes.
Visit our page - see past episodes and submit your feedback! It continues to inspire future episodes.

Cyber Risk Management Podcast
EP 154: NIST AI Risk Management Framework, part 2

Mar 26, 2024, 48:06

Here's part 2 of what's in the NIST Artificial Intelligence Risk Management Framework (NIST AI RMF)? And, how do you use it? Let's find out with your hosts Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

Farm and Ranch Report
Farm Risk Management Framework

Farm and Ranch Report

Play Episode Listen Later Mar 13, 2024


David Widmar of Agricultural Economic Insights shares a four-step framework to think about farm risk.

Cyber Risk Management Podcast
EP 153: NIST AI Risk Management Framework, part 1

Cyber Risk Management Podcast

Play Episode Listen Later Mar 12, 2024 40:49


What's in the NIST Artificial Intelligence Risk Management Framework (NIST AI RMF)? And how do you use it? Let's find out with your hosts Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

ConvoCourses
Convocourses Podcast: Leverage High Paying Jobs to do other things

ConvoCourses

Play Episode Listen Later Feb 23, 2024 74:59


http://convocourses.net
https://www.youtube.com/live/Wu1DHW3VueA?si=DJqI_DDxphFRDOGK

### Introduction
- Brief introduction of Bruce, his background in cybersecurity, and the purpose of Convo Courses.

### Personal Journey in Cybersecurity
- Bruce's initial fascination with cybersecurity and IT.
- Transition from passion to profession.
- Reflections on career longevity and personal growth.

### Career Development and Financial Planning
- The importance of planning beyond the day-to-day job.
- Strategies for using income to build passive income streams.
- Real estate and publishing as examples of passive income sources.

### Advice for Aspiring IT and Cybersecurity Professionals
- Encouragement for newcomers to consider their long-term career goals.
- Importance of financial planning and investment in passive income.

### Networking and Mentorship
- The value of meeting people who have successfully exited the "rat race."
- Insights from mentors on building financial independence through passive income.

### The Evolving Landscape of IT and Cybersecurity
- Discussion on the impact of AI and technological advancements.
- Personal experiences and perspectives on the changing nature of IT work.

### Corporate Experiences and Personal Growth
- Anecdotes from Bruce's time in the corporate world.
- Learning from challenges and using them to pivot towards entrepreneurship.

### Entrepreneurial Ventures and Lessons Learned
- Experiences with blogging and creating online content.
- The significance of perseverance, experimentation, and learning from failure.

### Engaging with the Audience
- Q&A session with viewers.
- Advice on career choices, technical skills, and job market insights.

### Cybersecurity Certifications and Career Tips
- Discussion on CISSP certification and its value.
- Tips for gaining experience and standing out in the cybersecurity field.

### Closing Thoughts
- Summarization of key points discussed.
- Encouragement for viewers to think big and plan for the future.
- Invitation for topic suggestions for future discussions.

