How To: Find The Right Amount Of Security Spend

© Third Defense Inc. Jared Pfost, [email protected], thirddefense.wordpress.com, @JaredPfost

Upload: source-conference

Post on 13-Dec-2014


DESCRIPTION

SOURCE Seattle 2011 - Jared Pfost

TRANSCRIPT

Page 1: How To: Find The Right Amount Of Security Spend

© Third Defense Inc.

How To: Find The Right Amount Of Security Spend

Jared Pfost

[email protected]

@JaredPfost

Page 2: How To: Find The Right Amount Of Security Spend


Outline - 30 minutes!

• Are You Ready To Find the Answer?
• Tools & Techniques
• Inspiration

Page 3: How To: Find The Right Amount Of Security Spend


Are You Ready?

(diagram labels: Motivating Event; Cheap & Easy; Spend to Comply; Fix Gaps Now!; Ok, how much do we really need...)

Page 4: How To: Find The Right Amount Of Security Spend

Formalize mandatory vs. discretionary spend

(diagram labels)
Business Drivers | Service Maturity | Regulatory Requirements
Work we must do | Work we should do | Work we could do
Manage Compliant-Ready Services | “Legally Defensible” Security | Risk-Based Decisions to Achieve Business Goals

Page 5: How To: Find The Right Amount Of Security Spend

Are we as efficient as possible?
• Define Services
• Align Capacity & Demand
• Service SLAs & Metrics
• In vs. Out Source

Are we operating at acceptable risk?
• Identify & Prioritize Assets
• Prioritize Risks
• Spend or owner accepts risk
• Control effectiveness metrics

Page 6: How To: Find The Right Amount Of Security Spend

Identify & Prioritize Assets

• Leverage Business Continuity Team
  – Business Process Recovery & Ownership
  – Good GRC platform scenario
• Add
  – Regulated
  – Data Classification
  – Assessment Frequency

Page 7: How To: Find The Right Amount Of Security Spend

Prioritize Risks

• Threat Based vs. Control Based
• Construct a Top-Down Story
• Evidence Driven
• Define Formal Decision Roles
• Impact Ranges: Calibrate Monetary Impact with Owners
• Likelihood Ranges: Use Evidence for Occurrence Rates
• Use Culture to Select Model
• Strive for Consistency

Page 8: How To: Find The Right Amount Of Security Spend

Prioritize Risks (alt.)

(alternative layout of the previous slide; same points)

Page 9: How To: Find The Right Amount Of Security Spend

Spend Or Owner Accepts Risk

• Prioritize by Business Value
  – Risk Priority
  – IT Capability
  – Business Support
  – Political Reality
  – Cost
• Document Decision for Posterity

Mandatory vs. Discretionary

(callout: Efficiency Gain, Save $110K)
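As an added worked example (not from the deck), the range-based prioritization of the "Prioritize Risks" slide carried through to the spend-or-accept decision and the mandatory vs. discretionary split. The risk names, dollar figures, rates and control costs are constructed, and comparing control cost against the midpoint of the expected-loss range is an assumption of this example, not a rule the slides state.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    """One risk statement with ranges calibrated with the asset owner (constructed values)."""
    name: str
    impact_low: float        # $ loss per event, low end of the impact range
    impact_high: float       # $ loss per event, high end of the impact range
    rate_low: float          # events per year, low end (from occurrence evidence)
    rate_high: float         # events per year, high end
    control_cost: float      # annual cost of the proposed control
    residual: float          # fraction of loss that remains after the control (0..1)
    mandatory: bool = False  # regulated work we must do, regardless of the arithmetic

def annual_loss_range(r: Risk) -> tuple[float, float]:
    """Expected annual loss range: impact range x likelihood range."""
    return (r.impact_low * r.rate_low, r.impact_high * r.rate_high)

def decide(r: Risk) -> tuple[str, float]:
    """Spend or owner accepts risk, using the range midpoint (an assumption of this example)."""
    low, high = annual_loss_range(r)
    reduction = (low + high) / 2 * (1 - r.residual)  # loss avoided per year by the control
    if r.mandatory:
        return "spend (mandatory)", reduction
    return ("spend" if reduction > r.control_cost else "owner accepts risk"), reduction

def prioritize(risks: list[Risk]) -> list[Risk]:
    """Rank by midpoint expected annual loss, highest first."""
    return sorted(risks, key=lambda r: sum(annual_loss_range(r)) / 2, reverse=True)

def spend_totals(risks: list[Risk]) -> tuple[float, float]:
    """(mandatory, discretionary) control spend implied by the decisions."""
    mandatory = sum(r.control_cost for r in risks if r.mandatory)
    discretionary = sum(r.control_cost for r in risks
                        if not r.mandatory and decide(r)[0] == "spend")
    return mandatory, discretionary

# Constructed sample register; none of these figures come from the deck.
CONSTRUCTED_RISKS = [
    Risk("Cardholder data exposure (regulated)", 200_000, 2_000_000, 0.05, 0.2, 150_000, 0.2, True),
    Risk("Lost laptop, unencrypted disk", 5_000, 50_000, 2, 6, 40_000, 0.1),
    Risk("Public web defacement", 2_000, 20_000, 0.1, 0.5, 60_000, 0.3),
]

if __name__ == "__main__":
    for r in prioritize(CONSTRUCTED_RISKS):
        verdict, reduction = decide(r)
        print(f"{r.name}: avoids ${reduction:,.0f}/yr for ${r.control_cost:,.0f} -> {verdict}")
    print("mandatory vs. discretionary spend:", spend_totals(CONSTRUCTED_RISKS))
```

The defacement control costs more than the midpoint loss it avoids, so it lands with the owner as an accepted, documented risk rather than in the budget.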

Page 10: How To: Find The Right Amount Of Security Spend

Control Effectiveness Metrics

• Use Targets to Define “Acceptable Risk”
• Start Small

Page 11: How To: Find The Right Amount Of Security Spend

Are we as efficient as possible?
• Define Services
• Align Capacity & Demand
• Metrics & SLAs
• In vs. Out Source

Page 12: How To: Find The Right Amount Of Security Spend

Define Services & Align Demand

• What is 100% of Security Services?
• Foundation to manage Tradeoffs
  – Business As Usual
  – Short Term Efforts
  – Long Term Projects
• Set Maturity Expectations
  – Actual vs. Target

Mandatory vs. Discretionary

Page 13: How To: Find The Right Amount Of Security Spend

Service Metrics & SLAs

• Transparency Will Set You Free
• Start Small
  – % Role Definitions
  – % Project Performance
  – % Business Risk Assessments

Page 14: How To: Find The Right Amount Of Security Spend

In vs. Out Source

• Define Internal Process Flow Before Outsourcing
• Require Metrics in Contract
• Accountability Through Visibility

Attribution: http://www.hotsocialbuzz.com/wp-content/uploads/2010/09/outsource-cartoon.jpg

Page 15: How To: Find The Right Amount Of Security Spend

Take Action

• Determine if your Leadership is Ready
• Start small
• Quick Wins
• Enjoy your career like never before!
• Start, Advance, Share

Page 16: How To: Find The Right Amount Of Security Spend

Questions & Resources

• SIRA: http://societyinforisk.org/
• New School: http://newschoolsecurity.com
• Falcon’s View: http://www.secureconsulting.net/
• Our Blog: http://thirddefense.wordpress.com/
• Perspective: http://dilbert.com/

Page 17: How To: Find The Right Amount Of Security Spend


Appendix


Page 18: How To: Find The Right Amount Of Security Spend


Breaking Down The Risk Statement


(qualitative assessment)