SlideShare a Scribd company logo

Prof m02 v2

S
SelectedPresentations

This document discusses how information security professionals can better convey their value proposition to management. It argues that security's value is in managing risk by reducing the frequency and impact of losses. However, common misconceptions about quantifying risk must be addressed. The document provides examples of how to package risk information clearly and concisely for decisions around spending, prioritization, and multi-year strategies. Effectively communicating value can increase influence, but also brings new challenges like politics and decisions you may not agree with. Overall it emphasizes quantifying risk to reduce losses in a way that is clear, concise and defensible to management.

1 of 37
Download to read offline
Session ID: Session Classification: PROF-­‐M02 General  Interest Will They EVER “Get” Security? CXOWARE Jack Jones
News Flash... Management doesn’t care about security
Question... How are 1/4” drill bits similar to security?
What we’ll cover... ► Infosec’s value proposition ► Crippling misconceptions ► Packaging and conveying our value prop ► Be careful what you wish for... ► Q&A
Infosec’s Value Proposition
Remember my question... How are 1/4” drill bits similar to security?
Infosec’s Value Proposition Its affect on the frequency and magnitude of loss (i.e., managing risk)
Which is likely to be more meaningful? We need to implement security technology/process/ policy X because it’s best practice or... If we implement security technology/process/policy X it will take us from a level 4 (high) risk to a level 2 (medium) risk or...
Which is likely to be more meaningful? If we implement security technology/process/policy X at a cost of $120k, we’ll reduce our average annualized loss exposure from $1.5M to $200k $1,500,000& $200,000& Before& A.er& Annualized*Loss*Exposure*(avg)*
News flash... Management cares about exposure to loss
Crippling Misconceptions
Crippling misconceptions ► Risk can’t be measured ► There isn’t enough data for quantitative analysis ► Quantitative analysis is impractical ► Infosec risk is different from other forms of risk ► Business people will always accept risk ► You can do meaningful math on ordinal values
Risk can’t can be measured ...but first you have to define it and understand it ► From a practical perspective, risk boils down to “exposure to loss” ► If you can estimate/measure the probable frequency of a loss event and the probable impact of that event, then you are measuring the risk associated with the event
A common problem though... Recently reviewed an organization’s risk register and found things like: ► Failure to patch vulnerabilities ► Default passwords ► Failure to make system backups ► Disgruntled employees ► Unencrypted laptops Problem: These aren’t loss events, so you can’t assign a meaningful frequency and magnitude of loss to them
There isn’t enough data ► You have more data than you think you do, and you need less data than you think you do ► You just have to know where to look and how to make the best use of what you have ► Book: How to Measure Anything - by Douglas Hubbard ► Leverage ranges, distributions, and Monte Carlo
There isn’t enough data
Quantitative analysis is impractical ► Quantitative analysis does NOT have to require a lot of research and data ► Quick and dirty is often good enough ► A lot of data is reusable across similar scenarios ▶ Effective use of ranges and distribution can faithfully represent the quality of your data
Infosec risk is different than other forms of risk ► Boiled down, risk is simple “exposure to loss” ► Exposure to loss is fundamentally the same in principle whether we’re dealing with armed conflict, personal injury, investments, or data breaches NO ^
Business people will always accept risk ► When presented with good quantitative analysis, I’ve found business leaders to be remarkably risk averse ► The key is that the information we provide them has to be rational and defensible NOT ^
You can can’t do math on ordinal values Qualitative Scale (Ordinal) What does x equal? What does + equal? Very High High Moderate Low Very Low 5 4 3 2 1
Packaging and conveying our value proposition
