Risk Management Returns Results
By Aurobindo Sundaram and Michelle Ward




THE ISSA JOURNAL ◆ July 2005                                 ©2005 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited.

Introduction

Information security practitioners in organizations of all sizes have long struggled to successfully implement and gain support for their programs. Commonly reporting up to a technology officer, security is often viewed as very expensive and existing only to react to a negative security event that may never occur. Clearly, it is difficult to secure executive buy-in for security programs when the management team maintains this limited perspective. However, many security officers neglect to communicate the value of corporate security programs to business managers. Positioning the security team as a “risk management service provider” to the internal organization allows business managers and executives to understand the benefit of implementing specific security policies and programs.

In the following sections, we’ll attempt to give the security practitioner tips about how to align herself in the organization, how to build a security program that will weather budget cuts, how to ensure that business management is aware of the value that her programs create, and how to measure and prime her programs for success.

Organization and Support

There are various thoughts on how security should report into management, most expounded by people who’ve tried and failed at other organization methods. While there is no sure way to gain the support of your management, here are some myths and associated actions for the security practitioner to understand:

Myth: Security must report to business management to be effective
Corollary: Security is best served by reporting to Information Technology

These are both somewhat inaccurate. It is certainly advantageous to report to business management, but without business management support, this is not useful. There is also sometimes the perception that security is a pure IT play.

Truth: Reporting is not as important as support and high-level commitment

We have been at different organizations where support has been demonstrated in different ways. At a large oilfield services firm that one of us worked at (in IT, no less!), commitment was shown by setting information security objectives from the CEO down (accounting for 20% of their annual bonus). This executive support allowed for the successful implementation of mandatory security awareness testing for 75,000 users, vulnerability remediation for over 2500 systems, placement and training for 400 security coordinators internationally, and updated anti-virus software for 75,000 desktops.

Sometimes, support is shown by the reporting structure and the power given to the CISO. This can involve reporting up to business operations so that the traditional problem of CISOs (the security department is stigmatized as a “technology cost center”) is somewhat mitigated. A major bank which one of us worked for expanded the scope of the formerly “technical” security department to include physical security, business continuity, fraud, network security, computer forensics, application assessments, governance and more, empowering the CISO to really manage corporate risk rather than simply focus on technology threats.

Obviously, federally regulated organizations are able to achieve executive support for security programs because they are required to demonstrate high-level buy-off on initiatives that are outlined by federal auditors. Facing costly fines for violating regulations or being presented with the option of having your bank shut down because you did not comply with federal standards makes it very easy for CISOs to secure support for their programs. Enterprises that are not heavily regulated are presented with a decision to accept a certain amount of risk and mitigate what executives believe are minimal requirements to maintain a positive corporate image. For these CISOs, it is much more difficult to gain the executive support required to implement successful, comprehensive security programs. This is when it’s time to exercise those “sales skills” and demonstrate the value to the business that will be added by each service offered by the security department. Allow business units to accept risk on an individual basis by signing “risk acceptance” forms that outline security concerns and recommendations from the security team. The business unit will then certify that it is declining to implement necessary controls to mitigate a specified risk. Business managers become much more interested in resolving a security issue when they are required to sign a document stating they knowingly accepted a potentially significant risk to the organization. “Risk assessment” forms demonstrate that the CISO is performing due diligence by informing business units of risk, but allow the business managers to make the final decision on what risk can be accepted and what must be mitigated.

Actions:
▲ Try to gain the support that you need from at least one key figure in the organization.
▲ Try to set risk management objectives and metrics for the business.

Program Positioning

Myth: Obtain funding for security projects annually

Position your security team as a service provider rather than a cost center. It is much easier to increase the size of your budget and head count if you can demonstrate the VALUE of your services. By defining your programs as services and developing tools that enable the business to benefit from these services in a measurable way, the security officer will begin walking into his boss’s office with confidence when asking for money, as he will be able to demonstrate how many operational dollars will be saved as well as revenue secured because of his security programs. Executives are always looking for ways to minimize expenditures or secure new revenue with customers. The successful security officer will impress his executive management team when he can walk into their offices with numbers demonstrating cost savings or examples of customer contracts that were secured because of specific programs that are part of his security organization. Concentrating on how to quantitatively measure security programs will prove to be ultimately valuable to the security officer, as many internal operational managers neglect to do this and then complain later when they don’t receive funding for their projects.

Create a relationship with the most powerful group of people in the organization—the sales team. Many of us hate to admit it, but technology serves no purpose without someone successfully selling our company’s product or service. It is vital for the security officer to determine how his programs can help retain or secure new business by understanding customers through communication with sales. The sales team has the ear of the COO and the CEO; they see the customers every day, know what they want now and what they will demand in the future. Security as a “business enabler” is communicated through metrics demonstrating the amount of revenue secured because of the security and risk management programs implemented internally. A smart security officer will measure how his programs have helped to secure customer revenue by meeting minimum security requirements. These dollar figures can be more easily understood by executives and business managers than a description of a complex technology solution. The security officer will also align himself closely with the corporate legal department so that he is aware of the language customers are trying to incorporate into contracts. Customer demand obviously provides him with fuel for pursuing new security programs that have not yet been established in the organization.

Example: Trying to add Intrusion Prevention System (IPS) functionality to an already implemented defense-in-depth solution using Intrusion Detection Systems (IDS)

The security executive should sell the benefits of the added (or replacement) IPS service, using quantitative arguments, such as:

▲ We detect 500 viruses propagating in our network every month using our IDS. Of these, we use IDS functionality to detect and resolve 495 of these incidents without significant harm being done (mention cost savings of IDS here).
▲ Of the 5 remaining viruses, on average, 1 of them causes a $200K outage every quarter to our enterprise.
▲ A properly configured IPS can detect and block these viruses.
▲ The IPS costs $100K annually (i.e. $8K a month). Doing nothing costs us $66K a month on average.
▲ In addition, an IPS can be used to detect, alert, and block other malicious activity, such as our employees scanning our HR systems, etc. (intangible benefits).

Truth: Programs get continued funding. Projects often don’t.

Action: Re-align your projects around scalable, repeatable service initiatives that are long-lasting, provide value, and can be quantitatively measured for success.

The Risk Management Approach

Myth: Fear, Uncertainty, and Doubt (FUD) is counter-productive

This is not always true. Although certain displays of FUD (“think of the damage to your reputation if this were hacked”) are often overused and can be counterproductive, there are many situations in which practical demonstrations of risks are extremely effective. By providing an example of the actual exploitation of vulnerabilities, we demonstrated to top management how their retirement information and personal details could be accessed. This immediately resulted in a tripling of headcount for information security.

Myth: Complex technology solutions will prevent exploitation of user accounts

Truth: Simple access control measures are often most effective in preventing unauthorized access.

Intelligent management of user access for an organization is simple—it should rely more heavily on effective process than complicated technology solutions. User account provisioning should be fed from a single database (often a human resources tool such as PeopleSoft) to prevent discrepancies that often occur when a variety of systems kick off the creation of user accounts. Finding a tool that allows security administrators to deprovision user accounts across multiple platforms when an individual is terminated is vital. Systemically enforcing access controls such as password complexity, expiration and length allows for better protection from hacking attempts. When these controls cannot be implemented systemically due to platform limitations, they should be enforced through policy, regular auditing (such as running password crackers) and remediation.

The investment in making an access control solution work effectively is often in the initial setup of the provisioning tool, the systems that interface with it, and setting up role-based user groups and policies. Security resources will need to build relationships with human resources, payroll and operational support teams that manage various authentication platforms across the organization to ensure that processes run smoothly, roles are defined correctly, and any changes are communicated to all groups who are impacted.

It is important to use regulation and recent events in your planning and selling efforts. For instance, you should use Sarbanes-Oxley requirements heavily when you try to sell your requirements for access control (provisioning, directory services, headcount for security access control analysts, periodic role review, etc.). Meeting these requirements requires resources (typically junior-level analysts) and the appropriate tools to implement them.

In addition, you should use recent events in the press to make your point on needing strong access controls (e.g. heavily publicized identity theft instances in the news media). This is certainly one area where the “What if this were us?” FUD argument is actually beneficial, because, for almost every corporation, the risk of this is very real.

The Magic of Metrics

How does a security officer sell his programs and demonstrate overall value to the organization? Through metrics. Metrics empower security officers in many ways, but most importantly, they help to communicate business risk to managers who may care very little about technology. Quantitative metrics are appreciated by business unit leaders who view them as meaningful measurements that provide them with the insight required to make intelligent risk acceptance decisions. By consistently communicating solid risk metrics internally, security officers can begin to reform executives who may have previously believed these programs were necessary but added little value to the business.

The hardest problem for a security officer is to create the appropriate metrics for use in his organization. Here are some simple metrics that immediately bring value:

▲ Savings due to viruses blocked by implemented protections (pick a number for the potential loss due to a virus infection—say $100; if you block 500 viruses, you just saved the company $50,000). The actual amount is not important; it’s important to pick a reasonable number and be consistent. Technologists often fall into the trap of objecting (“Well, our users wouldn’t click on every attachment that came in, anyway”). It doesn’t matter—measure it anyway.
▲ Savings due to spam blocked by implemented protections (we use 8 cents per spam blocked times 4 recipients for each message = 32c per spam blocked). Although it seems obvious now, 2 years ago it was hard to get funding for spam-blocking devices. Our CISO used a calculation just like this one to convince the CEO that it was OK to spend $12K on a spam-filtering appliance. The ROI was less than a month. A sample presentation is in Figure 1. This is the language of business—the quicker you can quantify savings and present it to management, the quicker you’ll be successful.
▲ Percentage of Internet-facing systems with no vulnerabilities: This is typically done by using tools such as Nessus, etc. to continuously measure, report, and remediate vulnerabilities.
▲ Percentage of users that have taken security awareness training
▲ Percentage of systems with up-to-date patches
▲ Percentage of systems with up-to-date anti-virus software

Figure 1: A sample calculation and measurement of ROI and savings

Today (per month)
  Internet e-mails received per user: 100
  Number of users                   : 5000
  Percentage of mail that is spam   : 10% (say)
  Cost of spam                      : 32c
  Total cost of spam = 5000 * 100 * .1 * .32 = 16000

With spam appliance
  Cost of spam appliance      = 12K
  Percentage of spam filtered = 95%
  Savings: 16000 * .95 = 15200
  Savings due to appliance = 15200 – 1000 (per month for appliance cost) – 2000 (per month for management, etc.)
  Total savings: $12,200 PER MONTH

Action: Create a risk metrics dashboard for the organization and manage against it. Ensure business management is aware of this dashboard; they will appreciate it.

Risk Management MAGIC
▲ Measure Program Parameters
▲ Appropriate Organizational Alignment
▲ Generate Value to Organization through Services
▲ Internal Relationship Building
▲ Communication of Programs to Customers

Security officers must master the art of “selling” their programs internally. They must translate costly expenditures related to technology solutions into methods for managing risks to information assets in an organization. Security leaders must humanize potential risk and give executives an accurate understanding of how the company’s revenue and reputation can be negatively impacted by security incidents. Business unit managers must be convinced that internal security services enable business, differentiating their organization from competitors by allowing them to meet customer demands for minimum protection of their data.

Figure 2: Example of a risk dashboard

Region         Overall risk  Vulnerability assessment  Anti-virus  Security awareness  Enablers  Savings  DR/BCP  Physical security
North America  3.5           74%                       97%         80%                 10.4M     1.5M     3       3
  US           3.8           88%                       96%         85%                 5.4M      .75M     3       3
  Canada       4.2           95%                       94%         87%                 3M        .5M      2       4
  Mexico       2.7           62%                       91%         37%                 2M        .25M     2       3
Asia           1.2           97%                       95%         87%                 3.3M      0.6M     3       3
  India        1.1           99%                       96%         82%                 1.7M      0.34M    2       1
  China        2.1           94%                       94%         84%                 1.6M      0.26M    4       3

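The access control section above recommends feeding provisioning from a single HR source and deprovisioning terminated users on every platform. The following Python script, added here as an illustration rather than taken from the article, shows the reconciliation audit that backs that process up: the roster, account inventories, role map and password baseline in it are all constructed assumptions.

```python
"""Reconcile accounts on several platforms against the HR roster.

Added example, not from the ISSA article. The article argues that provisioning
should be driven by one HR source and that terminated users must be deprovisioned
on every platform; this audit finds the cases where that process has slipped.
All roster, account and policy data below is constructed for the example.
"""
from dataclasses import dataclass, field

# Constructed HR roster: employee id -> (status, role). In practice this would be
# an export from the HR system the article mentions (e.g. PeopleSoft).
HR_ROSTER = {
    "E100": ("active", "finance"),
    "E101": ("active", "engineering"),
    "E102": ("terminated", "finance"),
    "E103": ("active", "sales"),
}

# Constructed account inventories: platform -> {username: (employee id, enabled)}.
PLATFORM_ACCOUNTS = {
    "windows_domain": {
        "e100": ("E100", True),
        "e101": ("E101", True),
        "e102": ("E102", True),      # terminated employee, still enabled
        "e103": ("E103", True),
        "svc_backup": (None, True),  # no HR record behind this account
    },
    "erp": {
        "e100": ("E100", True),
        "e102": ("E102", True),      # terminated employee, still enabled
    },
    "unix": {
        "e102": ("E102", False),     # already disabled here: not a finding
    },
}

# Assumed role-based entitlements: platforms each role must have an account on.
ROLE_PLATFORMS = {
    "finance": {"windows_domain", "erp"},
    "engineering": {"windows_domain", "unix"},
    "sales": {"windows_domain"},
}

# Assumed baseline for the controls the article names (complexity, expiry, length).
# A platform that cannot enforce it systemically needs policy plus periodic audit.
MIN_LENGTH, MAX_AGE_DAYS = 8, 90
PLATFORM_PASSWORD_POLICY = {
    "windows_domain": {"complexity": True, "max_age_days": 90, "min_length": 8},
    "erp": {"complexity": False, "max_age_days": 0, "min_length": 6},
    "unix": {"complexity": True, "max_age_days": 90, "min_length": 8},
}


@dataclass
class Findings:
    orphaned: list = field(default_factory=list)     # (platform, user): enabled, employee terminated
    unknown: list = field(default_factory=list)      # (platform, user): no HR record
    missing: list = field(default_factory=list)      # (employee, platform): required by role, absent
    weak_policy: list = field(default_factory=list)  # platforms below the password baseline


def reconcile(hr, accounts, role_platforms, policies):
    """Compare every platform's accounts with the HR roster and role map."""
    f = Findings()
    for platform, users in accounts.items():
        for user, (emp, enabled) in users.items():
            if emp not in hr:
                f.unknown.append((platform, user))
            elif enabled and hr[emp][0] == "terminated":
                f.orphaned.append((platform, user))
    for emp, (status, role) in hr.items():
        if status != "active":
            continue
        # Platforms where this employee already has an enabled account.
        have = {p for p, users in accounts.items()
                if any(e == emp and en for e, en in users.values())}
        for p in sorted(role_platforms.get(role, set()) - have):
            f.missing.append((emp, p))
    for platform, pol in policies.items():
        meets = (pol["complexity"] and 0 < pol["max_age_days"] <= MAX_AGE_DAYS
                 and pol["min_length"] >= MIN_LENGTH)
        if not meets:
            f.weak_policy.append(platform)
    return f


if __name__ == "__main__":
    result = reconcile(HR_ROSTER, PLATFORM_ACCOUNTS, ROLE_PLATFORMS, PLATFORM_PASSWORD_POLICY)
    print("Deprovision now:", result.orphaned)
    print("Investigate (no HR record):", result.unknown)
    print("Provision per role:", result.missing)
    print("Policy cannot be enforced systemically, audit instead:", result.weak_policy)
```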
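As an added illustration (not the article's own code), this Python script computes the simple metrics listed above from constructed system and user records, color-codes each cell the way the article suggests for a Figure 2 style dashboard, and turns the Figure 1 spam-appliance arithmetic into a reusable function; the regions, records and green/yellow thresholds are constructed assumptions.

```python
"""Risk metrics dashboard and ROI calculation in the style of Figures 1 and 2.

Added example, not from the ISSA article. Inventory records and the rating
thresholds are constructed for illustration.
"""
from collections import defaultdict


def spam_appliance_savings(users, mails_per_user, spam_fraction, cost_per_spam,
                           filter_rate, appliance_cost_per_month, management_per_month):
    """Monthly savings from a spam filter, following Figure 1's arithmetic."""
    cost_of_spam = users * mails_per_user * spam_fraction * cost_per_spam
    avoided = cost_of_spam * filter_rate
    return round(avoided - appliance_cost_per_month - management_per_month, 2)


def months_to_payback(one_time_cost, monthly_savings):
    """ROI horizon: Figure 1's $12K appliance against $12,200/month pays back in under a month."""
    return one_time_cost / monthly_savings if monthly_savings > 0 else float("inf")


# Constructed inventory: one record per system and per user.
SYSTEMS = [  # (region, internet_facing, open_vulns, patches_current, av_current)
    ("US", True, 0, True, True), ("US", True, 2, False, True),
    ("US", False, 0, True, True), ("US", False, 1, True, False),
    ("Canada", True, 0, True, True), ("Canada", True, 0, True, True),
    ("Canada", False, 0, False, True),
    ("Mexico", True, 3, False, True), ("Mexico", True, 0, False, False),
    ("Mexico", False, 5, False, True),
]
USERS = [  # (region, awareness_training_done)
    ("US", True), ("US", True), ("US", False), ("US", True),
    ("Canada", True), ("Canada", True), ("Canada", False),
    ("Mexico", False), ("Mexico", True), ("Mexico", False), ("Mexico", False),
]

# Assumed (green, yellow) thresholds in percent per metric; below yellow is red.
THRESHOLDS = {"vuln_free_internet": (90, 70), "patched": (90, 75),
              "av_current": (95, 85), "awareness": (85, 60)}


def pct(num, den):
    return round(100.0 * num / den, 1) if den else None


def compute_metrics(systems, users):
    """Per-region percentages for the article's four simple metrics."""
    by_region = defaultdict(lambda: {"internet": 0, "internet_clean": 0, "systems": 0,
                                     "patched": 0, "av": 0, "users": 0, "trained": 0})
    for region, internet, vulns, patched, av in systems:
        r = by_region[region]
        r["systems"] += 1
        r["patched"] += patched
        r["av"] += av
        if internet:
            r["internet"] += 1
            r["internet_clean"] += (vulns == 0)
    for region, trained in users:
        by_region[region]["users"] += 1
        by_region[region]["trained"] += trained
    return {region: {"vuln_free_internet": pct(r["internet_clean"], r["internet"]),
                     "patched": pct(r["patched"], r["systems"]),
                     "av_current": pct(r["av"], r["systems"]),
                     "awareness": pct(r["trained"], r["users"])}
            for region, r in by_region.items()}


def rate(metric, value):
    """Color-code one cell so a manager can spot problem points at a glance."""
    if value is None:
        return "n/a"
    green, yellow = THRESHOLDS[metric]
    return "GREEN" if value >= green else "YELLOW" if value >= yellow else "RED"


def dashboard(systems, users):
    """Rows of (region, metric, value, color); red cells first so they get attention."""
    rows = [(region, m, v, rate(m, v))
            for region, metrics in compute_metrics(systems, users).items()
            for m, v in metrics.items()]
    order = {"RED": 0, "YELLOW": 1, "GREEN": 2, "n/a": 3}
    return sorted(rows, key=lambda r: (order[r[3]], r[0], r[1]))


if __name__ == "__main__":
    saved = spam_appliance_savings(5000, 100, 0.1, 0.32, 0.95, 1000, 2000)
    print(f"Spam appliance saves ${saved:,.2f} per month; payback in "
          f"{months_to_payback(12000, saved):.2f} months")
    for region, metric, value, color in dashboard(SYSTEMS, USERS):
        print(f"{region:8} {metric:20} {value!s:>6}  {color}")
```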
Figure 2 is a simple example of a risk dashboard. You will no doubt want to specify your own variables and scores. Color coding helps the reader to easily find problem points to remediate. You can do this in Excel or on a Web page for management to browse and drill down where necessary. We’ve found it amazing how quickly a red tab on a business manager’s region will get them to take action on fixing it.

Conclusion

The next time you are planning how to spend your dollars on training, don’t look in the latest technology journal. Put your money and your mind on building business sense. Learn to design a service organization and support your programs with metrics that mean something to upper management. Stop managing your team as a technology organization and invest in understanding how your programs are enhancing business objectives and helping secure future revenue, where possible. Mold your technology group into a sales organization that does more than just implement secure technology solutions.

Aurobindo Sundaram, CISSP, CISM, is Director of Network Security at ChoicePoint.

Michelle Ward, CISSP/CIFI/CISM, is Director of Information Security at ChoicePoint.
Weakest links of an organization's Cybersecurity chain
 
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
 
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...Five Essential Enterprise Architecture Practices to Create the Security-Aware...
Five Essential Enterprise Architecture Practices to Create the Security-Aware...
 
Security Hurts Business - Don't Let It
Security Hurts Business - Don't Let ItSecurity Hurts Business - Don't Let It
Security Hurts Business - Don't Let It
 
EB - Five Forces That Drive a Successful Managed Security Services Offering -...
EB - Five Forces That Drive a Successful Managed Security Services Offering -...EB - Five Forces That Drive a Successful Managed Security Services Offering -...
EB - Five Forces That Drive a Successful Managed Security Services Offering -...
 
speaking-to-board-securiity-whitepaper
speaking-to-board-securiity-whitepaperspeaking-to-board-securiity-whitepaper
speaking-to-board-securiity-whitepaper
 
Security Metrics
Security MetricsSecurity Metrics
Security Metrics
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015
 
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected WorldRSA Security Brief : Taking Charge of Security in a Hyperconnected World
RSA Security Brief : Taking Charge of Security in a Hyperconnected World
 
Rogers eBook Security
Rogers eBook SecurityRogers eBook Security
Rogers eBook Security
 
CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015CISO_Paper_Oct27_2015
CISO_Paper_Oct27_2015
 
CISO as a service in India | Senselearner
CISO as a service in India | SenselearnerCISO as a service in India | Senselearner
CISO as a service in India | Senselearner
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 

2005 issa journal-risk-management

Risk Management Returns Results
By Aurobindo Sundaram and Michelle Ward
THE ISSA JOURNAL ◆ July 2005. ©2005 Technical Enterprises, Inc. Reproduction of this document without permission is prohibited.

Introduction

Information security practitioners in organizations of all sizes have long struggled to implement their programs and gain support for them. Security commonly reports to a technology officer, and is often viewed as very expensive and as existing only to react to a negative security event that may never occur. Clearly, it is difficult to secure executive buy-in for security programs when the management team holds this limited perspective. However, many security officers also neglect to communicate the value of corporate security programs to business managers. Positioning the security team as a "risk management service provider" to the internal organization lets business managers and executives understand the benefit of implementing specific security policies and programs.

In the following sections, we give the security practitioner tips on how to align herself in the organization, how to build a security program that will weather budget cuts, how to ensure that business management is aware of the value her programs create, and how to measure and prime her programs for success.

Organization and Support

There are various views on how security should report into management, most of them expounded by people who have tried and failed at other organizational arrangements. While there is no sure way to gain the support of your management, here are some myths and associated actions for the security practitioner to understand:

Myth: Security must report to business management to be effective
Corollary: Security is best served by reporting to Information Technology

Both are somewhat inaccurate. It is certainly advantageous to report to business management, but without business management support this is not useful. There is also sometimes the perception that security is a pure IT play.

Truth: Reporting is not as important as support and high-level commitment

We have been at different organizations where support was demonstrated in different ways. At a large oilfield services firm where one of us worked (in IT, no less!), commitment was shown by setting information security objectives from the CEO down, accounting for 20% of executives' annual bonus. This executive support allowed the successful implementation of mandatory security awareness testing for 75,000 users, vulnerability remediation for over 2,500 systems, placement and training of 400 security coordinators internationally, and updated anti-virus software on 75,000 desktops.

Sometimes support is shown by the reporting structure and the power given to the CISO. This can involve reporting up to business operations, so that the traditional problem of CISOs (the security department is stigmatized as a "technology cost center") is somewhat mitigated. A major bank that one of us worked for expanded the scope of the formerly "technical" security department to include physical security, business continuity, fraud, network security, computer forensics, application assessments, governance and more, empowering the CISO to manage corporate risk rather than simply focus on technology threats.

Obviously, federally regulated organizations are able to achieve executive support for security programs because they are required to demonstrate high-level sign-off on initiatives outlined by federal auditors. Facing costly fines for violating regulations, or being presented with the prospect of having your bank shut down because you did not comply with federal standards, makes it very easy for CISOs to secure support for their programs. Enterprises that are not heavily regulated face a decision to accept a certain amount of risk and mitigate only what executives believe are the minimal requirements for maintaining a positive corporate image. For these CISOs it is much more difficult to gain the executive support required to implement successful, comprehensive security programs. This is when it is time to exercise those "sales skills" and demonstrate the value that each service offered by the security department adds to the business. Allow business units to accept risk individually by signing "risk acceptance" forms that outline the security concerns and recommendations of the security team; the business unit then certifies that it is declining to implement the controls needed to mitigate a specified risk. Business managers become much more interested in resolving a security issue when they are required to sign a document stating that they knowingly accepted a potentially significant risk to the organization. Risk acceptance forms demonstrate that the CISO is performing due diligence by informing business units of risk, while leaving business managers the final decision on what risk can be accepted and what must be mitigated.

Actions:
▲ Try to gain the support that you need from at least one key figure in the organization.
▲ Try to set risk management objectives and metrics for the business.

Program Positioning

Myth: Obtain funding for security projects annually

Position your security team as a service provider rather than a cost center. It is much easier to increase the size of your budget and headcount if you can demonstrate the VALUE of your services. By defining your programs as services and developing tools that enable the business to benefit from these services in a measurable way, the security officer will begin walking into his boss's office with confidence when asking for money, because he will be able to demonstrate how many operational dollars will be saved and how much revenue secured because of his security programs. Executives are always looking for ways to minimize expenditure or secure new revenue from customers. The successful security officer will impress his executive management team when he can walk into their offices with numbers demonstrating cost savings, or with examples of customer contracts that were secured because of specific programs run by his security organization. Concentrating on how to measure security programs quantitatively will prove ultimately valuable to the security officer; many internal operational managers neglect to do this and then complain later when they do not receive funding for their projects.

Example: Adding Intrusion Prevention System (IPS) functionality to an already implemented defense-in-depth solution that uses Intrusion Detection Systems (IDS)

The security executive should sell the benefits of the added (or replacement) IPS service using quantitative arguments, such as:
▲ We detect 500 viruses propagating in our network every month using our IDS. Of these, we use IDS functionality to detect and resolve 495 incidents without significant harm being done (mention the cost savings of IDS here).
▲ Of the 5 remaining viruses per month, on average 1 per quarter causes a $200K outage to our enterprise.
▲ A properly configured IPS can detect and block these viruses.
▲ The IPS costs $100K annually (about $8K a month). Doing nothing costs us about $66K a month on average.
▲ In addition, an IPS can be used to detect, alert on and block other malicious activity, such as our employees scanning our HR systems (intangible benefits).

Truth: Programs get continued funding. Projects often don't.

Action: Re-align your projects around scalable, repeatable service initiatives that are long-lasting, provide value, and can be quantitatively measured for success.

Create a relationship with the most powerful group of people in the organization: the sales team. Many of us hate to admit it, but technology serves no purpose without someone successfully selling our company's product or service. It is vital for the security officer to determine how his programs can help retain or secure new business, by understanding customers through communication with sales. The sales team has the ear of the COO and the CEO; they see the customers every day and know what they want now and what they will demand in the future. Security as a "business enabler" is communicated through metrics demonstrating the amount of revenue secured because of the security and risk management programs implemented internally. A smart security officer will measure how his programs have helped to secure customer revenue by meeting customers' minimum security requirements. These dollar figures are more easily understood by executives and business managers than a description of a complex technology solution. The security officer should also align himself closely with the corporate legal department, so that he is aware of the language customers are trying to incorporate into contracts. Customer demand provides fuel for pursuing new security programs that have not yet been established in the organization.

The Risk Management Approach

Myth: Fear, Uncertainty, and Doubt (FUD) is counter-productive

This is not always true. Although certain displays of FUD ("think of the damage to your reputation if this were hacked") are overused and can be counterproductive, there are many situations in which practical demonstrations of risk are extremely effective. By exploiting actual vulnerabilities, we demonstrated to top management how their retirement information and personal details could be accessed. This immediately resulted in a tripling of headcount for information security.

Myth: Complex technology solutions will prevent exploitation of user accounts
Truth: Simple access control measures are often the most effective in preventing unauthorized access

Intelligent management of user access for an organization is simple: it should rely more heavily on effective process than on complicated technology solutions. User account provisioning should be fed from a single database (often a human resources tool such as PeopleSoft) to prevent the discrepancies that occur when a variety of systems kick off the creation of user accounts. Finding a tool that allows security administrators to deprovision user accounts across multiple platforms when an individual is terminated is vital. Systemically enforcing access controls such as password complexity, expiration and length provides better protection from hacking attempts. Where these controls cannot be implemented systemically because of platform limitations, they should be enforced through policy, regular auditing (such as running password crackers) and remediation.

The investment in making an access control solution work effectively is often in the initial setup of the provisioning tool, the systems that interface with it, and the role-based user groups and policies. Security resources will need to build relationships with the human resources, payroll and operational support teams that manage the various authentication platforms across the organization, to ensure that processes run smoothly, that roles are defined correctly, and that any changes are communicated to all affected groups.

It is important to use regulation and recent events in your planning and selling efforts. For instance, you should lean heavily on Sarbanes-Oxley requirements when you sell your requirements for access control (provisioning, directory services, headcount for security access control analysts, periodic role review, etc.). These requirements call for resources (typically junior-level analysts) and the appropriate tools to implement them. In addition, you should use recent events in the press to make your point about needing strong access controls (e.g. heavily publicized identity theft cases in the news media). This is certainly one area where the "What if this were us?" FUD argument is actually beneficial, because for almost every corporation the risk is very real.

The Magic of Metrics

How does a security officer sell his programs and demonstrate overall value to the organization? Through metrics. Metrics empower security officers in many ways, but most importantly they help to communicate business risk to managers who care very little about technology. Quantitative metrics are appreciated by business unit leaders, who view them as meaningful measurements that provide the insight required to make intelligent risk acceptance decisions. By consistently communicating solid risk metrics internally, security officers can begin to win over executives who may previously have believed these programs were necessary but added little value to the business.

The hardest problem for a security officer is to create the appropriate metrics for his organization. Here are some simple metrics that immediately bring value:

▲ Savings due to viruses blocked by implemented protections. Pick a number for the potential loss due to a virus infection, say $100; if you block 500 viruses, you just saved the company $50,000. The actual amount is not important; what matters is to pick a reasonable number and be consistent. Technologists often fall into the trap of objecting ("Well, our users wouldn't click on every attachment that came in, anyway"). It doesn't matter; measure it anyway.
▲ Savings due to spam blocked by implemented protections. We use 8 cents per spam message blocked times 4 recipients for each message, i.e. 32 cents per spam blocked. Although it seems obvious now, two years ago it was hard to get funding for spam-blocking devices. Our CISO used a calculation just like this one to convince the CEO that it was OK to spend $12K on a spam-filtering appliance. The ROI was less than a month. A sample presentation is in Figure 1. This is the language of business: the quicker you can quantify savings and present them to management, the quicker you will be successful.
▲ Percentage of Internet-facing systems with no vulnerabilities. This is typically measured by using tools such as Nessus to continuously measure, report and remediate vulnerabilities.
▲ Percentage of users that have taken security awareness training.
▲ Percentage of systems with up-to-date patches.
▲ Percentage of systems with up-to-date anti-virus software.

Figure 1: A sample calculation and measurement of ROI and savings

Today (per month):
  Internet e-mails received per user: 100
  Number of users: 5,000
  Percentage of mail that is spam: 10% (say)
  Cost of spam: 32c per message
  Total cost of spam = 5000 * 100 * 0.1 * 0.32 = $16,000

With spam appliance:
  Cost of spam appliance = $12K
  Percentage of spam filtered = 95%
  Savings = 16000 * 0.95 = $15,200
  Savings due to appliance = 15200 - 1000 (appliance cost per month, i.e. $12K over 12 months) - 2000 (per month for management, etc.)
  Total savings: $12,200 PER MONTH

Action: Create a risk metrics dashboard for the organization and manage against it. Ensure business management is aware of this dashboard; they will appreciate it.

Figure 2 is a simple example of a risk dashboard. You will no doubt want to specify your own variables and scores. Color coding helps the reader easily find problem points to remediate. You can do this in Excel or on a Web page for management to browse and drill down where necessary. We have found it amazing how quickly a red tab on a business manager's region will get them to take action on fixing it.

Figure 2: Example of a risk dashboard (risk, physical security and DR/BCP are scores; assessment, awareness and anti-virus are coverage percentages; enablers and savings are dollar figures)

Region         Overall risk  Vulnerability assessment  Security awareness  Anti-virus  Enablers  Savings  Physical security  DR/BCP
North America  3.5           74%                       97%                 80%         10.4M     1.5M     3                  3
US             3.8           88%                       96%                 85%         5.4M      .75M     3                  3
Canada         4.2           95%                       94%                 87%         3M        .5M      2                  4
Mexico         2.7           62%                       91%                 37%         2M        .25M     2                  3
Asia           1.2           97%                       95%                 87%         3.3M      0.6M     3                  3
India          1.1           99%                       96%                 82%         1.7M      0.34M    2                  1
China          2.1           94%                       94%                 84%         1.6M      0.26M    4                  3

Risk Management MAGIC
▲ Measure Program Parameters
▲ Appropriate Organizational Alignment
▲ Generate Value to Organization through Services
▲ Internal Relationship Building
▲ Communication of Programs to Customers

Security officers must master the art of "selling" their programs internally. They must translate costly expenditures on technology solutions into methods for managing risks to the organization's information assets. Security leaders must humanize potential risk and give executives an accurate understanding of how the company's revenue and reputation can be negatively impacted by security incidents. Business unit managers must be convinced that internal security services enable business, differentiating their organization from competitors by allowing it to meet customer demands for minimum protection of their data.

Conclusion

The next time you are planning how to spend your dollars on training, don't look in the latest technology journal. Put your money and your mind into building business sense. Learn to design a service organization and support your programs with metrics that mean something to upper management. Stop managing your team as a technology organization and invest in understanding how your programs enhance business objectives and help secure future revenue, where possible. Mold your technology group into a sales organization that does more than just implement secure technology solutions.

Aurobindo Sundaram, CISSP, CISM, is Director of Network Security at ChoicePoint.
Michelle Ward, CISSP/CIFI/CISM, is Director of Information Security at ChoicePoint.
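Added worked example for the access control discussion in "The Risk Management Approach" above (this is not code from the original article or from the authors). It shows the process the article describes as more valuable than complex technology: treat the HR feed as the single source of truth, reconcile each authentication platform's account export against it to find accounts that should have been deprovisioned or that HR never created, and audit password age where the platform cannot enforce expiration itself. The HR feed, the directory export and their field names are constructed sample data, and the 90-day password age is an assumed policy value.

```python
"""Reconcile directory accounts against the HR system of record.

Added example, not from the original article. The HR feed, the directory
export and their field names are constructed for the example; the 90-day
password age is an assumed policy value.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed HR feed: the single authoritative source that should drive provisioning.
HR_FEED = """\
employee_id,username,status,termination_date
1001,asundaram,active,
1002,mward,active,
1003,jdoe,terminated,2005-06-30
1004,rroe,active,
"""

# Constructed export from one authentication platform (directory, database, mainframe ...).
DIRECTORY_EXPORT = """\
username,enabled,password_last_set
asundaram,true,2005-05-01
mward,true,2005-01-15
jdoe,true,2005-03-02
svc_backup,true,2003-11-20
rroe,false,2005-06-01
"""

PASSWORD_MAX_AGE_DAYS = 90  # assumed policy value


@dataclass(frozen=True)
class Finding:
    username: str
    issue: str    # "orphan", "no_hr_record" or "stale_password"
    detail: str


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_text, dir_text, today, max_age_days=PASSWORD_MAX_AGE_DAYS):
    """Return the accounts a deprovisioning or remediation run should act on.

    Three checks: an enabled account that HR says is terminated (deprovision it),
    an account HR has never heard of (find its owner or remove it), and an enabled
    account whose password is older than policy allows (enforce by audit where the
    platform itself cannot enforce expiration).
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    hr_by_user = {row["username"]: row for row in parse_csv(hr_text)}
    findings = []
    for acct in parse_csv(dir_text):
        user = acct["username"]
        enabled = acct["enabled"].strip().lower() == "true"
        hr = hr_by_user.get(user)
        if hr is None:
            findings.append(Finding(user, "no_hr_record", "not in HR feed; verify owner"))
            continue
        if hr["status"] == "terminated" and enabled:
            findings.append(Finding(user, "orphan",
                                    f"terminated {hr['termination_date']} but still enabled"))
            continue
        if enabled:
            age = (today - date.fromisoformat(acct["password_last_set"])).days
            if age > max_age_days:
                findings.append(Finding(user, "stale_password",
                                        f"password is {age} days old (limit {max_age_days})"))
    return findings


def summary(findings):
    """Counts per issue type: the kind of number that belongs on the risk dashboard."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    found = reconcile(HR_FEED, DIRECTORY_EXPORT, "2005-07-15")
    for f in found:
        print(f"{f.username:12} {f.issue:15} {f.detail}")
    print(summary(found))
```

Run against the sample data as of 2005-07-15, the script flags jdoe (terminated in HR but still enabled), svc_backup (no HR record at all, the typical locally created service account) and mward (password 181 days old), and leaves rroe alone because the account is already disabled. The same join, repeated per platform and fed into the dashboard as counts and percentages, is the audit-and-remediate loop the article recommends where systemic enforcement is not available.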
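Added worked example for "The Magic of Metrics" above, covering both the IPS argument in "Program Positioning" and the Figure 1 and Figure 2 material (this is not code from the original article or from the authors). It generalizes the cost-avoidance arithmetic into one model (events per month, assumed loss per event, fraction blocked, amortized purchase cost, ongoing cost), reproduces the $12,200 per month of Figure 1 and the IPS case, adds the sensitivity check that the "pick a reasonable number" advice needs (the smallest loss-per-event assumption at which the control still pays for itself), and renders Figure 2-style rows as a colour-coded table. The red/amber/green thresholds are assumptions for the example; the IPS parameters are a reading of the article's bullet points (5 viruses a month past the IDS, one $200K outage per quarter, $100K a year with no separate purchase cost).

```python
"""Cost-avoidance metrics and a red/amber/green risk dashboard.

Added example, not from the original article. It generalizes the arithmetic
behind the article's IPS argument and Figure 1 and colour-codes rows like
Figure 2. The threshold values are assumptions for the example.
"""
from dataclasses import dataclass
from html import escape


@dataclass(frozen=True)
class Control:
    name: str
    events_per_month: float    # events the control sees (spam messages, viruses past the IDS, ...)
    loss_per_event: float      # dollars lost per event that gets through (the "pick a number" figure)
    blocked_fraction: float    # share of events the control stops
    capex: float               # one-time purchase cost
    amortization_months: int   # months the purchase is spread over
    opex_per_month: float      # ongoing management cost


def avoided_loss_per_month(c: Control) -> float:
    return c.events_per_month * c.loss_per_event * c.blocked_fraction


def monthly_savings(c: Control) -> float:
    """Net dollars saved per month: avoided loss minus amortized capex and opex."""
    return avoided_loss_per_month(c) - c.capex / c.amortization_months - c.opex_per_month


def payback_months(c: Control) -> float:
    """Months until cash saved (avoided loss minus opex) covers the purchase."""
    cash_per_month = avoided_loss_per_month(c) - c.opex_per_month
    return c.capex / cash_per_month if cash_per_month > 0 else float("inf")


def break_even_loss_per_event(c: Control) -> float:
    """Smallest loss-per-event assumption at which the control still pays for itself.

    If the figure you picked is far above this, the argument survives a sceptical
    executive halving it; if it is close, the case rests on the assumption."""
    return (c.capex / c.amortization_months + c.opex_per_month) / (
        c.events_per_month * c.blocked_fraction)


# Figure 1 as a Control: 5000 users x 100 mails x 10% spam = 50,000 spam/month at 32c each,
# 95% filtered, $12K appliance over 12 months, $2K/month management.
SPAM_APPLIANCE = Control("spam appliance", 5000 * 100 * 0.10, 0.32, 0.95, 12_000, 12, 2_000)

# The IPS argument: 5 viruses/month get past the IDS; 1 in 15 causes a $200K outage,
# so the expected loss is $200K/15 per virus. IPS is $100K/year with no separate capex.
IPS = Control("IPS", 5, 200_000 / 15, 1.0, 0, 1, 100_000 / 12)


def rag(value: float, green_at: float, amber_at: float) -> str:
    """Red/amber/green for a 'higher is better' coverage percentage."""
    if value >= green_at:
        return "green"
    return "amber" if value >= amber_at else "red"


# Coverage thresholds (green_at, amber_at); assumed values for the example.
THRESHOLDS = {"vuln_assessed": (90, 75), "awareness": (95, 90), "antivirus": (85, 70)}

# A few rows with the percentages from the article's Figure 2.
DASHBOARD_ROWS = [
    {"region": "North America", "vuln_assessed": 74, "awareness": 97, "antivirus": 80},
    {"region": "Mexico", "vuln_assessed": 62, "awareness": 91, "antivirus": 37},
    {"region": "India", "vuln_assessed": 99, "awareness": 96, "antivirus": 82},
]


def colour_rows(rows):
    """Attach a RAG status per metric and sort the worst regions first."""
    out = []
    for row in rows:
        status = {m: rag(row[m], *THRESHOLDS[m]) for m in THRESHOLDS}
        out.append({**row, "status": status, "reds": sum(s == "red" for s in status.values())})
    return sorted(out, key=lambda r: (-r["reds"], r["region"]))


def render_html(rows) -> str:
    """Minimal colour-coded table for a management web page (style the classes in CSS)."""
    head = "<tr><th>Region</th>" + "".join(f"<th>{m}</th>" for m in THRESHOLDS) + "</tr>"
    body = ""
    for r in colour_rows(rows):
        cells = "".join(f'<td class="{r["status"][m]}">{r[m]}%</td>' for m in THRESHOLDS)
        body += f"<tr><td>{escape(r['region'])}</td>{cells}</tr>"
    return f"<table>{head}{body}</table>"


if __name__ == "__main__":
    for c in (SPAM_APPLIANCE, IPS):
        print(f"{c.name}: ${monthly_savings(c):,.0f}/month, payback {payback_months(c):.2f} months, "
              f"break-even loss/event ${break_even_loss_per_event(c):,.4f}")
    print(render_html(DASHBOARD_ROWS))
```

With the article's numbers the spam appliance nets $12,200 a month and pays back in under a month, as Figure 1 says, and the IPS nets about $58,000 a month. The break-even figure is the caveat worth carrying into the meeting: the spam case still holds if the cost per blocked message falls from 32 cents to about 6.3 cents, so the argument does not depend on the exact value chosen. In the dashboard, Mexico sorts to the top with two red cells, which is the "red tab on a business manager's region" effect the article describes.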