IT Security As A Service

Providing IT Security as a Service to internal stakeholders reduces risk while increasing auditability. This is a presentation from the ISACA NACS 2012 conference.


1. Security As A Service: The Future of Security Services
   Michael A. Davis, Chief Executive Officer, Savid Technologies, Inc. http://www.savidtech.com
   Copyright © 2011 Savid

2. Agenda
   • Trends that you must get in front of
   • What is SecaaS?
   • Why do we need this methodology?
   • How do I use it?
   • War Stories
   • Ask Questions

3. Who am I?
   • Michael A. Davis
     – CEO of Savid Technologies
       • IT Security Consulting
       • Risk Assessments/Auditing
       • Security Remediation
     – Speaker at Major Security Conferences
       • Defcon, CanSecWest, Toorcon, Hack In The Box
     – Open Source Software Developer
       • Snort
       • Nmap
       • Dsniff

4. Author

5. InformationWeek Contributor

6. Where we got our data
   » March 2012 and November 2011 surveys
   » Over 1,100 security professionals
   » Follow-up interviews with Fortune 1000 CSO/CISOs
   » Wide variety of industries
     – Financial
     – Healthcare
     – Business Services

7. What is everyone concerned with?
   [Chart not reproduced in the transcript. Source: Savid/Information Week Data Survey, 2011]

8. They are paying attention

9. Complexity is everywhere
   [Diagram of the enterprise IT stack: application integration, OS, database, collaboration, business intelligence/analytical applications, application development tools and hardware platform on one axis; applications, services, compute, network and storage on the other; with security components (IDS, content filtering, AV/spyware, anti-spam, identity management, regulatory compliance, firewalls, vulnerability assessment, monitoring) and management components (network & systems management, vendors, dynamic provisioning, storage). Source: CA, 2009]

10. Complex IT Projects Fail - A Lot
    Out of 200 multi-nationals:
    • 67% failed to terminate unsuccessful projects
    • 61% reported major conflicts
    • 34% of projects were not aligned with strategy
    • 32% performed redundant work
    1 in 6 projects had a cost overrun of 200%!
    Source: 2011 Harvard Business Review – Berlin Univ Technical survey

11. The Problem
    • Too many areas to audit
    • Security can’t keep up either
    • Velocity of change is high
    • Audit or Security isn’t involved in the critical projects
    How do we handle a high velocity of change while providing a high level of assurance that controls are being implemented?

12. The Future of IT Audit
    © PWC IA Audit 2012 Report

13. We All Do Them
    [Chart: % that perform Risk Assessments, 2012 vs 2011; responses Yes / No / Don't Know; scale 0%–80%. Source: 2011 InformationWeek Analytics Strategic Security Survey]

14. The Reality
    Risk Assessment Effectiveness:
    • Very: 30%
    • Somewhat: 67%
    • Not At All: 3%
    Source: 2011 InformationWeek Analytics Strategic Security Survey

15. That Cloud Thingy

16. What This Means To Security
    The lower down the stack the Cloud provider stops, the more security you are tactically responsible for assessing and implementing yourself.
    • Amazon EC2 - IaaS
    • Google AppEngine - PaaS
    • Salesforce - SaaS
    [Diagram labels for each layer: “RFP/Contract It In” vs. “Build It In”]

17. Future of Audit and Security
    • Adequacy = Compliance
    • Effectiveness = Consultancy

18. Audit As a Service
    To be successful, IT Audit’s fundamental VALUE proposition MUST SHIFT.
    • Be relevant, not redundant
    • Partner with other risk functions in the company
    • Focus on start-up/future activities
    • Be flexible; don’t limit yourself to the annual plan
    • Our recommendation is to stop trying to make everyone a security expert and instead
    • Focus on educating people so they know when to ask for expertise

19. Security Services?

20. The Services Menu
    • Risk Assessments – NOT CONTROL ASSESSMENTS
    • Guidance without risk levels
      – Areas of concern, “pre-audit”
    • Cloud Vendor Selection Analysis
    • Education
    • Advisory Services
    • Metric/KRI Development

21. Why This Works
    • Providing real value
      – Audit is asked to be involved
    • Communication increases, helping develop your team’s talent
    • Customers understand what services are available
    • Audit understands which services are being requested and which are not as popular. This allows for growth planning.
    • Customers understand how service consumption affects their budgets.
    • Increased accountability
    • Closer to continuous monitoring/auditing!

22. How To Implement
    • Approach each as a customer engagement
      – Why are we performing this engagement?
      – What value can we provide back?
      – Can we provide value to another group?
    • Surveys/Net Promoter
      – “On a scale of one to 10, how likely is it that you would recommend us to a colleague?”
      – Promoters = 9 to 10.
      – Passives = 7 to 8: satisfied but not enthusiastic about the service.
      – Detractors = 0 to 6: unhappy with the service and will damage the team’s reputation through word of mouth.

23. How To Implement
    • Customize your deliverables!
      – Not everything needs to be a finding/risk ranking
      – What is valuable to the project?
    • What other value can we derive from our process?
      – Interviews
      – Data Collection
    • Augment Security As a Service too!

24. Getting buy-in
    • Metrics and transparency are essential
    • We want to provide consistency
    • Reduce one-off high-likelihood risks
    • Work with the PMO, if you have one
    • Track adoption rates
    • Provide incentives to adopt services

25. Security Services Menu
    • Ensure controls map to the technologies being deployed
    • Traditionally you see items such as:
      – Content security, Antivirus/Anti-malware, Spam filtering
      – Email encryption, DLP for outbound email, Web mail, Anti-phishing

26. A Better Security Menu
    • Focus on Services! Not Technologies!
    • Internal and/or external penetration test, Application penetration test
    • Host and guest assessments, Firewall/IPS (security components of the infrastructure)
    • Virtual infrastructure assessment
    • THEN provide technology options

27. A Case Study

28. The Formula Of Successful Risk Management
    PBL = λ1 × p1 + λ2 × p2 + λ3 × p3

29. Hazard vs. Speculative Risk

30. Linking to Business Goals
    Copyright Carnegie Mellon SETI MOSAIC Whitepaper

31. Outcome Management
    Copyright Carnegie Mellon SETI MOSAIC Whitepaper

32. Conclusion
    Contact Information: Michael A. Davis, mdavis@savidtech.com, 708-532-2843, Twitter: @mdavisceo