What’s the purpose? ► The purpose is to support well-informed decisions ► Understand what decisions are at stake and focus on providing only what’s required to support those decisions ► This is also NOT about “convincing” executives to see things our way.
My criteria for communications: ► Clear - Simple terminology, no infosec/IT acronyms ► Concise - Less is more ► Accurate - Absent bias and hyperbole ► Useful - Meaningful and actionable
Keys to packaging and communicating Above all, be able to defend what you present
Examples...
Spending decision example ! Current State: Before additional controls ! Future State: After additional controls
Prioritization example $- $5,000,000 $10,000,000 $15,000,000 $20,000,000 $25,000,000 $30,000,000 $35,000,000 $40,000,000 PersonalSystems MidrangeDatabases CustCareInfoApps TransactionalPharmaApps InternetApplications WindowsDatabases DataWarehouses AdjudicationApplications MobileMedia MainframeDatabases Internet-facingUnix Internet-facingWindows iSeriesSystems MainframeSystems BusinessPartnerNetwork LDAPStorage Internet-facingNetwork PrintDisposal BackupTapes ExternalTransmission RemoteAccessDevices OpenVMS UnixIntranetSystems IntranetNetworkDevices WindowsIntranetServers CorpFinancialApplications CredentialProcess Loss Exposure by Asset Category $2,588 $- $10,000,000 $20,000,000 $30,000,000 $40,000,000 $50,000,000 $60,000,000 $70,000,000 Privileged Insiders Cyber Criminals Non-Privileged Insiders Malware* Exposure by Threat Community The$most$recent$enterprise$risk$assessment$found$ that$insiders$represent$the$most$significant$threat$ community$(by$35%$over$cyber$criminals),$and$ that$personal$systems$(desktops$&$laptops)$ represent$the$most$significant$point$of$exposure.$
Multi-year strategy example 2009 Current EOY12 EOY13 EOY14 EOY15 Customer   Information   Compromise Corporate   Information   Compromise Online  Fraud Denial  of  Service Regulatory   Non-­‐Compliance Loss Exposure  Perspective Risk  Level Timeframe •  Improved)worksta/on)protec/on)and)malware)controls) account)for)the)significant)reduc/on)in)loss)exposure) between)2009)and))2013.) •  Data)leakage))controls,)combined)with)worksta/on)and) malware)controls))men/oned)above)have)driven)the) reduc/on)in)loss)exposure)for)sensi/ve)corporate) informa/on.) •  Implementa/on)of)advanced)an/Cfraud)measures)in)2010) and)2011)have))significantly)reduced)the)volume)of)online) fraud)losses.) •  Denial)of)service)exposure)was)reduced)in)2010)thru)an) upgrade)in)the)network)architecture.))Future)loss)exposure) will)be)further)reduced)in)2013)with)a)change)in)Internet) service)providers.) •  Regulatory)requirements)con/nue)to)s/ffen,)which)has) slowed)progress)in)reducing)this)exposure.))Plans)for)2012) and)2013)should)result)in)addi/onal)loss)exposure)reduc/on.)
Keys to packaging
Other suggestions: ► Match the form of your message to what your stakeholders are used to (PowerPoints? Text? Charts? Numbers? Colors?) ► Limit “eye candy”. The use of colors should be strategic and intentional. Don’t overdo it!
Be careful what you wish for...
Be careful what you wish for... So, you’ve demonstrated that you deserve a seat at the table. Now what?
Things to be prepared for... ► A thirst for more... ► Politics (oh joy) ► Decisions you don’t agree with
Wrapping up...
Summary ► Infosec’s value proposition is its effect on the frequency and magnitude of loss. We’re missing the target unless/ until we articulate it in those terms ► Misconceptions about risk and quantitative analysis seriously impede our ability to represent our value proposition effectively ► Effectively packaging and conveying our value proposition requires focus, clarity, brevity, and controlling our personal biases ► Successfully representing our value proposition can put us at the “big person table” - with all that entails
Resources ► How to Measure Anything - by Douglas Hubbard ► The Failure of Risk Management - by Douglas Hubbard ► Introduction to Factor Analysis of Information Risk (FAIR) - by Jack Jones ► Coming soon - a series of updated resources to help prepare for the The Open Group FAIR certification exam
Questions For more information: URL: www.cxoware.com E-mail: info@CXOWARE.com Phone: 866.936.0191

Recommended

Vendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskVendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the risk
Sarah Clarke
 
Measuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Measuring DDoS Risk using FAIR (Factor Analysis of Information RiskMeasuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Measuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Tony Martin-Vegue
 
Collaborative Defence
Collaborative DefenceCollaborative Defence
Collaborative Defence
Lilian Schaffer
 
w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018
Open Security Summit
 
Security risk
Security riskSecurity risk
Security risk
Randy Tamoria
 
Cyber risk-overview-wtw (1)
Cyber risk-overview-wtw (1)Cyber risk-overview-wtw (1)
Cyber risk-overview-wtw (1)
Alex Yates
 
Intro to a Data-Driven Computer Security Defense
Intro to a Data-Driven Computer Security DefenseIntro to a Data-Driven Computer Security Defense
Intro to a Data-Driven Computer Security Defense
Roger Grimes
 
Risk Analysis Webinar
Risk Analysis WebinarRisk Analysis Webinar
Risk Analysis Webinar
Jody Keyser
 

Recommended

Vendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the riskVendor Cybersecurity Governance: Scaling the risk
Vendor Cybersecurity Governance: Scaling the risk
Sarah Clarke
 
Measuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Measuring DDoS Risk using FAIR (Factor Analysis of Information RiskMeasuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Measuring DDoS Risk using FAIR (Factor Analysis of Information Risk
Tony Martin-Vegue
 
Collaborative Defence
Collaborative DefenceCollaborative Defence
Collaborative Defence
Lilian Schaffer
 
w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018w-cyber-risk-modeling Owasp cyber risk quantification 2018
w-cyber-risk-modeling Owasp cyber risk quantification 2018
Open Security Summit
 
Security risk
Security riskSecurity risk
Security risk
Randy Tamoria
 
Cyber risk-overview-wtw (1)
Cyber risk-overview-wtw (1)Cyber risk-overview-wtw (1)
Cyber risk-overview-wtw (1)
Alex Yates
 
Intro to a Data-Driven Computer Security Defense
Intro to a Data-Driven Computer Security DefenseIntro to a Data-Driven Computer Security Defense
Intro to a Data-Driven Computer Security Defense
Roger Grimes
 
Risk Analysis Webinar
Risk Analysis WebinarRisk Analysis Webinar
Risk Analysis Webinar
Jody Keyser
 
Information Security Risk Quantification
Information Security Risk QuantificationInformation Security Risk Quantification
Information Security Risk Quantification
Joel Baese
 
Top 5 secrets to successfully jumpstarting your cyber-risk program
Top 5 secrets to successfully jumpstarting your cyber-risk programTop 5 secrets to successfully jumpstarting your cyber-risk program
Top 5 secrets to successfully jumpstarting your cyber-risk program
Priyanka Aash
 
mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...
mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...
mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...
Levi Shapiro
 
Sensible defence
Sensible defenceSensible defence
Sensible defence
Koen Maris
 
Cyber security incidents implications in business continuity planning
Cyber security incidents implications in business continuity planningCyber security incidents implications in business continuity planning
Cyber security incidents implications in business continuity planning
PECB
 
Using the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modelingUsing the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modeling
Eric Jernigan MSIA, CISSP, CISM, CRISC
 
NZISF Talk: Six essential security services
NZISF Talk: Six essential security servicesNZISF Talk: Six essential security services
NZISF Talk: Six essential security services
Hinne Hettema
 
Опасная разработка. Дорожная карта движения к катастрофе
Опасная разработка. Дорожная карта движения к катастрофеОпасная разработка. Дорожная карта движения к катастрофе
Опасная разработка. Дорожная карта движения к катастрофе
SelectedPresentations
 
Современные технологии контроля и защиты мобильных устройств, тенденции рынка...
Современные технологии контроля и защиты мобильных устройств, тенденции рынка...Современные технологии контроля и защиты мобильных устройств, тенденции рынка...
Современные технологии контроля и защиты мобильных устройств, тенденции рынка...
SelectedPresentations
 