Hey guys, this is Bruce and welcome to Convo Courses. Every week I do this and I'm talking about cybersecurity from a GRC perspective. I'm an insider; I've been doing cybersecurity for a very long time. Normally I do this at one Mountain Standard Time, but I had some business to do and, as promised, I'm back. I'm a bit late because I had some stuff I had to take care of. What I wanted to talk about is what I do. When I first got into cybersecurity and IT, I just did it because it was cool. It was fun. It was amazing. It's like magic to me. It's so amazing how it all works together. And as I've gotten older, it's just become a job. I'm not saying that's bad or anything. It just is what it is. I've been doing it a very long time and now it's to the point where I've got to think about, okay, where am I going with this? What's the end goal? What do I want to accomplish at the end of the road when this is all said and done? What do I want to leave to my family? When am I going to stop? So I've been thinking about that for quite some time, and not just thinking about it, but doing something about it. What I've been doing is using the income, my salary, my high salary, to build passive income streams. There are many, many things you can do for passive income. I just started doing something that worked for me and something that was more in my lane, which is publishing and real estate. So those are the things that I mainly focus on with my income.
And I guess I wanted to talk about it because it's important to think about where you want to go with this. Like if you're trying to get into cybersecurity, if you just started IT or you want to get into it, you're a college student, you're in high school, whatever the case may be, and you're thinking, man, IT is cool, or I want to do it, there's a lot of jobs, they get paid a lot of money, it's job security, blah, blah, blah. At some point, maybe not today, maybe not tomorrow, but at some point in your career, you're going to have to think about where do I want this to go? What's the end goal? Am I just going to work a nine to five until I retire? What am I trying to do with this? And so that's what I've had to think about for the last 10 years. Not just thinking about it but doing something about it. So I just started trying different businesses. I would use some of the income that I have to try different things, and some of them worked and some of them didn't work. Sometimes it worked but it wasn't for me, you know. But the thing is, you've got to keep trying and failing. Just fail forward. Keep on trying different things. What's amazing is the people I've met. I've met some really amazing people who've done it all kinds of ways, all kinds of creative ways to get out of the rat race, meaning get out of the struggle. They don't struggle anymore with finances. They don't struggle with the treadmill of capitalism. They have mastered it. And all the people who have mastered it all have passive income streams, I've noticed. They don't have to have a job. And I've met people who did it with real estate in different ways, by either flipping houses or doing Airbnbs or doing tax liens, or just doing regular rentals. I've met people doing property management. So there's many, many ways to do just real estate. And then I've met people who did, what do you call them? Homes for the elderly.
I met people who just saved and put away a bunch of money in stocks and are going to be wealthy that way, or are wealthy that way. I've met some people who did a combination of those things. I've met all kinds of people who did it their way. They were creative. One thing they all have in common is they have enough income that they don't have to work a nine to five anymore if they don't want to. Some of them still work a nine to five because they're still building a nest egg. And some of them have a business and they like working that business. They like actually being there and working the business and all that kind of stuff. So seeing that, these people kind of became like mentors to me. I would follow what they did. I would ask them questions about how they did it, what they did. And all of them had to invest their own money or time to get to a point where their time was so valuable that it was more valuable for them to spend time on their business than at their job. So that's one thing I've noticed about a lot of them. And it's just something you should think about. Another thing, and one of the reasons why you should consider doing IT and cybersecurity and progressing, is that once you get to a certain income level, obviously your life changes. But one thing that happens is you have this surplus of income and you've got to think about what you want to do with it. You have this little bit. It could be like an extra thousand. All your bills are paid, your groceries are done, you're good, right? You could probably even loan people money or give people money, whatever. But you still have this extra cash. And so you've got to think about, okay, what do I want to do with this money? And I would suggest that you invest it in some kind of method of passive income.
It doesn't have to be what I'm doing. It should be something that you find that works for you. And so that is a great reason to get into IT and cybersecurity, because it's a high paying job. They're always going to need somebody doing IT. I know there's all these fears about LLMs and artificial intelligence and all that kind of stuff, but I would say that it's going to be more of a threat to not know it than to think it's going to just take all jobs. I don't think it's going to take all jobs. I think that's hyperbole. I think we don't really know what's going to happen with it, right? One thing for sure that we know is it's going to change humanity. That's for sure. That's probably more scary. I'm surprised more people don't talk about that. What's more scary about AI is it's going to change us, just like this phone did, just like the internet did. It's changed us. We're no longer the same. We're not the same species that we were before the internet. We're rapidly changing into something else. And I don't know what the hell that is, but we are not the same species that we were before. And AI is gonna speed up that process. We are gonna be different. And people keep talking about jobs. We have way more stuff to worry about than jobs. It's gonna change us fundamentally as a species. And I don't know where that leads us to, but jobs is the least of our worries. That said, while we still have this thing going on, get into IT, get into cybersecurity. You'll have all this extra income and it allows you to have more freedom to build something for yourself and for your family. I'm somebody who comes from very humble beginnings, like I came from nothing. And I can tell you there's different stages and levels to this. When I first started out, as a kid, we were struggling to survive. And so you're not necessarily thinking about it; it's not real to you.
$100,000 a year is not real. When you're struggling poor, it's just delusional. I didn't know anybody who made 100,000, or maybe I did, but I didn't know that they made 100,000. I didn't have any friends that I knew made 100,000. It wasn't real. So it just didn't seem real at that level. And then once I started making my own income, my network changed. I started meeting other people who were also doing their own thing, other young people who were also living their own life, doing their own thing. And I started running with that crowd. And then I started meeting older heads who were already doing real estate and business and stuff. They were talking a lot about it and I'd be like, what's this you're talking about? This is while I was still in the military. I got out of the military and I thought when I got out that I was going to get a corporate job, make like 80, and be cool, and then just retire with that one corporation. Little did I know that corporations don't care so much about humans. They care about the bottom line. They care about their money. So they're not really trying to take care of people. Maybe 50 years ago they used to do that, but that's no longer the case. And I'm not trying to discourage you from going to a company. Yeah, by all means, do it. But just realize it's a stepping stone. And that's what I realized, is that you're not going to stick with one company. Not anymore. Like I said, maybe 50 years ago. It's just very different now. And I got into the corporate world.
I think the thing that turned me around with corporations, the thing that made me not lose hope, but think of them differently and see the reality of what was really going on, is that one time my wife at the time got really sick. She had like a pulmonary embolism or something in her leg. I mean, she had something in her leg; she had to go to the doctor. She was in the hospital for like three days. I had just gotten hired and I asked the company, I said, you know, is it okay if I... I just bought a house, you know, we just moved in and we had a little baby, and I said, hey, I know you guys just hired me, but can I get three days off, because I need to take care of my kid? I don't have anybody here. I just moved to the state. And they were just like, well, we can't do it. It's against company policy. And it was some kind of politics that they were playing. My immediate supervisor basically wouldn't allow me to do it. It's just weird. And I'm just like, what? And it just dawned on me, these people do not give a damn about me. They really don't care. And I was like, well, why should I care about them? If they don't care about me or my family, then why am I sacrificing myself? I'll do anything for these guys. I'm like, so I'm a fool. And after that, I just realized, man, I've got to do something else. I'm not going to quit my job, but I've got to figure something else out. Because if this is how it's going to be, I've got to do something else, right? Because while I'm in the military, the military takes care of you. In the military you have a brotherhood. If you stay with the military, you stay 20 years, they're going to give you retirement. It's not like that on the outside. It was a hard lesson to learn. And I said, okay, you know what, what I'm going to do is I'm going to start a business. That was the first time I was like, I'm going to start a business. And the first business I did, now this is crazy.
The first thing I did was blog. I made a blog, and it was back when a blog could make money. I mean, it still could, but this was right at the early stages of blogs, where blogs were brand new and people were making all this money off of blogs. And I started this blog and it got pretty popular, but before it got popular, I remember I made 10 cents and I was super excited. I was like, I made 10 cents, you know, after writing a few articles or whatever. And the only reason I was happy is because I realized if I can make 10 cents, I can make a dollar. If I can make a dollar, I can make $10. If I can make $10, I can make a hundred dollars a day. If I can make a hundred dollars a day, you know what I mean? And that was true. What happened was the blog got really popular and it ended up landing me my first hundred thousand dollar job and allowed me to publish my first... the first thing I published was like a pamphlet for this company. And they had me go around the world and teach from this pamphlet that I wrote. And I made a little over a hundred thousand for the first time. So that blog... And one time I wrote an article, it went viral. It was making like $100 a day for a while, which at the time was crazy. And I don't know. It just opened my eyes. You never know what's going to work. So you should just try different things. And I've tried a lot of stuff, man. I've tried stuff that absolutely did not work. But I've tried things that really did work. And that's what you've got to do. Just try different things. All right, I've got some questions here. Thank you guys for watching. I appreciate it. Kind of a different flow right now. I just want to have you guys think a little bit bigger, especially if this is your goal. If you're trying to do IT, if this is what you're trying to do, start thinking about your future, what you want for your family far in the future, and what you can do.
Somebody asked me, would you recommend starting at a big tech company or a small non-tech with higher pay long term? Think of it differently. What you want, the ideal job, is one where you have a little bit of extra time. What do I mean by that? What I'm trying to say is, I would take a little less pay to have a little less stress, personally. But you could also go for high pay that will allow you to take some of that pay and reinvest it into a 401k, buy stocks, buy bonds, if that's what you're into, play around with swing trading, if that's what you're into. Try different things. If you go to a big company and they pay you a whole bunch of money, or a small company and they pay you a whole bunch of money, use some of that money to invest. Try things: real estate, try stocks, try business, try different things. Use it as a stepping stone. As far as which one would I try, you said non-technical with higher pay or big tech. I'm just going to tell you from my experience. Smaller companies are more... There's more of a person-to-person feeling with smaller companies. I've worked for literally a two-man company all the way up to multibillion dollar companies and international multibillion dollar companies, and for the government. And I can tell you some of the best experiences I had were with smaller companies. And maybe this is just anecdotal, maybe it's just my experience and maybe it's different for everybody. But in all the small companies I worked for, it was more one-on-one. I was a person. I wasn't just a number. At the large companies, I was just a number. I might have had a real good team and everything, but at the end of the day, they can replace you in a heartbeat. And because of that, they don't really value the person as much as they used to. But smaller companies, they really took their time to develop each person.
And I really miss that feeling of being on this team. With that said, when you're in a small company, it's kind of like you're in a big ocean being rocked by the market that's happening, you know, whereas when you're in a big-ass company, it's like you're on an ocean liner and the economy is rocking, but the boat is just going like this, you know, it's kind of wavering a bit. You're not being tossed on the sea by the economy or whatever's happening, market forces or whatever. So there's tradeoffs for different things. At the end of the day, it depends on what you want to do. Just think long term, think big, think your entire lifespan and what you want for yourself and for your kids and for your kids' kids. When it's all said and done, when you are nothing more than a memory, you want to be able to look back and have created some sort of legacy. This is one stepping stone in a long line of steps you're going to take. So just think of it that way. Think big is what I would say to make your decision. And that way, when you do make a decision, it'll mean something. It'll be one step in the right direction, the direction you're going. So I hope that helps. I'm just telling you my experience with small companies and big companies and all that kind of stuff. If you went for the big money, non-tech big money, you can use that money to invest and do what you want. And the big companies have got a little bit more of what feels like security, and maybe you have a little bit more time on your hands to mess around, and you can use that time to tinker and mess with something else. Probably the money is what I would take, to be honest with you. Let me see. Forty Rock says, is IT/cybersecurity still hiring? I have three years of technical support and two years of SQL development. I've been unemployed since November and I cannot get a help desk position. Open up what you're willing to take, Forty Rock.
What I would recommend is possibly going back into SQL development. Be open to that, be open to technical support. Lean on your skills. A lot of times... I'll give you an example. There was a time when I was really wanting to get into more technical stuff, and I did. I actually landed a job in a technical position as a field technician. And I didn't know it at the time, but I took a huge pay cut, because my specialty was in cybersecurity. I just didn't want to do it anymore. I just didn't want to do policies and all that kind of stuff anymore. So I was like, man, I want to do more hardcore stuff. And I found a job, but I took like a, I don't know, 45% pay cut. I mean, it was a lot, man. I had no idea. If I could go back, I realize my mistake was that I didn't lean on my strengths. Lean on your strengths. Your strengths are, you said, two years of SQL development. Not a lot of people know SQL, bro. That's a special skill, and all the things that come with it. I guarantee you, you're not tapping into all of the skill sets that you have with SQL. SQL is very special. Very special, because that means you could work in, and correct me if I'm wrong, but with SQL, you can work in several different database environments, because many of the largest databases, relational databases and object-oriented databases, use some sort of SQL. MySQL, Oracle, right? They use some sort of SQL. So lean heavily on your SQL experience. What you could do to see what types of keywords to put in your resume so you can, quote unquote, lean into your strengths, is look at other people's resumes. Go to LinkedIn. Go to LinkedIn right now. If you happen to be watching me, go to LinkedIn and type in SQL development. And then don't look at jobs just yet, right? That'll come next. What you want to do first is look at other people's resumes. Look who comes up on there and look at their resumes.
Not all people put their entire resume out there, or profile rather, but some people do. Look at their profile. Check out their profile and see what they're putting, what keywords. I guarantee you a lot of the keywords, the key phrases that they use, are referring to skills and things that you have done in your two years with SQL development. Put that shit on your resume. Put it on your resume. Because don't just aim for a help desk job. Broaden your horizon. That's what I'm trying to tell you to do. And these guys on here who have IT experience, they'll tell you, man, listen, a lot of these guys are looking for your skill set. Mike chimed in. He says, some of these firms, non-tech, you are just a number. Yeah, absolutely. Okay, so my man Mike is talking to you. Let me see who else is out here talking. Oh man, TikTok is crazy. Is it necessary to do help desk before jumping into cybersecurity analyst? Not necessarily help desk, but like a tier one type position. Let me see if I can explain it better. The first point of contact for fixing technical problems is not always called help desk. Sometimes it's called customer support, technical support, field technician. There's different names for it, but they're normally the first person that you talk to when you have some kind of a problem with your internet, with the computer. It's not always just help desk. We kind of use that as a blanket term because that's probably the most known term for that first tier person that you talk to. But you get the idea. So I would say it's best. You don't absolutely have to. I've seen people who were cybersecurity analysts who did not have a solid help desk background. But the best people started from the bottom and worked their way up. They were field technicians and then they were help desk, or field technician or customer support or something like that.
And then they kind of graduated to this other level. I've seen people who skip rungs, like people who are just thrown right into system administration, creating accounts and things like that. And then they were working with server problems or updating servers and stuff, and they never really touched help desk per se. I've seen people who went directly into networking straight out of basic training, went to some technical school and then went straight to that, or went straight from college to do that, or they had some sort of background in networking, did junior network administrator, and then went to something else, cybersecurity analyst or forensics or whatever. They did something else. So it's not absolutely necessary, but let me explain a little bit about cybersecurity analyst. That's one of the skill sets that I've had, something I've done in the past. A cybersecurity analyst, when I was doing it, was somebody who was doing a lot of monitoring of the network. We were monitoring the network using tools like a SIEM, which is a security information and event manager, that looked at all the logs going on the network. We had IPS, IDS, which is intrusion detection or intrusion prevention systems, that we would have to know how to use to block certain ports or certain source IPs. We had to know different types of attacks. We were looking at the network, right? And determining if we were being attacked or if there was some kind of a threat that was on the network. That was our job as a cybersecurity analyst: we were analyzing the network. And then sometimes we'd have to escalate it to the incident response team, or we'd have to do something like that. So that said, think about it. A cybersecurity analyst has to know quite a bit about how the network works, like how networking itself works. Because they're looking at logs over the network.
And you have to know how TCP/IP works and all that kind of stuff, because sometimes you're looking at packets going across the network. And sometimes we'd even break open packets to look at what was going on. Right? So you have to know a bit about network engineering, how networks work. You have to know the difference between a server and a workstation and how they work together. You have to have the basics nailed down. You have to know what ports are, at least the common ports, and how they work, how they can be exploited. So you kind of have to know two or three different things and start linking them together for cybersecurity analyst work. It takes very talented people to be good at it. And I'm not saying I was good at it. I wasn't. I was just a newcomer. I was a new guy who was fascinated by it. I could get around, but I wasn't one of the more skilled guys on the team. I was learning stuff. But what I'm getting at is you have to have the basics nailed down in order to do a job like cybersecurity analyst work, right? I'm not saying you have to be a master at it or some kind of brilliant person at it, but even to do the basics, you have to have some basic skills, basic help desk type skills down, first tier skills down. Somebody said, bro, where do I start? Start where you are. Consider your industry. If you happen to be a student, zero to hero. If you're a student, you can start right now. If you're in some sort of industry already, like you're in the healthcare industry, the pharmaceutical industry, the retail industry, you name it, restaurant, all of them use IT, you can start where you are.
If you're a student, you're in a special position. If you're a high schooler, shoot, they have clubs that you can start right now. Start learning computer stuff right now. Start fixing people's computers right now. Start coding right now. There's things you can do right now as a high schooler. Hell, I know people who got a CompTIA, who started getting cybersecurity certifications in high school, just to get the knowledge now and to build themselves up, to go to a vocational school or a community college or a college or university or whatever, to build up their skills. Or hell, start your own business fixing people's computers. You can get that good at it. And then that stuff you can put on a resume, or just keep building, scaling your own business from high school. College is a huge pivot point, because in college you don't have to wait to get your degree. You shouldn't wait. Start being a working student right away. If you're on campus, see if you can help them out. Help out the campus to figure out what vulnerabilities they have. See if there's a working student program. Hell, even if it's remote, like if you're doing college remotely, they might still have a working student program. Look into it. They have apprenticeships, they have internships, they have all kinds of... sometimes they have like a B2B, university-to-business pipeline. Ask. You've got to get yourself in there and ask where you can start as a college student. College students are probably in the best position to get the ball rolling for their career. But they've got to start now. A lot of times they just wait until they get their degree and they're like, oh, I can't get a job. Start now, right now.
Now, if you happen to be, let's say, forget the student, you're not a student anymore, you're in the world, you're a healthcare professional. You know more about HIPAA than I do. And HIPAA is one of the primary laws that is used to protect patient data. That can get your foot in the door right there. I mean, that right there is huge. That's a huge step in the right direction. Now, you still have to learn all the basics of information technology, but you have a good foothold in that industry. If you happen to be in retail, did you know that all the times that you're taking people's credit cards, the whole system in the background that is taking all that information has to have something called PCI compliance? You can start learning a little bit about that. See if you can get involved with their IT department. Everyone has one. Taco Bell has one. Walmart has one. Everybody has an IT department. See if they'll let you do a lateral move over there, or start shadowing somebody who already does it. And in whatever retail space you're in, you'd be surprised. Look at their career page. They might have something where they're looking for IT professionals at TJ Maxx or whatever. And I'm being serious. It's not a joke. Whatever, start where you are. That's what I'm telling you to do. And then once you get that money, right, you get that pay bump. Listen, I know you want a better lifestyle and I'm not telling you to not have a better lifestyle, but use some of that income to start building some passive income streams. And if you don't know what that is, you might want to Google it. You might want to Google it because it's important and they don't teach it in school. But I'm telling you right now, it's important to do it. This is not me trying to get... I don't have a course on passive income streams. Right. I thought about it, but I don't have one. OK, I'm not trying to sell you anything.
Right. I'm just trying to tell you, like, if you don't know what passive income is, look it up. That's what I'm trying to tell you. It's a life changer. It can change your life. So look into it. Let me see here. Getting some more comments and stuff. And I'm only going to do about an hour, guys. So I got about 30 minutes. I was on here earlier. I was doing one of my AirBVs. And now I'm here to do the real work here. Okay. Susie says, I hope I'm pronouncing that correctly. I'm sure I'm not. After getting your CISSP, did you find some of the content helpful on the job? or was it mainly a confidence booster currently studying for the exam? I'm curious. I'm going to say something that you're probably not going to like. I'm going to say something that's probably controversial, but I'm going to tell you the truth. The CISSP is so general that it really didn't, I can't say that it helped in any capacity. And I know that's not what you want to hear. You want to hear that there's a magic wand, that you take some certification and magical things happen. The magic was that everybody wanted to hire me after I got the goddamn thing. That was the magic. There are certifications that I could say that were extremely technically useful that I saw the things I was using on that certification in real life, like things like the CCNA. Cisco certification, like those Cisco certifications are the real, they're the real deal, right? What other certifications would I say were extremely useful? The Microsoft certification, the technical vendor level certifications doing their vendor level stuff is very, very useful. Qualys, like that was, that's not a big certification. It's not marketing. 
