• Like
Selling Data Security Technology
Upcoming SlideShare
Loading in...5

Selling Data Security Technology

Uploaded on

In this Security technology workshop designed specially for senior IT and business line executives, we will show you how to navigate the “valley of death” of the complex sale of enterprise information …

In this Security technology workshop designed specially for senior IT and business line executives, we will show you how to navigate the “valley of death” of the complex sale of enterprise information protection and make or break the business justification with your management board. Through specific Business Threat Modeling(TM) tactical methods we will show you how to discover current data loss violations, quantify threats and valuate your risk in order to select the most cost-effective security technologies to protect your enterprise information.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads


Total Views
On Slideshare
From Embeds
Number of Embeds



Embeds 0

No embeds

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

    No notes for slide


  • 1. Selling Data security to the CEO Licensed under the Creative Commons Attribution License Danny Lieberman dannyl@controlpolicy.com http://www.controlpolicy.com/     
  • 2. Sell high “it's a lot easier to manage a  big project than a small one” Boaz Dotan – Founder of Amdocs (NYSE:DOX), $5.3BN Cap.    
  • 3. Agenda • Introduction and welcome • What is data security? • Defining the problem • After Enron • Weak sales strategy • The valley of death • Strong sales strategy • Execution    
  • 4. Introduction • Our mission today – How to sell data security to the CEO    
  • 5. What the heck is data security? • Security – Ensure we can survive & add value • Physical, information, systems, people • Data security – Protect data directly in all realms    
  • 6. Defining the problem • You can't sell to a need that's never been  observed(*) – Little or no monitoring of data theft/abuse • Perimeter protection, access control – Firewall/IPS/AV/Content/AD     Lord Kelvin (*) Paraphrase of 
  • 7. What happened since Enron • Threat scenario circa 1999 – Bad guys outside – Lots of proprietary protocols – IT decides • Threat scenario circa 2009 – Bad guys inside – Everything on HTTP – Vendors decide    
  • 8. Weak sales strategy IT –  data security is  “very important” ...Forrester Management board –  fraud/data theft can maim or  destroy the company ...Sarbanes­Oxley    
  • 9. Mind the gap IT –  We can get DLP  technology for 100K  and the first 6  months are free. ...Websense Management board – We  have Euro 100M VaR ...PwC    
  • 10. The valley of death Logical &rational Emotional & Political IT Requirements  Compliance  requirements Meet Close vendors Evaluate alternatives Capabilities Project Presentation Talk to analysts Losing control Month 1 Month 5 Month 12­18    
  • 11. Why you lose control • Issues shift – Several vendors have technology • Non-product differentiation • Divided camps – Nobody answers all requirements • Need a political sponsor • Loss of momentum – No business pain – No power sponsors    
  • 12. Strong sales strategy • Build business pain – Focus on biggest threat to the firm – Rational • Get a power sponsor – CEO,COO, CFO,CIO – Personal    
  • 13. Close the gap Toxic customer data  ­ VaR: 100M ­ VaR reducation: 20M ­ Cost: 1M over 3 years ...Security & Risk Management board – We  have 100M VaR ...PwC    
  • 14. Execution – building business pain • Prove 2 hypotheses: – Data loss is happening now. – A cost effective solution exists that reduces risk to acceptable levels.    
  • 15. H1: Data loss is happening • What keeps you awake at night? • What data types and volumes of data leave the network? • Who is sending sensitive information out of the company? • Where is the data going? • What network protocols have the most events? • What are the current violations of company AUP?    
  • 16. H2: A cost effective solution exists • Value of information assets on PCs, servers & mobile devices? • What is the Value at Risk? • Are security controls supporting the information behavior you want  (sensitive assets stay inside, public assets flow freely, controlled  assets flow quickly) • How much do your current security controls cost? • How do you compare with other companies in your industry? • How would risk change if you added, modified or dropped security  controls?    
  • 17. What keeps you awake at night Asset has value, fixed over time or variable Plans to privatize, sell 50% of equity Threat exploits vulnerabilities & damages assets.  IT staff read emails and files of management board Employee leaks plans to press Buyer  sues for breach of contract. Vulnerability is a state of  Countermeasure has a cost weakness mitigated by a fixed over time or recurring. countermeasure. Monitor abuse of privilege & IT staff  Prevent leakage of have access management board documents to mail/file servers on all channels.    
  • 18. Calculating Value at Risk Value at Risk Metrics =Threat Damage to  Asset value,  Asset x Asset Value x  Threat damage to asset, Threat Probability Threat probability      (*)PTA ­Practical threat analysis risk model
  • 19. Coming attractions • Sep 17: Selling data security technology • Sep 24: Write a 2 page procedure • Oct 1: Home(land) security • Oct 8: SME data security http://www.controlpolicy.com/workshops     
  • 20. Learn more • Presentation materials and resources http://www.controlpolicy.com/workshops/data-security-workshops/ • Software to calculate Value at Risk PTA Professional http://www.software.co.il/pta