Exp w25
Exp w25Exp w25
Exp w25
SelectedPresentations
 
Современные технические средства защиты от инсайдеров российской разработки
Современные технические средства защиты от инсайдеров российской разработкиСовременные технические средства защиты от инсайдеров российской разработки
Современные технические средства защиты от инсайдеров российской разработки
SelectedPresentations
 
Безопасность в сервисной модели: за и против.
Безопасность в сервисной модели: за и против.Безопасность в сервисной модели: за и против.
Безопасность в сервисной модели: за и против.
SelectedPresentations
 
Mbs w21
Mbs w21Mbs w21
Mbs w21
SelectedPresentations
 
Stu r37 a
Stu r37 aStu r37 a
Stu r37 a
SelectedPresentations
 
Spo1 t17
Spo1 t17Spo1 t17
Spo1 t17
SelectedPresentations
 
Grc t18
Grc t18Grc t18
Grc t18
SelectedPresentations
 
Mbs r35 b
Mbs r35 bMbs r35 b
Mbs r35 b
SelectedPresentations
 
Sect f41
Sect f41Sect f41
Sect f41
SelectedPresentations
 
Tech f42
Tech f42Tech f42
Tech f42
SelectedPresentations
 
Семь лет поиска. Что, как и зачем мы проверяем
Семь лет поиска. Что, как и зачем мы проверяемСемь лет поиска. Что, как и зачем мы проверяем
Семь лет поиска. Что, как и зачем мы проверяем
SelectedPresentations
 
О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...
О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...
О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...
SelectedPresentations
 
Mbs r33 b
Mbs r33 bMbs r33 b
Mbs r33 b
SelectedPresentations
 

More Related Content

What's hot

Using the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modelingUsing the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modeling
Eric Jernigan MSIA, CISSP, CISM, CRISC
 

What's hot (7)

Information Security Risk Quantification
Information Security Risk QuantificationInformation Security Risk Quantification
Information Security Risk Quantification
 
Top 5 secrets to successfully jumpstarting your cyber-risk program
Top 5 secrets to successfully jumpstarting your cyber-risk programTop 5 secrets to successfully jumpstarting your cyber-risk program
Top 5 secrets to successfully jumpstarting your cyber-risk program
 
mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...
mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...
mHealth Israel_Cyber Risk in Healthcare_Mary Alice Annecharico_CIO Henry Ford...
 
Sensible defence
Sensible defenceSensible defence
Sensible defence
 
Cyber security incidents implications in business continuity planning
Cyber security incidents implications in business continuity planningCyber security incidents implications in business continuity planning
Cyber security incidents implications in business continuity planning
 
Using the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modelingUsing the Threat Agent Library to improve threat modeling
Using the Threat Agent Library to improve threat modeling
 
NZISF Talk: Six essential security services
NZISF Talk: Six essential security servicesNZISF Talk: Six essential security services
NZISF Talk: Six essential security services
 

Viewers also liked

Viewers also liked (15)

Опасная разработка. Дорожная карта движения к катастрофе
Опасная разработка. Дорожная карта движения к катастрофеОпасная разработка. Дорожная карта движения к катастрофе
Опасная разработка. Дорожная карта движения к катастрофе
 
Современные технологии контроля и защиты мобильных устройств, тенденции рынка...
Современные технологии контроля и защиты мобильных устройств, тенденции рынка...Современные технологии контроля и защиты мобильных устройств, тенденции рынка...
Современные технологии контроля и защиты мобильных устройств, тенденции рынка...
 
Exp w25
Exp w25Exp w25
Exp w25
 
Современные технические средства защиты от инсайдеров российской разработки
Современные технические средства защиты от инсайдеров российской разработкиСовременные технические средства защиты от инсайдеров российской разработки
Современные технические средства защиты от инсайдеров российской разработки
 
Безопасность в сервисной модели: за и против.
Безопасность в сервисной модели: за и против.Безопасность в сервисной модели: за и против.
Безопасность в сервисной модели: за и против.
 
