SlideShare a Scribd company logo

[EB100510] Jojo Colina: Justifying IT Security Spend

Computerworld Philippines
Computerworld Philippines

Jojo Colina's presentation on "Justifying IT Spend on Security" during Computerworld Philippines' Executive Briefing on Information Security in October.

Technology
1 of 19
Justifying your Security Spend Presented by: Jojo Colina Head, Product Management & Development Privileged and Confidential. NDA Required for External Disclosure.
“Security Problems are never truly solved. The bad guys are always waiting for an opportunity...”
“Security Problems are never truly solved. The bad guys are always waiting for an opportunity...” And they are getting better all the time!
Risk can never be Eliminated! “There is no ‘right’ amount of money to spend on IT infrastructure.” No matter how much money you spend on infrastructure, you’ll never be totally safe and secure.  So the “right” amount of money for a company to spend on IT infrastructure — whether it’s for security or for something else like database reliability or resilient servers — depends on the amount of risk that the company is willing to tolerate.
Good Security is Invisible It’s difficult to justify security when it’s working.
The biggest investments in security usually come right after a security breach One in the news or a breach in your own company’s security
Making People Dissatisfied is the Only Way to Justify Investment Dissatisfaction with the status quo is most important when you’re trying to sell security investment. To justify additional security investment you have to convince the business that your current security infrastructure is inadequate.
Three challenges to Security Make your end users “feel” secure
Three challenges to Security Make your end users “feel” secure Implement an infrastructure with a reasonable level of security for the amount of money the company is willing to invest
Victim of your own success “Security to your end users is a state of mind. One which you created by your success in solving security challenges.”
Victim of your own success “Security to your end users is a state of mind. One which you created by your success in solving security challenges.” Now that they feel secure, how do you justify additional security expense?
Three challenges to Security Make your end users “feel” secure Implement an infrastructure with a reasonable level of security for the amount of money the company is willing to invest Recommend the right level of infrastructure security investment and getting agreement from the business
How to determine the right level of Investment What are other companies doing who have a similar risk tolerance to your company? Does your company deal with confidential information from your customers? Does your company differentiate itself from its competition based on an enhanced level of trust or risk avoidance? Does your company hold a proprietary advantage over its competition which could be lost if confidential company information was revealed?
Justify the Need Enterprise Objectives for Security Obtain Blueprint documents from CTO/CIO to understand roadmap for technology growth in hardware/software/network Regulatory Mandates Contact Compliance, Legal and industry groups to understand immediate and short-term/long-term regulatory requirements Risk Analysis Understand your risks in cyber/physical security, disaster recovery/business continuation and compliance to data protection/data sharing regulations Quantify the impacts wherever possible; per incident, per potential loss Probability of Occurrence Be realistic; Pull industry trend information; poll industry alliances; previous internal loss Impact of Occurrence Be realistic; compute hard financial impacts, estimate soft financial impact based on real industry losses/settlements/pay-outs; poll industry vendors Benefit to Enterprise Avoidance is one benefit but weak justification for getting approved funds Tie to hard savings/loss reduction
Build a Business Case Understand TCO Total Cost of Ownership – use Finance to assist; plan across next 5 fiscal years [understand where you can cut if necessary] Timelines and Resource Requirements Articulate inter-dependencies between security initiatives Speak to the large plan; cross-utilize resources Use compliance requirements to your advantage Make contact with industry firms early to determine resource availability Try to MINIMIZE EXPENSES [save up for future battles] Use Financial Metrics Build metrics that can reflect your project progress Always be ready to estimate financial cost avoidance from a deterred incident Provides immediate feedback of success and hardened evidence of ROSI for future projects/enhancements
Build a Business Case Articulate Impact – Piggyback You have to be able to articulate what the umbrella benefit is, what the specific impact potential might be, and the specific benefits of each project Piggyback related projects to provide ‘value-added’ benefit. Meet Stakeholders Expectations Write the narrative to the expectations of your project stakeholders Know what they need to accomplish within their realm [financial, organizational, resource management, bonus structure, etc]
ROI and ROSI To calculate ROI, the cost of a purchase is weighed against the expected returns over the life of the item. Ex: if a new production facility will cost $1M and is expected to bring in $5M over the course of three years, the ROI for the three year period is 400% (4x the initial investment of net earnings). ROI(Return on Investment) ROSI (Return on Security Investment) ViriCorp has gotten viruses before. It estimates that the average cost in damages and lost productivity due to a virus infection is $25,000. Currently, ViriCorp gets four of these viruses per year. ViriCorp expects to catch at least 3 of the 4 viruses per year by implementing a $25,000 virus scanner.
Justifying your Investment– Key points Security Investment is hard to quantify The need for security is obvious Impact of a security breach is real Justification ahead of time is difficult Accurate Risk Analysis Accurately determine your risk profile Financial Analysis ROI/ROSI Determine impact and loss deference of investing Create a sound business plan Instrument your projects Create metrics which highlight success/failure Roadmap your security plan
References Return On Security Investment (ROSI): A Practical Quantitative Model http://www.infosecwriters.com/text_resources/pdf/ROSI-Practical_Model.pdf Three things your CEO wants to Know http://blog.makingitclear.com/2008/06/10/ceowantstoknow/ Trial by Fire - Price Waterhouse Coopers Advisory Services http://www.pwc.com/en_GX/gx/information-security-survey/pdf/pwcsurvey2010_report.pdf

