Download - Selling Data Security Technology
![Page 1: Selling Data Security Technology](https://reader033.vdocument.in/reader033/viewer/2022050919/547bf392b4af9fef158b4f6b/html5/thumbnails/1.jpg)
Licensed under the Creative Commons Attribution LicenseDanny Lieberman
[email protected] http://www.controlpolicy.com/
Selling Data security to the CEO
![Page 2: Selling Data Security Technology](https://reader033.vdocument.in/reader033/viewer/2022050919/547bf392b4af9fef158b4f6b/html5/thumbnails/2.jpg)
Sell high
“it's a lot easier to manage a big project than a small one”
Boaz Dotan – Founder of Amdocs (NYSE:DOX), $5.3BN Cap.
![Page 3: Selling Data Security Technology](https://reader033.vdocument.in/reader033/viewer/2022050919/547bf392b4af9fef158b4f6b/html5/thumbnails/3.jpg)
Agenda
• Introduction and welcome
• What is data security?
• Defining the problem
• After Enron
• Weak sales strategy
• The valley of death
• Strong sales strategy
• Execution
![Page 4: Selling Data Security Technology](https://reader033.vdocument.in/reader033/viewer/2022050919/547bf392b4af9fef158b4f6b/html5/thumbnails/4.jpg)
Introduction
• Our mission today– How to sell data security to the CEO
![Page 5: Selling Data Security Technology](https://reader033.vdocument.in/reader033/viewer/2022050919/547bf392b4af9fef158b4f6b/html5/thumbnails/5.jpg)
What the heck is data security?
• Security– Ensure we can survive & add value
• Physical, information, systems, people
• Data security– Protect data directly in all realms
![Page 6: Selling Data Security Technology](https://reader033.vdocument.in/reader033/viewer/2022050919/547bf392b4af9fef158b4f6b/html5/thumbnails/6.jpg)
Defining the problem
• You can't sell to a need that's never been observed(*)
– Little or no monitoring of data theft/abuse
• Perimeter protection, access control– Firewall/IPS/AV/Content/AD
(*) Paraphrase of Lord Kelvin
![Page 7: Selling Data Security Technology](https://reader033.vdocument.in/reader033/viewer/2022050919/547bf392b4af9fef158b4f6b/html5/thumbnails/7.jpg)
What happened since Enron
• Threat scenario circa 1999– Bad guys outside– Lots of proprietary protocols– IT decides
• Threat scenario circa 2009– Bad guys inside– Everything on HTTP– Vendors decide
![Page 8: Selling Data Security Technology](https://reader033.vdocument.in/reader033/viewer/2022050919/547bf392b4af9fef158b4f6b/html5/thumbnails/8.jpg)
Weak sales strategy
IT – data security is “very important”...Forrester
Management board – fraud/data theft can maim or destroy the company...SarbanesOxley
![Page 9: Selling Data Security Technology](https://reader033.vdocument.in/reader033/viewer/2022050919/547bf392b4af9fef158b4f6b/html5/thumbnails/9.jpg)
Mind the gap
IT – We can get DLP technology for 100K and the first 6 months are free....Websense
Management board – We have Euro 100M VaR...PwC
![Page 10: Selling Data Security Technology](https://reader033.vdocument.in/reader033/viewer/2022050919/547bf392b4af9fef158b4f6b/html5/thumbnails/10.jpg)
The valley of death
Month 1 Month 1218Month 5
Logical &rational
Emotional & Political
IT Requirements
CapabilitiesPresentation
Compliance requirements
Evaluatealternatives
Close
Project
Meetvendors
Talk toanalysts
Losing control
![Page 11: Selling Data Security Technology](https://reader033.vdocument.in/reader033/viewer/2022050919/547bf392b4af9fef158b4f6b/html5/thumbnails/11.jpg)
Why you lose control
• Issues shift– Several vendors have technology
• Non-product differentiation
• Divided camps– Nobody answers all requirements
• Need a political sponsor
• Loss of momentum– No business pain– No power sponsors
![Page 12: Selling Data Security Technology](https://reader033.vdocument.in/reader033/viewer/2022050919/547bf392b4af9fef158b4f6b/html5/thumbnails/12.jpg)
Strong sales strategy
• Build business pain– Focus on biggest threat to the firm– Rational
• Get a power sponsor– CEO,COO, CFO,CIO– Personal
![Page 13: Selling Data Security Technology](https://reader033.vdocument.in/reader033/viewer/2022050919/547bf392b4af9fef158b4f6b/html5/thumbnails/13.jpg)
Close the gap
Toxic customer data VaR: 100M VaR reducation: 20M Cost: 1M over 3 years...Security & Risk
Management board – We have 100M VaR...PwC
![Page 14: Selling Data Security Technology](https://reader033.vdocument.in/reader033/viewer/2022050919/547bf392b4af9fef158b4f6b/html5/thumbnails/14.jpg)
Execution – building business pain
• Prove 2 hypotheses:– Data loss is happening now.– A cost effective solution exists that
reduces risk to acceptable levels.
