how to: find the right amount of security spend

Post on 13-Dec-2014


DESCRIPTION

SOURCE Seattle 2011 - Jared Pfost

TRANSCRIPT

© Third Defense Inc.

How To: Find The Right Amount Of Security Spend

Jared Pfost

jared@thirddefense.com
thirddefense.wordpress.com

@JaredPfost

Outline - 30 minutes!

• Are You Ready To Find the Answer?
• Tools & Techniques
• Inspiration

Are You Ready?

• Cheap & Easy
• Spend to Comply
• Fix Gaps Now!
• Ok, how much do we really need...

Motivating Event

• Regulatory Requirements: work we must do (Manage Compliant-Ready Services)
• Service Maturity: work we should do (“Legally Defensible” Security)
• Business Drivers: work we could do (Risk-Based Decisions to Achieve Business Goals)

Formalize mandatory vs. discretionary spend

Are we as efficient as possible?

• Define Services
• Align Capacity & Demand
• Service SLAs & Metrics
• In vs. Out Source

Are we operating at acceptable risk?

• Identify & Prioritize Assets
• Prioritize Risks
• Spend or owner accepts risk
• Control effectiveness metrics

Identify & Prioritize Assets

• Leverage Business Continuity Team
  – Business Process Recovery & Ownership
  – Good GRC platform scenario
• Add
  – Regulated
  – Data Classification
  – Assessment Frequency

Prioritize Risks

• Threat Based vs. Control Based
• Construct a Top-Down Story
• Evidence Driven
• Define Formal Decision Roles
• Impact Ranges: Calibrate Monetary Impact with Owners
• Likelihood Ranges: Use Evidence for Occurrence Rates
• Use Culture to Select Model
• Strive for Consistency

Spend Or Owner Accepts Risk

• Prioritize by Business Value
  – Risk Priority
  – IT Capability
  – Business Support
  – Political Reality
  – Cost
• Document Decision for Posterity

Mandatory vs. Discretionary (chart: efficiency gain, save $110K)

Control Effectiveness Metrics

• Use Targets to Define “Acceptable Risk”
• Start Small
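The three slides above (Prioritize Risks, Spend Or Owner Accepts Risk, Control Effectiveness Metrics) describe a procedure without showing the arithmetic. The script below is an added example, not part of the talk: it takes calibrated (low, most likely, high) ranges for occurrence rate and monetary impact, ranks risks by expected annual loss, and records whether the organization spends on a control or the named owner accepts the risk, with a "mandatory" flag for regulatory work and an agreed loss target standing in for the "acceptable risk" threshold. Every risk name, owner, range, control cost and the target figure is a constructed placeholder; the term "EAL" and the simplification that annual loss is a sampled rate times a sampled impact are this example's assumptions, not the speaker's model.

```python
"""Rank risks from calibrated ranges and decide "spend or owner accepts risk".

Added example (not from the SOURCE Seattle 2011 talk). All risks, ranges,
owners, costs and the acceptable-loss target below are constructed placeholders.
"""
import random
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    owner: str                  # formal decision role: who funds or accepts
    freq_per_year: tuple        # (low, most likely, high) occurrences per year
    impact_usd: tuple           # (low, most likely, high) loss per occurrence
    control_cost_usd: float     # annual cost of the proposed control
    control_reduction: float    # fraction of expected loss the control removes
    mandatory: bool = False     # regulatory "work we must do": no accept option


def triangular_mean(low, mode, high):
    """Mean of a triangular distribution described by a calibrated range."""
    return (low + mode + high) / 3.0


def expected_annual_loss(risk):
    """Point estimate (EAL): mean frequency x mean impact, treated as independent."""
    return triangular_mean(*risk.freq_per_year) * triangular_mean(*risk.impact_usd)


def simulate_loss_percentile(risk, pct=0.9, trials=20000, seed=1):
    """Monte Carlo tail estimate so the range, not only the mean, informs the decision.

    Simplification (assumption): annual loss = sampled rate x sampled impact.
    random.triangular takes (low, high, mode), so the tuple is unpacked explicitly.
    """
    rng = random.Random(seed)
    f_lo, f_mode, f_hi = risk.freq_per_year
    i_lo, i_mode, i_hi = risk.impact_usd
    losses = sorted(
        rng.triangular(f_lo, f_hi, f_mode) * rng.triangular(i_lo, i_hi, i_mode)
        for _ in range(trials)
    )
    return losses[int(pct * (trials - 1))]


def decide(risk, acceptable_loss_usd):
    """Spend, or record that the owner accepts the risk.

    acceptable_loss_usd is the agreed target for "acceptable risk": at or below it
    the owner may accept without a business case. Above it, spend only when the
    control's expected loss reduction beats its annual cost. Mandatory work is
    funded regardless of the arithmetic.
    """
    eal = expected_annual_loss(risk)
    if risk.mandatory:
        return "spend (mandatory)"
    if eal <= acceptable_loss_usd:
        return f"accept ({risk.owner} signs off: within target)"
    benefit = eal * risk.control_reduction
    if benefit > risk.control_cost_usd:
        return "spend (discretionary, positive return)"
    return f"accept ({risk.owner} signs off: control costs more than it saves)"


def prioritize(risks, acceptable_loss_usd):
    """Rank by expected annual loss, highest first, with the decision to document."""
    ranked = sorted(risks, key=expected_annual_loss, reverse=True)
    return [(r.name, round(expected_annual_loss(r)), decide(r, acceptable_loss_usd))
            for r in ranked]


# Constructed inputs (hypothetical; calibrate real ones with the asset owners).
RISKS = [
    Risk("Customer DB breach", "VP Sales",
         (0.05, 0.1, 0.3), (200_000, 800_000, 2_000_000), 60_000, 0.6),
    Risk("Laptop theft", "CIO",
         (1, 3, 8), (2_000, 5_000, 20_000), 50_000, 0.8),
    Risk("Audit log retention gap", "CFO",
         (0.02, 0.05, 0.1), (50_000, 100_000, 300_000), 15_000, 1.0, mandatory=True),
]
ACCEPTABLE_LOSS_USD = 10_000   # hypothetical target agreed with leadership


if __name__ == "__main__":
    for name, eal, decision in prioritize(RISKS, ACCEPTABLE_LOSS_USD):
        p90 = simulate_loss_percentile(next(r for r in RISKS if r.name == name))
        print(f"{name:26s} EAL ${eal:>9,}  p90 ${round(p90):>9,}  {decision}")
```

The ranking uses the mean, but the decision record should carry the tail figure as well: a risk whose p90 loss is several times its EAL is the one an owner is least likely to want to sign off on, and showing both numbers is what makes the accepted-risk decision defensible later.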

Are we as efficient as possible?

• Define Services
• Align Capacity & Demand
• Metrics & SLAs
• In vs. Out Source

Define Services & Align Demand

• What is 100% of Security Services
• Foundation to manage Tradeoffs
  – Business As Usual
  – Short Term Efforts
  – Long Term Projects
• Set Maturity Expectations
  – Actual vs. Target

Mandatory vs. Discretionary (chart)

Service Metrics & SLAs

• Transparency Will Set You Free
• Start Small
  – % Role Definitions
  – % Project Performance
  – % Business Risk Assessments

In vs. Out Source

• Define Internal Process Flow Before Outsourcing
• Require Metrics in Contract
• Accountability Through Visibility

Attribution: http://www.hotsocialbuzz.com/wp-content/uploads/2010/09/outsource-cartoon.jpg

Take Action

• Determine if your Leadership is Ready
• Start small
• Quick Wins
• Enjoy your career like never before!
• Start, Advance, Share

Questions & Resources

• SIRA: http://societyinforisk.org/
• New School: http://newschoolsecurity.com
• Falcon’s View: http://www.secureconsulting.net/
• Our Blog: http://thirddefense.wordpress.com/
• Perspective: http://dilbert.com/

Appendix


Breaking Down The Risk Statement


(qualitative assessment)
