Mads Bundgaard Nielsen’s Post

NIS2 and DORA require you to have RTOs for your critical assets. Don't define them the same way you make wish lists for christmas: "In the best case we'll be up in 90 minutes, so that will be our RTO" Instead use Marco Felsberger's practical approach: Define a measurable criteria for your required capability and make an actual test of your scenario. 1) Ditch low, medium, high, etc. from your business impact analysis: Find out *when* the impact from a given outage would likely exceed a specific tolerance. 2) Define your objective: "Given an outage we need to be able to return to minimum viable operations with X time". (E.g. Your business impact analysis has shown that after 4 hours of unavailability your costs grows exponentially) 3) Test the scenario (not just tabletop): Is our incident response and disaster recovery (D/R) able to recover operations within 4 hours? If not, was our business continuity plan (BCP) executable and effective in deploying alternatives? (given a specific reason for outage). 4) Evaluate: Has the test given confidence that you have sufficient D/R and BCP for a given scenario? Of not, can we make a positive business case for investing in better D/R and BCP? Best of luck!

How can I defend my probability estimates? See this step by step for getting started with quantitative probability estimates! I have just begun to understand how to research, estimate and updating estimates of probabilities. Its tricky and takes actual practice with statistics and probability theory. Luckily we don't have to know everything (about cyber or probability theory) to make defensible, justified (and perhaps even reliable) estimates of the probability of cyber attacks or other event types. The guide below is a simplified version to get you started. I recommend reading "The Metrics Manifesto" if you really want to go down the Bayesian belief update calculations-rabbit hole. And for industry reports, have a look at: Cyentia Institute FAIR Institute Verizon Resilience

Thank you for the invite! I hope the audience took away these key points: 1) Identify the objectives and decisions that has significant uncertainty. 2) Identify what *matters most* in the decision scenario (risk factors). 3) Find out how to best measure risk factors (money, time, records, people, etc). 4) Model the scenario [Not in presentation scope] 5) Report: You will probably be wrong, but less wrong compared to using a matrix to analyze and report risk.

Fastest way to estimating your cyber risk exposure: Get the calculator. Knowing your cyber risk exposure in quantitative values is a difficult endeavor. It usually takes experienced risk analysts or insurance underwriters to make reliable estimates. Not knowing your exposure in $$$ makes it difficult to argue the value of additional controls as they usually require $$$. Luckily, you can reverse engineer your cyber risk exposure from your insurance premium. It only requires a few simple calculations and a few thousand simulations. All possible to build in excel in less than 30 minutes. I've made a calculator that does this for you. All you need is your insurance premium and the calculator will graph out your derived cyber risk exposure. Let me know if you would like a copy of the calculator. I wouldn't have been able to create this without help from Richard Seiersen's and Doug Hubbard's book "How to measure anything in Cybersecurity Risk" 2nd edition, see "The rapid risk audit". Important note: If you find any errors or bad assumptions, please let me know.

“80% of your security comes from 20% of your controls” - Which controls have I got wrong? - What are your top 3 priority controls?   I’m trying to develop a cost effective CISO playbook. Like everything, its not easy because CISOs usually want all the security but they’re afforded limited budget. How do you make sure to spend your security budget least stupidly and accept that some controls are simply out of reach? I’ve mapped out a CISO priority map, (First attempt). Obviously we begin with the most effective, least costly controls: 1) Strong passwords 2) Firewalls / WAP 3) Hardening (reducing attack surface) After that we take the more expensive, effective controls and if there are any budget left, we can take the cheap controls. My rankings are probably off on several items, please let me know where I’m wrong.   Rankings are loosely based on following research: - Woods Seymour (2024) Evidence-based cybersecurity policy A meta-review of security control effectiveness.pdf - Coalition (2023) Cyber Claims Report - Coalition (2024) Cyber Threat Index - NCSC (2022) 2021 Trends Show Increased Globalized Threat of Ransomware - Verizon (2024) Data Breach Investigations Report.pdf

I sommeren 2021 var Nørrebros Runddel epicenter i københavnske EM-fejringer. Det var ikke mindst pga. storskærmsarrangementer på min fars bar, Café Runddelen. Jeg håber på en gentagelse af både resultater, gadefest og folkestemning! Derfor håber jeg at rettighedshaverne giver små steder rimelig mulighed for storskærmsarrangementer. Foto: EB

Cyberforsikringer bliver ligesom ejerskifteforsikringer: De dækker aldrig. Du skal i hvert fald ikke regne med at din likviditet bliver reddet af din cyberforsikring, hvis du rammes af et alvorligt angreb. Vidste du, at du kan udlede din kvantitative cyberrisiko fra din forsikringspolice? BEREGNER Se, hvordan din organisation er eksponeret. Smid en kommentar, så smider jeg en beregner efter dig, så du selv kan lege med input. Ingeniøren har en god artikel om emnet her: https://lnkd.in/dMp_7JSQ Thank you Doug Hubbard and Richard Seiersen for providing "Rapid audit steps" in HTMA in CyberSecurity, 2nd edition!

Chokolade er godt fundet på! Hvis jeg var ude på ballade, ville jeg maskere mit phishing-forsøg som træningsmateriale: 1) "Tryk for at komme til phishing awareness-modulet". 2) Præsentere to tre slides med quiz og til sidst 3) "Indtast X, Y og Z" for at få bekræftelse på gennemførelse. To fluer med ét smæk: ✅ Jeg får oplysninger ✅ Jeg smadrer tilliden til online awareness kampagner for al fremtid 👹👹