From the course: Governance, Risk, and Compliance (GRC) for the Cloud-Native Revolution
DevOps-powered risk management program - Amazon Web Services (AWS) Tutorial
- [Instructor] Risk management. Everyone knows about it. Every year you pull up your favorite spreadsheet and check all the risks that were recorded last year: which ones were remediated, which ones were transferred, which ones were accepted. Present that to leadership; they're happy about it. They may ask the odd question, and then see you next year. In this video, we'll talk about why this approach doesn't work anymore. We'll discuss how to develop a risk program with collaboration as a priority.

The role of risk management in a nutshell is to help the business make more informed decisions by understanding the consequences of choosing one option over another. In theory, you want the lowest level of risk you can manage. In practice, to grow and get ahead, companies take a lot of risks, because it often results in competitive advantages. Developers can onboard a new system and deploy code to production in days, if not hours. What used to take years now only takes minutes. If our approach to risk management hasn't changed with that, no wonder engineers feel risk management is out of touch.

So what's the solution then? No more spreadsheets? Not quite. What we need to change is how we manage high-level risks on a micro scale. Lecturing about potential risk scenarios and explaining to experts how their system is vulnerable doesn't work. They are the experts; they know what they're working on. Instead of telling them, you should listen to them. This is it. Risk management should be a conversation between you, the security risk team, and the system owners. The goal isn't to get everything right or successfully map out 50 risk scenarios. The goal is just to have an understanding of potential risks within the system. Once you have risks identified, you can map them to the high-level priorities so you don't focus on risks that aren't relevant to the business.

Using this grassroots, bottom-up approach will ensure the information you got wasn't from conjecture; it was from directly talking with the engineers. A couple more tips. If you spend too much time assessing a risk, you'll have less time for working on remediation. Remember, it doesn't have to be perfect; it has to work. You have to keep in mind that it is a human endeavor, not a statistics assignment. Moving forward with colleagues who trust you will do wonders for your risk management program. In this video, we focused on the why, and in the next we'll walk through the how. Get ready to rapid risk assess.