Cost Justifying Security
Session #C3
Tuesday, April 24, 2012
3:45-5:00PM
Michael A. Davis
CEO, Savid Technologies
MIS Training Institute Session #C3 - Slide 2
© Savid Technologies
Who am I?
» Michael A. Davis
– CEO of Savid Technologies
IT Security, Risk Assessment, Penetration Testing
– Speaker
Blackhat, Defcon, CanSecWest, Toorcon, Hack In The Box
– Open Source Software Developer
Snort
Nmap
Dsniff
» Savid Technologies
– Risk Assessments, IT Security Consulting, Audit and Compliance
Author
The Issue
“Single biggest security related problem is a lack of Senior Level commitment to enterprise wide security policies.”
Execs Are Paying Attention
Source: InformationWeek Data Survey, 2011
We Protect, They Are Criticized
According to Bloomberg News, Sony has been subpoenaed by New York attorney general Eric Schneiderman, who is "seeking information on what Sony told customers about the security of their networks, as part of a consumer protection inquiry." (Source: informationweek.com)

Rep. Mary Bono Mack (R-Calif.), the subcommittee chair, said that Sony should have informed its consumers of the breach earlier and said its efforts were “half-hearted, half-baked.” She was particularly critical of Sony’s decision to first notify customers of the attack via its company blog, leaving it up to customers to search for information on the breach. (Source: washingtonpost.com)
Metrics, We need metrics!
We All Do Them
Source: 2011 InformationWeek Analytics Strategic Security Survey
The Reality
Source: 2011 InformationWeek Analytics Strategic Security Survey
Complex IT Projects Fail - A Lot
Out of 200 multinationals:
67% failed to terminate unsuccessful projects
61% reported major conflicts
34% of projects were not aligned with strategy
32% performed redundant work
1 in 6 projects had a cost overrun of 200%!
Source: 2011 Harvard Business Review – Berlin Univ Technical survey
T-Mobile CISO On Metrics
“Security experts can't measure their success without security metrics, and what can't be measured can't be effectively managed.”
~ Bill Boni, VP of IS, T-Mobile USA
Why Do We Care?
Management asks: “Are we secure?”
Without metrics: “Depends how you look at it.”
With metrics: “Look at our risk score before this project. It dropped 15%. We are more secure today than yesterday.”
Where/What to measure
Strategy/Governance: Code Reviews, Project Risk Assessments, Exceptions/Waivers
Tactical/Sec Ops: Vuln Management, Patch Management, Incidents, etc.
Example metrics at each level:
IS budget
Spending per employee
Policy gaps in existence
Industry standards adopted
Awareness plan
% of projects going through the assessment process
# of policy exceptions
# of risk acceptances
% of projects doing code reviews
Error rates
Frequency of vuln assessment
# of outstanding vulns
Rate of fixing
Trend of incident response losses
Who are you?
TCO
Patch Latency
SPAM/AV Stats
Examples of metrics
Baseline Defenses Coverage (AV, FW, etc.)
Measurement of how well you are protecting your enterprise against the most basic information security threats.
Target: 94% to 98%; less than 90% is cause for concern.
Patch Latency
Time between a patch’s release and your successful deployment of that patch.
Express as averages, broken out by criticality.
Platform Security Scores
Measures adherence to your hardening guidelines.
Compliance
Measure departments against security standards.
Example: number of Linux servers at least 90% compliant with the Linux platform security standard.
Phishing Still Works
Stop With The Confirmation Bias
Risk Perception Is Bad
Tornado vs. Kitchen Fire
Less Familiar Risks Are Perceived As Greater
Favor Info That Matches Preconceptions
Cause And Effect Processing
Correlation Does Not Equal Causation
We Manage Risk Using Metrics That Don’t Matter
It Is About Risk MANAGEMENT
An Effective Metrics Catalog Defines:
Category
Metric
How To Measure
Purpose Of This Metric
Target Audience
Reporting Frequency/Period
5 Signs You Have a Confirmation Bias
Using Quantitative Risk Scores To Make Decisions
Looking At Security Events Instead Of Probability Of Vulnerabilities
Talking About Risk In Terms Of “Industry Data”
Lack Of Risk Management
Inability To Communicate Risk
Security Metric Gotchas
Not Tracking Visibility
What % of the population is the metric representing?
Develop a baseline for acceptance
Not Trending
Provide at least 4 previous periods and a trend line
Not Providing Forward Guidance
Red, Green, Yellow (Worse, Better, Same)
Not Mapping To A Business Goal
Focusing On Hazard Risk
Not Using Qualitative Metrics
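Computing the example metrics from the "Examples of metrics" slide and the trended, Red/Green/Yellow reporting the gotchas slide calls for, as an added Python example that is not part of the deck. The hosts, patch records and period values are constructed sample data; the 94%/98%/90% thresholds and the "at least 4 previous periods" rule are taken from the slides.

```python
"""Security metrics from a constructed inventory: baseline coverage, patch
latency by criticality, platform compliance counts, and a trended series
with Red/Green/Yellow guidance. All data below is constructed, not real."""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class Host:
    name: str
    platform: str           # "linux" or "windows"
    av_installed: bool      # baseline control: anti-virus present
    fw_enabled: bool        # baseline control: host firewall on
    hardening_score: float  # % of the platform security standard's checks passed


@dataclass
class PatchRecord:
    criticality: str          # "critical", "high" or "medium"
    released: date            # vendor release date
    deployed: Optional[date]  # None means not yet successfully deployed


# Constructed inventory (hypothetical hosts, not real systems).
HOSTS: List[Host] = [
    Host("web01", "linux", True, True, 95.0),
    Host("web02", "linux", True, True, 88.0),
    Host("db01", "linux", True, True, 92.0),
    Host("db02", "linux", False, True, 97.0),      # AV missing
    Host("app01", "linux", True, True, 90.0),
    Host("win01", "windows", True, True, 93.0),
    Host("win02", "windows", True, False, 85.0),   # firewall off
    Host("win03", "windows", True, True, 96.0),
]

# Constructed patch records; the report date matches the session date on the slides.
AS_OF = date(2012, 4, 24)
PATCHES: List[PatchRecord] = [
    PatchRecord("critical", date(2012, 3, 1), date(2012, 3, 8)),
    PatchRecord("critical", date(2012, 4, 10), date(2012, 4, 13)),
    PatchRecord("high", date(2012, 3, 15), date(2012, 4, 4)),
    PatchRecord("high", date(2012, 4, 1), None),   # still outstanding
    PatchRecord("medium", date(2012, 2, 1), date(2012, 3, 17)),
]


def baseline_coverage(hosts: Sequence[Host]) -> float:
    """Percent of hosts with every baseline control (AV and firewall) in place."""
    covered = sum(1 for h in hosts if h.av_installed and h.fw_enabled)
    return round(100.0 * covered / len(hosts), 1)


def coverage_status(pct: float) -> str:
    """Apply the slide's thresholds: 94-98% expected, below 90% is cause for concern."""
    if pct < 90.0:
        return "concern"
    if pct < 94.0:
        return "below target"
    return "on target"


def patch_latency_by_criticality(patches: Sequence[PatchRecord], as_of: date) -> Dict[str, float]:
    """Average days from release to successful deployment, per criticality."""
    # An undeployed patch keeps accruing latency up to the report date, so the
    # average cannot look better just because a patch was never applied.
    days: Dict[str, List[int]] = {}
    for p in patches:
        end = p.deployed if p.deployed is not None else as_of
        days.setdefault(p.criticality, []).append((end - p.released).days)
    return {crit: round(float(mean(d)), 1) for crit, d in days.items()}


def compliant_servers(hosts: Sequence[Host], platform: str, threshold: float = 90.0) -> Tuple[int, int]:
    """(servers at least `threshold`% compliant with the platform standard, servers on that platform)."""
    on_platform = [h for h in hosts if h.platform == platform]
    return sum(1 for h in on_platform if h.hardening_score >= threshold), len(on_platform)


def trend(series: Sequence[float], lower_is_better: bool = False) -> Dict[str, object]:
    """Least-squares trend line slope plus Red/Green/Yellow guidance for the current period."""
    # The gotchas slide asks for the current period plus at least 4 previous ones.
    if len(series) < 5:
        raise ValueError("need the current period plus at least 4 previous periods")
    n = len(series)
    x_mean, y_mean = (n - 1) / 2.0, sum(series) / n
    slope = (sum((i - x_mean) * (y - y_mean) for i, y in enumerate(series))
             / sum((i - x_mean) ** 2 for i in range(n)))
    prev, cur = series[-2], series[-1]
    if cur == prev:
        direction, rag = "same", "yellow"
    elif (cur < prev) if lower_is_better else (cur > prev):
        direction, rag = "better", "green"
    else:
        direction, rag = "worse", "red"
    return {"slope": round(slope, 3), "direction": direction, "rag": rag}


if __name__ == "__main__":
    cov = baseline_coverage(HOSTS)
    print(f"Baseline defenses coverage: {cov}% ({coverage_status(cov)})")
    print("Patch latency (avg days):", patch_latency_by_criticality(PATCHES, AS_OF))
    print("Linux servers >= 90%% compliant: %d of %d" % compliant_servers(HOSTS, "linux"))
    print("Coverage trend over 5 quarters:", trend([91.0, 92.5, 93.0, 94.5, 95.2]))
```

Pass `lower_is_better=True` for metrics such as outstanding vulnerability counts, where a falling series is the improvement.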
Hazard vs Speculative Risk
Linking to Business Goals
Outcome Management
Conclusion
Contact Information
Michael A. Davis
mdavis@savidtech.com
708-532-2843
Twitter: @mdavisceo
Boost PC performance: How more available memory can improve productivity
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 

Cost Justifying IT Security

  • 1. Cost Justifying Security. Session #C3, Tuesday, April 24, 2012, 3:45-5:00PM. Michael A. Davis, CEO, Savid Technologies
  • 2. Who am I? (MIS Training Institute Session #C3 © Savid Technologies)
    – Michael A. Davis: CEO of Savid Technologies (IT Security, Risk Assessment, Penetration Testing); Speaker (Blackhat, Defcon, CanSecWest, Toorcon, Hack In The Box); Open Source Software Developer (Snort, Nmap, Dsniff)
    – Savid Technologies: Risk Assessments, IT Security Consulting, Audit and Compliance
  • 3. Author
  • 4. The Issue: "Single biggest security related problem is a lack of Senior Level commitment to enterprise wide security policies."
  • 5. Execs Are Paying Attention (Source: Information Week Data Survey, 2011)
  • 6. We Protect, They Are Criticized
    – According to Bloomberg News, Sony has been subpoenaed by New York attorney general Eric Schneiderman, who is "seeking information on what Sony told customers about the security of their networks, as part of a consumer protection inquiry." (Source: informationweek.com)
    – Rep. Mary Bono Mack (R-Calif.), the subcommittee chair, said that Sony should have informed its consumers of the breach earlier and said its efforts were "half-hearted, half-baked." She was particularly critical of Sony's decision to first notify customers of the attack via its company blog, leaving it up to customers to search for information on the breach. (Source: washingtonpost.com)
  • 7. Metrics, We need metrics!
  • 8. We All Do Them (Source: 2011 InformationWeek Analytics Strategic Security Survey)
  • 9. The Reality (Source: 2011 InformationWeek Analytics Strategic Security Survey)
  • 10. Complex IT Projects Fail - A lot. Out of 200 multi-nationals:
    – 67% failed to terminate unsuccessful projects
    – 61% reported major conflicts
    – 34% of projects were not aligned with strategy
    – 32% performed redundant work
    – 1 in 6 projects had a cost overrun of 200%!
    – Source: 2011 Harvard Business Review – Berlin Univ Technical survey
  • 11. T-Mobile CISO On Metrics: "Security experts can't measure their success without security metrics, and what can't be measured can't be effectively managed." ~ Bill Boni, VP of IS, T-Mobile USA
  • 12. Why Do We Care? Management asks: "Are we secure?"
    – Without metrics: "Depends how you look at it"
    – With metrics: "Look at our risk score before this project, it dropped 15%. We are more secure today than yesterday"
  • 13. Where/What to measure
    – Strategy/Governance: Code Reviews, Project Risk Assessments, Exceptions/Waivers
    – Tactical/Sec Ops: Vuln Management, Patch Management, Incidents, etc.
    – Metrics: IS budget spending per employee; policy gaps in existence; industry standards adopted; awareness plan; % of projects going through the assessment process; # of policy exceptions; # of risk acceptances; % of projects doing code reviews; error rates; frequency of vuln assessments; # of outstanding vulns; rate of fixing; trend of incident response losses
  • 14. Who are you? TCO; Patch Latency; SPAM/AV Stats
  • 15. Examples of metrics
    – Baseline Defenses Coverage (AV, FW, etc): measurement of how well you are protecting your enterprise against the most basic information security threats. 94% to 98%; less than 90% is cause for concern.
    – Patch Latency: time between a patch's release and your successful deployment of that patch. Express as averages and by criticality.
    – Platform Security Scores: measures compliance with your hardening guidelines.
    – Compliance: measure departments against security standards, e.g. number of Linux servers at least 90% compliant with the Linux platform security standard.
  • 16. Phishing Still Works
  • 17. Stop With The Confirmation Bias
    – Risk perception is bad: Tornado v. Kitchen Fire; less familiar risks are perceived as greater
    – We favor information that matches our preconceptions
    – Cause-and-effect processing: correlation does not equal causation
    – We manage risk using metrics that don't matter
  • 18. It Is About Risk MANAGEMENT. Effective Metrics Catalog, define for each metric: Category; Metric; How To Measure; Purpose Of This Metric; Target Audience; Reporting Frequency/Period
  • 19. 5 Signs You Have a Confirmation Bias
    – Using quantitative risk scores to make decisions
    – Looking at security events instead of the probability of vulnerabilities
    – Talking about risk in terms of "industry data"
    – Lack of risk management
    – Inability to communicate risk
  • 20. Security Metric Gotchas
    – Not tracking visibility: what % is the metric representing? Develop a baseline for acceptance
    – Not trending: provide at least 4 previous periods and a trend line
    – Not providing forward guidance: Red, Green, Yellow (Worse, Better, Same)
    – Not mapping to a business goal
    – Focusing on hazard risk
    – Not using qualitative metrics
  • 21. Hazard vs Speculative Risk
  • 22. Linking to Business Goals
  • 23. Outcome Management
  • 24. Conclusion. Contact Information: Michael A. Davis, mdavis@savidtech.com, 708-532-2843, Twitter: @mdavisceo
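The metrics defined on slides 15 and 20, computed over constructed sample data as an added Python example (not code from the deck or from Savid Technologies): baseline defenses coverage against the 90% and 94% thresholds, patch latency by criticality, platform compliance counts, and Red/Yellow/Green forward guidance from a trend line over four previous periods. The 0.5-per-period "flat" tolerance and all sample figures are assumptions of this example.

```python
from statistics import mean

def baseline_coverage(hosts_with_control: int, hosts_total: int) -> tuple[float, str]:
    """Baseline Defenses Coverage (AV, FW, ...) as a percentage of hosts.
    Deck thresholds: 94-98% expected, below 90% is cause for concern."""
    pct = 100.0 * hosts_with_control / hosts_total
    if pct < 90.0:
        status = "concern"
    elif pct < 94.0:
        status = "below target"
    else:
        status = "on target"
    return round(pct, 1), status

def patch_latency(deployments: list[tuple[str, int, int]]) -> dict[str, float]:
    """Patch Latency: mean days from a patch's release to its successful
    deployment, per criticality. Records are (criticality, release_day, deployed_day)."""
    by_crit: dict[str, list[int]] = {}
    for crit, released, deployed in deployments:
        by_crit.setdefault(crit, []).append(deployed - released)
    return {crit: round(mean(days), 1) for crit, days in by_crit.items()}

def platform_compliance(scores: list[float], threshold: float = 90.0) -> int:
    """Platform Security Score: servers at least `threshold` percent compliant
    with the hardening standard (the deck's Linux example)."""
    return sum(1 for s in scores if s >= threshold)

def trend_guidance(previous: list[float], current: float, higher_is_better: bool = True) -> str:
    """Forward guidance from a least-squares trend line over at least four
    previous periods plus the current one: Green (better), Yellow (same),
    Red (worse). The 0.5-per-period flat tolerance is this example's assumption."""
    if len(previous) < 4:
        raise ValueError("provide at least 4 previous periods")
    ys = list(previous[-4:]) + [current]
    n, y_bar = len(ys), mean(ys)
    x_bar = (n - 1) / 2
    slope = (sum((x - x_bar) * (y - y_bar) for x, y in enumerate(ys))
             / sum((x - x_bar) ** 2 for x in range(n)))
    if not higher_is_better:
        slope = -slope
    if abs(slope) < 0.5:
        return "Yellow"
    return "Green" if slope > 0 else "Red"

if __name__ == "__main__":
    # Constructed sample data, not figures from the deck.
    print(baseline_coverage(95, 100))                       # (95.0, 'on target')
    print(patch_latency([("critical", 0, 3), ("critical", 10, 15), ("low", 0, 30)]))
    print(platform_compliance([95.0, 89.9, 90.0, 72.5]))    # 2
    print(trend_guidance([80, 82, 84, 86], 88))             # Green
```

Pass `higher_is_better=False` for metrics where growth is bad, such as patch latency in days, so the same rising trend line reports Red instead of Green.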