talked about, but Qualys is a scanner, it's a network scanner, and the stuff that I learned, that was on the test, that's the stuff that we're actually using at the organization I worked at. So the vendor level certifications are very, very much useful. I would say the Security Plus was very useful, even though it's not vendor specific. Security Plus was useful because it's talking about stuff that you're going to... Let me put it to you this way. Security Plus is usually introduced to people who are fairly new into cybersecurity. So it opens up... It's kind of touching on many different things that you might not have ever been introduced to for the first time. By the time you get to the CISSP, you kind of have some level of, you've touched a lot of different security by the time you actually take the cert. You take the cert, and the way they word it, how can I explain it without losing the CISSP? The way that they word it is like, it's a, what do they call it? Let me put it to you like this. They'll ask you a question, and the hardest part is the answers. Because you'll have two answers you can kind of throw away, and then they'll have two answers that are both right, but one's more right than the other. That's hard. That's the hard part about the CISSP. Would I say it helped me? I can't know. There's nothing on there that I could say, yeah, that right there, that's... That was on the, you know, I'm not quoting the CISSP. Like, it's not, I will say this, it's highly marketable. It's a great, it changed my life. As soon as I got it, people were like, oh, it was like I was a lawyer or some shit. It was like I had to pass the bar or something. It single-handedly changed my life. You could probably get the CISSP and not have a degree. With some years you got, of course, you have to have experience, but you could probably, that damn thing is so effective.
It's so effective that as soon as you get it, like, so many people hire you just to say they, oh, we have a CISSP on the board in our IT department. He's a CISSP, you know, or whatever. That said, you know, just because you have a CISSP doesn't mean you magically know shit, because there's a lot of dumbass CISSPs, you know. So I'm sorry I had to take the magic out of it. The magic is that you will get paid and people will hire you. So that just, you know, it is what it is. Let me see. I just got my Security+ six months ago, but I'm still struggling to get a job. How much experience concern, Jay? How much experience do you have? Because the certification alone is not, including the CISSP, is not enough to land you a job. They really, employers want a, they want to see that you can do the work. And that requires, and the best way to see that is via your experience. So wherever you can get experience, get experience. There's been a lot of questions about what cert should I get or, you know, I get a lot of those kinds of questions, but the question I get less of that should be asked is how do I get experience? That's a harder question for me to answer for you, but also it's the best question, because that's what they're really looking for. I'm not saying you shouldn't have a Security Plus. Security Plus is fire. CISSP, I just told you, it single-handedly changed my life, it's great. A degree is, you know, people are talking shit about degrees, but if you're doing technical work, you're going to be an engineer, you're going to be doing this for a while, a degree is important. Because the longer you stay in this career path, the more competitive it gets. And the degree is very competitive. So those certs, those degrees, all the pieces of paper, those are important, right? There's an important half in your arsenal, right? But it's like you're sharpening the blades. But the best thing you can have is experience. The best thing, that's the meat on the plate.
Got to have experience. It's very, very, very important. So can't stress that enough, right? Wherever you can get it, you can get it in school, while you're still in school, whatever industry you're in, try to get it there. Wherever you can get experience that you can put something that you can put on your resume, on your profile to say, I did X, Y, and Z for this company. If you can do that, that's where the meat is at. Yes, get the Security Plus. Yes, get the CISSP. Yes, get cloud certifications. Yes, all that, right? But those are just tools in your arsenal, right? You got to be able to wield the sword, and that's where the skill set comes in. Let me see. Got more questions, comments, complaints on here. How long should I stay in corporate? I just started my career in big tech. It depends on what your ultimate goal is. I would say stay, ride that gravy train as long as you need to. Ride that gravy train as far as it'll take you. Make them fire you. Keep collecting that check and then use that check to, brick by brick, build something bigger for yourself and for your family. As long as you need to, brother. Use it to build your own corporation. Use it to build your nest egg, your 401k. Use it to, especially if they're doing like that shit where they say, okay, if you put a dollar in, we'll put $3. Yes, do that shit. Ride that gravy train as far as it'll take you. Let me see here. Let me see. Let's see. I've got some more questions, comments, complaints here. Do you have a step by step how to be an ISO course? I do. If that's what you're looking for, you came to the right man, because that's exactly what I have. I have a course specifically for ISOs. I'm glad you asked that question, because that brings us to a commercial break. This is brought to you by Risk Management Framework, ISO. This is what the course is called. And this is a book, by the way, that I wrote. This is coming directly from my own personal experience.
I tell you, in plain English, what this job entails, and specifically from the perspective of an information system security officer, how to do this work for risk management framework, NIST 800. I've got two books. One focuses on the NIST 800-37, and one focuses on the NIST 800-53. I remember talking to one of my peers, and I was telling him, hey, man, I was trying to get him in with me to write books and stuff. I'm like, man, I've got this course, and I want you to help me build it. And he says, man, why would people pay for something that they can get for free? You can get this for free. All this shit here is for free on the internet. But when you read it, it sounds like, just go read it. You'll see for yourself what it sounds like. When I first started learning this stuff, I was like, what the fuck? What am I reading here? It doesn't tell you what you're supposed to do. It does, but it takes 15 paths to Sunday to get to the point. What I'm doing is getting straight to the point and telling you from my experience in the Department of Defense and a couple other federal organizations exactly what you need to do, where you need to focus on, and where to not waste your time. That's what I'm doing. So it's from the perspective of somebody who's done it before. And I'm telling you how it is. So and then once you read this, all the other shit will make more sense. So, yes, I do have a course. It's out there right now. Go to convocourses.net. I've got a bunch of discounts that you can use. Huge, huge. You got to go through it. There's lots of stuff that's out there. Huge discounts I've been putting out over the years. And if you can't afford it, you can just get this book right here. I've got two of them and that's on Amazon. It's also on my site and it'll walk you through it. It's just stuff I wrote that I wish somebody would have told me when I first started doing this stuff,
and explains it in a way that's just straight to the point, like, here's what you need to do, then do this, don't worry about this, focus on this. That's what the book is about. That's what the course is about. I hope that helps. What do you recommend to leverage your existing salary? Credit. Now, I know Dave Ramsey is not going to agree with this, but credit, other people's money. Leverage your set, your existing salary. A couple of things, a couple of things. It's a great fucking question. So listen, a couple of things. I use credit. Manage your credit. I'm not telling you, if you can't manage your credit, if you don't have no discipline, do it. Don't, do not do it. Go watch Dave Ramsey. Listen to everything he says, put money in an envelope and pay everything with that shit. Right. But if you can, if you have restraint, right, you're not going to go buy a Lamborghini with the money that the bank gives you. And you're trying to build a legacy. You're trying to build something for your kids and your family. Credit, loans, shit like that. Business credit. You don't even have to use your own personal credit if you have an LLC, if you have a business. If you have a bank account that has money going into it, after about two years, they'll give you a loan based off of that LLC. That's based off your bid. They'll give you money from your bid. They'll give your business money and it doesn't mess with your own personal credit. But yeah, that's one thing I use is credit, loans, stuff like that, other people's money. And then I use my high salary to pay that debt down or manage that debt effectively. So that's one thing you can use. And if you're doing real estate, you basically have to use other people's money.
So another thing I do, I've done before, not doing it currently, but if I had the opportunity I probably would, is, it's called over employment. So what you do is you just get two jobs. If you work from home, you can work two jobs. You can have one part-time job and one full-time job, two part-time jobs, or you could do what a lot of IT guys do, is they just hop from, they'll do what's called 1099s. They won't be a full-time employee. They jump from contract to contract to contract and do like three months here, four months here, nine months here at these different companies. And sometimes doing it two at a time, and doing that shit, you can make 200, $300,000 easy doing that, you know? So that's another way you can leverage your existing salary. Another thing is, have a side hustle, side incomes. This is something I've been doing for many, many years, and my favorite thing to do. And it's stuff like this. This is a side hustle. It does pretty good. It does pretty good. It does. All right. You know, I'm not rich or anything. I mean, look where I'm at, you know what I'm saying? But it does. Okay. You know, what else do I do? I mean, that's pretty much it. Loans, credit, making sure I maintain my credit and build using other people's money, the bank's money, to do what I need to do, and managing that money with my salary, right. That's one thing I do. And then over employment I do from time to time, where I'm not really a fan of it these days because I really need my time for me and my family, my kids and everything. And then the other thing is side hustles. That's what I do to leverage. I use my salary to build. There's a lot of leverage you can use. These tools are very, very useful. Very, very, very useful. Let me see. Dewart says, can you work two jobs if you have a secret clearance? It's not so much about the secret clearance. It's about the agreement you have with the company.
So it depends on the agreement you have with the company. Some companies are very strict and say, look, you agree to work with us eight hours a day. There's a couple of things. Okay. Let me, let me back out a little bit. Number one, you cannot have a conflict of interest. All right. You can't have a conflict, meaning you can't work for Lockheed Martin and Northrop Grumman for this, for, for competing contracts or some shit. Like you can't, you can't work for this company and it's competing with this company and they're on the same contract or something. Like you can't have conflicts of interest. What's a real good example of a conflict of interest? Look, you can't have a conflict of interest. That's all I'm going to say about it. You can't. Don't do it. Don't do it. It's not worth it. And then sometimes the organization that you're working for will flat out say, look, we want you to work eight hours a day. And that's what you're supposed to do. You're going to work eight hours for them. But they can't stop you from working some hours on the weekends. If Saturday and Sunday is yours, they don't own you. Am I right or wrong? They do not own you. Even if you have a secret, top secret, it doesn't matter. They don't own you. You're a human being. You have rights. So after hours, they don't own you. You can work after hours. Now, you can't work during their time, during their, you know, so the secret clearance doesn't say that you cannot work for anyone else, right? It just says you cannot share or divulge the information that's sensitive, you know? So that's what, don't do that, you know? So, yeah, it doesn't, a secret clearance doesn't matter in that regard. You can still be over, you know, overemployed, but don't have a conflict of interest. Don't, do not do it. Like you can't, it'll be a conflict of interest.
Like if you work for the government as a GS, and then you also work as a contractor on the same contract, that's probably a conflict of interest, stuff like that. Are you two competing companies where one, they have one has this special sauce and this one has a special sauce. And then you, You don't want to do stuff like that, right? It's just, you might get yourself in some legal trouble if you do something like that. They're very clear with you. And some companies, what you can do, the company I'm currently working for, they said, look, If you work for another company, just let us know. They say, look, we can't stop you from working for this other company. Now, you can't work during the hours we want you to. Like, if you're working for us, we're not expecting you to be using our stuff to work on theirs. No way. This is our stuff. You know, you work on our time. If you clock eight hours. You're working for us. Right. That's understood. That's what this contract you're signed. So they just said the company I'm working for is like, look, just let us know. You know, that's that's it. Just let us know. And they you know, they can't stop you. Let me see. What other questions do we have here? Somebody said, what if you know how to. What if I know how to build computers? That's a really great first step. I've got a little course, a free course about this where I talk about the levels to help people understand where they have to go to get from point A to point B. And I say the first step is to become a geek. That means to get interested in computers, learn everything you can about it, learn a common body of knowledge. And so, yeah, become a geek. Learn, take computers apart, put them together. But that's only one aspect of it, right? You need to learn networking. You should probably learn a little bit about cloud technology. You should probably learn a little bit about networking technology. Maybe you mess around with a little bit of scripting or code. 
There's a lot of different aspects of IT to learn. Frameworks is a really good one to learn. Start learning the common body of knowledge beyond just building computers, like learn the whole landscape. That's cool that you know what mountains are, but what about valleys? What about rivers? Learn the whole map of how this landscape works from a distance, like how all this is laid out, how people are using information technology. You want to have a bird's eye view of how all this works, and that's the common body of knowledge, something that all of us have, regardless of whether you are a software engineer or a database guy or a help desk person. cybersecurity person. All of us have some idea of how IPs work. All of us have some idea of how it was a server versus a workstation. All of us have some idea of what cloud technology is. All of us know the layout, the lay of the land. So you still have to know that piece. Now, you might be a master of building computers. You could run circles around me with building computers. I've built a computer in many, many years. But that's not the only thing that you have to learn, right? So from geek, I talk about going to trying to land your first job. From there, from geek to getting your first job, now you're talking about possibly going to school, possibly getting yourself a certification. A plus certification would be something you would probably kill, you know, because it's all about how computers, the components work and how software works with the components, all that kind of stuff. So from geek, landing your first job. Now, let's say you actually get that technical support job and you talk about how to go from there to do a specialization. Cybersecurity is the one that I talk about. What kinds of things as an IT professional do you need to know to get in the door of a cybersecurity type job? So that's the kind of stuff I talk about. But Building computers is one aspect of it, and that's a great aspect to start with. 
I would recommend you look at the common body of knowledge in CompTIA A+, especially if you're very, very new to IT. I'm taking the AWS Solutions Architect exam on Monday. Oh, man, that's awesome. I've been thinking about doing AWS. I have not had time. I would really like to. I'm working on my CCNA next month. CCNA is no joke. I like it. Somebody says, I have a CISSP and master's trying to find a job, but people want experience. Yeah. Experience is super important. What can you do to get experience? It depends on where you're at. If you're a student, maybe what you could do is go to your campus, go to your college campus and see if you can get on their IT team. Don't say that help desk is beneath you. Do it. That's experience. Get in there and fix some computers. Get in there and image some computers. Do laptops, fix laptops, figure out how the laptop connects to the network. Put that experience on your resume. Try to be a working student if you still have a connection with your school. Even if it's a remote school, you'd be surprised. Sometimes they need help with their equipment that's out there in the field. You could do freelance work and start your own. If you know a lot, you're CISSP, if you know a lot about a certain thing, a lot of CISSPs are a mile deep in like one or two things. Take that skill set, whether it's scripting or running scans or building networks or whatever you do, whatever you are professional on, do freelance work for local companies or find some organizations. If you have a church, if you go to a church or some kind of other local community, whatever it is, interface with them and try to see if you can do work for them. Do it for free if you can. Do work for some organization so you can put that on your resume. Another thing you can do, one thing Ryan brought up that I just didn't think of at all this whole time, but join an organization called the ISSA. So this is a local, they have local chapters everywhere.
In almost every major city, they have a local chapter. And this organization, they meet like monthly. And it's a bunch of information system security people and IT professionals, system admins, help desk people, captains of industry, CEOs are there, CIOs are there, chief information security officers are there. You name it, they're there. And they all meet about once a month in a city, in whatever city you happen to be in, and They're talking about career paths. If you have a CISSP, hell, sometimes they have jobs there and ways to get experience. You could talk to some of the old heads there and say, look, man, I'm trying to get in this field. I've got a CISSP. I got a master's degree. I specialize in writing scripts. How can I get experience? What do I have to do? to get experience for this field. The ISSA is the Information Systems Security Association. They have one in every single state. They have one in almost every city. Well, probably not in every city, every major city, but every state has one. And I think there's even some in other countries. So look that up and try to network with those people. Because with With all of your pedigree of prestigious papers, you should be able to land yourself a job, if nothing else, an internship or something. Somebody said create projects and post them on GitHub. That's another way to do it, especially if you know Python or something or if you know any kind of software projects. Put that on GitHub and you can put that on your resume. So there's a lot of different ways to do it. It depends on where you're at. Somebody says, I have a portfolio with five complex cloud projects. How can I get into the field? Any tips? Hmm. How could you get into? A lot of times when people say this to me, it's usually experience and their resume. It's one of the two things. It's usually one of those things that are stopping them from getting their foot in the door. Pretty clear. It's usually one of those things. 
They send me their resume and I look through it and it's usually one of those things. I don't know. I don't know what to say. But how could you do it? I think you've got to continue to build out your as much experience as you can. And it's hard. I mean, it's difficult because that's where the real rubber meets the road. That's where the real meat is at, is your experience. It's the hardest part. You've got to talk to people. It's hard. You've got to get out there. You've got to network. So like I said, you could try the local ISSA chapter. I mean, they've got a whole bunch of people you can network with and figure something out. I mean, you have cloud experience. Do you have any certifications that might help you out? If you don't have one, maybe try to get some certifications under your belt. That's one thing you could try. Let me see. Oh, Ryan, how you doing, man? He says, I'm presenting on election security on February 28th at Pikes Peak ISC2 chapter meeting. That's awesome. So these are the kinds of people you want to network with, cybersecurity professionals, IT professionals who are out there. They have this in your area. LinkedIn, one of the hidden gems of LinkedIn is is that if you go there, there's a bunch of forums. In your local area, there'll be a bunch of meetings, a bunch of forums, a bunch of people presenting. Sometimes they'll have job fairs that are local to you. Join those groups. Join some of those groups. And a lot of times people are trading jobs back and forth. Another pretty good resource is Reddit. Reddit might have some pretty good resources for you as well. 
Reddit has a lot of professionals who are talking back and forth, and it's a good way to network with like-minded people who are in the same position, and finding out new stuff that's kind of bubbling up in the industry. Let me see here. I got some other stuff going on here, and I'm going to end this real soon, guys. I appreciate all the people jumping on here. Where can I find your book? Go to Amazon, type Bruce Brown Convo Courses. You'll find a bunch of my books. Risk Management Framework is just one of them. Another place you can look at is convocourses.net. You'll also see free stuff. Ryan's got a free book. I linked his on there. He's got a free book that is walking you through how to study for the ISC2 CGRC, formerly the CAP, Governance, Risk, and Compliance Certification. So we've got free stuff, discounted stuff on there. At the end of the day, what we're trying to do is help people to make your life easier to get into this field, stay in this field, and level up if you already are in this field. Let me see. Emmanuel says, let me see this one. Emmanuel says, which MOS will you advise, a 25 Bravo or a 25 Hotel, for a start in cybersecurity? 25 Bravo. I thought that was an IT guy. 25 Bravo is an Army MOS. Ryan's Army. He might be able to answer this. Ryan, what do you think about this question here? Emmanuel is asking, which MOS you would advise, a 25 Bravo, for a start in cybersecurity? Ryan says, 25 Bravo is a great start. Yeah, that is a great start because that's an IT, yes, and that's an IT specialist, as a matter of fact. So that is a great start. Don't do that. What are you doing? OK, I'm wrapping it up. I'm wrapping it up. Let me see. I'm going to stop this thing. I'm going to answer one more question. Ryan's taking care of Emmanuel. He says, get a Network Plus or Security Plus ASAP. That's a great, Security Plus. I would highly recommend a Security Plus. Oh, boy. OK, I think it's time. OK, one more question. OK, one more question.
Okay, I got a bunch of Army guys jumping on here, giving great advice on TikTok. Do I have experience with overlays? A bit, a bit. 25 Delta, 17 Charlie, 25 Bravo. You locked in for six years. Man, I've got a lot of Army guys on here. And highly transferable to civilian sector. Okay, that's where we're going to end this. So 25 Bravo, let me tell you something. If you're a 25 Bravo, and they have an equivalent for this in every branch of the military. I believe the Air Force, they changed it. It used to be a three char... Oh, my Lord. Oh, my Lord. They changed it. It used to be called a three... 3Charlie. 3Charlie. Man, my brain. 3Charlie. 3C0X1. That's what it was. 3C0X1. That's what it used to be called. But it's no longer called that. So I don't know what they call it these days. 3Delta or something? 17Delta? I don't remember. But every branch has a 25 Bravo equivalent. And it's an IT professional. And somebody on TikTok nailed it. So he said that it is highly transferable to the civilian world. And he is absolutely right. So I was a, I'm an old head. So when I was in the Air Force, it was called a three Charlie, a 3C0X1 is what we called it. And a computer operator, same thing as a 25 Bravo. And I was, the thing is, and I don't know how they do it in the Army. The Army has really sharp IT guys, especially the warrant officers. Very impressive. But the thing is, the Air Force will specialize you in certain things. A computer operator, you could narrow down into firewalls. You could go into network engineering. You could go into, not software engineering. That was a completely different field. But you get databases. You could focus on one kind of one area. And once you got out, I mean, you have certifications. If you put the effort in, you had a degree. Listen, if you have a year or more left, I would highly, highly recommend you get a degree.
Because look, All of the training, all the way back to boot camp, all the way back to boot camp is going to go towards your degree. You have some credits there that are transferable to your degree. So you're probably only a few points away, maybe six credits, maybe 10 credits away from an associate's degree. Once you get the associate's degree, you have maybe, what is it, 60 more credits? I want to say 60 more credits, and then you have a bachelor's degree. That may sound crazy, like a lot of work, but it's actually not that much work. It's a few classes. Maybe not a few, maybe 10. Look, it's going to be some work, but You can get out with a bachelor's degree within a year. You can be within arm's reach of a bachelor's degree. At the very least, get an associate's degree because literally that's like two classes away. If you have one year left in the military and you are a 25 Bravo, hell, whatever MOS you're in, listen, get your damn degree. Just get the damn degree. All you got to do is go to – they've got a unit on base. I don't know what the Army calls it, but there's a unit on base that you can go to. They'll tell you exactly. They'll have a counselor. They'll break down. They'll take all the credits you already have. They'll say, listen, you went to boot camp. That's six credits. You went to 25 Bravo school. That's – You've got 30 credits for that, right? And of these 40 credits you have, you can apply 25 of them to this associate's degree. You only need two classes. This is what they're going to tell you. You only need two classes. You need one in math and you need one in history and you need one. And basically you can clep your way out of it. Clep is a test. You can just take a test and then they'll give you credits and then bam, you have a degree. Just do it, man. And then it's more, put it to you this way, it's more money. If you want more money, then just do it. Just go through this little bit of process that you have to do. 
Let them take your transcripts from the military, consolidate them, and you're going to boost up your income by like 15% to 25% when you get out of the military. And then also what Ryan said, Security+. Get a certification. And now you have experience, you have a degree, and you have a certification. And you're very, very deadly. You're very competitive. Very competitive. It's hard out here. It's hard out here on the outside, man. They don't just magically give you stuff here. Like, you got to work for this shit. But the good news is you're in a place where you can really sharpen some swords and come out swinging. All right. That's it, guys. I got to get off of this thing. I appreciate everybody. Remember what I said, like use this as a stepping a stepping stone, like use this as this is one step. You got to go to the next step, whether that's to level up your career, to make. big money as a director and retire with a bunch of 401k money or use this money to go start a business, use this money to invest in real estate. Use it to build up passive income streams because you can't do this forever, guys. You cannot do this forever. I know if you're 30 or you're 20, you think, oh, I'm going to... You just don't even think about it. You think you're going to live forever, man. Then you start seeing your friends die. I'm not trying to bring you down or anything, but I'm just telling you, like, life has an expiration date. And you got to start thinking about, okay, what's my plan? What am I trying to do? You can use this field as a way to go to another level and level up your family, too, and the people you love. So... Just some words of advice from an old guy. I hope some of you guys, I hope at least one of you guys listen to what I'm saying because it can change your life. All right, guys, I'll talk to you guys on the next week. Give me some suggestions of what we should talk about next. Sometimes I just get on here and ramble. So, all right, guys, talk to you later.

