[EB100510] Jojo Colina: Justifying IT Security Spend
 

Jojo Colina's presentation on "Justifying IT Spend on Security" during Computerworld Philippines' Executive Briefing on Information Security in October.

    Presentation Transcript

    • Justifying your Security Spend
      Presented by: Jojo Colina
      Head, Product Management & Development
      Privileged and Confidential. NDA Required for External Disclosure.
    • “Security Problems are never truly solved. The bad guys are always waiting for an opportunity...”
      And they are getting better all the time!
    • Risk can never be Eliminated!
      “There is no ‘right’ amount of money to spend on IT infrastructure.” No matter how much money you spend on infrastructure, you’ll never be totally safe and secure.  So the “right” amount of money for a company to spend on IT infrastructure — whether it’s for security or for something else like database reliability or resilient servers — depends on the amount of risk that the company is willing to tolerate.
    • Good Security is Invisible
      It’s difficult to justify security when it’s working.
    • The biggest investments in security usually come right after a security breach
      One in the news or a breach in your own company’s security
    • Making People Dissatisfied is the Only Way to Justify Investment
      Dissatisfaction with the status quo is most important when you’re trying to sell security investment.
      To justify additional security investment you have to convince the business that your current security infrastructure is inadequate.
    • Three challenges to Security
      Make your end users “feel” secure
      Implement an infrastructure with a reasonable level of security for the amount of money the company is willing to invest
    • Victim of your own success
      “Security to your end users is a state of mind. One which you created by your success in solving security challenges.”
      Now that they feel secure, how do you justify additional security expense?
    • Three challenges to Security
      Make your end users “feel” secure
      Implement an infrastructure with a reasonable level of security for the amount of money the company is willing to invest
      Recommend the right level of infrastructure security investment and getting agreement from the business
    • How to determine the right level of Investment
      What are other companies doing who have a similar risk tolerance to your company?
      Does your company deal with confidential information from your customers?
      Does your company differentiate itself from its competition based on an enhanced level of trust or risk avoidance?
      Does your company hold a proprietary advantage over its competition which could be lost if confidential company information was revealed?
    • Justify the Need
      Enterprise Objectives for Security
      Obtain Blueprint documents from CTO/CIO to understand roadmap for technology growth in hardware/software/network
      Regulatory Mandates
      Contact Compliance, Legal and industry groups to understand immediate and short-term/long-term regulatory requirements
      Risk Analysis
      Understand your risks in cyber/physical security, disaster recovery/business continuation and compliance to data protection/data sharing regulations
      Quantify the impacts wherever possible; per incident, per potential loss
      Probability of Occurrence
      Be realistic; Pull industry trend information; poll industry alliances; previous internal loss
      Impact of Occurrence
      Be realistic; compute hard financial impacts, estimate soft financial impact based on real industry losses/settlements/pay-outs; poll industry vendors
      Benefit to Enterprise
      Avoidance is one benefit but weak justification for getting approved funds
      Tie to hard savings/loss reduction
    • Build a Business Case
      Understand TCO
      Total Cost of Ownership – use Finance to assist; plan across next 5 fiscal years [understand where you can cut if necessary]
      Timelines and Resource Requirements
      Articulate inter-dependencies between security initiatives
      Speak to the large plan; cross-utilize resources
      Use compliance requirements to your advantage
      Make contact with industry firms early to determine resource availability
      Try to MINIMIZE EXPENSES [save up for future battles]
      Use Financial Metrics
      Build metrics that can reflect your project progress
      Always be ready to estimate financial cost avoidance from a deterred incident
      Provides immediate feedback of success and hardened evidence of ROSI for future projects/enhancements
    • Build a Business Case
      Articulate Impact – Piggyback
      You have to be able to articulate what the umbrella benefit is, what the specific impact potential might be, and the specific benefits of each project
      Piggyback related projects to provide ‘value-added’ benefit.
      Meet Stakeholders Expectations
      Write the narrative to the expectations of your project stakeholders
      Know what they need to accomplish within their realm [financial, organizational, resource management, bonus structure, etc]
    • ROI and ROSI
      ROI (Return on Investment)
      To calculate ROI, the cost of a purchase is weighed against the expected returns over the life of the item.
      Ex: if a new production facility will cost $1M and is expected to bring in $5M over the course of three years, the ROI for the three-year period is 400% (net earnings of 4x the initial investment).
      ROSI (Return on Security Investment)
      ViriCorp has gotten viruses before. It estimates that the average cost in damages and lost productivity due to a virus infection is $25,000. Currently, ViriCorp gets four of these viruses per year. ViriCorp expects to catch at least 3 of the 4 viruses per year by implementing a $25,000 virus scanner.
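      The slide's two calculations carried through in code, as an added example that is not part of the deck. The ROSI formula is the one from the deck's own reference, "Return On Security Investment (ROSI): A Practical Quantitative Model" (ROSI = (ALE × mitigation ratio − solution cost) / solution cost); the break-even helper is an addition for answering "how well does the control have to work?".

```python
"""ROI and ROSI worked through with the figures from the slide.

ROSI follows the model in the deck's cited ROSI paper:
    ROSI = (ALE * mitigation_ratio - solution_cost) / solution_cost
where ALE (annualised loss expectancy) = incidents per year * cost per incident.
"""


def roi(cost: float, expected_returns: float) -> float:
    """Plain ROI over the life of the item: net gain divided by cost."""
    if cost <= 0:
        raise ValueError("cost must be positive")
    return (expected_returns - cost) / cost


def ale(incidents_per_year: float, cost_per_incident: float) -> float:
    """Annualised loss expectancy: what the threat costs per year today."""
    return incidents_per_year * cost_per_incident


def rosi(annual_loss: float, mitigation_ratio: float, solution_cost: float) -> float:
    """One year of the control: loss avoided minus its cost, relative to its cost.

    mitigation_ratio is the fraction of the annual loss the control is expected
    to prevent (ViriCorp: 3 of 4 infections caught -> 0.75).
    """
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation_ratio must be between 0 and 1")
    if solution_cost <= 0:
        raise ValueError("solution_cost must be positive")
    return (annual_loss * mitigation_ratio - solution_cost) / solution_cost


def break_even_mitigation(annual_loss: float, solution_cost: float) -> float:
    """Smallest mitigation ratio at which ROSI is zero (added helper).

    A result above 1.0 means the control cannot pay for itself against this loss.
    """
    if annual_loss <= 0:
        raise ValueError("annual_loss must be positive")
    return solution_cost / annual_loss


if __name__ == "__main__":
    # Slide example 1: $1M facility returning $5M over three years -> 400%.
    print(f"Facility ROI: {roi(1_000_000, 5_000_000):.0%}")
    # Slide example 2: ViriCorp, $25k per infection, 4 per year, 3 of 4 caught
    # by a $25k scanner -> ALE $100,000, loss avoided $75,000, ROSI 200%.
    viricorp_ale = ale(4, 25_000)
    print(f"ViriCorp ALE: ${viricorp_ale:,.0f}  ROSI: {rosi(viricorp_ale, 3 / 4, 25_000):.0%}")
    print(f"Scanner breaks even at {break_even_mitigation(viricorp_ale, 25_000):.0%} caught")
```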
    • Justifying your Investment – Key points
      Security Investment is hard to quantify
      The need for security is obvious
      Impact of a security breach is real
      Justification ahead of time is difficult
      Accurate Risk Analysis
      Accurately determine your risk profile
      Financial Analysis
      ROI/ROSI
      Determine impact and loss deference of investing
      Create a sound business plan
      Instrument your projects
      Create metrics which highlight success/failure
      Roadmap your security plan
    • References
      Return On Security Investment (ROSI): A Practical Quantitative Model
      http://www.infosecwriters.com/text_resources/pdf/ROSI-Practical_Model.pdf
      Three things your CEO wants to Know
      http://blog.makingitclear.com/2008/06/10/ceowantstoknow/
      Trial by Fire - PricewaterhouseCoopers Advisory Services
      http://www.pwc.com/en_GX/gx/information-security-survey/pdf/pwcsurvey2010_report.pdf