Fund Your Security Initiatives 
By Leveraging Business Objectives 
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Security is not just an IT problem
It’s affecting the business
CISO
• Cyber threat: 56% of organizations have been the target of a cyber attack
• Reputation damage: 30% market cap reduction due to recent events
• Extended supply chain: 44% of all data breaches involved third-party mistakes
• Financial loss: $8.6M average cost associated with a data breach
• Cost of protection: 11% of total IT budget spent on security
• Reactive vs. proactive: 97% of data breaches could have been avoided
Problem: Barriers between Business & Security
Business Initiatives
• Grow Revenues at 30%
• Become more Agile
• Improve Profitability
• Improve Efficiency
• 99.999% Availability
Security Initiatives
• Don’t Get Hacked!!!
Security breaches are a business issue
HP | Ponemon Study 2013
$11.6 million (2013)
$8.9 million
Security needs to look at how it enables the business
• How do we add value?
• How does the company make $?
• How do we save $?
Security = Competitive Advantage
Our new style of working is exposing risk to the business
Data: Social media, Audio, CRM Data, Word, Excel, Images, Email, Financials, Legal documents, Call center, Agreements
Locations: Cloud, Archive, Laptop, Mobile phone, Partner, Data center, Remote office
Got Risk?
Create a burning need to do something
• Industry Regulations
  • PCI
  • HIPAA
  • SOX
• Use Audits to compel Action
Document Risk in language the business can understand
Getting Buy-in from Management
Situation: Detail the current situation
Complication: Explain the risk
Implication: Discuss the results if the risk is not addressed
Position: Your advice
Action: Next steps
Benefits: How do you make your boss look good?
The goal 
• Clear investment strategy 
• Understanding of Risk 
• Plans to mitigate 
• Show how Risk trends down 
The solution seems obvious 
Bring all the data together and create a context, in near real time 
Business | Operations | Security
TIP #1: Speak the Language of the Business
• Always tie the security issue, be it a real-time threat, a potential risk, a lack of compliance, etc., to language the business can understand.
• Identify the “crown jewels” in your infrastructure. Don’t try to identify everything at first (see Tip #3).
• Connect those assets to the applications they support, in turn to the business services, and then up to the lines of business / structure of your organization.
TIP #2: Leverage what you have
• A lot of the data you need already exists.
• If you can, gather your assets from a “source of truth” like your CMDB.
• Alternatively, if that isn’t feasible, leverage a monitoring tool like ArcSight ESM.
• Pull in data from your vulnerability scanners.
• Automation will save you.
TIP #3: Start small
• Start small, work incrementally, don’t try to boil the ocean. Some visibility is much better than zero visibility.
• Pick a subset of Compliance or Regulatory controls that are important and whose value is understood. Model, implement and monitor those.
• Identify and monitor key Risk factors. Set a goal and track that progress as an easy-to-understand KPI.
• Don’t model your whole business. Start with the key business services.
Create a business centric view 
• Assets from uCMDB 
• Assets from HP ArcSight ESM/Express 
• Model the business 
Automate Compliance where possible 
Numerous data sources 
• uCMDB 
• HP ArcSight ESM/Express/Logger 
• Server Automation 
• Third Party 
Manage vulnerabilities 
• Vulnerability Scanners 
• Configuration Scanners
• Server Automation 
• uCMDB 
Bring it all together 
• Create “risk factors”, set goals/KPIs 
• Trend your progress 
• Focus on “upper right”/red zone 
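The roll-up that Tips #1 and #3 and this slide describe (assets to applications to business services to lines of business, a risk factor per service, a trend, and a red zone) as an added example; the asset model, scan snapshots, severity weights and threshold are all constructed here and are not HP's, ArcSight's or uCMDB's code or data.

```python
"""Business-centric risk view: roll scanner findings up from assets to business services."""
from collections import defaultdict

# Constructed inventory (what a CMDB export would give): asset -> application, criticality 1..3.
ASSETS = {
    "db-01": {"app": "Billing", "criticality": 3},
    "web-01": {"app": "Billing", "criticality": 2},
    "web-02": {"app": "Storefront", "criticality": 2},
    "file-01": {"app": "HR Portal", "criticality": 1},
}
APP_TO_SERVICE = {"Billing": "Order-to-Cash", "Storefront": "Order-to-Cash", "HR Portal": "Employee Services"}
SERVICE_TO_LOB = {"Order-to-Cash": "Retail", "Employee Services": "Corporate"}
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}  # assumed weighting

def service_risk(findings):
    """Risk factor per business service: sum of severity weight x asset criticality over open
    findings, given as (asset, severity) pairs. Assets outside the modelled 'crown jewels'
    land in an '(unmapped)' bucket (criticality unknown, weight only) so the gap stays visible."""
    risk = defaultdict(int)
    for asset, severity in findings:
        if asset in ASSETS:
            meta = ASSETS[asset]
            risk[APP_TO_SERVICE[meta["app"]]] += SEVERITY_WEIGHT[severity] * meta["criticality"]
        else:
            risk["(unmapped)"] += SEVERITY_WEIGHT[severity]
    return dict(risk)

def trend(previous, current):
    """Per-service change between two snapshots; negative means risk trended down."""
    return {s: current.get(s, 0) - previous.get(s, 0) for s in set(previous) | set(current)}

def red_zone(risk, threshold):
    """The 'upper right': services whose risk factor exceeds the agreed KPI threshold."""
    return sorted(s for s, r in risk.items() if r > threshold)

# Constructed scanner snapshots for two consecutive weeks.
SCAN_WEEK1 = [("db-01", "critical"), ("db-01", "high"), ("web-01", "medium"),
              ("web-02", "high"), ("file-01", "critical")]
SCAN_WEEK2 = [("db-01", "high"), ("web-01", "medium"), ("web-02", "high"),
              ("file-01", "critical"), ("file-01", "low"), ("vpn-01", "high")]

if __name__ == "__main__":
    r1, r2 = service_risk(SCAN_WEEK1), service_risk(SCAN_WEEK2)
    for service, delta in sorted(trend(r1, r2).items()):
        lob = SERVICE_TO_LOB.get(service, "?")
        print(f"{lob:>9} / {service:<17} risk {r2.get(service, 0):>3} ({delta:+d})")
    print("red zone:", red_zone(r2, threshold=20))
```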
How do we protect our assets?
• Intrusion prevention
• Security research and threat intelligence
• Secure design and implementation
Diagram labels: Our enterprise / Their ecosystem; Threat Intelligence, Intrusion Prevention, Quarantine, Secure Software, DLP
Thank you 


Editor's Notes

  • #4 Yes, you are under attack now: your organization is under attack, your personal computer and mobile devices are under attack now. Your data is no longer secure. Your privacy may be breached. Security is a board-level discussion now. The Chief Information Security Officer sits at the heart of the response to the growing threat. They now have increased budgets to address the growing threat and to keep the IT organization safe. 56% of organizations have been the target of a nation-state cyber attack, so there is a 50% chance that your organization may be attacked. Also, in a Gartner survey of enterprise CIOs, the 5 biggest challenges that enterprises faced in security and risk were: Managing Risk; Reduce CAPEX; Fill Security Gaps; Optimize security gaps; Adapt to changing regulations.
  • #5 Key Points: Why is processing human information different? Human information is made up of ideas, is diverse, and has context. Ideas don’t match exactly the way data does; they have distance. Human information is not static; it’s dynamic and lives everywhere. Legacy / past techniques have all fallen short.
  • #6 Average annual cost of cyber crime in 2012 to individual businesses in the U.S. The Open Source Vulnerability Database reported 7,477 vulnerabilities in 2011, and reported 7,998 before the end of November 2012. More than 20 per day. A point-in-time review is essential, but that is today. What about tomorrow?
  • #8 Key Points: Lots of data, lots of opportunity. Data lives within and outside your company in various places and formats. The opportunity has to overcome the challenge. Use ‘systems thinking’ to convince management they need to do something.