to Mike Jerbic, who is a risk management consultant at Trusted Systems Consulting nowadays. Mike has worked his entire career in Silicon Valley, where he now heads up his own information risk consulting practice. He's the current chair of the Open Group Security Forum, which sustains the Open FAIR industry-standard quantitative risk analysis body of knowledge. Prior to that, Mike had 35 years of extensive experience, including developing and managing high-technology products at Hewlett-Packard, managing information security IT projects at Visa, teaching college economics courses at San Jose State University, and leading risk analyses at clients such as the City and County of San Francisco. This morning, Mike's session is going to present the Open Group Security Forum standards and tools that help confront the risk and security issues associated with digital-first architecture. So a warm welcome from the Open Group, a virtual welcome from the Open Group, for Mike Jerbic. Over to you, sir.

There. Terrific. Thank you. So it's easy. It's obvious to everybody that a lot has changed in a very short time, just the last three months. Locations have changed, of where we're doing things. Platforms have changed, to where we don't often know if maybe we're in this kind of emergency, fast-turnaround-time mode, working with individually owned devices that used to be corporate-owned. Other technologies we may not know because we're really adapting on the fly. And that adapting on the fly is occurring, you know, across every industry segment, whether it's education, retail, it doesn't really matter. A lot is really changing really fast. And a lot of relationships are moving on the fly, where we had one supply chain, as we've been talking about, we may be trying to invent new ones very quickly in order to keep our businesses running. So boundaries and segmentation of functional responsibilities have been changing really rapidly.
On the economic front, a lot has changed as well. The IMF World Economic Outlook for June 2020, in its article "A Crisis Like No Other, An Uncertain Recovery," revised its estimate of global output to a decline of approximately 5% this year. And the estimate for 2021 is 6.5% lower than January 2020's estimate. What this means is that this change, this impact, is likely a protracted one, one that's going to take quite a bit of time, and it's deep. And so people are in, you know, something of a survival mode and are making decisions that way during this time while a lot has changed. And in this chaotic environment, hostile actors are finding a really opportunity-rich environment in which to capitalize on what for them is probably a once-in-a-generation, if not longer, opportunity. But a lot hasn't changed either. So what stays the same? Well, companies in business still have the same liability to conduct their operations. They still have to comply with their regulatory mandates. And they still have to manage and govern their operations in order to keep the business running, even in an uncertain time. That becomes their job. And management's job is, even in the face of uncertainty and higher risk, they still have to forge ahead and achieve the objectives on behalf of their constituents, of their stakeholders. So what's happened, right? What are the digital security considerations in this environment? Well, it's increasingly important to connect governance, management, and operations in the right way, where the language is consistent so that we can communicate clearly and hopefully maybe once. We need to have the right frame. To do that, we have to frame our questions and our issues correctly, with the right objectives and key results, supported by good architecture and execution. From that, what is the language and frame? Well, effective cyber risk management becomes the goal. Security architecture, deployment, and operations are the means to the end of achieving that goal.
So security controls are not the goal. Effective cyber risk management is. And we at the Open Group, our Security Forum, have the mission of connecting architecture and design with risk and risk management. And it comes down to this fundamental precept: measure what matters. Risk is the measurement of security. Security is higher when risk is lower, and we can measure it. That's what the Open Group Security Forum is all about. And this is our vision for it. If our goal is effective cyber risk management, we have a management stack that you see on the left whose goal is to effectively govern and manage. To do that, we have to be able to make well-informed decisions to effectively compare alternatives. To do that, we have to support those comparisons with meaningful measurements and accurate models. That is the management mission: the board of directors and the C-suite are to effectively govern and manage risk within their operations. At the same time, and you see that on the right side of the language mission bridge, management, even in chaotic times, is moving towards a continuous improvement model where they need the right measurement so that they can see what works, they can adjust, and they can take corrective action when they're not achieving their objectives. So to do that, we have to support a plan-do-study-act or plan-do-check-act kind of continuous improvement cycle, made famous by Shewhart and Deming. What we have at the Open Group is a risk taxonomy, articulated in the tree under the bridge, that defines the language we can use to communicate about risk, and then translate that, use that to guide the functional security operations that are control-based and technology-based and that use something like the NIST CSF as a framework for thinking about technology and architecture through things like identify, protect, detect, respond, and recover.
And to do that, we have to have the concept of what it means, what we are trying to worry about. We're trying to worry about losses. How do we talk about that? And then how do we correct that? How do we control for that? That's what the Open Group does. We bring risk management and we bring technology and architecture together to holistically discuss what matters most: the measure of security, that is, your organizational risk associated with IT assets. So what do we do? What are our resources and activities? We have the Open FAIR body of knowledge, which consists of two standards, O-RA and O-RT. We have a risk analysis spreadsheet tool that helps; it's a good tool that's been used in the field to identify, to decompose, and to measure single risk issues in a way that brings new practitioners up to speed very quickly and can help people learn about quantitative risk analysis. We have a process guide, again aimed at the new practitioner, to help make that first risk analysis successful. And we have a certification regime which has already certified 775 risk analysts. So we have a vibrant community within the Open Group to measure and quantify cyber risk, help educate, help train, bring people up to speed with tools and support, and then help signal a skill level to the world through the foundation certification program. We also have a vibrant architecture practice. One of the more recent publications from that was the Axioms for the Practice of Security Architecture, which gives a basic structure for how to think about security architecture. And then we have some relatively new activities in flight all around zero trust, so that as we don't rely upon the provenance of devices, whether your presence on a network or the network itself, how do we guarantee some sense, or how do we think about security, in that sense where we have to test for and validate security on a near-every-data-transaction level.
And then, and this was referenced but it was in really tiny print on Bob's slides, we have the Outsourcing Network Services Assessment Tool that is used to help vendors, to help you understand and evaluate the supply chain of, and risk associated with, outsourced network services, outsourced services broadly defined. That's not only an Open Group guide for the documentation and the approach to that but also a spreadsheet tool and user manual that help embody it and concretely give you tools. So one of the things that you see consistently here is that we go beyond just standards and just saying what, but we have for the last couple of years really tried to help make it real to people, so that we can support the practice, so that we can support the profession in quantitative risk analysis, security architecture, and network assessment. We said Open FAIR is where risk meets architecture, and we do that through what we call a loss scenario, where we form a sentence: threats breach or impair assets that cause observable loss events that have direct consequences and may have reactions from others. And from that, we can develop the concept of what happens before the loss, like a contact event, a threat event that becomes a loss event, and the controls in place that can mitigate a contact event from becoming a threat event or a threat event from becoming a loss event. And then we can argue and support how those controls map into a control framework that the security operations people already have some familiarity with, so that we can map what management cares about, where risk meets architecture, to the architecture and the operations. And similarly, once a loss occurs, how do we mitigate it once it's begun? So we have to detect it, respond, and recover, and again, through forms of loss and through those functional categories of operational activities, we can help people see the complete picture for how they can achieve management objectives through security controls.
The Axioms for the Practice of Security Architecture gives you a frame for thinking about how you build an architecture for controls. And you'll notice that at the top of that, at the basis of it, is that it's a risk-driven architecture that has applicability through a context, scope, intelligence, and how to build trust and how you think about trust within the architecture, which then gives a structure, an interface. The interface is where the human design comes in for clarity of communication: is it usable and is it designed well? And then it gets into detail, much of which we have already seen a lot of in the security practice, like defense in depth, least privilege, access management, secure communications, with a few other things added like precedence and design sovereignty. And you'll see at the link here where you can get that today. The guidance to tools to assess outsourced network services is a very recent publication that was worked on and really led by the Department of Defense. But the Open Group contributed to that and has published on its website the overall approach to this, and also then the tool. The tool is not hosted on the Open Group website, but it is hosted as you see here, and we recommend that you pick this up. This will help people address the outsourcing of network services and can meet the needs of multiple sizes and types of businesses. So it's designed to be flexible and scalable and publicly accessible. So what are we doing now? Well, we've spent about the last two years revising the Open FAIR standards, and some of the approach that you'll see in those upcoming standards you've gotten a preview of today. We've done a lot of work to try to make the standard more accessible and more clear, so that we can connect and help people grasp more quickly what Open FAIR is about, so it's more tangible and more operational, more actionable.
And the other activities we are focusing on are in the zero trust area, where we're collaborating with the Open Group's Architecture Forum and the SABSA Institute. From this, I'd just ask our audience members, if you're interested in this, come join us. We have recently attracted several new members who are in both the architecture practice and in the quantitative cyber risk practice. And so we want to continue bringing these people together so that we can continue developing this vision of connecting the board and senior management to security operations in the right meaningful way. And with that, let's take a couple of questions.

