Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
1
UNDERSTANDING RISK CAN
FUND TRANSFORMATION
Dan Barker
Chief Architect - RSA Archer
@barkerd427
2
“When you take risks you learn that there will be
times when you succeed and there will be times
when you fail, and both...
3
A transformation that
almost wasn’t
@barkerd427
4
Many ways to sell transformation (or any project)
▪ Increased revenue (highly speculative)
▪ Increased savings (also spe...
5
https://pxhere.com/en/photo/779994
@barkerd427
6
https://www.maxpixel.net/Recruit-Hiring-Recruitment-Job-Hire-Employer-1977803
@barkerd427
7
https://pxhere.com/en/photo/624482
@barkerd427
8
Quantifying Risk
The simple way
@barkerd427
9
The data
▪ Average data breach = $7.3M (IBM and Ponemon Institute)
▪ Third-parties raise the cost (IBM and Ponemon Insti...
10
Our facts
▪ Hundreds of millions of records
▪ Financial/Health data (highest cost)
▪ Limited patching capabilities (man...
11
Our facts
▪ We had some protections
▪ Focused on fixing patching
▪ Analyzed our riskiest apps
▪ Calculated the risk
@ba...
12
Our facts
▪ How many likely records x number of
vulnerabilities x average cost per
record x average likelihood
▪ 50,000...
13
A better way
Factor Analysis of Information Risk (FAIR)
@barkerd427
14
FAIR
▪ The Open Group
− Open FAIR
▪ The FAIR Institute
▪ Free to use on your own
▪ License to use with another company
...
15
Dan Barker
dan@danbarker.codes
danbarker.codes
dan.barker@rsa.com
rsa.com
@barkerd427
Upcoming SlideShare
Loading in …5
×

Understanding Risk Can Fund Transformation - DOD Dallas

35 views

Published on

Risk quantification can be a valuable tool for selling transformation to executives. It’s also important to understand how your company looks at risk. Most CEOs will have a certain amount of risk they’re willing to take called their risk tolerance. This will help you to understand if your project is worth pursuing. If your project won’t offset more risk than the risk tolerance, then it’s unlikely to be funded if it’s not a new feature or product.

We’ll explore how we can go about quantifying risk in real-world situations I’ve faced in presenting transformation initiatives. This information will help you to understand how a business looks at risk and the associated value of mitigating that risk. Want to start a new CI/CD initiative, bake in the risk averted by putting SAST and DAST in your pipeline. This would have helped Equifax avoid their breach and the risk of such a breach is very high and carries a very large cost.

We’ll also take a look at some additional resources to help you assess risk such as data on breaches, attacks, the FAIR tool, and other resources you can use once you leave the session.

Published in: Business
  • Be the first to comment

  • Be the first to like this

Understanding Risk Can Fund Transformation - DOD Dallas

  1. 1. 1 UNDERSTANDING RISK CAN FUND TRANSFORMATION Dan Barker Chief Architect - RSA Archer @barkerd427
  2. 2. 2 “When you take risks you learn that there will be times when you succeed and there will be times when you fail, and both are equally important.” Ellen DeGeneres @barkerd427
  3. 3. 3 A transformation that almost wasn’t @barkerd427
  4. 4. 4 Many ways to sell transformation (or any project) ▪ Increased revenue (highly speculative) ▪ Increased savings (also speculative) ▪ Decreased risk @barkerd427
  5. 5. 5 https://pxhere.com/en/photo/779994 @barkerd427
  6. 6. 6 https://www.maxpixel.net/Recruit-Hiring-Recruitment-Job-Hire-Employer-1977803 @barkerd427
  7. 7. 7 https://pxhere.com/en/photo/624482 @barkerd427
  8. 8. 8 Quantifying Risk The simple way @barkerd427
  9. 9. 9 The data ▪ Average data breach = $7.3M (IBM and Ponemon Institute) ▪ Third-parties raise the cost (IBM and Ponemon Institute) ▪ 668 breaches in 2018 (Privacy Rights Clearinghouse) ▪ 1,369,452,404 records stolen in 2018 (Privacy Rights Clearinghouse) ▪ 71% increase OSS breaches from 2014 (State of the Software Supply Chain) ▪ 57% of proprietary applications are OSS (helpnetsecurity.com) ▪ Equifax = over $700M ▪ Our base risk was ~$14.4B @barkerd427
  10. 10. 10 Our facts ▪ Hundreds of millions of records ▪ Financial/Health data (highest cost) ▪ Limited patching capabilities (manual) ▪ Hundreds of different applications ▪ $50M risk budget for CEO ▪ $14.4B didn’t seem reasonable @barkerd427
  11. 11. 11 Our facts ▪ We had some protections ▪ Focused on fixing patching ▪ Analyzed our riskiest apps ▪ Calculated the risk @barkerd427
  12. 12. 12 Our facts ▪ How many likely records x number of vulnerabilities x average cost per record x average likelihood ▪ 50,000,000 x 7 x 144 x 1% = $504M ▪ Investment to fix the issues = $100M ▪ $500M - $100M = $400M @barkerd427
  13. 13. 13 A better way Factor Analysis of Information Risk (FAIR) @barkerd427
  14. 14. 14 FAIR ▪ The Open Group − Open FAIR ▪ The FAIR Institute ▪ Free to use on your own ▪ License to use with another company ▪ RiskLens and RSA Archer @barkerd427
  15. 15. 15 Dan Barker dan@danbarker.codes danbarker.codes dan.barker@rsa.com rsa.com @barkerd427

×