Gary Gaskell
Infosec Services Pty Ltd
Gary has been a pure-play cyber security specialist since 1993.

This career has been built in part on a master's degree by research in the security field and on extensive experience across government and large enterprises. In 2013 his contributions were recognised by the Australian Information Security Association, which named him its Information Security Professional of the Year.

In recent years he has focused on better ways to communicate cyber risks to the C-suite and to boards, matching the growing role of boards in governing cyber security risk. Gary has served the ICT industry for 25 years and specialises in cyber security risk management. He has published over 50 articles and delivered conference presentations in Australia and internationally. He combines communication and business analysis skills with a detailed knowledge of technical security controls.

TUTORIAL: Cyber Security Risk Management Master class
Technical Level (3 being the highest score): 1

There is a great diversity of opinion on where and how best to protect information systems. It is common for so-called “experts” to disagree, sometimes quite fervently. To obtain a clear and consistent view of what a sound control environment looks like, the best-practice approach to designing the security environment is to apply risk management techniques. Risk management helps ensure that no weak link in the (security) chain is overlooked and that the most important issues are given priority.

Risk management is not rocket science, but it is a significant departure from the traditional control-based and vulnerability-based approaches to information security management. This tutorial provides practical information and tools to help you conduct an effective information security risk assessment and implement a risk-management-based security plan for your organisation.

This tutorial provides the skills and techniques to identify, assess and evaluate IT security risks, and to translate that information into a business context for senior management. It will assist technologists and IT managers to determine work priorities and to enhance their credibility with senior management. The tutorial includes a workshop that develops a risk assessment for a hypothetical scenario.

Influencing security decisions
Technical Level (3 being the highest score): 1

It is an all too common frustration aired at IT security community functions: "the boss simply ignores my expert advice". The reality is that decisions and support are often required from non-technical managers and executives. If they lack the technical background with which to evaluate your advice and proposals, they will judge you and your advice using other criteria.

This session describes what a security technologist has learnt about the psychology of decision making and of influencing people. The author has never formally studied psychology, but has read widely in order to communicate security risks more effectively.

With a little awareness you can better understand how your 'bosses' make decisions. With this in your tool bag, you can present advice and proposals in a manner that is much more likely to obtain the decisions and support you are after. The author has been applying this knowledge and has seen greatly improved acceptance of his advice and risk assessments.

Presentation slides can be found HERE (Part 1 tutorial), HERE (Part 2 tutorial) and HERE (Influencing security decisions).

Presentation video can be found HERE