This talk focuses on gathering metrics and building a security program - one that actually solves real business security/risk problems. I walk the reader through the process of identifying key risks and actually measuring the problems, helping pinpoint focus for the security organization.
A must-read if you work in InfoSec!
1. Solving Problems That Don’t Exist! building better security practices
Rafal M. Los, Solutions Specialist, HP ASC
22 May 2009
2. Session Overview
In today's enterprise, Web Application Security has come front and center for security managers as well as the business. The reason many well-funded, well-backed programs fail is because they miss the fundamental rule of problem solving – understand the problem. The secret to success is simple – understand your business context and build a program around that. How can you develop an actionable, business-risk driven program for your enterprise? Understanding your role within the business is key, followed by successful identification of a cornerstone upon which to base the program. Evaluating data value, application visibility and business exposure one step at a time, and assigning real, measurable risk are the necessary steps to making sure your program is well-grounded in business value. Participants will be given a strong foundation to succeed, so they don't end up solving problems the business doesn't have.
3. Fundamentals
Security is all about mitigating risk
Risk is a high-complexity problem
IT alone cannot eliminate risk
Security must work through the business
4. Knowing Your Role
Role is fundamental to problem solving
Where you report into your organization makes a big difference
Identify your function and capacity
Is security tactical or strategic?
Is security a business stake-holder?
5. Identifying a Cornerstone
Build your program on a key principle
You must answer this question: “Why does the business care about security?”
External compliance or regulations
Internal governance requirements
Competitive differentiator/advantage
Incident prevention
6. Security Program Charter
Publish a charter document
Apply these 5 key knowledge points:
Focus on the cornerstone
Use content & context for business metrics
Publish the risk profile components
Emphasize transparency
Focus on building business value
This is your road map to success
7. Business Value Metrics
Definition: metrics which can meaningfully quantify the business value proposition of risk mitigation
Keys to good metrics:
Must be business-input driven
Uniformity of perspective
Must never allow for “maybe”
8. Context & Content
Assign concrete values to $Rn and $V
Content – Monetary value of data asset ($V)
Context – Assign asset value relative to environment
Value Ratio: $Rn = Data Asset Value ($Vn) / Total Assets ($Vt)
12. Low – Non-indexed, private, non-linked
Content – How desired is the data in the site?
13. Context & Content
Business Exposure (Exp): Public business risk profile derived from the dynamics of the business unit
High | Moderate | Low
Context – What line of business is the company/unit in? How does the line of business contribute to the amount of risk the company undertakes in daily operations?
Consider your business’s risk management group your best ally
Business Exposure
14. Context & Content
Acme Credit Company
Acme Credit Company processes credit card transactions, and thus stores and processes hundreds of millions of credit cards weekly. Web site An is a portal for merchant processing of credit and debit payments, temporarily storing as many as one million credit cards for processing per day; this is the Acme Co’s primary business.
$Rn = .8 (most of the company’s total assets are here)
$V = $10,000,000 (business value of 1 million records)
Vis = Moderate (indexed, searchable, but non-publicized site)
Exp = High (credit card processors are a big target)
Case Study
15. Building Risk Profiles
Allows for mathematically derived priorities based on business-driven input
Goals:
Transparency: formula for deriving priority metric is published
Objectivity: real numbers remove bias
Each site must have a risk profile
Prioritization Matrix
16. Building Risk Profiles
Prioritization Matrix
Assigning Values to the Matrix:
$V = Direct dollar-value of asset
$R = Computed ratio
Vis values
Exp values
17. Building Risk Profiles
How does priority get computed?
Priority = Log10 ($V x $R x Vis x Exp)
Heavily weighted to data value – rightfully so! Data value is important
$R works to segregate sites within a business
Vis and Exp work to distinguish between multiple businesses
The Formula
18. Building Risk Profiles
The formula is not a Silver Bullet
Prioritization addresses business value (of a site) objectively
Addressing business value increases the chance of your program’s success
Your Goal: risk reduction and business value
The Formula
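The value ratio of slide 8, the Acme Credit case study of slide 14 and the priority formula of slide 17 can be carried through end to end. The following Python is an added example, not code from the deck or its author. It assumes a numeric weighting of the High | Moderate | Low ratings for Vis and Exp (3 / 2 / 1; the deck's own value tables for slide 16 are not on this page), a constructed total-asset figure for Acme so that the ratio comes out at .8 as on the slide, and two constructed comparison sites to show how $R separates sites within one business while Vis and Exp separate businesses.

```python
import math
from dataclasses import dataclass

# Ordinal scale for Vis (visibility) and Exp (business exposure).
# The deck rates both as High | Moderate | Low; the weights 3 / 2 / 1 are an
# ASSUMPTION made for this example, not the deck's own value table.
LEVELS = {"Low": 1.0, "Moderate": 2.0, "High": 3.0}


def value_ratio(asset_value: float, total_assets: float) -> float:
    """Value ratio $Rn = $Vn / $Vt: the share of the business's total
    assets that this one site represents (slide 8)."""
    if total_assets <= 0:
        raise ValueError("total assets must be positive")
    if asset_value < 0 or asset_value > total_assets:
        raise ValueError("asset value must lie between 0 and total assets")
    return asset_value / total_assets


@dataclass
class SiteProfile:
    name: str
    data_value: float  # $V, direct dollar value of the data asset
    ratio: float       # $R, computed value ratio
    vis: str           # visibility rating: High | Moderate | Low
    exp: str           # business exposure rating: High | Moderate | Low

    def priority(self) -> float:
        """Priority = Log10($V x $R x Vis x Exp), as on slide 17."""
        for level in (self.vis, self.exp):
            if level not in LEVELS:
                raise ValueError(f"{self.name}: unknown rating {level!r}")
        product = self.data_value * self.ratio * LEVELS[self.vis] * LEVELS[self.exp]
        if product <= 0:
            # log10 is undefined at zero: a site with no data value or no share
            # of assets gets an explicit error rather than a meaningless score.
            raise ValueError(f"{self.name}: product of inputs must be positive")
        return math.log10(product)


def rank_sites(sites):
    """Return (name, priority) pairs, highest priority first: the
    prioritization matrix of slides 15 and 16, filled in and sorted."""
    scored = [(s.name, round(s.priority(), 2)) for s in sites]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Acme Credit Company case study from slide 14. Total assets of $12.5M is a
# CONSTRUCTED figure chosen so that $10M / $12.5M gives the slide's $Rn = .8.
ACME_TOTAL_ASSETS = 12_500_000
ACME_PORTAL = SiteProfile(
    name="Acme merchant portal",
    data_value=10_000_000,
    ratio=value_ratio(10_000_000, ACME_TOTAL_ASSETS),
    vis="Moderate",
    exp="High",
)

# Two CONSTRUCTED comparison sites: a highly visible Acme brochure site holding
# little data (same business, small $R), and a low-exposure business holding
# the same data value and ratio as the Acme portal (different Vis/Exp).
SAMPLE_SITES = [
    ACME_PORTAL,
    SiteProfile("Acme marketing brochure site", 50_000,
                value_ratio(50_000, ACME_TOTAL_ASSETS), "High", "High"),
    SiteProfile("Regional bakery order form", 10_000_000, 0.8, "Low", "Low"),
]

if __name__ == "__main__":
    for name, score in rank_sites(SAMPLE_SITES):
        print(f"{score:6.2f}  {name}")
```

Because the score is a base-10 logarithm of a product, the dollar value dominates (an extra order of magnitude of $V adds a full point) while the ratings only shift sites by fractions of a point, which is the "heavily weighted to data value" behaviour slide 17 describes; the two constructed sites land below the Acme portal for different reasons, one because of a tiny $R and one because of low Vis and Exp.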
19. Executing
Demonstrate business understanding
Continue a two-way conversation
Be ready to change strategies with the business
20. Questions?
Click on the questions tab on your screen, type in your question (and name if you wish) and hit submit.