
Selling security



Presentation Transcript

  1. Selling security
     How to talk to the business that feeds you

  2. Cost and benefit in security
     • Risk analysis
     • Risk = Asset Cost × Threat Probability
     • Controls to prevent risks
     Cost of controls
     • Not only the direct cost of roll-out (license, installation)
     • Employee’s burden to use the control is also Cost
     • Control Cost > Asset Cost doesn’t make much sense
     Pretty obvious for Business folks
     Not so obvious for Security folks

  3. Security as a cost?
     • This is how it’s often seen by Business
     • Security = necessary evil, required by regulators, waste of our hard-earned money
     Security folks know the truth here
     • Often they can’t properly express it
     Security is not a cost
     Security is an investment to prevent losses
     • Spend $100k to prevent losing $1m = 10x benefit
     • It’s not: „Security spent $100k”
     • It’s: „Security helped save $1m for just $100k”

  4. Two ways to enable security
     Enforcement model
     • You have powers to enforce any control
     • Law, public administration, some corporate environments (financial, military)
     • If Asset Cost is HUGE, Security might take priority
     • YOU set the rules, and THEY must obey them
     Soft model
     • You have little power to enforce controls
     • Most private companies, most corporate environments
     • If Sales makes $5m revenue and Security makes a $500k „loss” quarterly, you have to be very careful before trying to put a stick in their wheels
     • Your weapons are: talk and listen – YOU must fit THEIR needs

  5. Kids with guns
     • If you have powers to enforce any control...
     • You will be tempted to enforce even the dumbest ones
     • Security vendors are good at overrating risks to sell stuff
     • Common approach among some regulators and governments
     • Example: qualified electronic signature for e-invoices in Poland
       • 5% usage since 2005 (mostly EDI)
       • Compare to Denmark’s 60% (mostly OCES)

  6. Don’t turn the shepherd into a policeman
     So even if you have powers...
     • Try to understand your client’s needs as much as possible
     • Client = your Sales dept, citizens, national business
     • Perform as much real-life risk analysis (including cost & benefit) as possible
     • Make sure your controls help things instead of breaking things
     • Periodically perform a reality check – how does my security help the business?
     • Otherwise you may destroy your organisation’s flexibility and competitive advantage
     • And lose your job – and make hundreds of other people lose their jobs as well

  7. Most important control from ISO 27001
     • „Obtain management support”
     • Everything starts here
     • If you don’t, business will ignore you and your controls, or try to work around them
     How to obtain management support?
     • Talk to business
     • Talk to management
     • It’s the best reality check you can think of
     • To convince old sharks you must have really good arguments
     • Don’t get tempted to grab some scary number from vendor-ordered „independent reports”

  8. If you failed to obtain management support
     You may be wrong
     • Make sure you REALLY understand where your salary comes from
     Management may be wrong
     • You might be right but used the wrong arguments – again, your fault
     • Management may already have selected controls using arguments other than rational risk analysis – you can’t do much about it

  9. „Talking to Business HOWTO”
     • Avoid „weasel talk” and buzzwords
     • Blacklist wording like: „some attacks exist that might pose a risk”
     Use as many facts and numbers as possible
     • Do use industry reports
     • But always filter them through your company’s context
     • Learn from historic incidents in YOUR organisation
     • A single such incident is worth 10 industry reports
     Perform periodic reality checks on your arguments
     • If necessary, drill down to a single specific incident
     • Build cause-reason trees
     • Make sure that at the end the threat is still there!

  10. Some examples – Ponemon Report (2006)
     Direct cost to handle data breach incidents
     • On average 4.8 million USD – from 226,000 to 22,000,000
     Cost of controls implemented after the breach
     • On average 180,000 USD for one incident
     Data loss caused by organisation-internal factors
     • 70% of cases caused by lack of data ownership, ignoring procedures and negligence
     Data loss during electronic data processing
     • 90% of incidents caused by loss of a laptop or electronic media

  11. Threat analysis – case study
     • Real-life incident from 2005
     • Financial industry, event still remembered by some management people
     • One stolen laptop resulted in ~5000 affected clients
     • Handling of every record cost ~115 USD
     • It pretty much fits Ponemon’s estimate from 2008 ($100-200 per record)
     • Even if no actual loss was caused to the clients (laptop was lost without trace)
     How much did this single incident cost the organisation at the end of the day? $500k

  12. Threat analysis – case study #2
     • FSA fined HSBC Group £3m, June 2009
     • Public report on FSA website
     • Detailed list of issues found
     • How many of these do you recognise in your organisation?
     • How close was the hit to your industry?

  13. Control analysis – last example
     Company deployed full-disk encryption (FDE)
     • All laptops covered, cost $100k
     Office break-in happens in 2009
     • 4 laptops stolen
     • 2 contained sensitive client records
     Cost for the organisation at the end of the day – close to ZERO
     • Hardware was covered by insurance
     • Data was backed up
     • Whole operating system was encrypted
     • You can prove this to the client, because all laptops are encrypted
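A worked cost-and-benefit calculation in the spirit of slides 2, 3, 11 and 13, added here as an example and not part of the original presentation. It applies Risk = Asset Cost × Threat Probability to the stolen-laptop case and the FDE control; the per-year theft probability, the user-burden cost and the residual breach probability are assumed values, not figures from the slides.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """A threat against an asset, priced the way slide 2 does it."""
    name: str
    asset_cost: float          # loss if the threat materialises, USD
    threat_probability: float  # probability of that loss per year

    def risk(self) -> float:
        # Risk = Asset Cost x Threat Probability
        return self.asset_cost * self.threat_probability


@dataclass(frozen=True)
class Control:
    """A control with its full cost: roll-out plus the burden on users."""
    name: str
    direct_cost: float           # licences, installation (USD)
    user_burden_cost: float      # employee time spent living with it (USD)
    residual_probability: float  # threat probability left once it is in place

    def total_cost(self) -> float:
        return self.direct_cost + self.user_burden_cost


def evaluate(scenario: Scenario, control: Control) -> dict:
    """Compare what a control costs with the loss it prevents."""
    risk_before = scenario.risk()
    risk_after = scenario.asset_cost * control.residual_probability
    prevented = risk_before - risk_after
    cost = control.total_cost()
    return {
        "risk_before": risk_before,
        "risk_after": risk_after,
        "loss_prevented": prevented,
        "control_cost": cost,
        # slide 3: "spend $100k to prevent losing $1m = 10x benefit"
        "benefit_ratio": prevented / cost if cost else math.inf,
        # slide 2: a control dearer than the asset, or than the loss it
        # prevents, makes no sense
        "worth_it": cost < prevented and cost < scenario.asset_cost,
    }


# Constructed input: slide 11's laptop (5000 records x ~$115, the slide rounds
# the total to $500k) and slide 13's $100k FDE roll-out. The 0.5/year theft
# probability, $20k user burden and 1% residual probability are assumptions.
LAPTOP_THEFT = Scenario("stolen laptop with client records", 5000 * 115, 0.5)
FDE = Control("full-disk encryption", 100_000, 20_000, 0.01)

if __name__ == "__main__":
    for key, value in evaluate(LAPTOP_THEFT, FDE).items():
        print(f"{key:>15}: {value}")
```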

  14. Questions?
     • Questions, comments
     • PAWEL.KRAWCZYK@HEWITT.COM
     • http://www.linkedin.com/in/pawelkrawczyk