Crossing Thin Ice
RiskMaster Cheat Code

Crossing Thin Ice

Feb 20, 2024 (21:15)


Has any of your ERM program been written down? Or is it at risk of being lost when a key player leaves the insurer? The Risk Management Framework document provides the RiskMaster Cheat Codes for understanding the overall ERM system and for specific topics like stress testing and risk reporting, to allow a new risk team to start from a solid base should that be needed. It also can act as a cheat sheet for the Board to be able to participate in ERM discussions even though they do not live in the system. By Dave Ingram.

Paul's Security Weekly TV
Advice to Aspiring CISOs as SEC Mandate Fosters New Risk Management Framework - BSW #333

Paul's Security Weekly TV

Jan 9, 2024 (28:36)


In the leadership and communications section, Advice to Aspiring CISOs, New risk management framework helps with SEC mandate compliance, A Simple Hack to Help You Communicate More Effectively, and more! Show Notes: https://securityweekly.com/bsw-333

Business Security Weekly (Video)
Advice to Aspiring CISOs as SEC Mandate Fosters New Risk Management Framework - BSW #333

Business Security Weekly (Video)

Jan 9, 2024 (28:36)


In the leadership and communications section, Advice to Aspiring CISOs, New risk management framework helps with SEC mandate compliance, A Simple Hack to Help You Communicate More Effectively, and more! Show Notes: https://securityweekly.com/bsw-333

InfosecTrain
What is Governance Risk Management Framework?

Dec 18, 2023 (111:26)

To The Point - Cybersecurity
Cyber Is A Business Imperative with Ken Bible

Nov 28, 2023 (32:12)

This week we are joined by Kenneth Bible, the Chief Information Security Officer (CISO) for the DHS Office of the Chief Information Officer (OCIO). He breaks down the National Cybersecurity Strategy Implementation Plan (NCSIP) introduced in July and provides great insights on how the plan was developed, the five key pillars of the plan, actioning each of the five elements, and the role government agencies have to play in executing against the plan and its 65 initiatives. He also provides perspective on international collaboration and partnership in achieving shared goals with the U.S. and how this will help “all boats rise” in strengthening cybersecurity across regions. And he shares what Audra likes to call one's “origin story” on the career path that led to cybersecurity. Lots of valuable insights this week you won't want to miss!

Kenneth W. Bible serves as the Chief Information Security Officer (CISO) for the DHS Office of the Chief Information Officer (OCIO). In this role, he is responsible for securing and strengthening the Department's information security program and information technology (IT) posture. Prior to his current role, Mr. Bible served under the Headquarters Marine Corps Deputy Commandant for Information (DCI) as the Assistant Director for the Information Command, Control, Communications, and Computers Division (IC4). In this capacity, he also served as the Marine Corps' Deputy Chief Information Officer and CISO, formulating and providing broad policy guidance for IT, cybersecurity, and communications infrastructure and applications. Among his many accomplishments, he delivered ADVANA, the U.S. Department of Defense's single authoritative source for audit and business data analytics, and led Risk Management Framework reform across the Marine Corps by guiding production of the first fully accredited secure software development (DevSecOps) pipelines. Previously, Mr. Bible served with the Space and Naval Warfare Systems Command (SPAWAR) for almost two decades, starting as a lead engineer integrating commercial Geospatial Information Systems technology, then heading the Networks Engineering Division of the SPAWAR Systems Center Atlantic. He later became the Assistant Program Executive Officer (Engineering) for PEO Enterprise Information Systems, serving as the PEO's chief engineer as assigned by SPAWAR headquarters. For links and resources discussed in this episode, please visit our show notes at https://www.forcepoint.com/govpodcast/e261

The ORX Operational Risk Podcast
ORX News top 5 operational risk losses of June 2023 and part two of the challenges firms are facing when implementing their risk management framework

Sep 5, 2023 (15:26)

Listen to this episode of the ORX Operational Risk Podcast to hear the ORX News team cover the five largest operational risk losses of June 2023 and conclude the two-part series covering the challenges surrounding data quality, systems, and the use of data for risk oversight, as well as touch on the importance of sufficient levels of adequately trained staff, all stemming from the launch of ORX's Risk Management Working Group.

You can find the top 5 operational risk losses discussed in this episode, along with all previous top 5s, on our website at: https://orx.org/blog/top-5-orx-news-losses-q2-2023

You can also find out more about our Risk Management Community and Working Group on our website here: https://orx.org/community/risk-management

ORX News subscribers can read more on the stories covered in this episode via the ORX News website at: https://news.orx.org/node/7095, https://news.orx.org/node/7201, https://news.orx.org/node/11483, https://news.orx.org/node/11743 and https://news.orx.org/node/10630.

Please note that there is another episode of the ORX Operational Risk Podcast to be released this month, which covers the launch of the ORX Risk Indicator Library, so make sure to give that a listen too! To find out more about ORX News, ORX Membership, and access other operational risk resources, just search 'ORX' or visit: www.orx.org

The ORX Operational Risk Podcast
ORX News top 5 operational risk losses of May 2023 and an overview of challenges firms are facing when implementing their risk management framework

Jul 3, 2023 (15:53)

Listen to this episode of the ORX Operational Risk Podcast to hear the ORX News team cover the five largest operational risk losses of May 2023 and an overview of the challenges surrounding the three lines of defence model, governance, and risk culture, all stemming from the launch of ORX's Risk Management Working Group, illustrating some of the main discussion points with relevant news stories.

