Making Measurable Gains - Contextualizing 'Secure' in Business
What does ‘secure’ mean? Many security professionals work in information security for a large portion of their careers without ever being able to contextualize what they contribute to the businesses they work for - a crying shame. Being able to make sense of all the security-related process changes, widgets, technology and testing is critical to not only being successful at changing the mindset and culture of your business - but to actually making a lasting long-term impression. The only way to do this is to find ways to add business-context to security metrics - creating pseudo-business/security KPIs. This talk focuses not on how to ‘hack’ but how to effectively protect… and to make it relevant to your business so that it matters.

Making Measurable Gains - Contextualizing 'Secure' in Business Presentation Transcript

  • 1. Making Measurable Gains …contextualizing 'secure' in business. Rafal Los – 'Wh1t3Rabbit' – Enterprise & Cloud Security Strategist – HP Software. BayThreat 2011. © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
  • 2. Follow me down the rabbit hole.
  • 3. "Security" is estranged from business. Why? A vast number of IT security professionals are distant from their business.
      • Why is this? What are some of the reasons you think this is true?
      • What are the results? What are some of the observed results?
  • 4. Answer: Information security often fails, even when it succeeds. Why? We can't show how or why we succeeded.
  • 5. Security incidents hurt.
  • 6. This is an … business goals
  • 7. And this is an … 'Security' goals
  • 8. Let's start here…
  • 9. Your organization does not exist to be secure.
  • 10. Why should they care?
      1. Will the company stop existing?
      2. Will there be loss of life?
      3. What's the worst that can happen?
  • 11. But if organizations don't care about security… …then why do you have a job? You can either resign yourself to the fact that you're there to check a box … OR… you can contribute meaningfully to your organization.
  • 12. (Obligatory "bridge is out" slide)
  • 13. We speak "security talk": vulnerabilities, SQL Injection, XSS, … 0-day, attacks, hacking, critical, high, medium…
  • 14. "The business" speaks a different language: leveraged risks, business exposures, cost of capital, velocity of change, shareholder value.
  • 15. Creating meaningful security impact is not a trivial exercise.
  • 16. Two ways to approach: from the organization or from security.
      Organizational
      • Start with organizational objectives
      • Works well for starting 'over' (new)
      • Work your way towards IT security
      Security
      • Start with existing security, work back
      • Works well for 're-aligning' security
      • Start in tech, align to business or …
  • 17. Security-centric approach
      1. List out all 'security' activities, tasks, processes, projects and purchases.
      2. Attempt to map the above to 'organizational goals'.
      3. Where there is no direct correlation:
         • discontinue the activity, or
         • re-align it to fit one of the organizational goals.
      4. Repeat for all security activity.
      Example mapping from the slide (y = supports the goal, n = does not):
                      Goal 1   Goal 2   Goal 3
         Task 1         y        n        n
         Activity 1     n        n        n
         Purchase       n        n        y
         Project 1      y        n        y
         Activity 2     n        n        y
      Goal 1: Meet compliance requirement A
      Goal 2: Decrease fraud due to X by 1.25%
      Goal 3: Increase employee productivity 4%
      In this mapping Activity 1 supports none of the three goals, so it is the candidate for step 3: discontinue it or re-align it.
  • 18. Organization-centric approach
      1. Understand the organization's goals (as in the previous approach).
      2. Develop security activities, processes, projects, tasks and purchases to align with them.
      3. Solve only organizational problems – "through the lens of the org".
      4. Hint: You may have to be creative.
  • 20. Measurable gains in security? It is possible to serve both the organization and security goals simultaneously.
      1. Identify business objectives
      2. Create tactical & strategic KPIs
      3. Execute against KPIs
      4. Measure to ensure positive impact against KPIs
  • 21. Step 1: Identify business objectives. Get answers in these 3 categories:
      • How does existing IT process hinder business excellence?
      • What are the organization's current biggest challenges?
      • What are the organization's 6, 12 and 18 month goals?
  • 22. Step 2: Create tactical & strategic KPIs
      • Hinder
         • How can you measure improvement to the hindrance?
         • What is bad, how bad is it, how much better should it be?
      • Challenges
         • Should we measure challenges as binary (met/failed)?
         • Can we measure 'overcoming a challenge'?
      • Goals
         • Measuring goal acceleration/achievement should be easiest
         • Understand the org's objective, attempt to accelerate it by X%
  • 23. Step 3: Execute against KPIs. Go do it. Execute projects, purchases, activities and processes in the name of organizational excellence – tell everyone this. Constantly measure your improvement of KPIs.
  • 24. Step 4: Measure to ensure positive impact. Have you helped accelerate organizational goals while improving security posture? Keep KPIs simple, with lots of supporting data.
  • 25. Ultimately "IT Security" will evolve.
  • 26. It is possible to do both: "Serve the business" and reduce IT vulnerabilities.
  • 27. Thanks for learning something.
      • Follow me on Twitter: @Wh1t3Rabbit
      • Read my blog: hp.com/go/white-rabbit
      • Listen to the podcast: podcast.wh1t3rabbit.net (or iTunes)
      • Discuss on LinkedIn: Join the 'SecBiz' group