Downloaded 16 times
Uploaded byLaura Vanassche
IT Security Strategy
This document discusses establishing an IT security strategy to protect a company's key assets. It outlines introducing the parties and their roles, explaining why security is important to protect valuable business data and systems from threats. The document discusses assessing the company's security needs and vulnerabilities, creating a security policy, and developing a remediation plan. It proposes next steps of scheduling a security assessment and follow-up meetings to review findings and determine next steps for the company's IT security.
More Related Content
![Vibe Coding vs. Spec-Driven Development [Free Meetup]](https://cdn.slidesharecdn.com/ss_thumbnails/vibecodingvsspecdrivendevelopment-251209105622-43f455e7-thumbnail.jpg?width=640&height=640&fit=bounds)
IT Security Strategy
- 1. IT Security Strategy: ProtectingYour Key Corporate Assets Tech Data
- 2. Non-Disclosure • This discussionis under our mutual nondisclosure agreement.
- 3. Purpose of OurDiscussion • Decide if we should expand our relationship • Identify your questions and concerns about your IT security • Identify whether your issues are within our expertise • Report our findings about security issues • Establish next-step recommendations based on your situation • Create an action plan for your consideration.
- 4. Introductions • Your team •Role, responsibility, experience • What would make this a valuable meeting for you? • Our team • Role, responsibility, experience
- 5. Why Security? • ITis the engine of your business: When it’s compromised, you’re at risk • Your assets have value that bad guys want.
- 6. Why Our CustomersChoose Us • Local, responsive and concerned means we’ll be there when called • Experienced in delivering and securing IT in all varieties: traditional, cloud, blended systems, mobile • Deep network of resources to solve unique situations • We work until the the problem is resolved • We take a holistic view and focus on growing our customer’s business by judicious application of IT.
- 7. What Gets Secured…? •What do you want to protect? • How much do you want to protect it? • What’s vulnerable? • Human failure • Equipment failure • Malicious attack.
- 8. What Gets Secured…? •What’s valuable? • What can and can’t you live without? • What are you legally required to protect? • Defend this first or you could go to jail • What do you need to operate your business? • Defend that next or you could go out of business.
- 9. What Gets Secured? •What is impossible to replace and what can be covered by insurance? • What’s a trade secret and what’s common knowledge?
- 10. Your Key Assets: •People – employees, customers, key vendors and stakeholders • Property – physical, electronic and intellectual • Processes – the procedures used to successfully conduct business • Proprietary data – trade secrets, confidential information and personal data.
- 11. The Outcome ofSecurity • Availability of corporate assets • Integrity of those assets • Confidentiality of assets that are private • Accountability, making those who access the data responsible for their behavior.
- 12. The Value ofSecurity… • Increases staff efficiencies from not having to individually deal with security issues like spam, viruses and rogue email • Increases in systems efficiency created by the security system because of upgraded technology • Eliminates cost of security breaches from unpatched software.
- 13. Security is aReal Challenge • New IT threats every second • High-profile attacks • New attack points • Mobile devices • Data leakage • Social engineering.
- 14. Seven Security Layers 1.Access control 2. Deter intrusion 3. Detect intrusion 4. Determine attack nature 5. Delay further access 6. Defend 7. Recover.
- 15. The Value ofSecurity • Reduces legal exposure from unsecured premises and computer systems • Increases sales based on improved security and stability • Reduces business interruptions caused by security breaches.
- 16. Your Security Concerns •What do you need to secure? • What would it be worth to secure that? • What would it cost if it wasn’t secured? • What is your security policy?
- 17. What Would YouLike to Have Happen? • What would it be like if everything worked correctly? • How will you know who to choose?
- 18. Our Recommendations • Assessment •Security policy • Remediation plan • Policy audit and implementation • Bring compliance up-to-date • Adjust implementation of policies.
- 19. Assessment • Review yoursituation using the seven layer security model • Identify any issues • Recommend any specific actions with cost/risk analysis • If we find nothing, you’re just being cautious.
- 20. Security Policy • Reviewyour security policy • Look for completeness • Look for areas that have changed • Mobile • New compliance mandates.
