Purplecon 2019, Mikala Easte, "Risk management without slowing down", https://purplecon.nz/talks#mikala-easte, https://www.youtube.com/watch?v=2S6acN_QY_Y&list=PLS45xFo74VF546tbfXXtKDO03cVrAalM6&index=13&t=0s
Most organisations start out relying on people and their expertise when making decisions, but this doesn't scale well and leads to bottlenecks and pain. Larger corporates rely on processes, controls and systems, but these can overwhelm smaller companies. I'd like to share some thoughts on how to set up lightweight risk management processes to empower teams to make informed decisions and not just rely on what the security person thinks of it.
- Half-assing the job is better than not doing it.
- Just keep a risk register; write everything in it.
- Review it – even accepted risks, because the world outside might have changed.
- Involve multiple people in the risk-setting process.