Solving Non Existant Problems v1.2

This talk focuses on gathering metrics and building a security program - one that actually solves real business security/risk problems. I walk the reader through the process of identifying key risks and actually measuring the problems, helping pin-point focus for the security organization.

A must-read if you work in InfoSec!

Published in: Technology, Business

  • 1. 22 May 2009
    Solving Problems That Don’t Exist!
    building better security practices
    Rafal M. Los
    Solutions Specialist, HP ASC
  • 2. Session Overview
    In today's enterprise, Web Application Security has come front and center for security managers as well as the business. The reason many well-funded, well-backed programs fail is because they miss the fundamental rule of problem solving – understand the problem. The secret to success is simple – understand your business context and build a program around that.
    How can you develop an actionable, business-risk driven program for your enterprise? Understanding your role within the business is key, followed by successful identification of a cornerstone upon which to base the program. Evaluating data value, application visibility and business exposure one step at-a-time, and assigning real, measurable risk are the necessary steps to making sure your program is well-grounded in business value. Participants will be given a strong foundation to succeed, so they don't end up solving problems the business doesn't have.
  • 3. Fundamentals
    Security is all about mitigating risk
    Risk is a high-complexity problem
    IT alone cannot eliminate risk
    Security must work through the business
  • 4. Knowing Your Role
    Role is fundamental to problem solving
    Where you report into your organization makes a big difference
    Identify your function and capacity
    Is security tactical or strategic?
    Is security a business stake-holder?
  • 5. Identifying a Cornerstone
    Build your program on a key principle
    You must answer this question:
    “Why does the business care about security?”
    External compliance or regulations
    Internal governance requirements
    Competitive differentiator/advantage
    Incident prevention
  • 6. Security Program Charter
    Publish a charter document
    Apply these 5 key knowledge points
    Focus on the cornerstone
    Use content & context for business metrics
    Publish the risk profile components
    Emphasize transparency
    Focus on building business value
    This is your road map to success
  • 7. Business Value Metrics
    Definition: metrics which can meaningfully quantify the business value proposition of risk mitigation
    Keys to good metrics:
    Must be business-input driven
    Uniformity of perspective
    Must never allow for “maybe”
  • 8. Context & Content
    Assign concrete values to $Rn and $V
    Content –
    Monetary value of data asset ($V)
    Context –
    Assign asset value relative to environment
    Value Ratio: $Rn = Data Value of Asset ($Vn) / total assets ($Vt)
  • 9. Context & Content
    Site Visibility
    Site Visibility (Vis): Metric derived from an identification of the public awareness of the site
    Context –
    3 Categories
      • High – Publicized, indexed, well-linked (example: company storefront)
      • Moderate – Indexed, searchable, sparsely linked
      • Low – Non-indexed, private, non-linked
    Content –
    How desired is the data in the site?
  • 13. Context & Content
    Business Exposure (Exp): Public business risk profile derived from the dynamics of the business unit
    High | Moderate | Low
    Context –
    What line of business is the company/unit in?
    How does the line of business contribute to the amount of risk the company undertakes in daily operations?
    Consider your business’s risk management group your best ally
    Business Exposure
  • 14. Context & Content
    Acme Credit Company
    Acme Credit Company processes credit card transactions, and thus stores and processes hundreds of millions of credit cards weekly. Web site An is a portal for merchant processing of credit and debit payments, temporarily storing as many as one million credit cards for processing per day; this is the Acme Co’s primary business.
    $Rn = .8 (most of the company’s total assets are here)
    $V = $10,000,000 (business value of 1 million records)
    Vis = Moderate (indexed, searchable, but non-publicized site)
    Exp = High (credit card processors are a big target)
    Case Study
  • 15. Building Risk Profiles
    Allows for mathematically derived priorities based on business-driven input
    Transparency: formula for deriving priority metric is published
    Objectivity: real numbers remove bias
    Each site must have a risk profile
    Prioritization Matrix
  • 16. Building Risk Profiles
    Prioritization Matrix
    Assigning Values to the Matrix
    $V = Direct dollar-value of asset
    $R = Computed ratio
    Vis values
    Exp values
  • 17. Building Risk Profiles
    How does priority get computed?
    Priority = Log10 ($V x $R x Vis x Exp)
    Heavily weighted to data value
    Rightfully so! Data value is important
    $R works to segregate sites within a business
    Vis and Exp work to distinguish between multiple businesses
    The Formula
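    The formula above applied to the Acme Credit Company case study, as an added worked example that is not part of the original deck. The deck gives no numeric scale for the Vis and Exp categories, so the High/Moderate/Low = 3/2/1 mapping and the second (invented) site used to make $Rn come out at 0.8 are assumptions of this example.

```python
from dataclasses import dataclass
from math import log10
from typing import List, Tuple

# Assumed numeric scale for the categorical Vis / Exp ratings; the deck
# lists "Vis values" and "Exp values" but gives no numbers, so this
# mapping is an assumption of this example, not the author's.
RATING = {"High": 3.0, "Moderate": 2.0, "Low": 1.0}


@dataclass
class Site:
    name: str
    value: float   # $V: direct dollar value of the data asset
    vis: str       # Site Visibility: High / Moderate / Low
    exp: str       # Business Exposure: High / Moderate / Low


def value_ratio(site: Site, sites: List[Site]) -> float:
    """$Rn = $Vn / $Vt: this site's data value over the business's total assets."""
    total = sum(s.value for s in sites)
    if total <= 0:
        raise ValueError("total asset value must be positive")
    return site.value / total


def priority(site: Site, sites: List[Site]) -> float:
    """Priority = Log10($V x $R x Vis x Exp), as on the 'The Formula' slide."""
    product = site.value * value_ratio(site, sites) * RATING[site.vis] * RATING[site.exp]
    if product <= 0:
        # log10 is undefined here: a site with no concrete, positive $V has
        # no priority, which matches the deck's "never allow for maybe" rule.
        raise ValueError(f"{site.name}: every input must be a concrete positive value")
    return log10(product)


def prioritize(sites: List[Site]) -> List[Tuple[str, float]]:
    """Return (name, priority) pairs, highest priority first."""
    ranked = [(s.name, round(priority(s, sites), 3)) for s in sites]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


# Constructed portfolio: the Acme merchant portal from the case study
# ($V = $10,000,000, Vis = Moderate, Exp = High) plus an invented second
# site sized so the portal's ratio comes out at the deck's $Rn = 0.8.
ACME = [
    Site("merchant-portal", 10_000_000, "Moderate", "High"),
    Site("marketing-storefront", 2_500_000, "High", "Low"),
]

if __name__ == "__main__":
    for name, p in prioritize(ACME):
        print(f"{name:22s} priority = {p}")
```

    Because the result is a log10, one unit of priority is a tenfold difference in the weighted product, which is why data value ($V) dominates the ranking as the next slide notes.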
  • 18. Building Risk Profiles
    The formula is not a Silver Bullet
    Prioritization addresses business value (of a site) objectively
    Addressing business value increases the chance of your program’s success
    Your Goal: risk reduction and business value
    The Formula
  • 19. Executing
    Demonstrate business understanding
    Continue a two-way conversation
    Be ready to change strategies with the business
  • 20. Questions?
    Click on the questions tab on your screen, type in your question (and name if you wish) and hit submit.