- 21. Remediation Plan • Ifrequired
- 22. Policy Audit andImplementation • Audit for compliance • Education where needed • Help your team with enforcement strategies.
- 23. Proposed Next Steps •Agree to an assessment • Our security team will perform this • Meet for a review of findings • Decide the next step, if any.
- 24. Schedule the NextMeetings • Assessment • Who and when • Report of findings • Executive team • Two weeks later.
Editor's Notes
- #2 Do not hand out copies of the presentation nor make the presentation available to the customers. This is only designed for leading discussions and not meant as reference material. You want to control the timing and questions. If your customer has a copy of this presentation, you relinquish that control. If the prospect requests a copy, say, “I’d love to, but this is proprietary to our company. You’re welcome to take notes.” Only reveal one bullet at a time. This is designed to walk your prospect through the thought process in a psychologically correct way. Like baking a cake, if you skip a step or don’t follow the recipe, it won’t turn out the way you want. Note that if the headers end in an ellipsis or three dots (…) there are more points on this topic on the next slide. In general, the last bullet on the slide ends with a period so that you know to make the transition to the next slide. The most legible slides are black type on white background. This can be seen with the lights full on. You do not want a dark conference room. You want everyone to see everyone and stay awake. Notice that the scripting is in present tense, as if you are doing these things for them now. Think of this as describing how you’re doing it for other customers and you’re exploring if it’s right for these people. From a psychological view, you are asking them to consider it as already in process, substantially increasing their likelihood to agree to your next step. There are 24 slides in this presentation. Cover most slides in 15-30 seconds with the discussion slides taking more time. Don’t belabor the points because your audience is intelligent and savvy. Make your point and move on. If you use PowerPoint in the presenter mode, you’ll have access to these notes, so position your computer so that your prospect can’t see the screen.
- #3 “Before I begin our discussion, I’d like to remind you that we may ask you questions of a sensitive nature that we will not disclose to others and we’ll discuss methods that we consider to be proprietary. This security meeting is covered by our mutual non-disclosure agreement. Will you agree to that?” [Get agreement from all involved in the meeting. If someone doesn’t agree, say, “I cannot proceed until we all agree.”]
- #4 [Objective: Identify the customer’s desired outcomes in 3 minutes] “The second agreement I need from you is that you be willing to make a decision at the end of this discussion about whether to expand our relationship or not. We don’t want to waste your time or our time. We only work with people who want to work with us. Are you willing to do that?” If they are unable to do this, you have the wrong people in the room and this presentation has little effectiveness. You may choose to end the discussion at this time and reschedule with the right people, so you do not waste your time. Go through these items one at a time and get agreement. Don’t rush through these because agreement on this agenda sets up the meetings success. “We want to identify your questions and concerns about your IT security to identify if your issues are within our expertise. If not, we’ll say so and may make recommendations where you can get help for these issues.” “Then we’ll report our findings about current security issues and what we’ve learned about managing them.” “After discussing your situation, we’ll then establish a high-level set of recommendations on what to do next and create an action plan for your consideration if you like what you experience here in the next 30 minutes.” “Does this meet your needs for this meeting?”
- #5 [Objective: Establish relationships and set the customer’s agenda. Go around the room and get acquainted.] “Great! Let’s get a feeling for who’s here and what they want. Would you introduce yourself and tell me about your role, responsibility and experience? And let us know what you want so that our discussion is completely relevant to you.” [Everyone introduces themselves] “Thank you. Here’s our team…”
- #6 [Objective: Establish a basic understanding of security principles.] “So, why security? IT is the engine of your business: When it’s compromised, you’re at risk. Let’s face it, when your computers are compromised or non-operational, you can’t sell, ship, bill, or collect money. You’re out of business.” “And to make things worse, your assets have value that bad guys want.”
