How To: Find The Right Amount Of Security Spend


Presented at SOURCE Seattle 2011 by Jared Pfost


Transcript of "How To: Find The Right Amount Of Security Spend"

1. How To: Find The Right Amount Of Security Spend
   Jared Pfost
   jared@thirddefense.com
   thirddefense.wordpress.com
   @JaredPfost

2. Outline - 30 minutes!
   Are You Ready To Find the Answer?
   Tools & Techniques
   Inspiration

3. Are You Ready?
   Motivating Event

4. Formalize mandatory vs. discretionary spend
   Work we could do: Risk-Based Decisions to Achieve Business Goals
   Work we should do: "Legally Defensible" Security
   Work we must do: Manage Compliant-Ready Services

5. Are we operating at acceptable risk?
   Are we as efficient as possible?

6. Identify & Prioritize Assets
   Leverage Business Continuity Team
   Business Process Recovery & Ownership
   Good GRC platform scenario
   Add: Regulated, Data Classification, Assessment Frequency

7. Prioritize Risks
   Threat Based vs. Control Based
   Construct a Top-Down Story
   Evidence Driven
   Define Formal Decision Roles
   Impact Ranges: Calibrate Monetary Impact with Owners
   Likelihood Ranges: Use Evidence for Occurrence Rates
   Use Culture to Select Model
   Strive for Consistency
9. Spend Or Owner Accepts Risk
   Prioritize by Business Value
   Risk Priority
   IT Capability
   Business Support
   Political Reality
   Cost
   Document Decision for Posterity
   Efficiency Gain: Save $110K
   Mandatory vs. Discretionary

10. Control Effectiveness Metrics
    Use Targets to Define "Acceptable Risk"
    Start Small
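Slides 6 through 10 describe one procedure: calibrate a monetary impact range with the asset owner, derive a likelihood range from incident evidence, rank risks, and then either fund a control or have the owner accept the risk, with the decision written down. The script below is an added example of that procedure and is not from the original deck or from Third Defense; the risk register, the dollar figures and the control costs are all constructed, and "spend if the loss the control avoids exceeds its annualized cost" is one simple acceptance rule chosen for illustration, not the only one the slides allow. It goes slightly beyond the slides by simulating whole years (a random event count per year, an impact per event) rather than multiplying two point estimates.

```python
"""Risk prioritisation and spend-or-accept decision from calibrated ranges.

Constructed example (not from the original slides). Each risk carries an
owner-calibrated impact range (USD per event), an evidence-based annual
occurrence range (events per year), and the annualized cost and expected
effectiveness of one candidate control. We Monte Carlo the annual loss,
rank risks by expected loss, and record spend vs. owner-accepts-risk so the
decision is documented rather than argued over again next quarter.
"""
import math
import random
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    impact_range: tuple        # (low, high) USD per event, calibrated with the owner
    freq_range: tuple          # (low, high) events per year, from incident evidence
    control_cost: float        # annualized cost of the candidate control, USD
    control_reduction: float   # fraction of expected loss the control removes (0..1)
    mandatory: bool = False    # required by law/contract: spend regardless of ROI


def _poisson(rng, lam):
    """Number of events in one year at rate lam (Knuth's algorithm)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(risk, trials=20000, seed=0):
    """Return mean and 90th-percentile annual loss over `trials` simulated years.

    Each year draws a rate from the likelihood range, a Poisson event count at
    that rate, and an impact from the impact range for every event.
    """
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lam = rng.uniform(*risk.freq_range)
        events = _poisson(rng, lam)
        losses.append(sum(rng.uniform(*risk.impact_range) for _ in range(events)))
    losses.sort()
    return {"mean": sum(losses) / trials, "p90": losses[int(0.9 * trials)]}


def decide(risk, trials=20000, seed=0):
    """Spend if the loss the control avoids exceeds its cost, unless mandatory."""
    stats = simulate_annual_loss(risk, trials, seed)
    avoided = stats["mean"] * risk.control_reduction
    if risk.mandatory:
        action = "spend (mandatory)"
    elif avoided > risk.control_cost:
        action = "spend"
    else:
        action = "owner accepts risk"
    return {
        "name": risk.name,
        "mean": stats["mean"],
        "p90": stats["p90"],
        "avoided": avoided,
        "net": avoided - risk.control_cost,   # positive means the control pays for itself
        "action": action,
    }


def prioritize(risks, trials=20000, seed=0):
    """Rank the register by expected annual loss, highest first."""
    return sorted((decide(r, trials, seed) for r in risks),
                  key=lambda row: row["mean"], reverse=True)


# Constructed sample register; every figure below is invented for illustration.
RISKS = [
    Risk("Laptop theft", (50_000, 150_000), (0.5, 1.5), 40_000, 0.9),
    Risk("Order system SQLi", (200_000, 800_000), (0.05, 0.25), 120_000, 0.7),
    Risk("Payroll phishing", (10_000, 30_000), (1.0, 3.0), 60_000, 0.5),
    Risk("PCI scan gap", (5_000, 20_000), (0.1, 0.3), 15_000, 1.0, mandatory=True),
]

if __name__ == "__main__":
    print(f"{'risk':20} {'mean':>10} {'p90':>10} {'net':>10}  decision")
    for row in prioritize(RISKS):
        print(f"{row['name']:20} {row['mean']:10,.0f} {row['p90']:10,.0f} "
              f"{row['net']:10,.0f}  {row['action']}")
```

The p90 column is there because the mean alone hides tail risk: the order-system injection has a lower expected loss than laptop theft but a far worse bad year, and an owner asked to accept it should see that number, not just the average. The mandatory flag is the slide's "work we must do" tier; it short-circuits the ROI test so compliance spend is never mistaken for a discretionary decision.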
11. Are we as efficient as possible?

12. Define Services & Align Demand
    What is 100% of Security Services
    Foundation to manage Tradeoffs
    Business As Usual
    Short Term Efforts
    Long Term Projects
    Set Maturity Expectations
    Actual vs. Target
    Mandatory vs. Discretionary

13. Service Metrics & SLAs
    Transparency Will Set You Free
    Start Small
    % Role Definitions
    % Project Performance
    % Business Risk Assessments

14. In vs. Out Source
    Define Internal Process Flow Before Outsourcing
    Require Metrics in Contract
    Accountability Through Visibility
    Attribution: http://www.hotsocialbuzz.com/wp-content/uploads/2010/09/outsource-cartoon.jpg

15. Take Action
    Determine if your Leadership is Ready
    Start small
    Quick Wins
    Enjoy your career like never before!
    Start, Advance, Share

16. Questions & Resources
    SIRA: http://societyinforisk.org/
    New School: http://newschoolsecurity.com
    Falcon's View: http://www.secureconsulting.net/
    Our Blog: http://thirddefense.wordpress.com/
    Perspective: http://dilbert.com/

17. Appendix

18. Breaking Down The Risk Statement
    (qualitative assessment)