ISSA PHOENIX
SECURITY METRICS – SO WHAT?

WILLIAM TANG, CTO
JULY 13, 2010

ALLGRESS, INC.
© 2009 ALLGRESS, INC.
2600 Kitty Hawk Road ∙ Suite 109 ∙ Livermore, CA 94551 ∙ www.allgress.com
What You Will Learn

• Techniques to influence business decision makers.
• Simple ways to demonstrate security value.
• How to align security strategy with the business.

Security Metrics – So What?

• Why are we gathering metrics?
• Who are we gathering these metrics for?
• What will we do with the metrics, once we have them?

IT Security’s Job Description

Minimize Security Risk & Maximize Business Value

Business and security metrics are needed to demonstrate and communicate both objectives.

Presentation Outline

• Introduction Exercise
• Be More Effective
• Demonstrate Security Value
• Conclusion

If You Were a CFO, COO, or Exec…

• This is the language you would speak:
  – Discount Rate
  – Leverage Ratio
  – Covenants
  – Net Debt Free Cash Flow
  – EBITDA, EPS, Beta, etc…

If this sounds like a foreign language, imagine how they feel when we use IT security terms…

Which Statement for Exec Mgmt?

A. We have 2,300 CVSS severity 4 and 5 vulnerabilities on our 400 Windows Servers.

B. The IT systems that generate 30% of our revenue have critical security vulnerabilities.

Choose Wisely

Diagram: Security Metrics overlapping with Business Metrics; the overlap is the Useful Metrics (for your intended audience).

Example: Risk & Revenue

• ‘Bubbles’ represent business units (BU).
• Size of the bubble represents the BU percentage revenue ($).
• NIST Risk Methodology (tech scans & audits).

Chart: business units plotted from Low Risk through Medium Risk to High Risk. Callout: this BU generates 30% of revenue, but it has high risk.

IT systems that generate 30% of revenue have critical vulnerabilities and risk. Does this make business sense?

Example: Escape Fire Fighting Mode

• PCI compliance scans from Qualys.
• Results grouped by operating system or asset type.

For this client, the typical approach to PCI compliance is to mitigate each vulnerability one by one.

Example: Escape Fire Fighting Mode

• Same Qualys data as before, but now grouped by vulnerability type.

Is there a strategic solution here? Can the client focus on preventing these common vulnerabilities from happening in the first place?

Example: Naughty Business Unit

• Wedges represent labor hours for fixing security vulnerabilities for each Business Unit.
• Leverage any vulnerability scanning tool.
• Link with estimates for remediation, Remedy trouble tickets or a timesheet system.

Pie chart wedges: Los Angeles, New York, Austin, Boston.

If the LA Office has the most IT systems, why is so much time spent on Boston? Does it have more vulnerabilities?

Example: Risk Reduction Per $

• ‘Bubble’ can represent any business metric.
• Demonstrate changes in risk over time (trending).

Chart: bubbles for Year 1, Year 2 and Year 3.

We can calculate the changes in risk and costs to show how effective investments in security reduce risk, or how reducing investments in security increases risk.

Example: Risk Reduction Per $

Demo of Risk Trending

Example: Prove Cost Savings

• Web Servers required 1,034 labor hours to mitigate vulnerabilities.
• Mail Service vulnerabilities required 1,014 labor hours.
• Total is 2,048 hours.
• Assume the average labor hour is $100/hr.

Chart: labor hours for Web Servers versus Mail Services.

Example: Prove Cost Savings

October 2009: Implement training and awareness to system admins to prevent vulnerabilities with change control and patching processes.
• Hours = 2,048
• Labor Cost = $100/hr
• Total Cost = $20,480

January 2010: Scans for this quarter show that vulnerability count has decreased by 40%. As a result, labor hours have also decreased by approx 40%.
• Hours = 1,200
• Labor Cost = $100/hr
• Total Cost = $12,000

Estimated Cost Savings = $8,480
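The four techniques the examples above describe (the executive statement B, regrouping the same scan results by asset type and by vulnerability type, labor hours per business unit, and the cost-savings calculation) as one added worked example; this is not code from the deck or from Allgress. It assumes each scanner finding can be enriched with an owning business unit and a remediation-hour estimate (for instance from the ticket system the slides mention); the hosts, revenue shares, severities and hours below are all constructed.

```python
"""Turn raw vulnerability-scan findings into the business-facing metrics the
deck argues for: revenue at critical risk, the strategic view by vulnerability
class, labor hours per business unit and the labor-cost delta between scans."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner finding, enriched with ownership and a labor estimate."""
    host: str
    asset_type: str      # how a scanner groups hosts: OS or role
    business_unit: str   # owning office/BU (assumed to come from a CMDB)
    vuln_type: str       # scanner's vulnerability category
    severity: int        # 1..5 severity bucket, as in "Which Statement for Exec Mgmt?"
    fix_hours: float     # estimated remediation labor (assumed, e.g. from ticket history)


# Constructed sample scan output; every value here is made up.
FINDINGS = [
    Finding("la-web-01", "Web Server", "Los Angeles", "Missing patch", 5, 2.0),
    Finding("la-web-02", "Web Server", "Los Angeles", "Missing patch", 5, 2.0),
    Finding("la-db-01", "Windows Server", "Los Angeles", "Weak SSL config", 3, 1.5),
    Finding("la-app-01", "Windows Server", "Los Angeles", "Default credentials", 2, 0.5),
    Finding("ny-mail-01", "Mail Server", "New York", "Missing patch", 3, 2.0),
    Finding("ny-web-01", "Web Server", "New York", "Default credentials", 2, 0.5),
    Finding("bos-fs-01", "Windows Server", "Boston", "Missing patch", 3, 2.0),
    Finding("bos-fs-01", "Windows Server", "Boston", "Weak SSL config", 3, 1.5),
    Finding("bos-fs-02", "Windows Server", "Boston", "Missing patch", 3, 2.0),
    Finding("bos-fs-02", "Windows Server", "Boston", "Legacy service", 3, 6.0),
    Finding("bos-fs-03", "Windows Server", "Boston", "Missing patch", 3, 2.0),
    Finding("aus-web-01", "Web Server", "Austin", "Missing patch", 3, 2.0),
]

# Constructed revenue share per business unit (fractions sum to 1.0).
REVENUE_SHARE = {"Los Angeles": 0.30, "New York": 0.40, "Boston": 0.10, "Austin": 0.20}


def count_by(findings, key):
    """Tally findings per value of `key`: by asset_type gives the fire-fighting
    view, by vuln_type the strategic view ("Escape Fire Fighting Mode")."""
    return Counter(getattr(f, key) for f in findings)


def hours_by_business_unit(findings):
    """Remediation labor per BU: the wedges of the "Naughty Business Unit" pie."""
    hours = defaultdict(float)
    for f in findings:
        hours[f.business_unit] += f.fix_hours
    return dict(hours)


def hosts_by_business_unit(findings):
    """Distinct scanned hosts per BU, to set the hours above in context."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f.business_unit].add(f.host)
    return {bu: len(h) for bu, h in hosts.items()}


def revenue_share_at_critical_risk(findings, revenue_share, min_severity=4):
    """Fraction of revenue generated by BUs owning at least one finding of
    severity >= min_severity: the number behind executive statement B."""
    at_risk = {f.business_unit for f in findings if f.severity >= min_severity}
    return round(sum(revenue_share.get(bu, 0.0) for bu in at_risk), 4)


def hours_avoidable_by_prevention(findings, vuln_type):
    """Labor that disappears if one vulnerability class is prevented upstream
    (patching / change control) instead of being fixed host by host."""
    return sum(f.fix_hours for f in findings if f.vuln_type == vuln_type)


def estimated_cost_savings(hours_before, hours_after, hourly_rate):
    """Labor-cost delta between two scan periods ("Prove Cost Savings")."""
    return (hours_before - hours_after) * hourly_rate


def exec_summary(findings, revenue_share):
    """Plain-English lines for a non-technical audience."""
    share = revenue_share_at_critical_risk(findings, revenue_share)
    top_class, top_n = count_by(findings, "vuln_type").most_common(1)[0]
    saved = hours_avoidable_by_prevention(findings, top_class)
    return [
        f"IT systems generating {share:.0%} of revenue have critical vulnerabilities.",
        f"{top_n} of {len(findings)} findings are '{top_class}'; preventing that "
        f"class saves about {saved:.0f} labor hours.",
    ]


if __name__ == "__main__":
    print("By asset type:", dict(count_by(FINDINGS, "asset_type")))
    print("By vulnerability type:", dict(count_by(FINDINGS, "vuln_type")))
    print("Hours per BU:", hours_by_business_unit(FINDINGS))
    print("Hosts per BU:", hosts_by_business_unit(FINDINGS))
    for line in exec_summary(FINDINGS, REVENUE_SHARE):
        print(line)
```

With the constructed data, Los Angeles owns the most hosts while Boston consumes the most remediation hours, and "Missing patch" dominates the vulnerability-type view, which is exactly the pattern the slides say a strategic fix should target.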
Example: Prove Cost Savings

Charts: October 2009 versus January 2010, findings by status (CLOSED, PENDING, OPEN).

NOTE: These graphs represent compliance findings and tasks. A similar exercise can be done to show improvements in compliance and audit mitigation costs.
Example: Align With The Business




Example: Align With The Business




Allgress Solution Objectives

Minimize Security Risk & Maximize Business Value

Allgress Security Life Cycle Manager helps our customers meet these objectives quickly, with minimal cost and effort.

Parting Words of Wisdom

Dave Cullinane, CISO

“Being able to demonstrate that we’re spending the money the right way, spending the money effectively, producing the results that are needed and ensuring that level of confidence in the marketplace we offer is really critical, and Allgress has been way beyond anything else I’ve seen at being able to do that.”

Full webinar at http://www.allgress.com/webinars
Q&A

William Tang
Chief Technology Officer
Allgress, Inc.

Email: william.tang@allgress.com
Direct: 310.383.2783
FAX: 310.496.0426

www.allgress.com
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...
 

ISSA Phoenix Security Metrics... So What?

  • 5. Presentation Outline
    • Introduction Exercise
    • Be More Effective
    • Demonstrate Security Value
    • Conclusion
  • 6. If You Were a CFO, COO, or Exec…
    • This is the language you would speak:
      – Discount Rate
      – Leverage Ratio
      – Covenants
      – Net Debt
      – Free Cash Flow
      – EBITDA, EPS, Beta, etc.
    If this sounds like a foreign language, imagine how they feel when we use IT security terms…
  • 7. Which Statement for Exec Mgmt?
    A. We have 2,300 CVSS severity 4 and 5 vulnerabilities on our 400 Windows Servers.
    B. The IT systems that generate 30% of our revenue have critical security vulnerabilities.
  • 8. Presentation Outline
    • Introduction Exercise
    • Be More Effective
    • Demonstrate Security Value
    • Conclusion
  • 9. Choose Wisely
    [Venn diagram: Security Metrics overlapping Business Metrics; the intersection is labelled Useful Metrics (for your intended audience)]
  • 10. Example: Risk & Revenue
    • ‘Bubbles’ represent business units (BU). Size of the bubble represents the BU percentage of revenue ($).
    • NIST Risk Methodology (tech scans & audits).
    [Bubble chart; x-axis: Low Risk, Medium Risk, High Risk. Callout on the largest bubble: this BU generates 30% of revenue, but it has high risk.]
    IT systems that generate 30% of revenue have critical vulnerabilities and risk. Does this make business sense?
  • 11. Example: Escape Fire Fighting Mode
    • PCI compliance scans from Qualys.
    • Results grouped by operating system or asset type.
    For this client, the typical approach to PCI compliance is to mitigate each vulnerability one by one.
  • 12. Example: Escape Fire Fighting Mode
    • Same Qualys data as before, but now grouped by vulnerability type.
    Is there a strategic solution here? Can the client focus on preventing these common vulnerabilities from happening in the first place?
  • 13. Example: Naughty Business Unit
    • Wedges represent labor hours for fixing security vulnerabilities for each Business Unit.
    • Leverage any vulnerability scanning tool.
    • Link with estimates for remediation, Remedy trouble tickets or a timesheet system.
    [Pie chart; wedges: Los Angeles, New York, Austin, Boston]
    If the LA Office has the most IT systems, why is so much time spent on Boston? Does it have more vulnerabilities?
  • 14. Presentation Outline
    • Introduction Exercise
    • Be More Effective
    • Demonstrate Security Value
    • Conclusion
  • 15. Example: Risk Reduction Per $
    • ‘Bubble’ can represent any business metric.
    • Demonstrate changes in risk over time (trending).
    [Bubble chart; series: Year 1, Year 2, Year 3]
    We can calculate the changes in risk and costs to show how effective investments in security reduce risk, or how reducing investments in security increases risk.
  • 16. Example: Risk Reduction Per $
    Demo of Risk Trending
  • 17. Example: Prove Cost Savings
    • Web Servers vulnerabilities required 1,034 labor hours to mitigate.
    • Mail Services vulnerabilities required 1,014 labor hours.
    • Total is 2,048 hours.
    • Assume the average labor hour is $100/hr.
    [Chart; wedges: Web Servers, Mail Services]
  • 18. Example: Prove Cost Savings
    October 2009: Implement training and awareness for system admins to prevent vulnerabilities with change control and patching processes.
      • Hours = 2,048
      • Labor Cost = $100/hr
      • Total Cost = $204,800
    January 2010: Scans for this quarter show that the vulnerability count has decreased by 40%. As a result, labor hours have also decreased by approx. 40%.
      • Hours = 1,200
      • Labor Cost = $100/hr
      • Total Cost = $120,000
    Estimated Cost Savings = $84,800
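The translation the deck asks for, from raw scanner output to numbers an executive can act on, is mostly a join between scan findings and an asset inventory that knows which business unit owns each system and what revenue it carries. The block below is an added worked example, not code from the deck or from Allgress. It computes, over one constructed dataset, the slide-7 "statement B" revenue-exposure figure, the slide-11/12 pivot by OS versus by root cause, the slide-13 hours-per-business-unit breakdown, and the slide-18 before/after labor cost delta. Every asset, finding, hour estimate and revenue share is invented for illustration; the $100/hr rate is the deck's own assumption from slide 17, and the 1 to 5 severity tiers are an assumed scanner scale, not CVSS scores.

```python
"""Added example (not from the deck): scan findings -> business metrics.
revenue exposed to critical findings (slides 7, 10), findings pivoted by OS
vs. root cause (slides 11, 12), hours per business unit (slide 13) and the
quarter-over-quarter labor cost delta (slides 17, 18). All data constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    unit: str             # business unit / office that owns the system
    os: str
    revenue_share: float  # fraction of company revenue this system supports


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    severity: int         # assumed scanner tier 1 (low)..5 (critical), not CVSS 0-10
    category: str         # root-cause bucket used for the slide-12 pivot
    fix_hours: float      # remediation estimate from tickets / timesheets


# Constructed inventory: the two Boston web servers carry 30% of revenue,
# while Los Angeles owns the most systems.
ASSETS = {a.name: a for a in [
    Asset("web01", "Boston", "Windows", 0.15),
    Asset("web02", "Boston", "Windows", 0.15),
    Asset("mail01", "Los Angeles", "Linux", 0.02),
    Asset("file01", "Los Angeles", "Windows", 0.01),
    Asset("print01", "Los Angeles", "Windows", 0.00),
    Asset("db01", "New York", "Linux", 0.20),
]}

# Constructed scan output for two consecutive quarters.
Q4_2009 = [
    Finding("web01", "MS08-067 missing", 5, "missing patch", 8),
    Finding("web02", "MS08-067 missing", 5, "missing patch", 8),
    Finding("web02", "SSLv2 enabled", 3, "weak config", 2),
    Finding("mail01", "OpenSSL outdated", 4, "missing patch", 6),
    Finding("file01", "SMB signing off", 2, "weak config", 1),
    Finding("file01", "Anonymous FTP", 4, "weak config", 1),
]
Q1_2010 = [
    Finding("web02", "SSLv2 enabled", 3, "weak config", 2),
    Finding("db01", "Kernel outdated", 4, "missing patch", 4),
]


def revenue_exposed(findings, assets, min_severity=5):
    """Share of revenue running on systems with at least one finding at or
    above min_severity: the slide-7 'statement B' number."""
    hit = {f.asset for f in findings if f.severity >= min_severity}
    return round(sum(assets[a].revenue_share for a in hit), 4)


def pivot(findings, assets, key):
    """Count findings by a finding attribute ('category', 'title') or, if
    the finding lacks it, by the attribute of its asset ('os', 'unit')."""
    counts = Counter()
    for f in findings:
        owner = f if hasattr(f, key) else assets[f.asset]
        counts[getattr(owner, key)] += 1
    return dict(counts)


def hours_by_unit(findings, assets):
    """Remediation hours per business unit (the slide-13 pie wedges)."""
    hours = defaultdict(float)
    for f in findings:
        hours[assets[f.asset].unit] += f.fix_hours
    return dict(hours)


def assets_by_unit(assets):
    """System count per business unit, to set the hours against."""
    return dict(Counter(a.unit for a in assets.values()))


def labor_cost(findings, rate):
    return sum(f.fix_hours for f in findings) * rate


def cost_savings(before, after, rate):
    """Slide-18 style before/after comparison at a flat hourly rate."""
    cost_before, cost_after = labor_cost(before, rate), labor_cost(after, rate)
    return {
        "count_reduction": round(1 - len(after) / len(before), 2),
        "cost_before": cost_before,
        "cost_after": cost_after,
        "savings": cost_before - cost_after,
    }


if __name__ == "__main__":
    print("revenue exposed to critical findings:", revenue_exposed(Q4_2009, ASSETS))
    print("by OS:", pivot(Q4_2009, ASSETS, "os"))
    print("by root cause:", pivot(Q4_2009, ASSETS, "category"))
    print("hours by unit:", hours_by_unit(Q4_2009, ASSETS), "systems:", assets_by_unit(ASSETS))
    print("Q4 2009 -> Q1 2010:", cost_savings(Q4_2009, Q1_2010, 100))
```

Two caveats a practitioner would want. The 30% figure is only as good as the asset-to-business-unit mapping (the `revenue_share` column), and that inventory is the piece most shops lack; without it, the best you can say is statement A. And a flat hourly rate hides mix effects: a quarter with fewer but harder findings can cost more, so report hours and counts alongside the dollar delta rather than the delta alone.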
  • 19. Example: Prove Cost Savings
    [Charts: October 2009 vs. January 2010; findings by status: Closed, Pending, Open]
    NOTE: These graphs represent compliance findings and tasks. A similar exercise can be done to show improvements in compliance and audit mitigation costs.
  • 20. Example: Align With The Business
  • 21. Example: Align With The Business
  • 22. Presentation Outline
    • Introduction Exercise
    • Be More Effective
    • Demonstrate Security Value
    • Conclusion
  • 23. Allgress Solution Objectives
    Minimize Security Risk & Maximize Business Value
    Allgress Security Life Cycle Manager helps our customers meet these objectives quickly, with minimal cost and effort.
  • 24. Parting Words of Wisdom
    Dave Cullinane, CISO: “Being able to demonstrate that we’re spending the money the right way, spending the money effectively, producing the results that are needed and ensuring that level of confidence in the marketplace we offer is really critical, and Allgress has been way beyond anything else I’ve seen at being able to do that.”
    Full webinar at http://www.allgress.com/webinars
  • 25. Q&A
    William Tang, Chief Technology Officer, Allgress, Inc.
    Email: william.tang@allgress.com
    Direct: 310.383.2783
    FAX: 310.496.0426
    www.allgress.com