- #7 [Objective: Create credibility in 2 minutes. About our company. Tell short war stories that connect with this customer using the formula: scenario, problem, solution.] “Let me tell you a little about our company. Our customers tell us that they choose us because we are local – we’ve been here for 15 years – responsive – we have a 24-hour tech team – and we are concerned for our customers. All of this means we’ll be there when you need us. “We are experienced in delivering and securing IT of all varieties, such as traditional computers, cloud-based solutions, blended systems and mobile devices. “Our customers like that we have a deep network of resources to solve unique situations. We know who knows. “This means we have never had a problem that we couldn’t solve. We stay with it until it’s fixed.” “Our customers like that we take a holistic view of their business, helping them with the systems they need to grow their business securely with careful applications of IT. “Which of these characteristics are most interesting to you?”
- #8 [Objective: Educate the customer on what needs to be secured. This is a multi slide segment.] “What should you secure? While we’ll work on your specifics later, here are general principles we use to help identify where to focus. “What do you want to protect and how much do you want to protect it? We’ll go into more details in a moment. “What’s vulnerable? And how is it vulnerable? Most common causes of security problems come from these three vectors: human failure – for example, someone leaves a door unlocked or a computer logged on; equipment failure – such as a lock breaks or a security device stops working; or malicious attack – for example, a competitor or organized crime ring attempts to steal from you.”
- #9 [Continued] “The next questions is, what’s valuable? What can and can’t you live without? If you can’t live without it, we apply our best security practices to keep it safe. “We can break this down further into: What are you legally required to protect? Defend this first or you could go to jail. If there is anything like this for your business, we focus on that. You don’t have to tell me right now. “Next, what do you need to operate your business? We defend that next or you could go out of business. We work with your team to identify and protect those elements.”
- #10 [Continued] “Next, what is impossible to replace and what can be covered by insurance? We apply high levels of security to your most scarce resources or assets. Often these are overlooked, yet when they’re damaged, compromised or stolen, you can be severely impacted. “And finally, what’s a trade secret and what’s common knowledge? We’ll make sure that your trade secrets are appropriately protected. If something is common knowledge, then we make sure that you’re not wasting money protecting that. “Which of these elements are you most concerned about right now?”
- #11 [Objective: Discuss the state of security in 5 minutes over the next four slides] “Now let’s talk about the key assets you need to protect. As we go through these, identify which are most important to you so that we get an idea about prioritizing your security plan. “People – employees, customers, key vendors and stakeholders all need to be protected from harm. This is frequently accomplished by locks, security cameras, email protection and so forth. “Property – physical, electronic and intellectual property. We’ll protect this in similar ways to protecting people along with data leak protection. “Processes – the procedures used to successfully conduct business. We protect this with access control and accountability enforcement along with other methods. “And Proprietary data – trade secrets, confidential information and personal data. We figure out the best way to protect these critical assets. “Tell me about your priorities on these assets?”
- #12 [Objective: Define the desired outcomes of a properly implemented security strategy and identify if they have these elements in place.] “A properly designed and implemented security strategy protects your assets and delivers these four outcomes. “Availability of corporate assets so that you can use them when you want. If your systems are off-line or your assets disappear, you’re in trouble. “Integrity of those assets, meaning that data hasn’t been tampered with or physical assets haven’t been watered down. “Confidentiality of assets that are private so that you can maintain compliance and protect your secrets and the secrets of your customers. “And Accountability, making those who access the data responsible for their behavior so that you can prevent and prosecute bad behavior. “Do you know if you have all of these important elements covered in your security strategy?
- #13 [Objective: Identify the value beyond protection of a well designed and implemented security strategy.] “Yet a well-designed and implemented security strategy delivers more than just asset protection. “For example, it increases staff efficiencies from not having to individually deal with security issues like spam, viruses and rogue email and other security-related problems. “It increases in systems efficiency created by the security system because of upgraded technology that implements your security policies. “It eliminates cost of security breaches from unpatched software, one of the biggest problems we see that’s also one of the easiest to fix.”
- #14 [Objective: Educate about security threats. Yes, the photo is meant to shock. It’s what bad guys do. If you have recent news about a high-profile attack, mention it along with the company name. “If ______ can’t do it, how can you expect to do it without help?”] “Security is a real challenge. Keeping up with all of the emerging threats is more than a full-time job. For example, there is a new IT threat about every second. “The result is we read about high-profile attacks in the news every week. And if the big companies can’t keep up, how are you supposed to? We partner with vendors and companies who completely focus on dealing with the rapidly changing threats and bring that protection to you so that you don’t have to worry about it. “And there are always new attack points such as mobile devices, a very real problem today, data leakage – both unintentional and malicious – and social engineering such as phishing attacks and malicious websites. “Do you have systems, policies and education in places to manage these threats?”
