Cost Justifying IT Security
DESCRIPTION
My presentation at SuperStrategies on how to justify the cost of IT security. The key? Focus on how security can help reduce speculative risk instead of hazard risk.
TRANSCRIPT
Cost Justifying Security
Session #C3
Tuesday, April 24, 2012
3:45-5:00PM
Michael A. Davis
CEO, Savid Technologies
MIS Training Institute Session #C3 - Slide 2 © Savid Technologies
Who am I?
» Michael A. Davis
– CEO of Savid Technologies
• IT Security, Risk Assessment, Penetration Testing
– Speaker
• Blackhat, Defcon, CanSecWest, Toorcon, Hack In The Box
– Open Source Software Developer
• Snort
• Nmap
• Dsniff
» Savid Technologies
– Risk Assessments, IT Security Consulting, Audit and Compliance
Author
The Issue
“Single biggest security-related problem is a lack of Senior Level commitment to enterprise-wide security policies.”
Execs Are Paying Attention
• Source: Information Week Data Survey, 2011
We Protect, They Are Criticized
According to Bloomberg News, Sony has been subpoenaed by New
York attorney general Eric Schneiderman, who is "seeking information
on what Sony told customers about the security of their networks, as
part of a consumer protection inquiry." (Source: informationweek.com)
Rep. Mary Bono Mack (R-Calif.), the subcommittee chair, said that
Sony should have informed its consumers of the breach earlier and
said its efforts were “half-hearted, half-baked.” She was particularly
critical of Sony’s decision to first notify customers of the attack via its
company blog, leaving it up to customers to search for information on
the breach. (Source: washingtonpost.com)
Metrics, We need metrics!
We All Do Them
• Source: 2011 InformationWeek Analytics Strategic Security Survey
The Reality
• Source: 2011 InformationWeek Analytics Strategic Security Survey
Complex IT Projects Fail - A lot
Out Of 200 Multi-nationals:
• 67% Failed To Terminate Unsuccessful Projects
• 61% Reported Major Conflicts
• 34% Of Projects Were Not Aligned With Strategy
• 32% Performed Redundant Work
1 In 6 Projects Had A Cost Overrun Of 200%!
• Source: 2011 Harvard Business Review – Berlin Univ Technical survey
T-Mobile CISO On Metrics
• “Security experts can't measure their success without security metrics, and what can't be measured can't be effectively managed.”
~ Bill Boni, VP of IS, T-Mobile USA
Why Do We Care?
• Management Asks:
– “Are We Secure?”
• Without Metrics:
– “Depends How You Look At It”
• With Metrics:
– “Look At Our Risk Score Before This Project, It Dropped 15%. We Are More Secure Today Than Yesterday”
Where/What to measure
Strategy/Governance:
• IS Budget
• Spending/employee
• Policy gaps in existence
• Industry Standards Adopted
• Awareness Plan
Code Reviews, Project Risk Assessments, Exceptions/Waivers:
• % projects going through assessment process
• # of policy exceptions
• # of risk acceptances
• % projects doing code reviews
• Error rates
Tactical/Sec Ops (Vuln Management, Patch Management, Incidents, etc.):
• Freq of vuln assessment
• # outstanding vulns
• Rate of fixing
• Trend of incident response losses
Who are you?
• TCO
• Patch Latency
• SPAM/AV Stats
Examples of metrics
• Baseline Defenses Coverage (AV, FW, etc.)
– Measurement of how well you are protecting your enterprise against the most basic information security threats.
– 94% to 98%; less than 90% is cause for concern
• Patch Latency
– Time between a patch’s release and your successful deployment of that patch.
– Express as averages and by criticality
• Platform Security Scores
– Measures your hardening guidelines
• Compliance
– Measure departments against security standards
– Number of Linux servers at least 90% compliant with the Linux platform security standard
Phishing Still Works
Stop With The Confirmation Bias
• Risk Perception Is Bad
– Tornado vs. Kitchen Fire
– Less Familiar Risks Are Perceived As Greater Risk
• Favor Info That Matches Preconceptions
• Cause And Effect Processing
– Correlation Does Not Equal Causation
• We Manage Risk Using Metrics That Don’t Matter
It Is About Risk MANAGEMENT
Effective Metrics Catalogs Define:
• Category
• Metric
• How To Measure
• Purpose Of This Metric
• Target Audience
• Reporting Frequency/Period
5 Signs You Have a Confirmation Bias
• Using Quantitative Risk Scores To Make Decisions
• Looking At Security Events Instead Of Probability Of Vulnerabilities
• Talking About Risk In Terms Of “Industry Data”
• Lack Of Risk Management
• Inability To Communicate Risk
Security Metric Gotchas
• Not Tracking Visibility
– What % is the metric representing?
– Develop a baseline for acceptance
• Not Trending
– Provide at least 4 previous periods and a trend line
• Not Providing Forward Guidance
– Red, Green, Yellow (Worse, Better, Same)
• Not Mapping To A Business Goal
• Focusing On Hazard Risk
• Not Using Qualitative Metrics
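An added example (not from the slides) that computes three of the metrics described above: baseline defenses coverage with the slide's 90%/94% thresholds, patch latency averaged per criticality, and a trend line over the current period plus four previous ones turned into Red/Yellow/Green forward guidance. The host inventory and patch dates are constructed, and the 5%-of-mean band used to call a trend "same" is an assumption, not a figure from the deck.

```python
from datetime import date
from statistics import mean

# Constructed sample host inventory: (host, av_installed, firewall_enabled)
HOSTS = [("web01", True, True), ("web02", True, False), ("db01", True, True),
         ("lap07", False, True), ("lap08", True, True)]

# Constructed sample patch records: (criticality, release date, deployed date)
PATCHES = [("critical", date(2012, 3, 6), date(2012, 3, 9)),
           ("critical", date(2012, 3, 13), date(2012, 3, 20)),
           ("important", date(2012, 3, 6), date(2012, 3, 27)),
           ("low", date(2012, 2, 14), date(2012, 4, 2))]

def baseline_coverage(hosts):
    """Percent of hosts with every baseline defense (AV and firewall) in place."""
    covered = sum(1 for _, av, fw in hosts if av and fw)
    pct = 100.0 * covered / len(hosts)
    # Thresholds from the slide: 94-98% is typical, below 90% is cause for concern.
    status = "concern" if pct < 90 else ("ok" if pct >= 94 else "watch")
    return round(pct, 1), status

def patch_latency(patches):
    """Average days from a patch's release to its deployment, per criticality."""
    days = {}
    for crit, released, deployed in patches:
        days.setdefault(crit, []).append((deployed - released).days)
    return {crit: mean(v) for crit, v in days.items()}

def forward_guidance(periods, lower_is_better=True):
    """Trend over the current period plus at least 4 previous ones (oldest first).
    Fits a least-squares line and returns (slope, colour), the colour being the
    slide's forward guidance: Red = worse, Green = better, Yellow = same."""
    if len(periods) < 5:
        raise ValueError("need the current period plus at least 4 previous periods")
    xs = list(range(len(periods)))
    xbar, ybar = mean(xs), mean(periods)
    slope = (sum((x - xbar) * (y - ybar) for x, y in zip(xs, periods))
             / sum((x - xbar) ** 2 for x in xs))
    # Assumption (not from the slides): a slope under 5% of the mean per period is "same".
    if abs(slope) < 0.05 * abs(ybar):
        return slope, "Yellow"
    improving = slope < 0 if lower_is_better else slope > 0
    return slope, ("Green" if improving else "Red")

if __name__ == "__main__":
    print(baseline_coverage(HOSTS))             # (60.0, 'concern')
    print(patch_latency(PATCHES))               # {'critical': 5, 'important': 21, 'low': 48}
    print(forward_guidance([12, 11, 9, 8, 6]))  # critical-patch latency falling: Green
```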
Hazard vs Speculative Risk
Linking to Business Goals
Outcome Management
Conclusion
Contact Information
Michael A. Davis
708-532-2843
Twitter: @mdavisceo