![Page 15: Selling Data Security Technology](https://reader033.vdocument.in/reader033/viewer/2022050919/547bf392b4af9fef158b4f6b/html5/thumbnails/15.jpg)
H1: Data loss is happening
• What keeps you awake at night?
• What data types and volumes of data leave the network?
• Who is sending sensitive information out of the company?
• Where is the data going?
• What network protocols have the most events?
• What are the current violations of company AUP?
![Page 16: Selling Data Security Technology](https://reader033.vdocument.in/reader033/viewer/2022050919/547bf392b4af9fef158b4f6b/html5/thumbnails/16.jpg)
H2: A cost effective solution exists
• Value of information assets on PCs, servers & mobile devices?
• What is the Value at Risk?
• Are security controls supporting the information behavior you want (sensitive assets stay inside, public assets flow freely, controlled assets flow quickly)
• How much do your current security controls cost?
• How do you compare with other companies in your industry?
• How would risk change if you added, modified or dropped security controls?
![Page 17: Selling Data Security Technology](https://reader033.vdocument.in/reader033/viewer/2022050919/547bf392b4af9fef158b4f6b/html5/thumbnails/17.jpg)
What keeps you awake at night
Asset has value, fixed over time or variablePlans to privatize, sell 50% of equity
Threat exploits vulnerabilities & damages assets. IT staff read emails and files of management board
Employee leaks plans to pressBuyer sues for breach of contract.
Vulnerability is a state of weakness mitigated by a
countermeasure.IT staff
have accessto mail/file servers
Countermeasure has a costfixed over time or recurring.
Monitor abuse of privilege & Prevent leakage of
management board documentson all channels.
![Page 18: Selling Data Security Technology](https://reader033.vdocument.in/reader033/viewer/2022050919/547bf392b4af9fef158b4f6b/html5/thumbnails/18.jpg)
Calculating Value at Risk
MetricsAsset value, Threat damage to asset,Threat probability
Value at Risk=Threat Damage to Asset x Asset Value x Threat Probability
(*)PTA Practical threat analysis risk model
![Page 19: Selling Data Security Technology](https://reader033.vdocument.in/reader033/viewer/2022050919/547bf392b4af9fef158b4f6b/html5/thumbnails/19.jpg)
Coming attractions
• Sep 17: Selling data security technology• Sep 24: Write a 2 page procedure• Oct 1: Home(land) security• Oct 8: SME data security
http://www.controlpolicy.com/workshops
![Page 20: Selling Data Security Technology](https://reader033.vdocument.in/reader033/viewer/2022050919/547bf392b4af9fef158b4f6b/html5/thumbnails/20.jpg)
Learn more
• Presentation materials and resourceshttp://www.controlpolicy.com/workshops/data-security-workshops/
• Software to calculate Value at RiskPTA Professionalhttp://www.software.co.il/pta