You can find the top 5 operational risk losses discussed in this episode, along with all previous top 5s, on our website at: https://managingrisktogether.orx.org/orx-news/top-5-orx-news-losses-q2-2023

ORX News subscribers can read more on the stories covered in this episode via the ORX News website at: https://news.orx.org/node/11309, https://news.orx.org/node/11585, https://news.orx.org/node/11737, https://news.orx.org/node/11563 and https://news.orx.org/node/11743

ORX members can also find out more about our Risk Management Community and Working Group on our member-only website here: https://members.orx.org/communities-groups/risk-management-community

Please note that there is another episode of the ORX Operational Risk Podcast this month, which covers some of the key learnings from our recent work on stress testing conducted for the ORX Analytics Community, so make sure to give that a listen too! To find out more about ORX News, ORX Membership, and access other operational risk resources, just search 'ORX' or visit: www.orx.org

Your Cyber Path: How to Get Your Dream Cybersecurity Job
Episode 98: SDP2, Psychological Acceptability

Jun 9, 2023 (28:47)

https://www.yourcyberpath.com/98/

In this episode, we are back discussing Security Design Principles, and this time we are focusing on Psychological Acceptability. The security design principles are crucial for your work as a cybersecurity professional: they will not only help you do really well, they will also help your work stand out. Psychological Acceptability is defined as “the protection mechanism should be easy to use, at least as easy as not using it”, and here comes the struggle of wanting to make controls easier to use while still providing high-level security. Kip mentions the term “false sense of security”, which is really common in the field: you as a cybersecurity professional are under the impression that you have everything under control while in fact you are missing a lot of risks because your workforce does not psychologically accept the high-level controls put in place and tries to find workarounds to make their jobs more convenient. In the end, Jason discusses password managers, which are a great example of Psychological Acceptability, and how they can be one of the few controls in cybersecurity where you can increase security and productivity at the same time.

What You'll Learn
● What is Psychological Acceptability?
● What are the challenges that come with Psychological Acceptability?
● What is a false sense of security? And how can it be dangerous?
● What is a good example of Psychological Acceptability?

Relevant Websites For This Episode
● https://www.udemy.com/course/irresistible-cybersecurity/

Other Relevant Episodes
● Episode 57 - Best time of the year to get hired
● Episode 80 - Risk Management Framework with Drew Church
● Episode 92 - Password Managers

The Virtual CISO Moment
S5E29 - A Conversation with Thad Wellin

Jun 6, 2023 (33:49)

Thad Wellin is the CEO of TRW Security Solutions, where he serves as a consultant for the Risk Management Framework, the Cybersecurity Framework, and the Defense Information Assurance Certification and Accreditation Process. Listen to hear firsthand about his preparation for and taking of the Certified CMMC Professional exam and other CMMC-related tidbits, including a potential issue with Windows 11. Prerecorded. #podcast #CMMC #cybersecurity #infosec #vCISO #VirtualCISOMoment

Compliance into the Weeds
COSO Fraud Risk Management Framework

May 17, 2023 (27:19)

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, going into the weeds to explore a subject more fully and looking for some hard-hitting insights on sanctions compliance. Look no further than Compliance into the Weeds!

Get ready to dive into the fraud risk management and prevention world with Compliance into the Weeds, hosted by Tom Fox and Matt Kelly. In this episode, they break down the recently released fraud risk framework by COSO and the Association of Certified Fraud Examiners and why it is necessary for today's cyber-based fraud and cryptocurrency. They stress the importance of data analytics and internal hotlines to prevent fraud and that all employees need to be trained to detect and prevent fraud in their industry. The hosts also discuss how financial reporting controls may not always detect fraud and how anti-fraud controls are essential. With the rise of new types of fraud like ESG and greenwashing, the hosts recommend the fraud risk report for audit and compliance professionals to stay informed about risks swirling around corporations today. Take advantage of this informative and fascinating podcast. Tune in to Compliance into the Weeds now.

Key Highlights:
· Fraud Risk Management: COSO Report 2nd Edition
· Effective Fraud Prevention Training for Employees
· Importance of Anti-Fraud Controls in Fighting Fraud
· COSO Fraud Risk Guidance and the Fraud Pentagon

Notable Quotes:
“But when you think about it, we have a lot of external factors, such as the rise of cryptocurrency, which is riddled with fraud and corruption risk. New methods of cyber-based fraud, which didn't exist, say, 2016, the 2010s before that. Rise of ransomware in particular, which wasn't quite a big thing back then that it is all over the place now.”
“Most frauds, you the risk management function, you might never catch them. By looking for them, you'll have to depend on somebody else coming to you from the enterprise, say, I think this person over here is doing something sketchy.”
“Fraud is having a moment. And fraud risk is on the forefront of many people's minds from many different areas.”
“We need to do better at finding ways to assess and understand your fraud risk and then implementing new controls as necessary to push that risk down to acceptable levels.”

Resources: Matt (LinkedIn; Blog Post in Radical Compliance), Tom (Instagram, Facebook, YouTube, Twitter, LinkedIn).

Your Cyber Path: How to Get Your Dream Cybersecurity Job

https://www.yourcyberpath.com/96/

In this episode, we unpack the first of the Security Design Principles, Least Privilege. If you have never heard of it before, Least Privilege is the act of giving a person the most minimal amount of privilege for them to be able to do their job. Our hosts take the time in this short episode to discuss the ups and downs of Least Privilege and why it's not utilized as widely as it should be. Then they go over how Least Privilege should be implemented at home and at work and how much it affects your personal and professional Cyber Hygiene. In the end, Jason discusses how Least Privilege can affect Software Development and the importance of setting different accesses and permissions for different users to improve your security posture.

What You'll Learn
● What is a CR-MAP?
● What is Least Privilege?
● What are the costs of using Least Privilege?
● How does Least Privilege affect you as a user?
● How can software utilize Least Privilege?

Relevant Websites For This Episode
● https://www.akylade.com/
● https://www.yourcyberpath.com/podcasts/

Other Relevant Episodes
● Episode 80 - Risk Management Framework with Drew Church
● Episode 83 - Automating NIST Risk Management Framework with Rebecca Onuskanich
● Episode 94 - Ten Security Design Principles (SDP)

Your Cyber Path: How to Get Your Dream Cybersecurity Job
EP 95: The Cybersecurity Student Perspective with Sam Bodine

Apr 28, 2023 (44:49)

https://www.yourcyberpath.com/95/

In the beginning, our hosts Jason Dion and Kip Boyle talk a little bit about their new company Akylade, which is going to provide affordable cybersecurity training. They discuss their initial motivations to start the company, what the plan for the company is, and what the road map for Akylade is. Then, we get into the topic of our episode, introducing our guest, Samuel Bodine, a cybersecurity sophomore and the leader of the cyber defense team at Liberty University in Virginia. Sam discusses the different aspects of the competitions they get into, where they simulate a business environment and bring in hackers to test the cyber defense team's ability to protect said environments. Sam also mentions that one of the biggest benefits he finds in college is networking, and that you can make lots of connections that could really help you down the road. On the other hand, sometimes you just have to start from nothing, as he tells the story of how he walked into Lockheed Martin with a resume asking for an internship and how he got it a week later. Jason then goes over internships, how they work, and how they can be very useful for both the company and the intern. In the end, Sam mentions his trifecta for the perfect cybersecurity advancement, which is certifications, hands-on practice, and real-life job experience. When you combine these three, you can have a great holistic understanding of cybersecurity. To cap it off, Jason highlights that it is crucial to show initiative and how much you want something, and how that can help you achieve it.

What You'll Learn
● What is Akylade?
● What is it like to be on a collegiate cyber defense team?
● How to build your network?
● How useful is an internship?
● What is the trifecta of cybersecurity education?

Other Relevant Episodes
● Episode 80 - Risk Management Framework with Drew Church
● Episode 54 - New Cohost Jason Dion
● Episode 62 - The NIST Cybersecurity Framework

Wiley Connected
AI Risk Management: A Discussion with NIST's Elham Tabassi on the NIST AI Risk Management Framework

Apr 6, 2023 (44:00)

In this episode of Wiley Connected, we are joined by Elham Tabassi, Chief of Staff in the Information Technology Laboratory at NIST, who leads NIST's efforts to create an Artificial Intelligence Risk Management Framework (the “AI RMF”). We discuss the overall goals of the AI RMF (1:31), the use of a risk-based approach to AI (6:02), different categories of risks in AI (10:24), approaches to fairness, bias, and explainability in AI (15:09), core risk management functions for organizations (with a nod to the NIST Cybersecurity Framework) (25:18), how broadly the AI RMF applies and how to define “AI” (30:39), and how the AI RMF fits into international efforts on AI (35:20). Programming note: This interview was recorded prior to NIST's March 30, 2023 official announcement of the Trustworthy and Responsible AI Resource Center, including the first complete version of the companion AI RMF Playbook.

GovCast
Ethical AI Miniseries - Unpacking NIST's New AI Risk Management Framework

Mar 30, 2023 (14:01)

At the beginning of the year, the National Institute of Standards and Technology (NIST) released its AI Risk Management Framework (AI RMF) along with an AI RMF Playbook and an AI RMF Roadmap to guide the future of artificial intelligence development. Chief of Staff of the agency's Information Technology Laboratory Elham Tabassi explains the framework's collaborative development and how it incorporates trustworthiness considerations into the design, development, use and evaluation of AI products, services and systems.

The Privacy Advisor Podcast
NIST's Reva Schwartz on the new AI Risk Management Framework

Feb 24, 2023 (41:06)

The prospect of day-to-day life with artificial intelligence is no longer a future endeavor. AI systems comprise countless applications across public and private organizations, and through open-sourced systems, such as ChatGPT, AI is now consumer-facing and usable. The U.S. National Institute of Standards and Technology was directed by the National Artificial Intelligence Initiative Act of 2020 to create a voluntary resource for organizations designing, developing, deploying or using AI systems to help manage risk and to promote trustworthy and responsible development of AI systems. As a result, NIST released the AI Risk Management Framework 1.0 along with supplementary documents to help organizations. To learn more about the newly released framework and how organizations should approach it, IAPP Editorial Director Jedidiah Bracy caught up with NIST Research Scientist and Principal Investigator for AI Bias Reva Schwartz.

In AI We Trust?
Elham Tabassi and Reva Schwarz (NIST): What's the big deal about the NIST AI Risk Management Framework (AI RMF)?

Feb 6, 2023 (50:21)

Elham Tabassi and Reva Schwartz, two AI leaders from the National Institute of Standards and Technology (NIST), join us this week to discuss the AI Risk Management Framework #AIRMF released on January 26th thanks to the herculean efforts of our guests. Tune in to find out why Miriam Vogel and Kay Firth-Butterfield believe the AI RMF will be game changing. Learn the purpose behind the AI RMF; the emblematic 18-month multi (multi)-stakeholder, transparent process to design it; how they made it 'evergreen' at a time when our AI progress is moving at a lightning speed pace; and much more.

Materials mentioned in this episode:
AI Risk Management Framework (NIST)
NIST AI Risk Management Framework Playbook (NIST)
Perspectives about the NIST Artificial Intelligence Risk Management Framework (NIST)

The Nonlinear Library
LW - AI Risk Management Framework | NIST by DragonGod

Jan 27, 2023 (3:59)

Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: AI Risk Management Framework | NIST, published by DragonGod on January 26, 2023 on LessWrong.

On January 26, 2023, NIST released the AI Risk Management Framework (AI RMF 1.0) along with a companion NIST AI RMF Playbook, AI RMF Explainer Video, an AI RMF Roadmap, AI RMF Crosswalk, and various Perspectives. Watch the event here.

In collaboration with the private and public sectors, NIST has developed a framework to better manage risks to individuals, organizations, and society associated with artificial intelligence (AI). The NIST AI Risk Management Framework (AI RMF) is intended for voluntary use and to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems. Released on January 26, 2023, the Framework was developed through a consensus-driven, open, transparent, and collaborative process that included a Request for Information, several draft versions for public comments, multiple workshops, and other opportunities to provide input. It is intended to build on, align with, and support AI risk management efforts by others. A companion NIST AI RMF Playbook also has been published by NIST along with an AI RMF Roadmap, AI RMF Crosswalk, and various Perspectives. In addition, NIST is making available a video explainer about the AI RMF.