Mbs w21
Mbs w21Mbs w21
Mbs w21
 
Stu r37 a
Stu r37 aStu r37 a
Stu r37 a
 
Spo1 t17
Spo1 t17Spo1 t17
Spo1 t17
 
Grc t18
Grc t18Grc t18
Grc t18
 
Mbs r35 b
Mbs r35 bMbs r35 b
Mbs r35 b
 
Sect f41
Sect f41Sect f41
Sect f41
 
Tech f42
Tech f42Tech f42
Tech f42
 
Семь лет поиска. Что, как и зачем мы проверяем
Семь лет поиска. Что, как и зачем мы проверяемСемь лет поиска. Что, как и зачем мы проверяем
Семь лет поиска. Что, как и зачем мы проверяем
 
О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...
О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...
О профессиональных стандартах по группе занятий (профессий) «Специалисты в об...
 
Mbs r33 b
Mbs r33 bMbs r33 b
Mbs r33 b
 

Similar to Prof m02 v2

How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?
PECB
 
Tech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapTech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event Recap
Dominic Vogel
 
Yours Anecdotally: Developing a Cybersecurity Problem Space
Yours Anecdotally: Developing a Cybersecurity Problem SpaceYours Anecdotally: Developing a Cybersecurity Problem Space
Yours Anecdotally: Developing a Cybersecurity Problem Space
Jack Whitsitt
 
Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...
Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...
Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...
NRBsanv
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
MITRE - ATT&CKcon
 

Similar to Prof m02 v2 (20)

Data Driven Risk Management
Data Driven Risk ManagementData Driven Risk Management
Data Driven Risk Management
 
Risk Analysis for Dummies
Risk Analysis for DummiesRisk Analysis for Dummies
Risk Analysis for Dummies
 
R af d
R af dR af d
R af d
 
Risksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability ManagementRisksense: 7 Experts on Threat and Vulnerability Management
Risksense: 7 Experts on Threat and Vulnerability Management
 
Protecting the Core of Your Network
Protecting the Core of Your Network Protecting the Core of Your Network
Protecting the Core of Your Network
 
Stu r35 b
Stu r35 bStu r35 b
Stu r35 b
 
BSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessBSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing business
 
Rothke rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - the five habits of highly secure organizationsRothke rsa 2013 - the five habits of highly secure organizations
Rothke rsa 2013 - the five habits of highly secure organizations
 
The Black Report - Hackers
The Black Report - HackersThe Black Report - Hackers
The Black Report - Hackers
 
OSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the UnionOSB50: Operational Security: State of the Union
OSB50: Operational Security: State of the Union
 
How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?How to Boost your Cyber Risk Management Program and Capabilities?
How to Boost your Cyber Risk Management Program and Capabilities?
 
CounterTack: 10 Experts on Active Threat Management
CounterTack: 10 Experts on Active Threat ManagementCounterTack: 10 Experts on Active Threat Management
CounterTack: 10 Experts on Active Threat Management
 
Tech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event RecapTech Talent Meetup Hacking Security Event Recap
Tech Talent Meetup Hacking Security Event Recap
 
Yours Anecdotally: Developing a Cybersecurity Problem Space
Yours Anecdotally: Developing a Cybersecurity Problem SpaceYours Anecdotally: Developing a Cybersecurity Problem Space
Yours Anecdotally: Developing a Cybersecurity Problem Space
 
Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...
Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...
Cyber innovation without a new product to buy-Michael Boeckx - cybersec europ...
 
Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdf
 
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdfStephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
Stephane Nappo. January 2023. Top Cyber News MAGAZINE.pdf
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
 
Ht t17
Ht t17Ht t17
Ht t17
 
Managing Enterprise Risk: Why U No Haz Metrics?
Managing Enterprise Risk: Why U No Haz Metrics?Managing Enterprise Risk: Why U No Haz Metrics?
Managing Enterprise Risk: Why U No Haz Metrics?
 

More from SelectedPresentations

More from SelectedPresentations (20)

Длительное архивное хранение ЭД: правовые аспекты и технологические решения
Длительное архивное хранение ЭД: правовые аспекты и технологические решенияДлительное архивное хранение ЭД: правовые аспекты и технологические решения
Длительное архивное хранение ЭД: правовые аспекты и технологические решения
 
Трансграничное пространство доверия. Доверенная третья сторона.
Трансграничное пространство доверия. Доверенная третья сторона.Трансграничное пространство доверия. Доверенная третья сторона.
Трансграничное пространство доверия. Доверенная третья сторона.
 
