1. The Fallacy of Risk Analysis
M. Raposo
Marco Raposo 2010 http://pt.linkedin.com/in/marcoraposo
Free to copy, distribute. You must attribute the work in the manner specified by the author. You may not use this work for commercial purposes.
2. If CVs could speak…
“As a Senior Credit Risk Manager in Citigroup,
I was able to sustain billions in financial
losses and bankrupt a centenary institution”
Citigroup Acknowledges Poor Risk Management
New York Times, October 16, 2007
3. Some Security Trends in Recent Years
Growing importance of Quality of Service
27001 moving towards the 2700x family
Cloud Security arising
Focus on Business Continuity Management
Response moving towards prevention (e.g. Data Loss Prevention)
Growing focus on Governance, Risk management and Compliance (GRC)
Security issues moving up the OSI layers
4. The Focus on the RA and on Standards
Risk Analysis has been positioned on the market as the cost-rational tool
Standards as the right security approach
27001 leveraged as the maximum exponent of security
223M € - BSI Group financial performance in 2008
Bulk training from several organizations (BSI, ISC2, ISACA, SANS, VISA, etc.)
Certifications: too much noise and unbalanced value
5. The Limitations
The RA approach is similar to one-to-one marketing
RA in the enterprise micro system is effective
However, it only acts within boundaries
With changing trends, Internet and information ubiquity, the boundaries are diffuse
RA approaches within certifications are in fact a “global” response strategy
Standards are just standards. They don’t say “When” and “Why”
6. National Landscape
Portuguese Market*
99,6% SMBs
SMBs represent 75% of employment
56,4% of GDP
* IAPMEU feb 2008
Our addressable market is smaller
Our long tail is bigger
Models/investments profitable in other environments might not be profitable in the local market
7. Question?
Q: Do we need to perform Risk Analysis to cross the street?
A: NO. We use a set of simple rules
Q: Do we need to perform Risk Analysis to cross a street full of traffic while a dog is chasing us?
A: Yes.
8. Back to the Basics
• Do we need Risk Analysis to set priorities?
* ISACA Journal Jan 2010
9. Risk Analysis Approaches vs Baseline Security
TCS(RA) = Sunk Costs + Security Implementation − Avoided Loss Expectancy(RA)
TCS(BS) = Security Implementation − Avoided Loss Expectancy(BS)
If ( Avoided Loss Expectancy(RA) − Avoided Loss Expectancy(BS) > Sunk Costs )
{
Risk Analysis is effective
}
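The comparison on this slide, worked through as an added example (not from the deck): it applies the TCS formulas and the effectiveness rule to a constructed scenario, and goes one step beyond the slide by letting the avoided loss accrue over a multi-year horizon while the sunk analysis cost is paid once, which is what decides the break-even point. The 110k yearly loss figure comes from slide 11; the 80%/90% coverage shares, the 40k implementation cost and the 15k sunk cost are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

EXPECTED_LOSS_PER_YEAR = 110_000.0  # worst-case per-company loss quoted on slide 11 (EUR)


@dataclass(frozen=True)
class Approach:
    name: str
    implementation: float      # cost of the controls deployed (EUR)
    avoided_fraction: float    # share of the expected loss the controls prevent
    sunk_costs: float = 0.0    # analysis effort that buys no control (RA only)

    def avoided_loss_expectancy(self, years: int) -> float:
        # Avoided loss accrues every year the controls stay in place
        return EXPECTED_LOSS_PER_YEAR * self.avoided_fraction * years

    def total_cost_of_security(self, years: int) -> float:
        # TCS = Sunk Costs + Security Implementation - Avoided Loss Expectancy
        return self.sunk_costs + self.implementation - self.avoided_loss_expectancy(years)


def risk_analysis_is_effective(ra: Approach, bs: Approach, years: int = 1) -> bool:
    # Slide rule: Avoided Loss Expectancy(RA) - Avoided Loss Expectancy(BS) > Sunk Costs
    extra_avoided = ra.avoided_loss_expectancy(years) - bs.avoided_loss_expectancy(years)
    return extra_avoided > ra.sunk_costs


def break_even_years(ra: Approach, bs: Approach, max_years: int = 20) -> Optional[int]:
    # First horizon at which the extra avoided loss has paid back the one-off sunk costs
    for years in range(1, max_years + 1):
        if risk_analysis_is_effective(ra, bs, years):
            return years
    return None


# Constructed scenario: a baseline control set covers 80% of the risk (the Pareto claim on
# slide 14); a tailored, RA-driven set covers 90% but needs 15k EUR of analysis up front.
BASELINE = Approach("Baseline Security", implementation=40_000, avoided_fraction=0.80)
RISK_ANALYSIS = Approach("Risk Analysis", implementation=40_000, avoided_fraction=0.90,
                         sunk_costs=15_000)

if __name__ == "__main__":
    for years in (1, 2):
        print(f"{years} year(s): RA effective = {risk_analysis_is_effective(RISK_ANALYSIS, BASELINE, years)}, "
              f"TCS(RA) = {RISK_ANALYSIS.total_cost_of_security(years):,.0f}, "
              f"TCS(BS) = {BASELINE.total_cost_of_security(years):,.0f}")
    print("break-even horizon (years):", break_even_years(RISK_ANALYSIS, BASELINE))
```

In this scenario the analysis effort is a loss over one year (the 11k of extra avoided loss does not cover the 15k sunk cost) and pays back from the second year on, which is why the slide's rule needs a stated time horizon before it can be applied.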
10. The 27001 Business Case
• Brand
• New Business Enabling
• Security Savings
• Insurance Reduction
• Incident Response
• Potential Savings
• Very hard to quantify due to event correlation
11. Expected Financial Impact per Company
• Monetary impact of security incidents is decreasing
[Chart: Expected Loss Per Company, scale 0 € to 250.000 € per year]
* CSI/FBI COMPUTER CRIME AND SECURITY SURVEY 2008
Side Note: in the 2009 report the number of incidents rose together with the financial impact.
Currently each company is faced with a potential loss of 110k per year (worst case scenario). Solutions should be cost effective and long term.
12. Risk Analysis Approaches vs Baseline Security
Risk Analysis Approach
• Top-Down Approach
• Maintenance efforts (scenario based approach)
• Bigger maintenance efforts (Residual Risk approach)
• Sunk Costs
• Complexity
Baseline Security
• Bottom-Up Approach
• Cost Effective Security
• Simplicity
• Fast Deployment
• Suitable for SMBs and low CMM
• Effective in turbulence
13. The Missing Link
Security By Design
• The only effective approach in the long term is to complement “security by design” with top-down approaches
• Security by design will create a “stable equilibrium” with self-correcting properties
• The community should leverage “Security by Design”
14. “The Security Guerrilla” Concept
• The “security guerrilla” approach is effective with SMBs
• 80% of common risks are mitigated with 20% of controls (Pareto’s principle)
• The pace of change in many SMBs does not have a significant impact
• Very cost effective approach
15. Open Debate (3 min)
Q: What is the security value proposition?
16. Back to the Basics – Strategic Alignment
• What does alignment mean?
• What is your company’s/customer’s generic competitive strategy?
• What are your company’s/customer’s directional strategies?
• What are the business compelling events?
– Losing customers to the competition
– Exploiting new market opportunities
– Pressure to reduce cost
– New regulatory requirements
• How does security contribute to them?
17. Back to the Basics - The Enabler Role
• Security must respond to compelling events and existing strategies
• Risk Analysis should be a tool and Risk Management a good practice
• Certification must be a byproduct of security
• Security must be a byproduct of business
• Standards are not a religion (many diverge)
• From strategy to tactics and operations: where is the security plan?
18. Back to the Basics - The Security Practitioner
• Adopt pragmatic perspectives
• Key role on the “Why” and “When”
• Focus on business, not on security
• Develop negotiation, communication and management skills
• Balance all parts of security
• Acronyms are not security (CISSP, CISM, CISA, ISO LA, etc.)
• Adopt out-of-the-box thinking
19. Food for Thought
• Who manages security better?
– A security manager
– A general manager
• Many managers have a great perception of risk (give me a manager that has ensured a positive P&L in a turbulent market or recession)
• Security practitioners are often too biased (no thinking out of the box, no systemic view of problems)
• Technically focused people normally have strong technical skills and limited communication or negotiation skills
20. Some Closing Remarks
• Security, standards and methodologies are often applied blindly by the community
• No political, sociological, economic or technological environment is accounted for
• Like everything, security has trade-offs and a break-even point
• Not all security is controls, frameworks and methodologies
• Security is more business and less security
• Every time you fail to properly demonstrate security’s added value, you are contributing negatively
21. Where to Go?
• Security must run the “extra mile” to meet business needs in efficient and effective ways
• Security should adapt to the environment
• Resources in security are sparse. Prioritize them.
• For any given option, clearly state the “break-even” and the compromises
• Practitioners must bet on soft skills
• Switch from worn-out and cliché messages
• Back to the plan: a good management practice is to have a plan. Put it in place. Prioritize it, assign resources, deploy, measure results
22. Discussion
marco.raposo@alcatel-lucent.com
M: +351 968779278