Rethinking Security to Enable Business LJ Johnson Nike’s Global Information Security Officer August 16, 2005

Post on 21-Dec-2015


Page 1

Rethinking Security to Enable Business

LJ Johnson
Nike’s Global Information Security Officer

August 16, 2005

Page 2

Agenda

Today’s Security Realities
Perception of Security
Showing the business value of Security
The 3 R’s
Seeing Security Differently
Retooling to leverage the Value

Page 3

Today’s security realities…

Threats are on the rise
Time to respond has decreased
Regulatory pressures are on the rise
Business integration has eroded the network perimeter
Spending more on security doesn’t equate to better protection

Page 4

When we think of Security

Guns - Guards - Geeks
Keeping bad guys out
Cost center focused
Poorly defined metrics
Lost in translation
Out of alignment with business drivers
Unable to show business value

Page 5

Traditional Security Approaches

Infrastructure security point solutions
  Firewalls
  VPN
  Antivirus Software
Security operations
  Account creation
  Passwords
Application Security
  Authorization policies

Page 6

What’s the impact?

Technology focus
Higher TCO
Long and costly cycles
  System access
  Application development
  Provisioning
Inconsistent policies
Focused on threat Avoidance vs. Risk Management
Perceived as inflexible
Not seen as a ‘value add’

Page 7

Showing the value of Security

Instead of Threats – focus on the 3 R’s
  Revenue
    How can security increase revenue opportunities?
    Can security help to reduce or avoid costs?
    What are your key information assets?
  Reputation
    What is your brand worth?
    What are your relationships worth?
  Regulations
    What are you required to do?

Page 8

Revenue Opportunities

Efficiency Gains and Reduced Costs
  Centralized identity controls
  Self Registration
  Automated password resets
  Spam filtering
  Outsourcing
  Early Risk Assessments
  Lower TCO

Page 9

Revenue Opportunities

New market opportunities
  Could security be a market differentiator?
  Secure ebiz strategy
Barriers to entry
  Patents
Speed to Market initiatives
  Business process improvements
  Shortened development cycles
  Automated provisioning

Page 10

Revenue Opportunities

Information Asset Protection
  Protect what matters most
  Apply the same principles as insuring your physical assets
  Could you lower your insurance premiums by implementing stronger security?

“Intangible assets such as intellectual property represent approximately 60% to 80% of a company’s assets.”

– Accenture Survey 2004

Page 11

Security as a Differentiator

Page 12

Reputation

What’s your Brand Equity value?

What do you spend on demand creation to grow your market?

What would be the impact to your stock price if your customer database were hacked?

Page 13

Examples of reputation damage

Page 14

Regulations

SOX, GLBA, HIPAA, EU Privacy….
What regulations are relevant to your industry?
What are your local and overseas requirements?
Are your service providers also in compliance?
Are there competitive advantages to anticipating the next set of regulations?

Page 15

Retooling your organization

Gain Business Ownership
  Move security to an advisory role & let the business decide
Seek new Funding Models
  Tie key security operational costs to IT but push more security costs out to business units
Restructure to deliver the right services
Develop an IP Protection Strategy
  Define what’s most important to protect

Page 16

Retooling your organization

Improve Communications
  Focus on Risk Management rather than threats and vulnerabilities
  Measure and communicate biz value
Expand Team Skills
  ALL personnel should be security literate
  Require security personnel to understand the business
Improve processes
  Tie security & risk to procurement, SDLC, operational processes
  Focus more on Value Proposition and less on ROI
Establish Accountability
  Tie performance reviews and merit increases to compliance and awareness levels

Page 17

Page 18

Questions / Comments?

Page 19

Changing the Paradigm

Stop seeing Security as only technology

Require your security teams to talk “Business”

Determine the right level of risk
Focus on process improvements
Communicate the value security brings to the business – the 3 R’s
  Faster to market
  Improved productivity
  New revenue streams
  Stronger brand

Page 20

“It’s not the strongest species that survives, nor the most intelligent, but the ones most responsive to change…”

Charles Darwin