Recommended

Brainstorm USA
Brainstorm USABrainstorm USA
Brainstorm USAbrainstormusa
 
Purple cow 2012 (dental button)
Purple cow 2012 (dental button)Purple cow 2012 (dental button)
Purple cow 2012 (dental button)thepurplecowph
 
Spelling words wk13
Spelling words wk13Spelling words wk13
Spelling words wk13summercamp44e
 
Moderator - Dr. Umesh Shukla (s03-0-1)
Moderator - Dr. Umesh Shukla (s03-0-1)Moderator - Dr. Umesh Shukla (s03-0-1)
Moderator - Dr. Umesh Shukla (s03-0-1)VHP-America
 
Aktuell Cc Agency Profil Short 2009 Juli 09weiß [KompatibilitäTsmodus]
Aktuell Cc Agency Profil Short 2009 Juli 09weiß [KompatibilitäTsmodus]Aktuell Cc Agency Profil Short 2009 Juli 09weiß [KompatibilitäTsmodus]
Aktuell Cc Agency Profil Short 2009 Juli 09weiß [KompatibilitäTsmodus]guest3a55cb
 
T.I.C
T.I.CT.I.C
T.I.CVane Love
 
3t Med
3t Med3t Med
3t MedBombshell Recordings
 
Bahasa indonesia
Bahasa indonesiaBahasa indonesia
Bahasa indonesiawida_widaningsih
 

Recommended

Brainstorm USA
Brainstorm USABrainstorm USA
Brainstorm USAbrainstormusa
 
Purple cow 2012 (dental button)
Purple cow 2012 (dental button)Purple cow 2012 (dental button)
Purple cow 2012 (dental button)thepurplecowph
 
Spelling words wk13
Spelling words wk13Spelling words wk13
Spelling words wk13summercamp44e
 
Moderator - Dr. Umesh Shukla (s03-0-1)
Moderator - Dr. Umesh Shukla (s03-0-1)Moderator - Dr. Umesh Shukla (s03-0-1)
Moderator - Dr. Umesh Shukla (s03-0-1)VHP-America
 
Aktuell Cc Agency Profil Short 2009 Juli 09weiß [KompatibilitäTsmodus]
Aktuell Cc Agency Profil Short 2009 Juli 09weiß [KompatibilitäTsmodus]Aktuell Cc Agency Profil Short 2009 Juli 09weiß [KompatibilitäTsmodus]
Aktuell Cc Agency Profil Short 2009 Juli 09weiß [KompatibilitäTsmodus]guest3a55cb
 
T.I.C
T.I.CT.I.C
T.I.CVane Love
 
3t Med
3t Med3t Med
3t MedBombshell Recordings
 
Bahasa indonesia
Bahasa indonesiaBahasa indonesia
Bahasa indonesiawida_widaningsih
 
Los gatos
Los gatosLos gatos
Los gatosdhahyi
 
Zac Franks3
Zac Franks3Zac Franks3
Zac Franks3Zac Franks
 
7 In 7 on 7
7 In 7 on 77 In 7 on 7
7 In 7 on 7olidud
 
Estacion 5
Estacion 5Estacion 5
Estacion 5lulylucero
 
B.v.doshi
B.v.doshiB.v.doshi
B.v.doshiparshwa shah
 
K&n's Food
K&n's Food K&n's Food
K&n's Food Mudassar Iqbal
 
Investigación
InvestigaciónInvestigación
Investigacióncharito ybarra
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 

More Related Content

Viewers also liked

Los gatos
Los gatosLos gatos
Los gatosdhahyi
 
7 In 7 on 7
7 In 7 on 77 In 7 on 7
7 In 7 on 7olidud
 

Viewers also liked (7)

