2. Jeff Sieben,
BSc, CPP, CISSP
IT Security Council Chair
Product Manager, Corporate Security Division
Resolver Inc
Tim McCreight,
MSc, CPP, CISSP
ASIS Board of Directors
Manager of Corporate Security – Cyber
The City of Calgary

4. ▪ Knowledge
▪ Experience
▪ Tactics

5. ▪ Knowledge
▪ Experience
▪ Tactics
The business cares about achieving their objectives.

6. 1. Understanding the Business Environment
2. Identifying Key Capabilities
3. Making the Business Case

7. Question 1: Have you read through your
organization’s strategic plans by department?

9. ▪ Where does security fit?
▪ How does the organization benefit from security?
▪ Do you talk to business leaders and department managers?
▪ Have you read the business/strategic plan for the company or individual
departments?

10. Who owns each of these?
▪ OBJECTIVES: goals the organization is trying to achieve
▪ ASSETS: to help achieve objectives (i.e. increase profit, provide services)
▪ MANAGEMENT: the team who plans and executes to achieve objectives
▪ RISKS: the effect of uncertainty on objectives (positive or negative)
▪ MITIGATIONS: safeguards that help reduce risks (i.e. controls)

11. Mitigate
Prioritized
Risks
Identify
& Prioritize
Risks
Identify
& Prioritize
Assets

12. Improve
& Advance
Root
Cause
Analysis
Incident
Response
Ongoing
Risk
Assessment
Mitigate
Prioritized
Risks
Identify
& Prioritize
Risks
Identify
& Prioritize
Assets

13. Question 2: How often do you inventory your
team’s capabilities?

15. PERSONAL
COMMUNITY
BUSINESSORGANIZATION

16. KEY CAPABILITIES:
▪ Tracking negative events by business unit (and their impact)
▪ Finding out what really happened (i.e. root cause, investigations)
▪ Good soft skills (i.e. communicating value, working with vendors)
▪ Tying new tools to business objectives (i.e. buying a camera system)
▪ Responding well (i.e. drills, incident response)
▪ Uncovering new vulnerabilities and threats (i.e. ongoing risk assessments)

17. Improve
& Advance
Root
Cause
Analysis
Incident
Response
Ongoing
Risk
Assessment
Mitigate
Prioritized
Risks
Identify
& Prioritize
Risks
Identify
& Prioritize
Assets

18. Improve
& Advance
Root
Cause
Analysis
Incident
Response
Ongoing
Risk
Assessment
Mitigate
Prioritized
Risks
Identify
& Prioritize
Risks
Identify
& Prioritize
Assets

19. Ongoing
Risk
Assessment
Improve
& Advance
Root
Cause
Analysis
Incident
Response
Ongoing
Risk
Assessment
Identify
& Prioritize
Assets
Mitigate
Prioritized
Risks
Identify
& Prioritize
Risks

20. Ongoing
Risk
Assessment
Improve
& Advance
Root
Cause
Analysis
Incident
Response
Ongoing
Risk
Assessment
Identify
& Prioritize
Assets
Mitigate
Prioritized
Risks
Identify
& Prioritize
Risks

21. Impact of
Incidents
Frequency over Time
Current State Reduction
New Mitigation Investment
ROI
Projected Impact

22. Question 3: How far in advance do you prepare for
your company budgeting cycle?

24. METHODS OF NEGATIVE INFLUENCE METHODS OF POSITIVE INFLUENCE
▪ Fear, Uncertainty and Doubt (FUD)
▪ Data without context
▪ Blaming others
▪ Collaborative (i.e. not siloed)
▪ Bring business solutions, not technical
security problems
▪ How are you going to reduce risk?

25. Business context is essential when making a case for security investment.
METHODS OF NEGATIVE INFLUENCE METHODS OF POSITIVE INFLUENCE
▪ Fear, Uncertainty and Doubt (FUD)
▪ Data without context
▪ Blaming others
▪ Collaborative (i.e. not siloed)
▪ Bring business solutions, not technical
security problems
▪ How are you going to reduce risk?

26. STARTING FROM SCRATCH HOW TO IMPROVE & ADVANCE
▪ Perform inventory of your business
assets
▪ Track current/past events by
department
▪ Perform inventory of current
mitigations and capabilities
▪ Talk to industry peers (i.e. ASIS
Chapters, Councils)
▪ Get better at working with
department heads
▪ Get better at communicating using
business language
▪ Get better at risk mitigation (this is
our specialty)

27. MAKING THE BUSINESS CASE
▪ Articulate the business problem(s)
▪ Cost/Benefit Analysis ADD (risk-based)
▪ Anticipate the outcomes (tell the
before/after story)
▪ Identify organizational impact and key risks
▪ Use data (and dollar values) to help the
business make a decision

28. 1. Business managers need to hear how you can help
2. You need to learn more about your business
3. Craft a strong business case
▪ Show you understand the business
▪ Find the right data
▪ Tell the story of current to future state with data to back it up

29. 1. Business managers need to hear how you can help
2. You need to learn more about your business
3. Craft a strong business case
▪ Show you understand the business
▪ Find the right data
▪ Tell the story of current to future state with data to back it up
You already run a business unit, it just happens to be “security”.

32. Jeff Sieben
jeff.sieben@resolver.com
Tim McCreight
timothy.mccreight@calgary.ca