- #15 [Objective: Educate on the multi-layer security model and identify potential holes.] “No single security system is 100 percent reliable. For this reason, we use a multi-layer approach to your security. “Access control is exactly that: Controlling who gets access to what with an emphasis on minimum required access. “Deter intrusion is usually what people think of when they here the word security. It’s things like locks and passwords. “Detect intrusion is what people think when they hear the word alarm system. It’s an alert that someone or something has gotten passed the locks or computer firewall. “Determine the attack nature helps us decide what to do right now. Typical solutions include video cameras and computer intrusion systems. “Delay further access is designed to slow down the bad guys. This is why you put valuable things in a safe that’s locked in a room that’s locked in the building. We can also do this with computer systems through multi-layer protection and multi-factor authentication. “Defend is what we do when the guards or police arrive. We can also do this with computers by cutting off access to the outside world if necessary. “Recover. If the worst happens and the bad guys are successful, we’ll have to clean up afterwards. This means restoring data and so forth. “Do you have all of these layers in place as part of your security strategy? “Which of these layers do you have in place? We can help with each of them.”
- #16 [Continued] “Furthermore, it reduces legal exposure from unsecured premises and computer systems. “We see increases in sales based on improved security and stability that increases customer confidence and competitive advantage. “It also reduces business interruptions caused by security breaches. For example, when you have a system outage, you may never know if it was a computer problem or an attack without the right systems in place. “Which of these improvements appeals to you most?”
- #17 [Objective: Discover what they want to secure in 5 minutes.] “With that discussion about security, let’s talk about your specific concerns to understand if we can address them to your satisfaction. [Ask and discuss the following questions for a minute or so each] “What do you need to secure? “What would it be worth to secure that? “What would it cost if it wasn’t secured? “What is your security policy?”
- #18 [Objective: Determine their specific objective.] “Thinking about your company and your security strategy, what would it be like if everything worked correctly? “How will you know who to choose to help you do this?”
- #19 [Objective: Offer high-level recommendations. This is an overview with details on following slides. 30 seconds.] “Based on what you’ve told us so far, I recommend exploring four steps. Do an assessment to identify what you have and what’s missing, review or create your security policy, identify a remediation plan to bring you into compliance, if necessary, and perform routine policy audits to make sure that you have correct implementation. Let’s look at each of these closer.”
- #20 “First, we start with an assessment. We review your situation using the seven layer security model and identify any issues. We will then recommend any specific actions with cost/risk analysis for your decision. If we find nothing, you’re just being cautious. And our customers tell us that counts in security!”
- #21 “Next, we review your security policy, looking for completeness and, more important, looking for areas that have changed, such as mobile devices and new compliance mandates. We are going to look for what you didn’t realize that you don’t know. “Our customers tell us that this gives them peace of mind.”
- #22 “Next, we’ll create a remediation plan, if required. This brings your compliance up-to-date and then we implement any adjustment to your policies.”
- #23 “And the last step that we recommend right now is to perform regular policy audits to make sure that you stay in compliance. “We educate your people when needed to minimize or eliminate issues such as social engineering. “And we can help your team with enforcement. Our customers tell us that they like for us to be the heavy when it comes to enforcing policies.”
- #24 [Objective: Get agreement to an assessment.] “Now it’s time for you to decided what you want to do next. I highly recommend that you agree to an assessment. Our expert security team will perform this. We then meet with you to review our findings and decide what the next steps will be. “Our assessment and review of findings is only $_______. “On a scale of one to 10, how confident are you that you need this assessment? [If they say anything less than a ten ask, “What do you need to get to a (their number plus one)]
- #25 [Objective: set details for the next meeting.] “Who on your team will be responsible for working with our people? “When can we get this on our schedule? “Let’s schedule a time to deliver our report of findings two weeks after that. “Perfect. Let’s get started!”