Варианты реализации атак через мобильные устройства
Варианты реализации атак через мобильные устройстваВарианты реализации атак через мобильные устройства
Варианты реализации атак через мобильные устройства
 
Новые технологические возможности и безопасность мобильных решений
Новые технологические возможности и безопасность мобильных решенийНовые технологические возможности и безопасность мобильных решений
Новые технологические возможности и безопасность мобильных решений
 
Управление безопасностью мобильных устройств
Управление безопасностью мобильных устройствУправление безопасностью мобильных устройств
Управление безопасностью мобильных устройств
 
Кадровое агентство отрасли информационной безопасности
Кадровое агентство отрасли информационной безопасностиКадровое агентство отрасли информационной безопасности
Кадровое агентство отрасли информационной безопасности
 
Основное содержание профессионального стандарта «Специалист по безопасности и...
Основное содержание профессионального стандарта «Специалист по безопасности и...Основное содержание профессионального стандарта «Специалист по безопасности и...
Основное содержание профессионального стандарта «Специалист по безопасности и...
 
Основное содержание профессионального стандарта «Специалист по безопасности а...
Основное содержание профессионального стандарта «Специалист по безопасности а...Основное содержание профессионального стандарта «Специалист по безопасности а...
Основное содержание профессионального стандарта «Специалист по безопасности а...
 
Основное содержание профессионального стандарта «Специалист по технической за...
Основное содержание профессионального стандарта «Специалист по технической за...Основное содержание профессионального стандарта «Специалист по технической за...
Основное содержание профессионального стандарта «Специалист по технической за...
 
Основное содержание профессионального стандарта «Специалист по безопасности т...
Основное содержание профессионального стандарта «Специалист по безопасности т...Основное содержание профессионального стандарта «Специалист по безопасности т...
Основное содержание профессионального стандарта «Специалист по безопасности т...
 
Запись активности пользователей с интеллектуальным анализом данных
Запись активности пользователей с интеллектуальным анализом данныхЗапись активности пользователей с интеллектуальным анализом данных
Запись активности пользователей с интеллектуальным анализом данных
 
Импортозамещение в системах ИБ банков. Практические аспекты перехода на росси...
Импортозамещение в системах ИБ банков. Практические аспекты перехода на росси...Импортозамещение в системах ИБ банков. Практические аспекты перехода на росси...
Импортозамещение в системах ИБ банков. Практические аспекты перехода на росси...
 
Обеспечение защиты информации на стадиях жизненного цикла ИС
Обеспечение защиты информации на стадиях жизненного цикла ИСОбеспечение защиты информации на стадиях жизненного цикла ИС
Обеспечение защиты информации на стадиях жизненного цикла ИС
 
Документ, как средство защиты: ОРД как основа обеспечения ИБ
Документ, как средство защиты: ОРД как основа обеспечения ИБДокумент, как средство защиты: ОРД как основа обеспечения ИБ
Документ, как средство защиты: ОРД как основа обеспечения ИБ
 
Чего не хватает в современных ids для защиты банковских приложений
Чего не хватает в современных ids для защиты банковских приложенийЧего не хватает в современных ids для защиты банковских приложений
Чего не хватает в современных ids для защиты банковских приложений
 
Об участии МОО «АЗИ» в разработке профессиональных стандартов в области инфор...
Об участии МОО «АЗИ» в разработке профессиональных стандартов в области инфор...Об участии МОО «АЗИ» в разработке профессиональных стандартов в области инфор...
Об участии МОО «АЗИ» в разработке профессиональных стандартов в области инфор...
 
Оценка состояния, меры формирования индустрии информационной безопасности Рос...
Оценка состояния, меры формирования индустрии информационной безопасности Рос...Оценка состояния, меры формирования индустрии информационной безопасности Рос...
Оценка состояния, меры формирования индустрии информационной безопасности Рос...
 
