Making Measurable Gains - Contextualizing 'Secure' in Business

What does ‘secure’ mean? Many security professionals work in information security for a large portion of their careers without ever being able to contextualize what they contribute to the businesses they work for - a crying shame. Being able to make sense of all the security-related process changes, widgets, technology and testing is critical to not only being successful at changing the mindset and culture of your business - but to actually making a lasting long-term impression. The only way to do this is to find ways to add business-context to security metrics - creating pseudo-business/security KPIs. This talk focuses not on how to ‘hack’ but how to effectively protect… and to make it relevant to your business so that it matters.

Transcript of "Making Measurable Gains - Contextualizing 'Secure' in Business"

    1. Making Measurable Gains …contextualizing ‘secure’ in business.
       Rafal Los – ‘Wh1t3Rabbit’ – Enterprise & Cloud Security Strategist – HP Software
       BayThreat 2011
       © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Confidentiality label goes here
    2. Follow me down the rabbit hole
    3. “Security” is estranged from business
       Why? A vast number of IT Security professionals are distant from their business.
       • Why is this? – what are some of the reasons you think this is true?
       • What are the results? – what are some of the observed results?
    4. Answer: Information Security often fails, even when it succeeds.
       Why? We can’t show how or why we succeeded.
    5. Security incidents hurt.
    6. This is an … business goals
    7. And this is an … ‘Security’ goals
    8. Let’s start here…
    9. Your Organization does not exist to be secure.
    10. Why should they care?
       1. Will the company stop existing?
       2. Will there be loss of life?
       3. What’s the worst that can happen?
    11. But if organizations don’t care about security… …then why do you have a job?
       You can either resign yourself to the fact that you’re there to check a box … OR … you can contribute meaningfully to your organization.
    12. (Obligatory “bridge is out” slide)
    13. We speak “security talk”: vulnerabilities, SQL Injection, XSS, …, 0-day, attacks, hacking, critical, high, medium…
    14. “The business” speaks a different language: leveraged risks, business exposures, cost of capital, velocity of change, shareholder value
    15. Creating meaningful security impact is not a trivial exercise.
    16. 2 Ways to Approach: from organizational or security
       Organizational
       • Start with organizational objectives
       • Works well for starting ‘over’ (new)
       • Work your way towards IT Sec
       Security
       • Start with existing security, work back
       • Works well for ‘re-aligning’ security
       • Start in tech, align to business or …
    17. Security Centric approach
       1. List out all ‘security’ activities, tasks, processes, projects and purchases
       2. Attempt to map the above to ‘organizational goals’
       3. Where there is no direct correlation:
          • discontinue activity
          • re-align to fit one of the org. goals
       4. Repeat for all security activity

       Task        Goal 1  Goal 2  Goal 3
       Task 1      y       n       n
       Activity 1  n       n       n
       Purchase    n       n       y
       Project 1   y       n       y
       Activity 2  n       n       y

       Goal 1: Meet compliance requirement A
       Goal 2: Decrease fraud due to X by 1.25%
       Goal 3: Increase employee productivity 4%
    18. Organization Centric approach
       1. Understand the organization’s goals (as in previous approach)
       2. Develop security activities, processes, projects, tasks, purchases to align
       3. Solve only organizational problems – “through the lens of the org”
       4. Hint: You may have to be creative
    19. (image slide, no text)
    20. Measurable Gains in Security?
       It is possible to serve both the organization’s and security goals simultaneously.
       1. Identify business objectives
       2. Create tactical & strategic KPIs
       3. Execute against KPIs
       4. Measure to ensure positive impact against KPIs
    21. Step 1: Identify business objectives
       Get answers to these 3 categories:
       • How does existing IT process hinder business excellence?
       • What are the organization’s current biggest challenges?
       • What are the organization’s 6, 12, 18 month goals?
    22. Step 2: Create tactical & strategic KPIs
       • Hinder
         • How can you measure improvement to hindrance?
         • What is bad, how bad is it, how much better should it be?
       • Challenges
         • Should we measure challenges as binary (met/failed)?
         • Can we measure ‘overcoming a challenge’?
       • Goals
         • Measuring goal acceleration/achievement should be easiest
         • Understand the org’s objective, attempt to accelerate by X%
    23. Step 3: Execute against KPIs
       Go do it. Execute projects, purchases, activities and processes in the name of organizational excellence – tell everyone this.
       Constantly measure your improvement of KPIs.
    24. Step 4: Measure to ensure positive impact
       Have you helped accelerate organizational goals, while improving security posture?
       Keep KPIs simple, with lots of supporting data.
    25. Ultimately “IT Security” will evolve
    26. It is possible to do both: “Serve the business” and reduce IT vulnerabilities
    27. Thanks for learning something.
       Follow me on Twitter: @Wh1t3Rabbit
       Read my blog: hp.com/go/white-rabbit
       Listen to the podcast: podcast.wh1t3rabbit.net (or iTunes)
       Discuss on LinkedIn: Join the ‘SecBiz’ group