Los gatos
Los gatosLos gatos
Los gatos
 
Zac Franks3
Zac Franks3Zac Franks3
Zac Franks3
 
7 In 7 on 7
7 In 7 on 77 In 7 on 7
7 In 7 on 7
 
Estacion 5
Estacion 5Estacion 5
Estacion 5
 
B.v.doshi
B.v.doshiB.v.doshi
B.v.doshi
 
K&n's Food
K&n's Food K&n's Food
K&n's Food
 
Investigación
InvestigaciónInvestigación
Investigación
 

Recently uploaded

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

[EB100510] Jojo Colina: Justifying IT Security Spend

  • 1. Justifying your Security Spend Presented by: Jojo Colina Head, Product Management & Development Privileged and Confidential. NDA Required for External Disclosure.
  • 2. “Security Problems are never truly solved. The bad guys are always waiting for an opportunity...”
  • 3. “Security Problems are never truly solved. The bad guys are always waiting for an opportunity...” And they are getting better all the time!
  • 4. Risk can never be Eliminated! “There is no ‘right’ amount of money to spend on IT infrastructure.” No matter how much money you spend on infrastructure, you’ll never be totally safe and secure.  So the “right” amount of money for a company to spend on IT infrastructure — whether it’s for security or for something else like database reliability or resilient servers — depends on the amount of risk that the company is willing to tolerate.
  • 5. Good Security is Invisible It’s difficult to justify security when it’s working.
  • 6. The biggest investments in security usually come right after a security breach One in the news or a breach in your own company’s security
  • 7. Making People Dissatisfied is the Only Way to Justify Investment Dissatisfaction with the status quo is most important when you’re trying to sell security investment. To justify additional security investment you have to convince the business that your current security infrastructure is inadequate.
  • 8. Three challenges to Security Make your end users “feel” secure
  • 9. Three challenges to Security Make your end users “feel” secure Implement an infrastructure with a reasonable level of security for the amount of money the company is willing to invest
  • 10. Victim of your own success “Security to your end users is a state of mind. One which you created by your success in solving security challenges.”
  • 11. Victim of your own success “Security to your end users is a state of mind. One which you created by your success in solving security challenges.” Now that they feel secure, how do you justify additional security expense?
  • 12. Three challenges to Security Make your end users “feel” secure Implement an infrastructure with a reasonable level of security for the amount of money the company is willing to invest Recommend the right level of infrastructure security investment and getting agreement from the business
  • 13. How to determine the right level of Investment What are other companies doing who have a similar risk tolerance to your company? Does your company deal with confidential information from your customers? Does your company differentiate itself from its competition based on an enhanced level of trust or risk avoidance? Does your company hold a proprietary advantage over its competition which could be lost if confidential company information was revealed?
  • 14. Justify the Need Enterprise Objectives for Security Obtain Blueprint documents from CTO/CIO to understand roadmap for technology growth in hardware/software/network Regulatory Mandates Contact Compliance, Legal and industry groups to understand immediate and short-term/long-term regulatory requirements Risk Analysis Understand your risks in cyber/physical security, disaster recovery/business continuation and compliance to data protection/data sharing regulations Quantify the impacts wherever possible; per incident, per potential loss Probability of Occurrence Be realistic; Pull industry trend information; poll industry alliances; previous internal loss Impact of Occurrence Be realistic; compute hard financial impacts, estimate soft financial impact based on real industry losses/settlements/pay-outs; poll industry vendors Benefit to Enterprise Avoidance is one benefit but weak justification for getting approved funds Tie to hard savings/loss reduction
  • 15. Build a Business Case Understand TCO Total Cost of Ownership – use Finance to assist; plan across next 5 fiscal years [understand where you can cut if necessary] Timelines and Resource Requirements Articulate inter-dependencies between security initiatives Speak to the large plan; cross-utilize resources Use compliance requirements to your advantage Make contact with industry firms early to determine resource availability Try to MINIMIZE EXPENSES [save up for future battles] Use Financial Metrics Build metrics that can reflect your project progress Always be ready to estimate financial cost avoidance from a deterred incident Provides immediate feedback of success and hardened evidence of ROSI for future projects/enhancements
  • 16. Build a Business Case Articulate Impact – Piggyback You have to be able to articulate what the umbrella benefit is, what the specific impact potential might be, and the specific benefits of each project Piggyback related projects to provide ‘value-added’ benefit. Meet Stakeholders Expectations Write the narrative to the expectations of your project stakeholders Know what they need to accomplish within their realm [financial, organizational, resource management, bonus structure, etc]
  • 17. ROI and ROSI To calculate ROI, the cost of a purchase is weighed against the expected returns over the life of the item. Ex: if a new production facility will cost $1M and is expected to bring in $5M over the course of three years, the ROI for the three year period is 400% (4x the initial investment of net earnings). ROI(Return on Investment) ROSI (Return on Security Investment) ViriCorp has gotten viruses before. It estimates that the average cost in damages and lost productivity due to a virus infection is $25,000. Currently, ViriCorp gets four of these viruses per year. ViriCorp expects to catch at least 3 of the 4 viruses per year by implementing a $25,000 virus scanner.
  • 18. Justifying your Investment– Key points Security Investment is hard to quantify The need for security is obvious Impact of a security breach is real Justification ahead of time is difficult Accurate Risk Analysis Accurately determine your risk profile Financial Analysis ROI/ROSI Determine impact and loss deference of investing Create a sound business plan Instrument your projects Create metrics which highlight success/failure Roadmap your security plan
  • 19. References Return On Security Investment (ROSI): A Practical Quantitative Model http://www.infosecwriters.com/text_resources/pdf/ROSI-Practical_Model.pdf Three things your CEO wants to Know http://blog.makingitclear.com/2008/06/10/ceowantstoknow/ Trial by Fire - Price Waterhouse Coopers Advisory Services http://www.pwc.com/en_GX/gx/information-security-survey/pdf/pwcsurvey2010_report.pdf