Justifying your Security Spend Presented by: Jojo Colina Head, Product Management & Development  Privileged and Confidential. NDA Required for External Disclosure.
Justifying your Security Investment Presented by: Jojo Colina Head, Product Management & Development  Privileged and Confidential. NDA Required for External Disclosure.
“Security Problems are never truly solved. The bad guys are always waiting for an opportunity...” And they are getting better all the time!

Risk can never be Eliminated!
“There is no ‘right’ amount of money to spend on IT infrastructure.”
No matter how much money you spend on infrastructure, you’ll never be totally safe and secure. So the “right” amount of money for a company to spend on IT infrastructure — whether it’s for security or for something else like database reliability or resilient servers — depends on the amount of risk that the company is willing to tolerate.

Good Security is Invisible
It’s difficult to justify security when it’s working.

The biggest investments in security usually come right after a security breach
• A government website is defaced and makes the news. Suddenly that agency and others make inquiries about Web Security products and services.
• Local BPO is infected with Conficker worm. Review and upgrade of Endpoint Security is undertaken.

Making People Dissatisfied is the Only Way to Justify Investment
Dissatisfaction with the status quo is most important when you’re trying to sell security investment.
To justify additional security investment you have to convince the business that your current security infrastructure is inadequate.

Three challenges to Security
• Make your end users “feel” secure
• Implement an infrastructure with a reasonable level of security for the amount of money the company is willing to invest

Victim of your own success
“Security to your end users is a state of mind. One which you created by your success in solving security challenges.”
Now that they feel secure, how do you justify additional security expense?

Three challenges to Security
• Make your end users “feel” secure
• Implement an infrastructure with a reasonable level of security for the amount of money the company is willing to invest
• Recommend the right level of infrastructure security investment and get agreement from the business

How to determine the right level of Investment
• What are other companies with a similar risk tolerance to yours doing?
• Does your company deal with confidential information from your customers?
• Does your company differentiate itself from its competition based on an enhanced level of trust or risk avoidance?
• Does your company hold a proprietary advantage over its competition which could be lost if confidential company information was revealed?

Justify the Need
• Enterprise Objectives for Security
  - Obtain Blueprint documents from CTO/CIO to understand roadmap for technology growth in hardware/software/network
• Regulatory Mandates
  - Contact Compliance, Legal and industry groups to understand immediate and short-term/long-term regulatory requirements
• Risk Analysis
  - Understand your risks in cyber/physical security, disaster recovery/business continuation and compliance to data protection/data sharing regulations
  - Quantify the impacts wherever possible; per incident, per potential loss
• Probability of Occurrence
  - Be realistic; pull industry trend information; poll industry alliances; previous internal loss
• Impact of Occurrence
  - Be realistic; compute hard financial impacts, estimate soft financial impact based on real industry losses/settlements/pay-outs; poll industry vendors
• Benefit to Enterprise
  - Avoidance is one benefit but weak justification for getting approved funds
  - Tie to hard savings/loss reduction

Build a Business Case
• Understand TCO
  - Total Cost of Ownership – use Finance to assist; plan across next 5 fiscal years [understand where you can cut if necessary]
  - Use this TCO in your ROSI Calculations

Build a Business Case
• Timelines and Resource Requirements
  - Articulate inter-dependencies between security initiatives
  - Speak to the large plan; cross-utilize resources
  - Use compliance requirements to your advantage
  - Make contact with industry firms early to determine resource availability
  - Try to MINIMIZE EXPENSES [save up for future battles]

Build a Business Case
• Use Financial Metrics
  - Build metrics that can reflect your project progress
  - Always be ready to estimate financial cost avoidance from a deterred incident
  - Provides immediate feedback of success and hardened evidence of ROSI for future projects/enhancements

ROI and ROSI
• ROI (Return on Investment)
  - To calculate ROI, the cost of a purchase is weighed against the expected returns over the life of the item.
  - Ex: if a new production facility will cost $1M and is expected to bring in $5M over the course of three years, the ROI for the three year period is 400% (4x the initial investment of net earnings).
• ROSI (Return on Security Investment)
  - ViriCorp has gotten viruses before. It estimates that the average cost in damages and lost productivity due to a virus infection is $25,000. Currently, ViriCorp gets four of these viruses per year. ViriCorp expects to catch at least 3 of the 4 viruses per year by implementing a $25,000 virus scanner.
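
The ViriCorp scenario from the ROI and ROSI slide, worked through as an added example that is not part of the original presentation. It applies the formula from the ROSI paper listed in the References slide, (risk exposure x % risk mitigated - solution cost) / solution cost, and extends it to a five-year TCO as the "Understand TCO" slide asks; the five-year cost schedule and all function names are assumptions made for illustration.

```python
"""ROSI model for the ViriCorp scenario.

Incident figures come from the slide; TCO_5Y is a constructed cost schedule.
"""

INCIDENTS_PER_YEAR = 4        # slide: four virus infections per year
COST_PER_INCIDENT = 25_000    # slide: average damage and lost productivity
SCANNER_COST = 25_000         # slide: cost of the virus scanner
MITIGATION_RATIO = 3 / 4      # slide: scanner catches 3 of the 4 viruses

# Constructed 5-year TCO: purchase in year 1, assumed upkeep afterwards.
TCO_5Y = [25_000, 5_000, 5_000, 5_000, 5_000]


def roi(cost, expected_returns):
    """Classic ROI: net earnings relative to the initial investment."""
    return (expected_returns - cost) / cost


def annual_risk_exposure(incidents_per_year, cost_per_incident):
    """Probability (frequency) of occurrence times impact of occurrence."""
    return incidents_per_year * cost_per_incident


def rosi(risk_exposure, mitigation_ratio, solution_cost):
    """(risk exposure * share of risk mitigated - cost) / cost."""
    if not 0.0 <= mitigation_ratio <= 1.0:
        raise ValueError("mitigation_ratio must be between 0 and 1")
    if solution_cost <= 0:
        raise ValueError("solution_cost must be positive")
    return (risk_exposure * mitigation_ratio - solution_cost) / solution_cost


def break_even_mitigation(risk_exposure, solution_cost):
    """Mitigation ratio at which ROSI is exactly zero.

    A result above 1.0 means the control costs more than the whole
    exposure and cannot pay for itself on loss reduction alone.
    """
    return solution_cost / risk_exposure


def multi_year_rosi(annual_exposure, mitigation_ratio, yearly_costs):
    """ROSI over the planning horizon, using total cost of ownership."""
    total_exposure = annual_exposure * len(yearly_costs)
    return rosi(total_exposure, mitigation_ratio, sum(yearly_costs))


def sensitivity(annual_exposure, solution_cost, ratios):
    """ROSI for a range of mitigation ratios, to show how fragile the
    business case is if the control performs worse than expected."""
    return [(r, rosi(annual_exposure, r, solution_cost)) for r in ratios]


def viricorp_report():
    """Collect the figures a business case for the scanner would quote."""
    exposure = annual_risk_exposure(INCIDENTS_PER_YEAR, COST_PER_INCIDENT)
    return {
        "annual_exposure": exposure,
        "rosi_year_1": rosi(exposure, MITIGATION_RATIO, SCANNER_COST),
        "break_even": break_even_mitigation(exposure, SCANNER_COST),
        "rosi_5y_tco": multi_year_rosi(exposure, MITIGATION_RATIO, TCO_5Y),
        "sensitivity": sensitivity(exposure, SCANNER_COST,
                                   [0.25, 0.50, 0.75, 1.00]),
    }


if __name__ == "__main__":
    report = viricorp_report()
    print(f"Production facility ROI: {roi(1_000_000, 5_000_000):.0%}")
    print(f"Annual risk exposure:    ${report['annual_exposure']:,}")
    print(f"ROSI, first year:        {report['rosi_year_1']:.0%}")
    print(f"Break-even mitigation:   {report['break_even']:.0%}")
    print(f"ROSI over 5-year TCO:    {report['rosi_5y_tco']:.0%}")
    for ratio, value in report["sensitivity"]:
        print(f"  catches {ratio:.0%} of infections -> ROSI {value:.0%}")
```

The sensitivity rows show the point at which the case collapses: if the scanner catches only one infection in four, the investment merely breaks even.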

Build a Business Case
• Articulate Impact – Piggyback
  - You have to be able to articulate what the umbrella benefit is, what the specific impact potential might be, and the specific benefits of each project
  - Piggyback related projects to provide ‘value-added’ benefit.
• Meet Stakeholders Expectations
  - Write the narrative to the expectations of your project stakeholders
  - Know what they need to accomplish within their realm [financial, organizational, resource management, bonus structure, etc]

Justifying your Investment – Key points
• Security Investment is hard to quantify
  - The need for security is obvious
  - Impact of a security breach is real
  - Justification ahead of time is difficult
• Accurate Risk Analysis
  - Accurately determine your risk profile
• Financial Analysis
  - ROI/ROSI
  - Determine impact and loss deference of investing
  - Create a sound business plan
• Instrument your projects
  - Create metrics which highlight success/failure
  - Document performance to refine your ROSI model
• Roadmap your security plan

References
• Return On Security Investment (ROSI): A Practical Quantitative Model. http://www.infosecwriters.com/text_resources/pdf/ROSI-Practical_Model.pdf
• Three things your CEO wants to Know. http://blog.makingitclear.com/2008/06/10/ceowantstoknow/
• Trial by Fire - Price Waterhouse Coopers Advisory Services. http://www.pwc.com/en_GX/gx/information-security-survey/pdf/pwcsurvey2010_report.pdf
• CSI Computer Crime and Security Survey 2009. http://gocsi.com/survey
• Performance Measurement Guide for Information Security. http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf

Thank you
Presentation can be viewed at: http://www.slideshare.net/du1jec/justifying-security-investment
