How To: Find The Right Amount Of Security Spend
Jared Pfost, jared@thirddefense.com, thirddefense.wordpress.com, @JaredPfost

Slide 2: Outline (30 minutes!)
- Are You Ready To Find the Answer?
- Tools & Techniques
- Inspiration

Slide 3: Are You Ready?
- Motivating Event

Slide 4: Formalize mandatory vs. discretionary spend
- Work we could do: Risk-Based Decisions to Achieve Business Goals
- Work we should do: “Legally Defensible” Security
- Work we must do: Manage Compliant-Ready Services

Slide 5: Two questions
- Are we as efficient as possible?
- Are we operating at acceptable risk?

Slide 6: Identify & Prioritize Assets
- Leverage Business Continuity Team
  - Business Process Recovery & Ownership
  - Good GRC platform scenario
- Add Regulated Data Classification
- Assessment Frequency

Slide 7: Prioritize Risks
- Threat Based vs. Control Based
- Construct a Top-Down Story
  - Evidence Driven
  - Define Formal Decision Roles
- Impact Ranges
  - Calibrate Monetary Impact with Owners
- Likelihood Ranges
  - Use Evidence for Occurrence Rates
- Use Culture to Select Model
- Strive for Consistency

Slide 8: Prioritize Risks (alt.)
- Same bullet text as slide 7 (alternative presentation)

Slide 9: Spend Or Owner Accepts Risk
- Prioritize by Business Value
  - Risk Priority
  - IT Capability
  - Business Support
  - Political Reality
  - Cost
- Document Decision for Posterity
- Efficiency Gain: Save $110K
- Mandatory vs. Discretionary

Slide 10: Control Effectiveness Metrics
- Use Targets to Define “Acceptable Risk”
- Start Small
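Slides 7 through 10 describe one procedure: build a risk register with an impact range calibrated with the owner and a likelihood range taken from evidence, rank the risks, then for each one either spend on a control or have the owner accept the risk, and document the decision. The following is an added worked example of that procedure in Python; it is not code from the deck or from Third Defense. The register rows, the monetary and occurrence-rate values, the control costs and the reduction fractions are all constructed for illustration, and the decision rule (mandatory work is always funded; discretionary work is funded when the annual control cost is at or below the expected loss it avoids at the midpoint of the range) is an assumption for this example, not a rule the slides state.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Risk:
    """One row of a qualitative risk register (constructed example data)."""
    name: str
    owner: str               # business owner who calibrates impact and may accept the risk
    impact_low: float        # monetary impact per occurrence, USD, low end of calibrated range
    impact_high: float       # high end of the calibrated range
    rate_low: float          # likelihood range: occurrences per year, from evidence
    rate_high: float
    mandatory: bool = False  # "work we must do": compliance-driven, never left to accept/decline
    control_cost: float = 0.0       # annual cost of the proposed control, USD (assumed values)
    control_reduction: float = 0.0  # fraction of expected loss the control removes, 0.0 to 1.0


def annualized_loss(r: Risk) -> Tuple[float, float, float]:
    """Annualized loss range (low, midpoint, high) = impact range x likelihood range."""
    low = r.impact_low * r.rate_low
    high = r.impact_high * r.rate_high
    return low, (low + high) / 2, high


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Mandatory work first, then discretionary work by descending expected loss (midpoint)."""
    return sorted(risks, key=lambda r: (not r.mandatory, -annualized_loss(r)[1]))


def decide(r: Risk) -> str:
    """Spend or owner accepts risk. The cost-vs-avoided-loss rule is an assumption of this example."""
    if r.mandatory:
        return "spend (mandatory)"
    _, mid, _ = annualized_loss(r)
    avoided = mid * r.control_reduction
    if r.control_cost <= avoided:
        return "spend (discretionary)"
    return "owner accepts risk"


def decision_log(risks: List[Risk]) -> List[Dict[str, object]]:
    """Document the decision for posterity: one record per risk, in priority order."""
    log = []
    for r in prioritize(risks):
        low, mid, high = annualized_loss(r)
        log.append({
            "risk": r.name, "owner": r.owner,
            "ale_low": low, "ale_mid": mid, "ale_high": high,
            "control_cost": r.control_cost, "decision": decide(r),
        })
    return log


def summarize(risks: List[Risk]) -> Tuple[float, float]:
    """(total annual spend committed, expected annual loss the owners chose to carry)."""
    spend = sum(r.control_cost for r in risks if decide(r).startswith("spend"))
    accepted = sum(annualized_loss(r)[1] for r in risks if decide(r) == "owner accepts risk")
    return spend, accepted


# Constructed register: every figure below is illustrative, not measured data.
REGISTER = [
    Risk("Unpatched internet-facing web app", "VP Engineering",
         50_000, 500_000, 0.1, 0.5, control_cost=40_000, control_reduction=0.8),
    Risk("Cardholder data retained beyond policy", "CFO",
         100_000, 1_000_000, 0.05, 0.2, mandatory=True, control_cost=60_000),
    Risk("Lost unencrypted laptops", "VP Sales",
         10_000, 50_000, 1.0, 4.0, control_cost=120_000, control_reduction=0.9),
    Risk("Guest Wi-Fi misuse", "Facilities",
         1_000, 10_000, 0.5, 2.0, control_cost=15_000, control_reduction=0.5),
]

if __name__ == "__main__":
    for row in decision_log(REGISTER):
        print(f"{row['risk']:<40} ALE ${row['ale_low']:>9,.0f}-${row['ale_high']:>9,.0f} "
              f"(mid ${row['ale_mid']:,.0f})  control ${row['control_cost']:,.0f}  -> {row['decision']}")
    spend, accepted = summarize(REGISTER)
    print(f"Committed spend: ${spend:,.0f}; expected loss carried by owners: ${accepted:,.0f}")
```

The ranges matter more than the midpoint: when the low and high annualized-loss figures straddle the control cost, the register shows that the decision depends on which end of the calibrated range the owner believes, which is exactly the conversation the "Calibrate Monetary Impact with Owners" bullet asks for. Replacing the midpoint rule with a distribution (for instance PERT sampling over the two ranges) is a natural next step once the register is in use.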
Slide 11: Are we as efficient as possible?

Slide 12: Define Services & Align Demand
- What is 100% of Security Services?
- Foundation to manage Tradeoffs
  - Business As Usual
  - Short Term Efforts
  - Long Term Projects
- Set Maturity Expectations: Actual vs. Target
- Mandatory vs. Discretionary

Slide 13: Service Metrics & SLAs
- Transparency Will Set You Free
- Start Small
  - % Role Definitions
  - % Project Performance
  - % Business Risk Assessments

Slide 14: In vs. Out Source
- Define Internal Process Flow Before Outsourcing
- Require Metrics in Contract
- Accountability Through Visibility
Attribution: http://www.hotsocialbuzz.com/wp-content/uploads/2010/09/outsource-cartoon.jpg

Slide 15: Take Action
- Determine if your Leadership is Ready
- Start small: Quick Wins
- Enjoy your career like never before!
- Start, Advance, Share

Slide 16: Questions & Resources
- SIRA: http://societyinforisk.org/
- New School: http://newschoolsecurity.com
- Falcon’s View: http://www.secureconsulting.net/
- Our Blog: http://thirddefense.wordpress.com/
- Perspective: http://dilbert.com/

Slide 17: Appendix

Slide 18: Breaking Down The Risk Statement (qualitative assessment)