FLI also released a statement on NIST's framework:

FUTURE OF LIFE INSTITUTE Statement

The Future of Life Institute applauds NIST for spearheading a multiyear and stakeholder initiative to improve the management of risks in the form of the Artificial Intelligence Risk Management Framework (AI RMF). As an active participant in its development process, we view the AI RMF as a crucial step in fostering a culture of risk identification and mitigation in the US and abroad. With this launch, NIST has created a global public good. The AI RMF decreases barriers to examining the implications of AI on individuals, communities, and the planet by organizations charged with designing, developing, deploying, or using this technology. Moreover, we believe that this effort represents a critical opportunity for institutional leadership to establish clear boundaries around acceptable outcomes for AI usage. Many firms have already set limitations on the development of weapons and on activities that lead to clear physical or psychological harm, among others. The release of version 1.0 of the AI RMF is not the conclusion of this effort. We praise NIST's commitment to update the document continuously as our common understanding of AI's impact on society evolves. In addition, we appreciate that stakeholders will be given concrete guidance for implementing these ideas via the agency's efforts in the form of a "playbook." External to NIST, our colleagues at the University of California, Berkeley are complementing the AI RMF with a profile dedicated to increasingly multi or general-purpose AI systems. Lastly, we recognize that for the AI RMF to be effective, it must be applied by stakeholders. In a perfect world, organizations would devote resources to identifying and mitigating the risks from AI intrinsically. In reality, incentives are needed to push this process forward. We/you/society can help to create these incentives in the following ways: Making compliance with the AI RMF a submission requirement at prestigious AI conferences; Having insurance companies provide coverage benefits to entities that evaluate AI risks through the AI RMF or another similar instrument; Convincing local, state, or the federal government to prioritize AI procurement based on demonstrable compliance with the AI RMF; and, Generating positive consumer sentiment for organizations that publicly express devoting resources to the AI RMF process.

Thanks for listening. To help us out with The Nonlinea...

eDiscovery Data Points from ComplexDiscovery
A Jump Start for Managing Artificial Intelligence Risk? NIST Releases AI Risk Management Framework

Jan 27, 2023

“The AI Risk Management Framework can help companies and other organizations in any sector and any size to jump-start or enhance their AI risk management approaches,” shared Laurie Locascio, Undersecretary for Standards and Technology and NIST Director. “It offers a new way to integrate responsible practices and actionable guidance to operationalize trustworthy and responsible AI. We expect the AI RMF to help drive development of best practices and standards.” The post A Jump Start for Managing Artificial Intelligence Risk? NIST Releases AI Risk Management Framework appeared first on ComplexDiscovery.

The Nonlinear Library: LessWrong
LW - AI Risk Management Framework | NIST by DragonGod

Jan 27, 2023 (3:59)

Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: AI Risk Management Framework | NIST, published by DragonGod on January 26, 2023 on LessWrong.

On January 26, 2023, NIST released the AI Risk Management Framework (AI RMF 1.0) along with a companion NIST AI RMF Playbook, AI RMF Explainer Video, an AI RMF Roadmap, AI RMF Crosswalk, and various Perspectives. Watch the event here.

In collaboration with the private and public sectors, NIST has developed a framework to better manage risks to individuals, organizations, and society associated with artificial intelligence (AI). The NIST AI Risk Management Framework (AI RMF) is intended for voluntary use and to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems. Released on January 26, 2023, the Framework was developed through a consensus-driven, open, transparent, and collaborative process that included a Request for Information, several draft versions for public comments, multiple workshops, and other opportunities to provide input. It is intended to build on, align with, and support AI risk management efforts by others. A companion NIST AI RMF Playbook also has been published by NIST along with an AI RMF Roadmap, AI RMF Crosswalk, and various Perspectives. In addition, NIST is making available a video explainer about the AI RMF.

FLI also released a statement on NIST's framework:

FUTURE OF LIFE INSTITUTE Statement

The Future of Life Institute applauds NIST for spearheading a multiyear and stakeholder initiative to improve the management of risks in the form of the Artificial Intelligence Risk Management Framework (AI RMF). As an active participant in its development process, we view the AI RMF as a crucial step in fostering a culture of risk identification and mitigation in the US and abroad. With this launch, NIST has created a global public good. The AI RMF decreases barriers to examining the implications of AI on individuals, communities, and the planet by organizations charged with designing, developing, deploying, or using this technology. Moreover, we believe that this effort represents a critical opportunity for institutional leadership to establish clear boundaries around acceptable outcomes for AI usage. Many firms have already set limitations on the development of weapons and on activities that lead to clear physical or psychological harm, among others. The release of version 1.0 of the AI RMF is not the conclusion of this effort. We praise NIST's commitment to update the document continuously as our common understanding of AI's impact on society evolves. In addition, we appreciate that stakeholders will be given concrete guidance for implementing these ideas via the agency's efforts in the form of a "playbook." External to NIST, our colleagues at the University of California, Berkeley are complementing the AI RMF with a profile dedicated to increasingly multi or general-purpose AI systems. Lastly, we recognize that for the AI RMF to be effective, it must be applied by stakeholders. In a perfect world, organizations would devote resources to identifying and mitigating the risks from AI intrinsically. In reality, incentives are needed to push this process forward. We/you/society can help to create these incentives in the following ways: Making compliance with the AI RMF a submission requirement at prestigious AI conferences; Having insurance companies provide coverage benefits to entities that evaluate AI risks through the AI RMF or another similar instrument; Convincing local, state, or the federal government to prioritize AI procurement based on demonstrable compliance with the AI RMF; and, Generating positive consumer sentiment for organizations that publicly express devoting resources to the AI RMF process.

Thanks for listening. To help us out with The Nonlinea...

The Nonlinear Library
EA - AI Risk Management Framework | NIST by

Jan 26, 2023 (0:28)

Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: AI Risk Management Framework | NIST, published by

Your Cyber Path: How to Get Your Dream Cybersecurity Job
EP 86: The CIA Triad - The Basis of Cybersecurity (Availability)

Dec 23, 2022 (42:17)

https://www.yourcyberpath.com/86/

In this episode, Kip and Jason discuss everything that makes up the A in the CIA Triad, Availability. Availability is when you want to use a system and it's there, ready for you to use, because no matter how secure a system is, if you cannot access it when you need to, it serves no purpose. Kip explains how the way you think about availability is also going to change depending on the industry you're in and the niche you interact with the most. Jason mentions some terms associated with availability in certification exams, like redundancy, failover, business continuity, and disaster recovery, highlighting that availability is not an all-or-nothing pillar, because you can't always have 100% redundancy. For the third time, Jason and Kip go over some interview questions on availability to make sure you are a little more prepared for your interviews.

What You'll Learn
● Why is availability important in cybersecurity?
● What is a business impact analysis?
● What is the difference between the different availability options?
● How can you prevent a DoS attack against an ecommerce website?
● How to increase power availability in an organization?

Relevant Websites For This Episode
● https://www.yourcyberpath.com/

Other Relevant Episodes
● Episode 80 - Risk Management Framework with Drew Church
● Episode 84 - The CIA Triad - The Basis of Cybersecurity (Confidentiality)
● Episode 85 - The CIA Triad - The Basis of Cybersecurity (Integrity)

Your Cyber Path: How to Get Your Dream Cybersecurity Job
EP 84: The CIA triad - The Basis of Cyber Security (Confidentiality...and How These Are Used in Our Daily Careers)

Nov 25, 2022 (28:53)

https://www.yourcyberpath.com/84/

In this short episode, Jason and Kip discuss the first aspect of the CIA Triad, which is Confidentiality. They break down the critically important confidentiality point and how it works in the real world, highlighting that it's not about the information itself but more about where that information is in the flow. They also mention how confidentiality is brought up in certification exams and how it's always connected to encryption. They finish up by doing some mock interview questions about things like secure erase, encryption, and secure file transfer to simulate situations that you could face when applying for cybersecurity jobs.

What You'll Learn
● What are the three states of data?
● What questions related to confidentiality could you meet in your certification exams?
● What interview questions could you get on confidentiality, and how do you answer them perfectly?
● What is the difference between SFTP and FTPS?

Relevant Websites For This Episode
● https://www.yourcyberpath.com/

Other Relevant Episodes
● Episode 62 - The NIST Cybersecurity Framework
● Episode 56 - Cybersecurity careers in the Defense sector
● Episode 80 - Risk Management Framework with Drew Church

Your Cyber Path: How to Get Your Dream Cybersecurity Job
EP 83: Automating NIST Risk Management Framework with Rebecca Onuskanich

Nov 11, 2022 (44:52)

https://www.yourcyberpath.com/83/ In this episode, we go more in depth on the NIST RMF, answering extremely important questions about the different steps of the process and the checklist mentality that can develop when implementing RMF. Rebecca Onuskanich, CEO of the International Cyber Institute, is here to share some of the knowledge gained throughout her 20 years of experience with security compliance, and to explain how eMASS is used to implement RMF and adapt it to the real world. Alongside Kip, Rebecca goes over her experience with RMF, discussing how different backgrounds can influence the implementation and how a lot of people will have to get over the rigid mentality of RMF in favor of a more technical, real-world, viable approach, especially when facing the challenge of implementing RMF with different systems, including legacy systems. They also unpack eMASS: who can use it, what the requirements to use it are, what its limitations are, how it helps support the process, and whether there are any other ways to implement RMF, highlighting that the current direction is to emphasize resilience and survivability and always put the mission first.
What You'll Learn
●   How is RMF adapted in the real world?
●   How do you make the best use of RMF?
●   How do the NIST CSF and the RMF compare to one another?
●   What is eMASS?
Relevant Websites For This Episode
●   www.YourCyberPath.com
●   www.nist.gov
Other Relevant Episodes
●   Episode 80 - Risk Management Framework with Drew Church
●   Episode 62 - The NIST Cybersecurity Framework
●   Episode 56 - Cybersecurity careers in the Defense sector

Your Cyber Path: How to Get Your Dream Cybersecurity Job
EP 80: Risk Management Framework with Drew Church

Sep 30, 2022 (66:26)


https://www.yourcyberpath.com/80/ In this episode, Kip and Jason, along with special guest Drew Church, take a closer look at the NIST Risk Management Framework to help you select the right kind of security for your system and direct resources toward the right controls. Drew Church, RMF expert and global security strategist at Splunk, is here to talk about the different steps of RMF, the importance of preparation work, and understanding the bigger picture of what you want your system to accomplish. They go through the seven steps of RMF in detail: prepare, categorize, select, implement, assess, authorize, and monitor, highlighting the best procedures and ways of completing each step, as RMF is highly structured. They also call attention to soft skills and how invaluable they are throughout your cybersecurity career. Drew and Jason explain different terms, including STIGs, the DIKW pyramid, and POA&M, and their importance while implementing the RMF. Finally, they go over various tips and tricks to make sure you are ready for your assessment, like knowing what your system is going to be graded on and testing beforehand, and keeping in mind that the assessors are not going to be experts in your system.
What You'll Learn
●   What is RMF (and what is it not)?
●   Are RMF and CSF the same?
●   What are the seven steps of the RMF?
●   How important is the DIKW pyramid in RMF?
●   What is the secret to success in system assessments against RMF controls?
Relevant Websites For This Episode
●   www.YourCyberPath.com
●   www.nist.gov
●   www.splunk.com
Other Relevant Episodes
●   Episode 62 - The NIST Cybersecurity Framework
●   Episode 56 - Cybersecurity Careers in the Defense Sector
●   Episode 22 - Impress Us with Your Resume Skills Section

The Daily Scoop Podcast
Building your risk management framework; A new ceiling for Alliant 2

Aug 23, 2022 (23:50)


Rafael Borras, president and CEO of the Homeland Security & Defense Business Council and former Department of Homeland Security undersecretary for management, discusses the best practices for, and challenges of, building a risk management framework. Roger Waldron, president of The Coalition for Government Procurement, breaks down the increase in the Alliant 2 contract ceiling from $50 billion to $75 billion. The Daily Scoop Podcast is available every weekday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Google Podcasts, Spotify and Stitcher. And if you like what you hear, please let us know in the comments.

The Knowledge Group Podcasts
Essentials Of An Effective Third - Party Risk Management Framework - Before the Show #246

May 25, 2022 (3:43)


Webcast URL: https://knowledgewebcasts.com/know-portfolio/third-party-risk-management-framework/
Establishing relationships with effective third-party vendors is at the forefront of business development strategies today. With the current remote workforce setup, the importance of having efficient vendors to streamline complex business processes has been underscored, and more companies have started depending on third-party software to help with their operations. This growing reliance on vendors and other service providers, however, has opened new risks of breaches and has intensified the call for organizations to employ a third-party risk management framework that is not only effective but also holistic. Listen as information technology experts Sandeep Bhide (ProcessUnity) and Olga Voytenko (State Street Corporation) take the audience beyond the basics of third-party risk management (TPRM). The speakers will provide an in-depth analysis of the current digital and regulatory developments influencing vendor trends today, along with practical tips for employing a strategic third-party risk management framework. For more information please click on the webcast URL at the top of this description.

