Are you a top manager, business owner, or CISO, responsible for your company’s information security? Do you want to understand how much you should invest in cybersecurity, and what is more important – how to measure the efficiency of security investment (ROSI)? Do you want to know how much other organizations invest in a corporate security of small, medium, and enterprise businesses in Ukraine and the world? And what are the indicators you should follow when evaluating your company’s security program? We will help you deal with these and other difficult questions, different points of view and find some answers on the webinar by Berezha Security Group professionals. The VIDEO WITH WEBINAR in English is by the link: https://youtu.be/IVCVpi8Eo6g Questions to discuss: 1. What should CISOs and top managers know about Return on Security Investment? 2. Average costs of corporate security for small, medium, and enterprise businesses. 3. Investing in cybersecurity: how to showcase the effectiveness? 4. Leading indicators of cybersecurity investment effectiveness on practice. 5. Are there any “secrets” of effective cybersecurity investment? 6. What cybersecurity strategy will bring the best Return on Security Investment? 7. Strategic services for planning a cybersecurity program. 8. Questions and Answers. Our speakers -Vlad Styran, CISSP CISA, Co-founder & CEO, BSG Vlad is an internationally known cybersecurity expert with over 15+ years of experience in Penetration Testing, Social Engineering, and Security Awareness. He is a BSG Co-founder & CEO and responsible for business and cybersecurity strategies. He could help businesses with consulting services in software security, cybersecurity awareness, strategy, and investment. Also, he acts as a speaker, blogger, podcaster in his volunteer activities. - Andriy Varusha, CISSP, Co-founder & CSO, BSG Andriy is an experienced top manager in IT-audit, consulting, and IT project management by leading outsourcing teams in Ukraine, Poland, and the USA. He also is keen on building customer relationships within the US, UK, and Western Europe geographies. At BSG, he leads the BSG advisory practice and consults development teams in all aspects of cybersecurity. Who we are? Berezha Security Group (BSG) is a Ukrainian consulting company focused on application security and penetration testing. Our job is to help companies in all aspects of cybersecurity. We complete more than 50 Penetration Testing and Application Security projects yearly, so we know the business security vulnerabilities across the verticals. We help our customers address their future security challenges: prevent data breaches and achieve compliance. Our contacts: hello@bsg.tech ; https://bsg.tech

1. How to Invest Efficiently in
Cybersecurity?
(Return on Security Investment)
https://bsg.tech
hello@bsg.tech

2. Over 15 years in cybersecurity
OSCP, CISSP, CISA
Blogger, podcaster, and conference speaker
Provides consulting services in software security,
cybersecurity awareness, strategy, and
investment.
sapran@bsg.tech
Vlad
Styran

3. 10+ years of experience in IT-audit and
consulting, IT project management
Experiences in leading large outsourcing
teams in Ukraine, Poland, and USA
Experiences in building customer
relationships within the US, UK, and
Western Europe geographies.
Leads the BSG advisory practice and consults
large development teams in all aspects of
cybersecurity. varusha@bsg.tech
Andriy
Varusha

4. Our job is to help companies in all
aspects of cybersecurity. We
complete more than 50 security
projects yearly. And we are aware of
the business security vulnerabilities
across the verticals.
We help our customers address their
future security challenges: prevent
data breaches and achieve
compliance.
About BSG

5. What should CISOs and top managers know about ROSI?
Investing in cybersecurity: how to showcase the effectiveness?
Leading indicators of cybersecurity investment effectiveness on practice.
Are there any "secrets" of effective cybersecurity investment?
What cybersecurity strategy will bring the best ROSI?
Strategic services for planning a cybersecurity program.
Questions and Answers.
1.
2.
3.
4.
5.
6.
7.
Plan for Today

6. What should CISOs and Top Managers
know about Return on Security Investment?
1.

7. Is it the same thing?
Effectiveness vs Efficiency
of Security Investment

8. *ROI measures the amount of return on a particular investment, relative to the investment’s cost.
ROI vs ROSI in Cybersecurity:
How to Calculate?
Gain from investment – Cost of investment
ROI = _____________________________________________
Cost of investment
ALE * mitigation ratio – Cost of solution
ROSI = _____________________________________________
Cost of Solution
*ROSI integrates the risks and costs associated with a security incident, combines that with the
impact of a security solution.

9. IT doesn’t speak the same
language as business
What is the primary value of cybersecurity for business?

10. Business Mindset vs CISO Mindset
How bad the outcome of the attack,
its frequency and probability
in dollars?
What the best I can do
to minimize risks
and get the best value
per dollar invested?

11. The Gordon Loeb Model

12. The Gordon Loeb Rule
Never spend on security more than 37% of your
expected loss without the security investment

13. 2. Investing in Cybersecurity:
How to Showcase the Effectiveness?

14. The Gordon Loeb Rule
Never spend on security more than 37% of your
expected loss without the security investment
Asset worth $1,000,000
Probability of attack 0.07
Probability of the attack's success 0.42
Optimal security investment:
1,000,000 x 0.07 x 0.42 x 0.37 = 10,878

15. Don't move the ball in one direction

16. Security Productivity and Cost of Security
1.Secon101x
https://www.edx.org/course/cyber-security-economics-delftx-secon101x-0
2. Ross Anderson’s Economics and Security resource page
http://www.cl.cam.ac.uk/%7Erja14/econsec.html
3. Bruce Schneier on Economics of Security
https://www.schneier.com/essays/economics/
4. Vlad Styran - Security Economics@ OWASP Kyiv Winter 2017
https://www.youtube.com/watch?v=vZAldeJ-_rw

17. 3. Indicators of Cybersecurity Investment
Effectiveness on practice

18. Everyone gets hacked, and you don’t
1.
How to demonstrate the Return on
Security Investment?
2. You look for the signs of getting hacked,
and can`t find them.
3. You pay others to hack you, and they
have a hard time doing it.
4. Everyone pays high insurance
premiums and you don’t.
5. When you finally get hacked,
it is not a big deal.

19. 4. Are there any "Secrets" of Effective
Cybersecurity Investment?

20. Informationisbeautiful:
World's Biggest Data Breaches & Hacks
https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

21. Statista: Statistics of Cyber Crime and Security
https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/

22. CSIS: Statistics of Cyber Crime and Security
https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents

23. EnforcementTracker: GDPR Enforcement Tracker
https://www.enforcementtracker.com/

24. Verizon: Data Breach Investigations Report
https://enterprise.verizon.com/resources/reports/dbir/

25. National Vulnerability Database
https://nvd.nist.gov/vuln

26. CISA (USA)
https://www.cisa.gov/

27. Forrester
https://go.forrester.com/blogs/category/cybersecurity/

28. Gartner
https://www.gartner.com/en/information-technology/insights/cybersecurity

29. 5. What Cybersecurity Strategy will bring
the best Return on Security Investment?

30. Find out what your company do and what is
important for clients in terms of security
1.
Building a Strategic Cybersecurity Plan
2. Determine ways how cybercriminals can
disrupt your business activity a cause harm
3. Plan actions of how to prevent and
mitigate cyber incidents
4. Review and test your chosen strategy by
hiring a pentest firm or internally

31. 6. Strategic Services for Planning a
Cybersecurity Program

32. Security Consulting
Governance, Risk & Compliance
Application Security
Penetration Testing
Security Awareness
Security Program Services

33. Projects and Clients
Review
BSG Security
Findings
https://bit.ly/bsg2020report

34. Questions and Answers

35. Stay in Touch With
If you have any questions,
please contact us at:
https://bsg.tech
hello@bsg.tech