• Trends that you must get in front of
• What is SecaaS?
• Why do we need this methodology?
• How do I use it?
• War Stories
• Ask Questions
Who am I?
• Michael A. Davis
– CEO of Savid Technologies
• IT Security Consulting
• Risk Assessments/Auditing
• Security Remediation
– Speaker at Major Security Conferences
• Defcon, CanSecWest, Toorcon, Hack In The Box
– Open Source Software Developer
Where we got our data
» March 2012 And November 2011 Survey
» Over 1,100 Security Professionals
» Follow-up Interviews With Fortune 1000 CSO/CISOs
» Wide Variety Of Industries
– Business Services
What is everyone concerned about?
Source: Savid/Information Week Data Survey, 2011
Complexity is everywhere
[Chart: IT complexity across Computer, Network, Storage and Network & Systems]
Source: CA, 2009
Complex IT Projects Fail - A lot
Out Of 200 Multi-nationals:
• 67% Failed To Terminate Unsuccessful Projects
• 61% Reported Major Conflicts
• 34% Of Projects Were Not Aligned With Strategy
• 32% Performed Redundant Work
1 In 6 Projects Had A Cost Overrun Of 200%!
Source: 2011 Harvard Business Review – Berlin Univ Technical survey
• Too many areas to audit
• Security can’t keep up either
• Velocity of change is high
• Audit or Security isn’t involved in the critical
How do we handle a high velocity of change while
providing a high level of assurance that controls
are being implemented?
What This Means To Security
[Figure: cloud service stack, top to bottom]
Salesforce - SaaS
Google AppEngine - PaaS
Amazon EC2 - IaaS
The lower down the stack the Cloud provider stops, the more security you are tactically responsible for assessing and implementing.
Build It In
Future of Audit and Security
Adequacy = Compliance
Effectiveness = Consultancy
Audit As a Service
• Be Relevant Not Redundant
• Partner with other risk functions in company
• Focus on start-up/future activities
• Be flexible, don’t limit to the annual plan
• Our recommendation is to stop trying to make everyone a security expert and instead focus on educating people so they know when to ask for expertise
To be successful IT Audit’s fundamental VALUE
proposition MUST SHIFT
The Services Menu
• Risk Assessments
– NOT CONTROL ASSESSMENTS
• Guidance without risk levels
– Areas of concern, “pre-audit”
• Cloud Vendor Selection Analysis
• Advisory Services
• Metric/KRI Development
Why This Works
• Providing real value – Audit is asked to be involved
• Communication increases helping develop your team
• Customers understand what services are available
• Audit understands which services are being requested
and which are not as popular. This allows for growth
• Customers understand how service consumption
affects their budgets.
• Increased accountability
• Closer to continuous monitoring/auditing!
How To Implement
• Approach each as a customer engagement
– Why are we performing this engagement?
– What value can we provide back?
– Can we provide value to another group?
– Ask the Net Promoter question: “On a scale of one to 10, how likely is it that you would recommend us to a colleague?”
– Promoters = 9 to 10.
– Passives = 7 to 8, satisfied but unenthusiastic about the service.
– Detractors = 0 to 6, unhappy with the service and will damage the team’s reputation through word of mouth.
How To Implement
• Customize your deliverables!
– Not everything needs to be a finding/risk ranking
– What is valuable to the project?
• What other value can we derive from our data collection?
• Augment Security As a Service too!
• Metrics and Transparency are essential
• We want to provide consistency
• Reduce one-off high likelihood risks.
• Work with PMO, if you have one.
• Track adoption rates
• Provide incentives to adopt services
Security Services Menu
• Ensure Controls map to technologies being
• Traditionally you see items such as:
– Content security, Antivirus/Anti-malware
– Email encryption, DLP for outbound email
– Web mail, Anti-phishing
A Better Security Menu
• Focus on Services! Not Technologies!
• Internal and / or external penetration test,
Application penetration test
• Host and guest assessments, Firewall / IPS
(security components of the infrastructure)
• Virtual infrastructure assessment
• THEN provide technology options