The Nonlinear Library
AF - Actionable-guidance and roadmap recommendations for the NIST AI Risk Management Framework by Dan Hendrycks

May 17, 2022 (5:55)


Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: Actionable-guidance and roadmap recommendations for the NIST AI Risk Management Framework, published by Dan Hendrycks on May 17, 2022 on The AI Alignment Forum. This is a linkpost to our working paper “Towards AI Standards Addressing AI Catastrophic Risks: Actionable-Guidance and Roadmap Recommendations for the NIST AI Risk Management Framework”, which we co-authored with our UC Berkeley colleagues Jessica Newman and Brandie Nonnecke. Here are links to both Google Doc and pdf options for accessing our working paper:
Google Doc (56 pp, last updated 16 May 2022)
pdf on Google Drive (56 pp, last updated 16 May 2022)
pdf on arXiv (not available yet, planned for a later version)
We seek feedback from readers considering catastrophic risks as part of their work on AI safety and governance. It would be very helpful if you email feedback to Tony Barrett, or share a marked-up copy of the Google Doc with Tony, at anthony.barrett@berkeley.edu. If you are providing feedback on the draft guidance in this document, in addition to any comments via email or Google Docs, it would be particularly helpful if you answer the questions in Appendix 2 of this document or in the following Google Form: Feedback by May 31, 2022 would be most helpful! (We will also appreciate feedback after that!) We may update the links or content in this post to reflect the latest version of the document.
Background on the NIST AI RMF
The National Institute of Standards and Technology (NIST) is currently developing the NIST Artificial Intelligence Risk Management Framework, or AI RMF. NIST intends the AI RMF as voluntary guidance on AI risk assessment and other AI risk management processes for AI developers, users, deployers, and evaluators. NIST plans to release Version 1.0 of the AI RMF in early 2023. As voluntary guidance, NIST would not impose “hard law” mandatory requirements for AI developers or deployers to use the AI RMF. However, AI RMF guidance would be part of “soft law” norms and best practices, which AI developers and deployers would have incentives to follow as appropriate. For example, insurers or courts may expect AI developers and deployers to show reasonable usage of relevant NIST AI RMF guidance as part of due care when developing or deploying AI systems in high-stakes contexts, in much the same way that NIST Cybersecurity Framework guidance can be used as part of demonstrating due care for cybersecurity. In addition, elements of soft-law guidance are sometimes adapted into hard-law regulations, e.g., by mandating that particular industry sectors comply with specific standards.
Summary of our Working Paper
In this document, we provide draft elements of actionable guidance focused primarily on identifying and managing risks of events with very high or catastrophic consequences, intended to be easily incorporated by NIST into the AI RMF. We also provide our methodology for development of our recommendations. We provide actionable-guidance recommendations for AI RMF 1.0 on:
Identifying risks from unintended uses and misuses of AI systems
Including potential catastrophic-risk factors within the scope and time frame of risk assessments and impact assessments
Identifying and mitigating human rights risks
Reporting information on AI risk factors including catastrophic-risk factors
We also provide recommendations on additional issues for NIST to address as part of the roadmap for later versions of the AI RMF or supplementary publications, on the grounds that they are critical topics but appropriate guidance development would take additional time.
Our recommendations for the AI RMF roadmap include:
Creating an AI RMF Profile providing supplementary guidance for cutting-edge increasingly general-purpose AI. For development of such AI, examples of actionable guidance could include: only increase comput...

The Nonlinear Library
EA - Begging, Pleading AI Orgs to Comment on NIST AI Risk Management Framework by Bridges

Apr 15, 2022 (3:55)


Welcome to The Nonlinear Library, where we use Text-to-Speech software to convert the best writing from the Rationalist and EA communities into audio. This is: Begging, Pleading AI Orgs to Comment on NIST AI Risk Management Framework, published by Bridges on April 15, 2022 on The Effective Altruism Forum. The National Institute of Standards and Technology (NIST) is seeking public comment until April 29 on its Draft AI Risk Management Framework. NIST will produce a second draft for comment, as well as host a third workshop, before publishing AI RMF 1.0 in January 2023. Please send comments on this initial draft to AIframework@nist.gov by April 29, 2022. I would like to see places like ARC, OpenAI, Redwood Research, MIRI, Centre for the Governance of AI, CHAI, Credo AI, OpenPhil, FHI, Aligned AI, and any other orgs make efforts to comment. Without going into the reasons why deeply here on a public forum, I think influencing the development of NIST's AI Risk Management Framework could be high impact. The framework is intended for voluntary use in addressing risks in the design, development, use, and evaluation of AI products, services, and systems. NIST standards are often added to government procurement contracts, so these standards often impact what the federal government does or does not purchase through acquisitions. This in turn impacts industry and how they develop their products, services, and systems to meet government standards so they can get those sweet, sweet federal dollas. For example, the IRS issued a Request for Proposals (RFP) soliciting a contract with a company that would meet NIST SP 800-63-3 requirements for facial recognition technology. Another way NIST is influential is with commercial-off-the-shelf items (COTS), in that companies would benefit in making products, services, and systems that can be easily adapted aftermarket to meet the needs of the U.S. government so that they can reach both commercial and governmental markets.
I have been somewhat disheartened by the lack of AI alignment or safety orgs making comments on early-stage things where it would be very easy to move the Overton window and/or (in the best-case scenario) put some safeguards in place against worst-case scenarios for things we clearly know could be bad, even if we don't know how to solve alignment problems just yet. The NIST Framework moving forward (it will go through several iterations and updates) will be a great place to add in AI safety standards that we KNOW would at least allow us to avoid catastrophe. This is also a good time to beg and plead for more EAs to go into NIST for direct work. If you are thinking this might be a good fit for you and want to try it out, please consider joining Open Phil's Tech Policy Fellowship the next time applications open (probably late summer?). I am heartened that at least some orgs that at least sometimes if not always contemplate AI alignment and safety have recently provided public comment on AI stuff the U.S. gov is doing. E.g., Anthropic, CSET, Google (not sure if it was DeepMind folks), Stanford HAI (kind of) at least commented on the recent NAIRR Task Force Request for Information (RFI). Future of Life Institute has also been quite good at making comments of this type and has partnered with CHAI in doing so. But there is more room for improvement and sometimes these comments can be quite impactful (especially for formal administrative rulemaking, but we will leave that aside). In the above NAIRR Task Force example, there were only 84 responses. Five additional EA orgs saying the same thing in a unifying voice could make some marginal impact in influencing the Task Force. NIST's work on the Framework is consistent with its broader AI efforts, recommendations by the National Security Commission on Artificial Intelligence, and the Plan for Federal Engagement in AI Standards and Related Tools.
Congress has directed NIST to collaborate with the private and public sectors to develop...

HACCP Mentor
Implementing the risk management framework to your business

Apr 4, 2022 (31:27)


Listen to Episode 3 of 'Off the Menu' where HACCP Mentor discusses adapting and implementing the risk management framework. The post Implementing the risk management framework to your business appeared first on HACCP Mentor.

HACCP Mentor
Integration and adaption of the risk management framework to your business

Apr 4, 2022 (31:27)


Listen to Episode 3 of 'Off the Menu' where HACCP Mentor discusses adapting and integrating the risk management framework. The post Integration and adaption of the risk management framework to your business appeared first on HACCP Mentor.

The Data Exchange with Ben Lorica
An AI Risk Management Framework

Mar 24, 2022 (30:55)


This week's guests are Elham Tabassi of the National Institute of Standards and Technology (NIST) and Andrew Burt, Managing Partner of BNH.ai, the first law firm focused on AI compliance, risk mitigation, and related topics. We discuss the new NIST framework – “AI Risk Management Framework” – intended for voluntary use to manage risks in the design, development and use of AI products and systems.
Download the FREE Report: Trends in Data, Machine Learning, and AI → https://gradientflow.com/2022trendsreport?utm_source=DEpodcast
Subscribe: Apple • Android • Spotify • Stitcher • Google • AntennaPod • RSS.
Detailed show notes can be found on The Data Exchange web site.

HACCP Mentor
An Introduction to the Risk Management Framework

Feb 1, 2022 (45:09)


Episode 1 introduces you to the ISO 31000 Standards, the guiding principles, & the risk management framework. The post An Introduction to the Risk Management Framework appeared first on HACCP Mentor.

Sheppard Mullin's Nota Bene
Building an AI Risk Management Framework with Siraj Husain

Nov 3, 2021 (39:26)


We reconnect with Siraj Husain for the third time this year to hear the latest in artificial intelligence. He updates us on the National Institute of Standards and Technology and its effort to create an AI framework. Siraj discusses incidents of how AI has been used inappropriately and how it has gone wrong in the marketplace. He outlines why organizations need to do a better job of practicing responsible AI, not just from an ethical perspective but also a corporate one. Finally, he discusses AI on a global scale and how other countries have adopted it.
Siraj Husain is a partner in the Intellectual Property Group in Sheppard Mullin's Palo Alto office. Siraj focuses his practice on intellectual property and patent strategy in various technical areas with an emphasis on software and artificial intelligence. With an undergraduate degree in computer science, and over a decade of legal experience representing computer technology companies, Siraj helps clients, large and small, build and manage valuable patent portfolios in the United States and abroad.
What We Discussed in This Episode:
What is the National Institute of Standards and Technology?
How did NIST come about creating an AI risk management framework?
What is NIST doing to build trust in AI?
What does it mean that AI is brittle?
How does embedded bias in AI influence the marketplace?
What's the timeline for the NIST process?
How does the domestic and multinational world embrace this framework?
What are other AI-capable countries doing about AI?
Resources Mentioned:
Nota Bene Episode 141: Artificial Intelligence Technologies: Past, Present, and Forward with Siraj Husain
Nota Bene Episode 108: Artificial Intelligence: Landmark 2020 Developments and Rapid Business Adoption with Siraj Husain
Sam Harris' Making Sense podcast #116 – AI: Racing Toward the Brink
Contact Information: Siraj Husain's bio

Tech Transforms
Strategize a Secure Foundation with Lonye Ford

Oct 20, 2021 (28:28)


When it comes to industry and government technology, who is the glue that holds it all together? Lonye Ford joins Carolyn and Mark to give her insight on roles and responsibilities within the cybersecurity field. From Lonye's time at the U.S. Air Force help desk to her current role as CEO at Arlo Solutions, she offers a unique perspective on the cybersecurity career path. #CybersecurityAwarenessMonth
Episode Table of Contents
[01:02] The Ever-Evolving Landscape of a Secure Foundation
[09:20] Understanding the Importance of a Secure Foundation
[16:37] The Secure Foundation of the People
[26:28] A Secure Foundation Is Void of Decision Fatigue
Episode Links and Resources: Secure Foundation
The Ever-Evolving Landscape of a Secure Foundation
Carolyn: Today, we have Lonye Ford (https://www.linkedin.com/in/lonyeford/), CEO of Arlo Solutions. Lonye served for over 10 years in the U.S. Air Force and was named one of the top 50 in tech visionary at Intercom 2021. Since it's cybersecurity awareness month, we're super excited to talk to Lonye about her 20-year career in the cybersecurity field, her experience on both the government and industry teams, and her insights on the ever-evolving landscape of government cybersecurity.
Lonye: Thank you Carolyn, for having me. Hi, Mark. When I heard the intro, I think I'm going to ask next time to move out with that 20-year experience. Makes me sound super old.
Carolyn: You caught Mark and I discussing your age because we looked you up on LinkedIn, we're like, there's no way she's been doing this for 20 years.
Lonye: I appreciate being invited, so thank you, I'm looking forward to this conversation.
Carolyn: It's October. We have the best holiday of the year, which is Halloween, but also, super important, cybersecurity awareness month. We'd like to start out with you talking about your cybersecurity career journey. Why do you think it's such an important component of our lives?
Lonye: Halloween is actually my favorite holiday as well. I have two little ones and so I get all into Halloween.
Carolyn: What's your costume this year?
Lonye: We're going to be the Space Jam family and I'm going to be Lola Bunny.
Carolyn: We got Alice in Wonderland theme going on at my house, I will be the Cheshire cat.
A Proud Veteran
Lonye: COVID messed Halloween up for me because, we get into it, as far as in our house and a holiday party. We open our bottom floor, so whenever the kids come through, we do a scary, little, haunted house and give. They'll have to come in and have scary movies playing. I missed that, I can't wait till we can open back up that way. My journey started in the Air Force, I am a very proud Air Force veteran. When I started at the Air Force, I started at the help desk. I like to tell people I started from the bottom, literally. No offense to help desk technicians, but working on a help desk gave me an amazing place to start. You get experience, visibility just across the gamut. I'm a service type of person, I like to service people. I am a person that really likes to help in every capacity, so I love the help desk when others hated it. Started at the help desk, then I did more network admin stuff, sys admin, and network admin. I've been a cable dog, I've pulled cable through buildings. Then I went on to work for the program offices within the Air Force, doing things still in cybersecurity. I like to be very specific in what part of cyber I'm in, because cyber is such a huge domain. My focus is more on assessment and authorization of systems, so we started at a system called DITSCAP. It's the way that they used to do it back in the day, and then it matured into a program called DIACAP. Now you hear people talk about RMF, Risk Management Framework, so that's what we're doing now.
A Secure Foundation Focuses on Risk Assessment and Authorization
Lonye: So, that was my journey in the Air Force, I got out of the Air Force and I supported the government via contract. I was contracting...

