
How To: Find The Right Amount Of Security Spend

SOURCE Seattle 2011 - Jared Pfost


  1. How To: Find The Right Amount Of Security Spend
     Jared Pfost
     jared@thirddefense.com
     thirddefense.wordpress.com
     @JaredPfost
  2. Outline - 30 minutes!
     Are You Ready To Find the Answer?
     Tools & Techniques
     Inspiration
  3. Are You Ready?
     Motivating Event
  4. Formalize mandatory vs. discretionary spend
     Work we could do: Risk-Based Decisions to Achieve Business Goals
     Work we should do: “Legally Defensible” Security
     Work we must do: Manage Compliant-Ready Services
  5. Are we as efficient as possible?
     Are we operating at acceptable risk?
  6. Identify & Prioritize Assets
     Leverage Business Continuity Team
     Business Process Recovery & Ownership
     Good GRC platform scenario
     Add: Regulated, Data Classification, Assessment Frequency
  7. Prioritize Risks
     Threat Based vs. Control Based
     Construct a Top-Down Story
     Evidence Driven
     Define Formal Decision Roles
     Impact Ranges: Calibrate Monetary Impact with Owners
     Likelihood Ranges: Use Evidence for Occurrence Rates
     Use Culture to Select Model
     Strive for Consistency
  8. Prioritize Risks (alt.)
     Threat Based vs. Control Based
     Construct a Top-Down Story
     Evidence Driven
     Define Formal Decision Roles
     Impact Ranges: Calibrate Monetary Impact with Owners
     Likelihood Ranges: Use Evidence for Occurrence Rates
     Use Culture to Select Model
     Strive for Consistency
  9. Spend Or Owner Accepts Risk
     Prioritize by Business Value: Risk Priority, IT Capability, Business Support, Political Reality, Cost
     Document Decision for Posterity
     Efficiency Gain: Save $110K
     Mandatory vs. Discretionary
  10. Control Effectiveness Metrics
     Use Targets to Define “Acceptable Risk”
     Start Small
  11. Are we as efficient as possible?
  12. Define Services & Align Demand
     What is 100% of Security Services?
     Foundation to manage Tradeoffs: Business As Usual, Short Term Efforts, Long Term Projects
     Set Maturity Expectations: Actual vs. Target
     Mandatory vs. Discretionary
  13. Service Metrics & SLAs
     Transparency Will Set You Free
     Start Small
     % Role Definitions
     % Project Performance
     % Business Risk Assessments
  14. In vs. Out Source
     Define Internal Process Flow Before Outsourcing
     Require Metrics in Contract
     Accountability Through Visibility
     Attribution: http://www.hotsocialbuzz.com/wp-content/uploads/2010/09/outsource-cartoon.jpg
  15. Take Action
     Determine if your Leadership is Ready
     Start small
     Quick Wins
     Enjoy your career like never before!
     Start, Advance, Share
  16. Questions & Resources
     SIRA: http://societyinforisk.org/
     New School: http://newschoolsecurity.com
     Falcon’s View: http://www.secureconsulting.net/
     Our Blog: http://thirddefense.wordpress.com/
     Perspective: http://dilbert.com/
  17. Appendix
  18. Breaking Down The Risk Statement (qualitative assessment)
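The prioritization flow of slides 6 through 10 (impact ranges calibrated with the asset owner, likelihood ranges taken from evidence, rank by expected loss, then spend or the owner accepts the risk against an "acceptable risk" target, with the decision recorded) carried through as an added Python example; this is not code from the talk, and the risks, dollar figures, occurrence rates and the acceptable-loss target are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Risk:
    """One risk statement with ranges rather than point estimates."""
    name: str
    impact_low: float        # USD per occurrence, calibrated with the owner
    impact_high: float
    rate_low: float          # occurrences per year, from incident evidence
    rate_high: float
    control_cost: float      # USD per year for the control that treats it
    mandatory: bool = False  # "work we must do": outside the spend/accept tradeoff

    def annual_loss_range(self):
        """Expected annual loss kept as a (low, high) range."""
        return (self.impact_low * self.rate_low, self.impact_high * self.rate_high)

    def annual_loss_mid(self):
        lo, hi = self.annual_loss_range()
        return (lo + hi) / 2


def prioritize(risks):
    """Mandatory work first, then discretionary work by expected annual loss."""
    return sorted(risks, key=lambda r: (not r.mandatory, -r.annual_loss_mid()))


def decide(risk, acceptable_loss):
    """Spend or owner accepts risk, with the reason documented for posterity."""
    lo, hi = risk.annual_loss_range()
    mid = risk.annual_loss_mid()
    if risk.mandatory:
        return "spend", "mandatory (compliance-driven); not subject to the tradeoff"
    if hi <= acceptable_loss:  # even the worst case sits inside the target
        return "accept", f"worst case ${hi:,.0f}/yr is within acceptable risk"
    if risk.control_cost < mid:
        return "spend", f"control ${risk.control_cost:,.0f}/yr < expected loss ${mid:,.0f}/yr"
    return "accept", f"control ${risk.control_cost:,.0f}/yr exceeds expected loss ${mid:,.0f}/yr"


def decision_register(risks, acceptable_loss):
    """The documented decisions, keyed by risk name, in priority order."""
    return {r.name: decide(r, acceptable_loss) for r in prioritize(risks)}


# Constructed sample risks (hypothetical values, not from the talk).
SAMPLE_RISKS = [
    Risk("Laptop theft exposing regulated data", 50_000, 500_000, 0.5, 2.0, 40_000),
    Risk("Public web site defacement", 5_000, 20_000, 0.1, 0.5, 30_000),
    Risk("Log retention gap for a compliance audit", 0, 0, 0, 0, 15_000, mandatory=True),
    Risk("Misuse of standing admin rights", 100_000, 300_000, 0.05, 0.2, 80_000),
]
```

Running `decision_register(SAMPLE_RISKS, 10_000)` gives the spend/accept call and its rationale for each risk; lowering the acceptable-loss target moves more discretionary items from "accept" to "spend".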