Mike, thank you very much. Thank you very much for sharing what's going on. It's a great summary; there's a lot of work, but you've stuck to time and managed to just hit the high points there. I mean, I know you and I have discussed this before, but I'm not a security professional, but it was nice to hear Bob say that he trusted me, so that was good to know. But I'm not a security professional, but I hand on heart can say that the Open FAIR standards, the body of knowledge there, are very easy to pick up and understand for somebody who doesn't have years of training in this. It really is a very approachable body of work, and I'm sure there are quite a few of you attending today who may not have the extensive experience that some of the speakers have in this area, but I assure you it's very easy to pick up and I encourage you to do it; it's great. And of course, you've been teaching it to economics students, Mike. So-

I have. And they get it.

So a couple of questions. You talked about collaborating with the Architecture Forum and the SABSA Institute. Is there an ArchiMate Security Architecture Model, or maybe work to achieve one?

So I'll say not to my knowledge, but as you kind of opened me up, I'm much more specialized in the cyber risk and quantitative measurement areas and so I'm less connected.
So I think it'd be a good thing to take that offline and get back to the asker about that, because I honestly don't know.

Yeah, yeah. No, I'm nowhere near one either, but we can try and address that separately. Can you please touch upon the certifications for Open FAIR, Mike?

Sure. And if there's any further elaboration on that question, but the Open FAIR certification program has been around since 2013; we have, like I said, about 750 people already certified around the world. It's an 80-question exam based upon the two standards, and, but I will say, as I've worked with people ranging from undergraduate economics students to practitioners, it's a little hard to study for and get all the details in place to complete the certification exam, but I've seen it done through self-study. I've certified undergraduate students in it, about 30 of them over the years, and so it's quite doable, and it's like 80 questions, multiple choice, and it's quite achievable, and we have an Open Group study guide. It helps support the self-study student. So I feel like with that, the process guide, the risk analysis tool, for someone who wants to come up to speed on FAIR, there are tools and resources out there from the Open Group that can make that happen.

Absolutely, yeah. And we'll hear a little more about those later in the day, of course. And there's a question just come in that is somewhere between a comment and a question. It's a bit different from TOGAF then, which clearly it is.

Yes, yes, I actually have taken TOGAF certification. So I will say it is different, maybe because I know FAIR so well. I think the FAIR certification approach is conceptually simpler. Oh, and it's more the foundational level than TOGAF is.

Yeah, yeah. Okay, Mike, we are gonna leave it there, but thank you once again for a great summary of what's going on in the forum. And I'll repeat your plea. Anyone interested in these things, please come and get involved.
It's a great community and there's lots to be done. So meanwhile, Mike Jerbic, a warm round of applause from the Open Group. Thank you.