3 tips to funding your security program
DESCRIPTION
How do you fund your security program? Here are simple ways to get management buy-in. How do you enable the business? Speak in terms of risk. Show small wins.
TRANSCRIPT
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Funding Your Security Initiatives By Leveraging Business Objectives
It’s affecting the business
Security is not just an IT problem
• Cyber threat: 56% of organizations have been the target of a cyber attack
• Extended supply chain: 44% of all data breaches involved third-party mistakes
• Financial loss: $8.6M average cost associated with a data breach
• Cost of protection: 11% of total IT budget spent on security
• Reputation damage: 30% market cap reduction due to recent events
• Reactive vs. proactive: 97% of data breaches could have been avoided
Problem: Barriers between Business & Security
Business Initiatives: Grow Revenues at 30%; Become more Agile; Improve Profitability; Improve Efficiency; 99.999% Availability
Security Initiatives: Don’t Get Hacked!!!
Security breaches are a business issue
HP | Ponemon Study 2013: $11.6 million in 2013, up from $8.9 million the year before
Security needs to look at how it enables the business. How do we add value?
How does the company make $?
How do we save $?
Security as a competitive advantage
Our new style of working is exposing risk to the business
[Diagram: data types (social media, audio, CRM data, Word and Excel files, images, financials, legal documents, agreements) spread across locations (call center, cloud, archive, laptop, mobile phone, partner, data center, remote office)]
Got Risk?
Create a burning need to do something
• Industry regulations: PCI, HIPAA, SOX
• Use audits to compel action
Document risk in language the business can understand
Getting Buy-in from Management
Situation: Detail the current situation
Complication: Explain the risk
Implication: Discuss the results if the risk is not addressed
Position: Your advice
Action: Next steps
Benefits: How you make your boss look good
The goal
• Clear investment strategy
• Understanding of Risk
• Plans to mitigate
• Show how Risk trends down
Bring all the data together and create a context, in near real time
The solution seems obvious: bring Operations, Security and the Business into one shared view
TIP #1 - Speak the Language of the Business
• Always tie the security issue, be it a real-time threat, a potential risk, a lack of compliance, etc., to language the business can understand.
• Identify the “crown jewels” in your infrastructure. Don’t try to identify everything at first (see Tip #3).
• Connect those assets to the applications they support, in turn to the business services, and then up to the lines of business / structure of your organization.
TIP #2 - Leverage what you have
• A lot of the data you need already exists.
• If you can, gather your assets from a “source of truth” like your CMDB.
• Alternatively, if that isn’t feasible, leverage a monitoring tool like ArcSight ESM.
• Pull in data from your vulnerability scanners.
• Automation will save you.
TIP #3 - Start small
• Start small, work incrementally, don’t try to boil the ocean. Some visibility is much better than zero visibility.
• Pick a subset of compliance or regulatory controls that are important and whose value is understood. Model, implement and monitor those.
• Identify and monitor key risk factors. Set a goal and track progress as an easy-to-understand KPI.
• Don’t model your whole business. Start with the key business services.
Create a business centric view
• Assets from uCMDB
• Assets from HP ArcSight ESM/Express
• Model the business
Automate Compliance where possible
Numerous data sources:
• uCMDB
• HP ArcSight ESM/Express/Logger
• Server Automation
• Third party
Manage vulnerabilities
• Vulnerability scanners
• Configuration scanners
• Server Automation
• uCMDB
Bring it all together
• Create “risk factors”, set goals/KPIs
• Trend your progress
• Focus on “upper right”/red zone
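The roll-up the tips describe (assets mapped to applications, business services and lines of business; scanner findings scored against that map; a KPI trended over time; the "upper right" services called out) is easy to sketch in code. The following is an added example written for this page, not HP code and not an export from uCMDB or ArcSight: the CMDB rows and the two weekly scan snapshots are constructed, and the 1..3 likelihood and impact bands, the 30-day SLA and the red-zone threshold of 6 are assumptions you would replace with your own.

```python
"""Business-centric risk roll-up from CMDB and vulnerability-scan data.

Constructed example: maps assets -> applications -> business services -> lines
of business (Tip #1), feeds scanner findings into that map (Tip #2), scores
only the crown-jewel services first (Tip #3), and trends one KPI over time.
All data below is made up; the weights and thresholds are assumptions.
"""
from collections import Counter

# Constructed stand-in for a CMDB (uCMDB) export: one row per asset.
CMDB = [
    {"asset": "db-01",   "app": "Billing",       "service": "Customer Billing",
     "lob": "Finance", "crown_jewel": True},
    {"asset": "web-02",  "app": "Storefront",    "service": "Online Sales",
     "lob": "Sales",   "crown_jewel": True},
    {"asset": "wiki-03", "app": "Intranet Wiki", "service": "Internal Comms",
     "lob": "IT",      "crown_jewel": False},
]

# Constructed stand-in for two weekly vulnerability-scanner exports:
# (asset, CVSS base score, days the finding has been open).
SCAN_WEEK1 = [
    ("db-01", 9.8, 40), ("db-01", 5.3, 12), ("web-02", 7.5, 20),
    ("wiki-03", 9.1, 90), ("ghost-09", 9.9, 5),   # ghost-09 is not in the CMDB
]
SCAN_WEEK2 = [
    ("db-01", 5.3, 19), ("web-02", 7.5, 27), ("wiki-03", 9.1, 97),
]

SLA_DAYS = 30          # assumed remediation SLA
RED_ZONE_SCORE = 6     # assumed "upper right" threshold on the 1..9 scale


def likelihood(cvss, days_open, sla_days=SLA_DAYS):
    """Likelihood 1..3: severity band, bumped one step if the finding is past SLA."""
    base = 3 if cvss >= 9.0 else 2 if cvss >= 7.0 else 1
    return min(3, base + (1 if days_open > sla_days else 0))


def impact(row):
    """Impact 1..3 from business context; crown jewels weigh most."""
    return 3 if row["crown_jewel"] else 1


def service_risk(cmdb, scan, only_crown_jewels=True):
    """Worst-finding risk per business service: {service: {lob, likelihood, impact, score}}."""
    by_asset = {row["asset"]: row for row in cmdb}
    risks = {}
    for asset, cvss, days in scan:
        row = by_asset.get(asset)
        if row is None or (only_crown_jewels and not row["crown_jewel"]):
            continue
        lik, imp = likelihood(cvss, days), impact(row)
        svc = row["service"]
        if svc not in risks or lik * imp > risks[svc]["score"]:
            risks[svc] = {"lob": row["lob"], "likelihood": lik,
                          "impact": imp, "score": lik * imp}
    return risks


def unmapped_assets(cmdb, scan):
    """Scanned assets the CMDB does not know: a data-quality gap worth its own report."""
    known = {row["asset"] for row in cmdb}
    return sorted({asset for asset, _, _ in scan if asset not in known})


def red_zone(risks, threshold=RED_ZONE_SCORE):
    """Services in the 'upper right' of the likelihood x impact matrix."""
    return sorted(s for s, r in risks.items() if r["score"] >= threshold)


def kpi(risks):
    """One number for management: sum of service scores (lower is better)."""
    return sum(r["score"] for r in risks.values())


def risk_by_lob(risks):
    """Roll service scores up to lines of business for the executive summary."""
    totals = Counter()
    for r in risks.values():
        totals[r["lob"]] += r["score"]
    return dict(totals)


def trend(cmdb, snapshots):
    """KPI per snapshot, so progress can be shown as a line that trends down."""
    return [kpi(service_risk(cmdb, s)) for s in snapshots]


if __name__ == "__main__":
    for name, scan in (("week 1", SCAN_WEEK1), ("week 2", SCAN_WEEK2)):
        risks = service_risk(CMDB, scan)
        print(name, "KPI:", kpi(risks), "red zone:", red_zone(risks),
              "by LOB:", risk_by_lob(risks),
              "unmapped:", unmapped_assets(CMDB, scan))
    print("trend:", trend(CMDB, [SCAN_WEEK1, SCAN_WEEK2]))
```

Two design points matter more than the particular weights. First, the score is the worst finding per service rather than a sum, so one critical on a crown-jewel database keeps that service in the red zone no matter how many low findings elsewhere get closed; fixing that critical is what moves the KPI in week 2. Second, scanned assets the CMDB cannot place (ghost-09) are surfaced instead of silently dropped, because an asset with no business owner is exactly the blind spot the crown-jewel exercise is meant to remove.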
How do we protect our assets?
• Intrusion prevention
• Security research and threat intelligence
• Secure design and implementation
• Quarantine
• DLP
[Diagram: our enterprise vs. their ecosystem, with threat intelligence, intrusion prevention, secure software and DLP as the controls between the two]
Thank you