Об угрозах информационной безопасности, актуальных для разработчика СЗИ
Об угрозах информационной безопасности, актуальных для разработчика СЗИОб угрозах информационной безопасности, актуальных для разработчика СЗИ
Об угрозах информационной безопасности, актуальных для разработчика СЗИ
 
Exp r35
Exp r35Exp r35
Exp r35
 
Exp t18
Exp t18Exp t18
Exp t18
 

Prof m02 v2

  • 1. Session ID: Session Classification: PROF-­‐M02 General  Interest Will They EVER “Get” Security? CXOWARE Jack Jones
  • 3. Question... How are 1/4” drill bits similar to security?
  • 4. What we’ll cover... ► Infosec’s value proposition ► Crippling misconceptions ► Packaging and conveying our value prop ► Be careful what you wish for... ► Q&A
  • 6. Remember my question... How are 1/4” drill bits similar to security?
  • 7. Infosec’s Value Proposition Its affect on the frequency and magnitude of loss (i.e., managing risk)
  • 8. Which is likely to be more meaningful? We need to implement security technology/process/ policy X because it’s best practice or... If we implement security technology/process/policy X it will take us from a level 4 (high) risk to a level 2 (medium) risk or...
  • 9. Which is likely to be more meaningful? If we implement security technology/process/policy X at a cost of $120k, we’ll reduce our average annualized loss exposure from $1.5M to $200k $1,500,000& $200,000& Before& A.er& Annualized*Loss*Exposure*(avg)*
  • 10. News flash... Management cares about exposure to loss
  • 12. Crippling misconceptions ► Risk can’t be measured ► There isn’t enough data for quantitative analysis ► Quantitative analysis is impractical ► Infosec risk is different from other forms of risk ► Business people will always accept risk ► You can do meaningful math on ordinal values
  • 13. Risk can’t can be measured ...but first you have to define it and understand it ► From a practical perspective, risk boils down to “exposure to loss” ► If you can estimate/measure the probable frequency of a loss event and the probable impact of that event, then you are measuring the risk associated with the event
  • 14. A common problem though... Recently reviewed an organization’s risk register and found things like: ► Failure to patch vulnerabilities ► Default passwords ► Failure to make system backups ► Disgruntled employees ► Unencrypted laptops Problem: These aren’t loss events, so you can’t assign a meaningful frequency and magnitude of loss to them
  • 15. There isn’t enough data ► You have more data than you think you do, and you need less data than you think you do ► You just have to know where to look and how to make the best use of what you have ► Book: How to Measure Anything - by Douglas Hubbard ► Leverage ranges, distributions, and Monte Carlo
  • 17. Quantitative analysis is impractical ► Quantitative analysis does NOT have to require a lot of research and data ► Quick and dirty is often good enough ► A lot of data is reusable across similar scenarios ▶ Effective use of ranges and distribution can faithfully represent the quality of your data
  • 18. Infosec risk is different than other forms of risk ► Boiled down, risk is simple “exposure to loss” ► Exposure to loss is fundamentally the same in principle whether we’re dealing with armed conflict, personal injury, investments, or data breaches NO ^
  • 19. Business people will always accept risk ► When presented with good quantitative analysis, I’ve found business leaders to be remarkably risk averse ► The key is that the information we provide them has to be rational and defensible NOT ^
  • 20. You can can’t do math on ordinal values Qualitative Scale (Ordinal) What does x equal? What does + equal? Very High High Moderate Low Very Low 5 4 3 2 1
  • 22. What’s the purpose? ► The purpose is to support well-informed decisions ► Understand what decisions are at stake and focus on providing only what’s required to support those decisions ► This is also NOT about “convincing” executives to see things our way.
