Cybersecurity incidents continue to increase exponentially across engineering organizations and it seems this rise is less about technology solutions and more about ineffectiveness of risk management programs. While security practitioners in technology organizations often have a good understanding of technical issues causing organizational risk, many don't have the relational skills to collaborate and drive change needed to improve the organization's risk profile. This leads to flawed programs. If security teams want to build effective programs that reduce the negative impact of security vulnerabilities and data breaches, they must learn to meet software development and engineering teams where they are through more collaborative processes. Restorative practices could provide a framework through a set of techniques that would foster a relational culture to support the organizational change efforts in managing risk. By partnering "with" development and engineering teams, security practitioners could work more supportively and embed themselves into the overall software development and operational lifecycle. By operating as collaborative partners, security, engineering and development teams are empowered to resolve conflict and add value to the business portfolio through less operational friction. This transforms the security professional's role from the organization naysayer into hero.

1. Reimagining risk management: How
restorative practices can transform
information security programs
Michele Chubirka

2. • Michele Chubirka, 20+ year
technologist working as a cloud
security advocate at Google.
• Creator of the Healthy Paranoia
Security Podcast.
• Analyst, architect, researcher, writer
for Dark Reading, Information Week,
Network Computing, and Tech Target
• Focus on security architecture and
“best practices.”
• Views are my own.
http://postmodernsecurity.com
@MrsYisWhy
Who Am I?
Who Am
I?

3. Why risk management?

4. Worldwide
information
security services
spending from
2017 to 2022
(in billion U.S.
dollars)

6. What is risk management?
RISK =Threat x vulnerability x impact
According to the National Institute of
Standards andTechnology (NIST) SP
800-37 Rev. 2, Risk Management is
“The program and supporting
processes to manage risk to agency
operations (including mission,
functions, image, reputation), agency
assets, individuals, other organizations,
and the Nation, and includes:
establishing the context for risk-related
activities; assessing risk; responding to
risk once determined; and monitoring
risk over time.”

7. The Risk Process
From Enterprise Risk Management, 2nd Edition

8. Risk management in the
context of Restorative
Practices

9. What is the risk
management
relationship?

10. What is the
organizational
impact?

11. Responses
from
stakeholder
s

12. Restorative opportunities

13. Compliance as
Property
• In technology and software engineering, a
common approach to security is to address
requirements after delivery.
• This approach fails to consider how the
requirement(s) can be integrated during
development, which avoids reengineering later.
• Disempowers engineering teams by
outsourcing compliance and the
understanding of the requirements to another
group.
• To proactively address security concerns, a
team must see these requirements as their
“property” to address them efficiently during
the design and development phases.

14. Security is a
social problem
Most practitioners treat risk
management as a technical problem
It’s really a social problem.
Diverse groups are involved in the risk
management process. To be effective,
we need to cultivate relational skills to
support collaboration.

15. Thank you
• Michele Chubirka
• Chubirka@google.com

16. References
• https://www.statista.com/statistics/217362/worldwide-it-
security-spending-since-
2010/#:~:text=In%202022%2C%20the%20security%20service,over
%20150%20billion%20U.S.%20dollars.
• https://www.migso-pcubed.com/blog/pmo-project-
delivery/four-step-risk-management-
process/#:~:text=The%204%20essential%20steps%20of,and%20Re
port%20on%20the%20risk.
• https://www.360factors.com/blog/five-steps-of-risk-
management-process/
• https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.8
00-37r2.pdf
• Enterprise Risk Management, 2nd Edition, Fraser, Quail and
Simkins
• https://www.tandfonline.com/doi/abs/10.5235/20504721.1.3.3
11?journalCode=rrej20
• https://postmodernsecurity.com/2021/11/29/compliance-as-
property/