Copyright ©2011 Savid
Security As A Service
The Future of Security Services
Michael A. Davis
Chief Executive Officer
Savid Technologies, Inc.
http://www.savidtech.com
Agenda
• Trends that you must get in front of
• What is SecaaS?
• Why do we need this methodology?
• How do I use it?
• War Stories
• Ask Questions
Who am I?
• Michael A. Davis
– CEO of Savid Technologies
• IT Security Consulting
• Risk Assessments/Auditing
• Security Remediation
– Speaker at Major Security Conferences
• Defcon, CanSecWest, Toorcon, Hack In The Box
– Open Source Software Developer
• Snort
• Nmap
• Dsniff
Author
InformationWeek Contributor
Where we got our data
» March 2012 And November 2011 Survey
» Over 1,100 Security Professionals
» Follow-up Interviews With Fortune 1000 CSO/CISOs
» Wide Variety Of Industries
– Financial
– Healthcare
– Business Services
What is everyone concerned with?
Source: Savid/Information Week Data Survey, 2011
They are paying attention
Complexity is everywhere
[Diagram: the IT stack and the security and management tooling wrapped around it. Stack layers: hardware platform, OS, database, storage, computer/network, application development tools, application integration, collaboration, business intelligence/analytical applications, applications, services, FS applications. Security functions: firewalls, IDS, AV/spyware, anti-spam, content filtering, identity management, vulnerability assessment, monitoring, regulatory compliance. Management functions: network & systems management, dynamic provisioning, management vendors.]
Source: CA, 2009
Complex IT Projects Fail - A lot
Out Of 200 Multi-nationals:
• 67% Failed To Terminate Unsuccessful Projects
• 61% Reported Major Conflicts
• 34% Of Projects Were Not Aligned With Strategy
• 32% Performed Redundant Work
1 In 6 Projects Had A Cost Overrun Of 200%!
Source: 2011 Harvard Business Review – Berlin Univ Technical survey
The Problem
• Too many areas to audit
• Security can’t keep up either
• Velocity of change is high
• Audit or Security isn’t involved in the critical projects
How do we handle a high velocity of change while providing a high level of assurance that controls are being implemented?
The Future of IT Audit
© PWC IA Audit 2012 Report
We All Do Them
Source: 2011 InformationWeek Analytics Strategic Security Survey
[Bar chart: % that perform Risk Assessments (Yes / No / Don’t Know), 2011 vs. 2012; y-axis 0% to 80%]
The Reality
Source: 2011 InformationWeek Analytics Strategic Security Survey
Risk Assessment Effectiveness:
• Very: 30%
• Somewhat: 67%
• Not At All: 3%
That Cloud Thingy
What This Means To Security
• Amazon EC2 - IaaS
• Google AppEngine - PaaS
• Salesforce - SaaS
The lower down the stack the cloud provider stops, the more of the security you are tactically responsible for assessing and implementing yourself.
The slide tags each tier with one of two ways to get a control in place: “RFP/Contract It In” (the provider owns that part of the stack, so the control has to be written into the RFP and contract) or “Build It In” (you own that part of the stack, so you implement and assess the control yourself).
Future of Audit and Security
Adequacy = Compliance
Effectiveness = Consultancy
Audit As a Service
• Be Relevant Not Redundant
• Partner with other risk functions in company
• Focus on start-up/future activities
• Be flexible, don’t limit to the annual plan
• Our recommendation is to stop trying to make everyone a security expert and instead focus on educating people so they know when to ask for expertise
To be successful IT Audit’s fundamental VALUE proposition MUST SHIFT
Security Services?
The Services Menu
• Risk Assessments
– NOT CONTROL ASSESSMENTS
• Guidance without risk levels
– Areas of concern, “pre-audit”
• Cloud Vendor Selection Analysis
• Education
• Advisory Services
• Metric/KRI Development
Why This Works
• Providing real value – Audit is asked to be involved
• Communication increases, helping develop your team talent
• Customers understand what services are available
• Audit understands which services are being requested and which are not as popular. This allows for growth planning.
• Customers understand how service consumption affects their budgets.
• Increased accountability
• Closer to continuous monitoring/auditing!
How To Implement
• Approach each as a customer engagement
– Why are we performing this engagement?
– What value can we provide back?
– Can we provide value to another group?
• Surveys/NetPromoter
– “On a scale of one to 10, how likely is it that you would recommend us to a colleague?”
– Promoters = 9 to 10, enthusiastic about the service.
Passives = 7 to 8, satisfied but not enthusiastic about the service.
Detractors = 0 to 6, unhappy with the service and will damage the team’s reputation through word of mouth.
How To Implement
• Customize your deliverables!
– Not everything needs to be a finding/risk ranking
– What is valuable to the project?
• What other value can we derive from our process?
– Interviews
– Data Collection
• Augment Security As a Service too!
Getting buy-in
• Metrics and Transparency are essential
• We want to provide consistency
• Reduce one-off high likelihood risks.
• Work with PMO, if you have one.
• Track adoption rates
• Provide incentives to adopt services
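The NetPromoter buckets above and the adoption-rate tracking on this slide are both simple to operationalise. The following is an added example, not code from the slides or from Savid: it scores a constructed set of post-engagement survey answers per service, using the slide’s buckets (promoters 9–10, passives 7–8, detractors 0–6), and reports engagement counts alongside the Net Promoter Score (percentage of promoters minus percentage of detractors). The service names and survey answers are hypothetical sample data.

```python
"""Net Promoter Score (NPS) and adoption tracking for an internal
security/audit services menu.

Added example, not from the original slides. The engagement records
below are constructed sample data; the service names are hypothetical.
"""
from collections import defaultdict


def classify(score: int) -> str:
    """Map a 0-10 survey answer to its NPS bucket; reject anything else.

    Buckets as on the slide: promoters 9-10, passives 7-8, detractors 0-6.
    """
    if not isinstance(score, int) or not 0 <= score <= 10:
        raise ValueError(f"NPS answers must be integers 0..10, got {score!r}")
    if score >= 9:
        return "promoter"
    if score >= 7:
        return "passive"
    return "detractor"


def nps(scores):
    """Return (nps, counts), where nps = %promoters - %detractors (-100..100).

    An empty survey has no score: return None instead of dividing by zero.
    """
    counts = {"promoter": 0, "passive": 0, "detractor": 0}
    for s in scores:
        counts[classify(s)] += 1
    n = sum(counts.values())
    if n == 0:
        return None, counts
    value = 100.0 * (counts["promoter"] - counts["detractor"]) / n
    return round(value, 1), counts


def service_report(engagements):
    """Per-service adoption (engagement count) and NPS.

    engagements: iterable of (service_name, score). Services with a
    negative NPS have more detractors than promoters; those are the ones
    word of mouth will hurt first. Result is ordered by adoption, highest
    first, which is the view needed for growth planning.
    """
    by_service = defaultdict(list)
    for service, score in engagements:
        by_service[service].append(score)
    report = {}
    for service, scores in by_service.items():
        value, counts = nps(scores)
        report[service] = {"engagements": len(scores), "nps": value, **counts}
    return dict(sorted(report.items(),
                       key=lambda kv: kv[1]["engagements"], reverse=True))


# Constructed sample survey answers: (service, "how likely to recommend" 0-10)
SAMPLE_ENGAGEMENTS = [
    ("Risk Assessment", 9), ("Risk Assessment", 10), ("Risk Assessment", 7),
    ("Risk Assessment", 4), ("Risk Assessment", 9),
    ("Cloud Vendor Selection", 10), ("Cloud Vendor Selection", 9),
    ("Pre-audit Guidance", 6), ("Pre-audit Guidance", 5), ("Pre-audit Guidance", 8),
    ("Education", 8),
]

if __name__ == "__main__":
    for service, row in service_report(SAMPLE_ENGAGEMENTS).items():
        print(f"{service:24s} engagements={row['engagements']:2d} "
              f"NPS={row['nps']} (P={row['promoter']} "
              f"Pa={row['passive']} D={row['detractor']})")
```

Run it on real survey data by replacing SAMPLE_ENGAGEMENTS with (service, score) pairs exported from your survey tool; a service with high adoption but a negative NPS is the one to fix first, and a service with no engagements at all is a candidate to drop from the menu.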
Security Services Menu
• Ensure controls map to technologies being deployed
• Traditionally you see items such as:
– Content security, antivirus/anti-malware, spam filtering
– Email encryption, DLP for outbound email, web mail, anti-phishing
A Better Security Menu
• Focus on Services! Not Technologies!
• Internal and/or external penetration test, application penetration test
• Host and guest assessments, firewall/IPS (security components of the infrastructure)
• Virtual infrastructure assessment
• THEN provide technology options
A Case Study
The Formula Of Successful Risk Management
PBL = λ₁·p₁ + λ₂·p₂ + λ₃·p₃
Hazard vs. Speculative Risk
Linking to Business Goals
Copyright Carnegie Mellon SEI MOSAIC Whitepaper
Outcome Management
Copyright Carnegie Mellon SEI MOSAIC Whitepaper
Conclusion
Contact Information
Michael A. Davis
mdavis@savidtech.com
708-532-2843
Twitter: @mdavisceo