
Cost Justifying IT Security


My presentation at SuperStrategies on how to justify the cost of IT security. The key? Focus on how security can help reduce speculative risk instead of hazard risk.


Cost Justifying IT Security

  1. Cost Justifying Security. Session #C3, Tuesday, April 24, 2012, 3:45-5:00 PM. Michael A. Davis, CEO, Savid Technologies.
  2. (MIS Training Institute Session #C3 - Slide 2 © Savid Technologies) Who am I?
     • Michael A. Davis: CEO of Savid Technologies (IT security, risk assessment, penetration testing); speaker at Blackhat, Defcon, CanSecWest, Toorcon, Hack In The Box; open source software developer (Snort, Nmap, Dsniff)
     • Savid Technologies: risk assessments, IT security consulting, audit and compliance
  3. Author
  4. The Issue: “Single biggest security related problem is a lack of Senior Level commitment to enterprise wide security policies.”
  5. Execs Are Paying Attention (Source: Information Week Data Survey, 2011)
  6. We Protect, They Are Criticized
     • According to Bloomberg News, Sony has been subpoenaed by New York attorney general Eric Schneiderman, who is "seeking information on what Sony told customers about the security of their networks, as part of a consumer protection inquiry." (Source: informationweek.com)
     • Rep. Mary Bono Mack (R-Calif.), the subcommittee chair, said that Sony should have informed its consumers of the breach earlier and said its efforts were “half-hearted, half-baked.” She was particularly critical of Sony’s decision to first notify customers of the attack via its company blog, leaving it up to customers to search for information on the breach. (Source: washingtonpost.com)
  7. Metrics, We need metrics!
  8. We All Do Them (Source: 2011 InformationWeek Analytics Strategic Security Survey)
  9. The Reality (Source: 2011 InformationWeek Analytics Strategic Security Survey)
  10. Complex IT Projects Fail - A lot. Out of 200 multi-nationals:
     • 67% failed to terminate unsuccessful projects
     • 61% reported major conflicts
     • 34% of projects were not aligned with strategy
     • 32% performed redundant work
     • 1 in 6 projects had a cost overrun of 200%!
     (Source: 2011 Harvard Business Review, Berlin Univ Technical survey)
  11. T-Mobile CISO On Metrics: “Security experts can't measure their success without security metrics, and what can't be measured can't be effectively managed.” ~ Bill Boni, VP of IS, T-Mobile USA
  12. Why Do We Care? Management asks: “Are We Secure?” Without metrics: “Depends How You Look At It.” With metrics: “Look At Our Risk Score Before This Project, It Dropped 15%. We Are More Secure Today Than Yesterday.”
  13. Where/What to measure
     • IS budget spending per employee, policy gaps in existence, industry standards adopted, awareness plan
     • Strategy/Governance (code reviews, project risk assessments, exceptions/waivers): % of projects going through the assessment process, # of policy exceptions, # of risk acceptances, % of projects doing code reviews, error rates
     • Tactical/Sec Ops (vuln management, patch management, incidents, etc.): frequency of vuln assessment, # of outstanding vulns, rate of fixing, trend of incident response losses
  14. Who are you? TCO, Patch Latency, SPAM/AV Stats
  15. Examples of metrics
     • Baseline Defenses Coverage (AV, FW, etc.): measurement of how well you are protecting your enterprise against the most basic information security threats. Target 94% to 98%; less than 90% is cause for concern.
     • Patch Latency: time between a patch’s release and your successful deployment of that patch. Express as averages and by criticality.
     • Platform Security Scores: measures your hardening guidelines.
     • Compliance: measure departments against security standards, e.g. number of Linux servers at least 90% compliant with the Linux platform security standard.
  16. Phishing Still Works
  17. Stop With The Confirmation Bias
     • Risk perception is bad: tornado vs. kitchen fire; less familiar risks are perceived as greater
     • Favor info that matches preconceptions
     • Cause-and-effect processing: correlation does not equal causation
     • We manage risk using metrics that don’t matter
  18. It Is About Risk MANAGEMENT. Effective metrics catalog; define for each metric: category, metric, how to measure, purpose of this metric, target audience, reporting frequency/period.
  19. 5 Signs You Have a Confirmation Bias
     • Using quantitative risk scores to make decisions
     • Looking at security events instead of probability of vulnerabilities
     • Talking about risk in terms of “industry data”
     • Lack of risk management
     • Inability to communicate risk
  20. Security Metric Gotchas
     • Not tracking visibility: what % is the metric representing? Develop a baseline for acceptance.
     • Not trending: provide at least 4 previous periods and a trend line.
     • Not providing forward guidance: Red, Green, Yellow (worse, better, same).
     • Not mapping to a business goal
     • Focusing on hazard risk
     • Not using qualitative metrics
  21. Hazard vs Speculative Risk
  22. Linking to Business Goals
  23. Outcome Management
  24. Conclusion. Contact information: Michael A. Davis, mdavis@savidtech.com, 708-532-2843, Twitter: @mdavisceo