  • 23. My criteria for communications: ► Clear - Simple terminology, no infosec/IT acronyms ► Concise - Less is more ► Accurate - Absent bias and hyperbole ► Useful - Meaningful and actionable
  • 24. Keys to packaging and communicating Above all, be able to defend what you present
  • 26. Spending decision example ! Current State: Before additional controls ! Future State: After additional controls
  • 27. Prioritization example $- $5,000,000 $10,000,000 $15,000,000 $20,000,000 $25,000,000 $30,000,000 $35,000,000 $40,000,000 PersonalSystems MidrangeDatabases CustCareInfoApps TransactionalPharmaApps InternetApplications WindowsDatabases DataWarehouses AdjudicationApplications MobileMedia MainframeDatabases Internet-facingUnix Internet-facingWindows iSeriesSystems MainframeSystems BusinessPartnerNetwork LDAPStorage Internet-facingNetwork PrintDisposal BackupTapes ExternalTransmission RemoteAccessDevices OpenVMS UnixIntranetSystems IntranetNetworkDevices WindowsIntranetServers CorpFinancialApplications CredentialProcess Loss Exposure by Asset Category $2,588 $- $10,000,000 $20,000,000 $30,000,000 $40,000,000 $50,000,000 $60,000,000 $70,000,000 Privileged Insiders Cyber Criminals Non-Privileged Insiders Malware* Exposure by Threat Community The$most$recent$enterprise$risk$assessment$found$ that$insiders$represent$the$most$significant$threat$ community$(by$35%$over$cyber$criminals),$and$ that$personal$systems$(desktops$&$laptops)$ represent$the$most$significant$point$of$exposure.$
  • 28. Multi-year strategy example 2009 Current EOY12 EOY13 EOY14 EOY15 Customer   Information   Compromise Corporate   Information   Compromise Online  Fraud Denial  of  Service Regulatory   Non-­‐Compliance Loss Exposure  Perspective Risk  Level Timeframe •  Improved)worksta/on)protec/on)and)malware)controls) account)for)the)significant)reduc/on)in)loss)exposure) between)2009)and))2013.) •  Data)leakage))controls,)combined)with)worksta/on)and) malware)controls))men/oned)above)have)driven)the) reduc/on)in)loss)exposure)for)sensi/ve)corporate) informa/on.) •  Implementa/on)of)advanced)an/Cfraud)measures)in)2010) and)2011)have))significantly)reduced)the)volume)of)online) fraud)losses.) •  Denial)of)service)exposure)was)reduced)in)2010)thru)an) upgrade)in)the)network)architecture.))Future)loss)exposure) will)be)further)reduced)in)2013)with)a)change)in)Internet) service)providers.) •  Regulatory)requirements)con/nue)to)s/ffen,)which)has) slowed)progress)in)reducing)this)exposure.))Plans)for)2012) and)2013)should)result)in)addi/onal)loss)exposure)reduc/on.)
  • 30. Other suggestions: ► Match the form of your message to what your stakeholders are used to (PowerPoints? Text? Charts? Numbers? Colors?) ► Limit “eye candy”. The use of colors should be strategic and intentional. Don’t overdo it!
  • 31. Be careful what you wish for...
  • 32. Be careful what you wish for... So, you’ve demonstrated that you deserve a seat at the table. Now what?
  • 33. Things to be prepared for... ► A thirst for more... ► Politics (oh joy) ► Decisions you don’t agree with
  • 35. Summary ► Infosec’s value proposition is its effect on the frequency and magnitude of loss. We’re missing the target unless/ until we articulate it in those terms ► Misconceptions about risk and quantitative analysis seriously impede our ability to represent our value proposition effectively ► Effectively packaging and conveying our value proposition requires focus, clarity, brevity, and controlling our personal biases ► Successfully representing our value proposition can put us at the “big person table” - with all that entails
  • 36. Resources ► How to Measure Anything - by Douglas Hubbard ► The Failure of Risk Management - by Douglas Hubbard ► Introduction to Factor Analysis of Information Risk (FAIR) - by Jack Jones ► Coming soon - a series of updated resources to help prepare for the The Open Group FAIR certification exam
  • 37. Questions For more information: URL: www.cxoware.com E-mail: info@CXOWARE.com Phone: 866.936.0191