ConvoCourses
ConvoCourses podcast – Cyber Security Therapy Sessions

Apr 12, 2021 (65:25)


check out: http://convocourses.com
0:00 ISSO Therapy Session
14:38 Things to read for Risk Management Framework
23:37 How to Get a Security Clearance?
33:01 Do I Need a Prestigious University for Cybersecurity?
43:24 Why I don't take calls as a mentor?
44:57 Advice for a new SCA (Security Control Assessor)
49:31 Cybersecurity Resume Tips for Security […]

InfoSecSync
Women In Cyber – Karen Williams

Apr 5, 2021 (49:08)


In this new series of the InfoSecSync Podcast, "Women In Cyber", Nick speaks with Cybersecurity Leader Karen Williams of JRC Integrated Systems.  They discuss her career, the Risk Management Framework, mentoring, and more! https://youtu.be/d75zjQzsDCw

The Sleepy Podcast
Chapter 2b -- NIST SP 800-37: Risk Management Framework for Information Systems and Organizations

Feb 15, 2021 (37:18)


Sleepy Podcast Host Jayne Lytel wraps up Chapter 2 with a provocative intro on the relationship between security and privacy and tops off the chapter with a teaser on supply chain risk management.

The Sleepy Podcast
Chapter 2a -- NIST SP 800-37: Risk Management Framework for Information Systems and Organizations

Feb 11, 2021 (24:40)


Sleepy Podcast Host gets into the nitty-gritty of SP 800-37 by describing the seven steps in the NIST Risk Management Framework. It will take her a few episodes to get through Chapter 2, The Fundamentals.

The Sleepy Podcast
Chapter 1 -- NIST SP 800-37: Risk Management Framework for Information Systems and Organizations

Feb 8, 2021 (18:39)


Sleepy Podcast Host Jayne Lytel does a gainer off the IT diving board and plunges into Chapter 1 to show you the big overview of the NIST Risk Management Framework.

The Sleepy Podcast
Exec. Sum -- NIST SP 800-37: Risk Management Framework for Information Systems and Organizations

Feb 7, 2021 (15:42)


Sleepy Podcast Host Jayne Lytel dives into the NIST risk management publication primarily devoted to the systems level, or Level 3. Get ready, and dive in with her for the Executive Summary.

ATARC Federal IT Newscast
Risk Management Framework Best Practices for Robotic Process Automation and Bot Security

Jan 20, 2021 (56:55)


The Risk Management Framework (RMF) is commonly used across the federal government, with the goals of improving information security, strengthening the risk management process, and encouraging reciprocity among federal agencies.

Sweet IT Security Consulting
Risk Management Framework #Episode 1.02

Mar 16, 2020 (4:35)


Everything I am talking about is public knowledge and I do not speak for, or against, any company. Hope you enjoy. --- This episode is sponsored by · Anchor: The easiest way to make a podcast. https://anchor.fm/app Support this podcast: https://anchor.fm/james-sweet9/support

On DoD
Navy's 'RAISED' process aims to reduce cybersecurity approval processes from months to one day

Mar 11, 2020 (49:01)


The Navy is jumping on the bandwagon of federal agencies that are reforming their IT security processes to speed new capabilities through the approval process in as little as a day. That’s a far cry from the 13-18 months it currently takes new capabilities to make their way through the Navy’s implementation of the Risk Management Framework. Capt. Susan BryerJoyner joins Jared Serbu to talk about the forthcoming changes under a program called Rapid Assess and Incorporate Software Engineering in a Day (RAISED).

On DoD
Army's Project Sentinel aims to fix authorization bottleneck for IT systems

Jan 22, 2020 (46:25)


It’s been five years since the Defense Department adopted the Risk Management Framework to assess the cybersecurity of its IT systems. It was a rough ride at first, but DoD organizations have started to work the bugs out. The Army has just launched a three-phase RMF reform effort called Project Sentinel. Nancy Kreidler, the director of cybersecurity and information assurance in the Army CIO’s office talked with Federal News Network’s Jared Serbu about what the Army’s changing, and why.

Paul's Security Weekly
The Dirty Number - SCW #14

Jan 21, 2020 (63:43)


This week, we welcome Trevor Bryant, Senior Information Security Architect at Epigen Technology, to talk about the Risk Management Framework, and how to leverage sound business practices to promote security and compliance initiatives in the workplace!   Show Notes: https://wiki.securityweekly.com/SCWEpisode14 Visit https://www.securityweekly.com/scw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Security and Compliance Weekly (audio)
The Dirty Number - SCW #14

Jan 21, 2020 (63:43)


This week, we welcome Trevor Bryant, Senior Information Security Architect at Epigen Technology, to talk about the Risk Management Framework, and how to leverage sound business practices to promote security and compliance initiatives in the workplace!   Show Notes: https://wiki.securityweekly.com/SCWEpisode14 Visit https://www.securityweekly.com/scw for all the latest episodes!   Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly

Engineering Culture by InfoQ
Chris Matts & Tony Grout on IT Risk Management Framework as a Catalyst for Change

Apr 22, 2018 (38:36)


In this podcast Shane Hastie, Lead Editor for Culture & Methods, talks to Tony Grout and Chris Matts about building an IT risk management framework at a large bank and using that as a catalyst for a digital transformation.
Why listen to this podcast:
• Just deploying another prescriptive method will not make an organisation agile and adaptive
• A risk management framework can be a catalyst for change
• The components of a simple framework which enables adaptation at the team level while ensuring alignment to organisational outcomes
• The importance of an organisational-level backlog which is transparently prioritised to ensure the teams who need to collaborate have clarity about cross-cutting priorities
• Ensuring that controls are as easy to evidence as possible and that there is very low overhead in gathering the metrics
You can also subscribe to the InfoQ newsletter to receive weekly updates on the hottest topics from professional software development. bit.ly/24x3IVq
Subscribe: www.youtube.com/infoq
Like InfoQ on Facebook: bit.ly/2jmlyG8
Follow on Twitter: twitter.com/InfoQ
Follow on LinkedIn: www.linkedin.com/company/infoq

Rooted in Reliability: The Plant Performance Podcast
92 - Operational Risk Management Framework with Paul Daoust

Feb 13, 2018 (45:17)


Operational Risk Management Framework with Paul Daoust
When you are striving toward excellence in maintenance and reliability, there are a lot of activities you have to perform to avoid risks. Asset management is one of the top activities that goes on in organizations, and there can be certain risks involved while […]
The post 92 – Operational Risk Management Framework with Paul Daoust appeared first on Accendo Reliability.

Software Engineering Institute (SEI) Podcast Series
How Risk Management Fits into Agile & DevOps in Government

Feb 1, 2018 (34:17)


DevOps, which breaks down software development silos to encourage free communication and constant collaboration, reinforces many Agile methodologies. Equally important, the Risk Management Framework provides a clearly defined structure that helps program managers incorporate security and risk management activities into the software and systems development life cycle. In this podcast, Eileen Wrubel, technical lead for the SEI’s Agile-in-Government program, leads a roundtable discussion on how Agile, DevOps, and the Risk Management Framework can work together. The panelists include Tim Chick, Will Hayes, and Hasan Yasar. Listen on Apple Podcasts.

Venminder Inc.
The Basic Concepts of Third Party Risk Management Framework

Jul 27, 2017 (1:26)


Learn the basics of the third party risk management framework including how it relates to enterprise risk management (ERM).

CERIAS Security Seminar Podcast
Ron Ross, Pushing Computers to the Edge: Next Generation Security and Privacy Controls for Systems and IoT Devices

Apr 19, 2017 (65:44)


As we push computers to "the edge", building an increasingly complex world of interconnected systems and devices, security and privacy continue to dominate the national conversation. The Defense Science Board, in its 2017 report, Task Force on Cyber Defense, provides a sobering assessment of the current vulnerabilities in the U.S. critical infrastructure and the systems that support the mission essential operations and assets in the public and private sectors:
"…The Task Force notes that the cyber threat to U.S. critical infrastructure is outpacing efforts to reduce pervasive vulnerabilities, so that for the next decade at least the United States must lean significantly on deterrence to address the cyber threat posed by the most capable U.S. adversaries. It is clear that a more proactive and systematic approach to U.S. cyber deterrence is urgently needed…"
There is an urgent need to further strengthen the underlying systems, component products, and services that we depend on in every sector of the critical infrastructure—ensuring those systems, components, and services are sufficiently trustworthy and provide the necessary resilience to support the economic and national security interests of the United States. NIST Special Publication 800-53 (Revision 5) responds to the call by the Defense Science Board by embarking on a proactive and systemic approach to develop and make available to a broad base of public and private sector organizations a comprehensive set of safeguarding measures for all types of systems, including general purpose computing systems, cyber-physical systems, cloud and mobile systems, industrial/process control systems, and IoT devices. Those safeguarding measures include security and privacy controls to protect the critical and essential operations and assets of organizations and the personal privacy of individuals.
The ultimate objective is to make the systems we depend on more penetration resistant to attacks; limit the damage from attacks when they occur; and make the systems resilient and survivable. About the speaker: Ron Ross is a Fellow at the National Institute of Standards and Technology. His focus areas include information security, systems security engineering, and risk management. Dr. Ross leads the Federal Information Security Modernization Act (FISMA) Implementation Project, which includes the development of security standards and guidelines for the federal government, contractors, and the United States critical infrastructure. His current publications include Federal Information Processing Standards (FIPS) 199 (security categorization), FIPS 200 (security requirements), and NIST Special Publication (SP) 800-39 (enterprise risk management), SP 800-53 (security and privacy controls), SP 800-53A (security assessment), SP 800-37 (Risk Management Framework), SP 800-30 (risk assessment), SP 800-160 (systems security engineering), and SP 800-171 (security requirements for nonfederal systems and organizations). Dr. Ross also leads the Joint Task Force, an interagency partnership with the Department of Defense, Office of the Director National Intelligence, U.S. Intelligence Community, and the Committee on National Security Systems, with responsibility for the development of the Unified Information Security Framework for the federal government and its contractors.

Risk Roundup
Need For An Effective Cyber-Security Risk Management Framework

Risk Roundup

Mar 28, 2016, 59:56


Mark Bernard, author of the NIST Cyber-Security Foundation, Canada, participates in Risk Roundup to discuss the Need for an Effective Cyber-Security Risk Management Framework. The rapid advances in cyberspace are bringing complex, chaotic, and challenging times for each nation: its government, industries, organizations, and academia (NGIOA) in cyberspace, […] The post Need For An Effective Cyber-Security Risk Management Framework appeared first on Risk Group.

Risk Roundup
Security-Centric Integrated Risk Management Framework

Risk Roundup

Feb 20, 2016, 70:07


Prof. Daniel Shoemaker, the Director of the Masters of Science Information Assurance Program (for Cyber-security) and a Principal Investigator for the Center of Academic Excellence Program with the National Security Agency, participates in Risk Roundup to discuss the Security-Centric Integrated Risk Management Framework. Why do we need security centric […] The post Security-Centric Integrated Risk Management Framework appeared first on Risk Group.

Risk Roundup
Security Centric Integrated Risk Management Framework

Risk Roundup

Dec 28, 2015, 55:35


Kelley Dempsey from the National Institute of Standards and Technology (NIST) participates in Risk Roundup to discuss the Security Centric Integrated Risk Management Framework. Cyberspace has brought complex, chaotic, and challenging times for each nation: its government, industries, organizations, and academia (NGIOA). Cyberspace can be related to a neural […] The post Security Centric Integrated Risk Management Framework appeared first on Risk Group.

ACCA Student Podcasts
Paper P1: COSO Enterprise Risk Management Framework

ACCA Student Podcasts

Dec 10, 2013, 14:37


This podcast examines the guidance published by the Committee of Sponsoring Organisations (COSO). Relevant to ACCA Qualification Paper P1: Governance, Risk & Ethics.

Paul's Security Weekly
Interview with Dan Philpott, Stealing Tokens for Privilege Escalation, Exploit Development with Mona.py - Episode 351 - October 28, 2013

Paul's Security Weekly

Nov 15, 2013, 81:42


Dan Philpott is a Solutions Architect with Natoma Technologies working with Federal customers on cloud computing and federal information security projects. His work focuses on federal information security initiatives including FISMA, cybersecurity, FDCC, USGCB, HSPD-12, risk management and other federal information assurance initiatives. He has worked on federal cloud computing security with the Cloud Security Alliance and has participated in Federal CIO Council cloud and FedRAMP efforts. He is the founder of FISMApedia.org, an information security instructor with Potomac Forum, and co-author of "FISMA and the Risk Management Framework" from Syngress. He is fully buzzword compliant and an owner of the coveted Application Security Specialist baseball cap, known in security circles as the ASS hat.