This document provides guidance on how to determine the right amount to spend on security. It recommends first formalizing mandatory, discretionary, and risk-based security spending. Prioritize assets and risks using a structured process involving business owners. Consider likelihood and impact ranges to evaluate risks. Prioritize risks based on business value and cost. Define security services and align spending with maturity targets. Start with quick wins and metrics to gain support for an ongoing process.

1. How To: Find The Right Amount Of Security SpendJared Pfostjared@thirddefense.comthirddefense.wordpress.com@JaredPfost

2. Outline - 30 minutes!Are You Ready To Find the Answer?Tools & TechniquesInspiration2

3. Are You Ready?3Motivating Event

4. 4Formalize mandatory vs. discretionary spendWork we could doRisk-Based Decisions to Achieve Business GoalsWork we should do“Legally Defensible” SecurityWork we must doManage Compliant- Ready Services

5. 5Are we as efficient as possible?Are we operating at acceptable risk?

6. Identify & Prioritize AssetsLeverage Business Continuity TeamBusiness Process Recovery & OwnershipGood GRC platform scenarioAddRegulatedData ClassificationAssessment Frequency6

7. Prioritize RisksThreat Based vs. Control BasedConstruct a Top-Down Story Evidence Driven Define Formal Decision RolesImpact Ranges Calibrate Monetary Impact with OwnersLikelihood Ranges Use Evidence for Occurrence RatesUse Culture to Select ModelStrive for Consistency7

8. Prioritize Risks (alt.)Threat Based vs. Control BasedConstruct a Top-Down Story Evidence Driven Define Formal Decision RolesImpact Ranges Calibrate Monetary Impact with OwnersLikelihood Ranges Use Evidence for Occurrence RatesUse Culture to Select ModelStrive for Consistency8

9. Spend Or Owner Accepts RiskPrioritize by Business ValueRisk PriorityIT CapabilityBusiness SupportPolitical RealityCostDocument Decision for PosterityEfficiency Gain Save $110K Mandatory vs. Discretionary9

10. Control Effectiveness Metrics10Use Targets to Define “Acceptable Risk”Start Small

11. Are we as efficient as possible?

12. Define Services & Align DemandWhat is 100% of Security ServicesFoundation to manage TradeoffsBusiness As UsualShort Term EffortsLong Term ProjectsSet Maturity ExpectationsActual vs. Target12Mandatory vs. Discretionary

13. Service Metrics & SLAsTransparency Will Set You FreeStart Small% Role Definitions% Project Performance% Business Risk Assessments13

14. In vs. Out SourceDefine Internal Process Flow Before OutsourcingRequire Metrics in ContractAccountability Through Visibility14Attribution: http://www.hotsocialbuzz.com/wp-content/uploads/2010/09/outsource-cartoon.jpg

15. Take ActionDetermine if your Leadership is ReadyStart smallQuick WinsEnjoy your career like never before!Start, Advance, Share15

16. Questions & ResourcesSIRA: http://societyinforisk.org/New School: http://newschoolsecurity.comFalcon’s View: http://www.secureconsulting.net/Our Blog: http://thirddefense.wordpress.com/Perspective: http://dilbert.com/16

17. Appendix17

18. Breaking Down The Risk Statement18(qualitative assessment)