SecureWorld - Communicating With Your CFO


Upload: gene-kim

Posted on 13-May-2015


DESCRIPTION

Three tools and techniques I wish I had learned ten years ago to help enlist the CFO in the infosec mission.

TRANSCRIPT

Page 1: SecureWorld - Communicating With Your CFO

@RealGeneKim, [email protected]

Session ID:

Gene Kim

SecureWorld Dallas

October 10, 2012

Effectively Communicating With Your CFO

Page 2: SecureWorld - Communicating With Your CFO

You are only as smart as the average of the top 5 people you hang out with

Page 3: SecureWorld - Communicating With Your CFO

My Background

Page 4: SecureWorld - Communicating With Your CFO

Visible Ops: Playbook of High Performers

The IT Process Institute has been studying high-performing organizations since 1999.

• What is common to all the high performers?
• What is different between them and average and low performers?
• How did they become great?

Answers have been codified in the Visible Ops Methodology.

www.ITPI.org

Page 5: SecureWorld - Communicating With Your CFO

Agenda

• Introductions
• Results of the “marriage counseling” questioning (10m)
• Share with you my “top things I wish someone showed me ten years ago”
• ITPI: IT Controls Benchmark Results: controls vs. performance (5m)
• Gartner: Paul Proctor/Michael Smith Risk Adjusted Value Model: KPIs, KRIs and information security linkage (5m)
• eBay: Dave Cullinane: Infosec risk management (5m)
• Open up for what works for you

Page 6: SecureWorld - Communicating With Your CFO


The Marriage Counseling Questions

What about the business view of IT causes you to feel uncomfortable?

In your interactions with the business, what situations don’t feel right to you?

Page 7: SecureWorld - Communicating With Your CFO

Gene’s Study of High Performing IT Organizations

Page 8: SecureWorld - Communicating With Your CFO


Since 1999, We’ve Benchmarked 1500+ IT Organizations

Source: IT Process Institute (2008)

Source: EMA (2009)

Page 9: SecureWorld - Communicating With Your CFO

High Performing IT Organizations

High performers maintain a posture of compliance:
• Fewest number of repeat audit findings
• One-third the amount of audit preparation effort

High performers find and fix security breaches faster:
• 5 times more likely to detect breaches by automated control
• 5 times less likely to have breaches result in a loss event

When high performers implement changes…
• 14 times more changes
• One-half the change failure rate
• One-quarter the first fix failure rate
• 10x faster MTTR for Sev 1 outages

When high performers manage IT resources…
• One-third the amount of unplanned work
• 8 times more projects and IT services
• 6 times more applications

Source: IT Process Institute, 2008

Page 10: SecureWorld - Communicating With Your CFO

2007: Three Controls Predict 60% Of Performance

To what extent does an organization define, monitor and enforce the following?
• Standardized configuration strategy
• Process discipline
• Controlled access to production systems

Source: IT Process Institute, 2008

Page 11: SecureWorld - Communicating With Your CFO

“Marriage Counseling” Questions to CEOs, CIOs, CISOs

Page 12: SecureWorld - Communicating With Your CFO


The Marriage Counseling Questions

What about the business view of IT causes you to feel uncomfortable?

In your interactions with the business, what situations don’t feel right to you?

Source: Gene Kim 2012

Page 13: SecureWorld - Communicating With Your CFO

CEO Pains

• If IT fails I don't know why; if IT succeeds I don't know why.
• By managing inputs and outputs, I can hold any area of the business accountable, except for IT.
• I have difficulties holding IT accountable; IT is often “slippery” (blaming everyone, especially vendors and suppliers).
• I do not have a detailed understanding around the ROI of the IT investments I make.
• I need more assurance than my trust in the IT managers.
• Failures in IT are often catastrophic and are followed by expensive new projects.
• When catastrophic failures in IT happen, I hear “I told you so.”
• I have no insight into IT productivity or human resource utilization (aside: waiting projects imply that service delivery is too slow).
• Large investments in IT projects that eventually fail, without warning.
• I need data to make informed decisions about IT.
• I do not think IT knows how to manage risk well.

Source: Gene Kim 2012

Page 14: SecureWorld - Communicating With Your CFO

CIO Pains

• No visibility into what is actually going on in IT; have to rely on rumors (word on the street).
• No sense of security; events in IT seem random and could cause me to lose my job.
• The complexity of IT defies detailed understanding; as a result decisions are often made based on trust or "the best story".
• Can communicate the expense of IT but cannot calculate value.
• Product managers and business people control/drive IT projects with inadequate technical knowledge.
• Cannot isolate who is responsible for IT failures; is it the business, IT, or the tools?
• I often have to rely on the CEO's trust to decide to "pitch" a project.
• I have to rely on my credibility to get projects funded.
• Uncoordinated dependencies.
• CIOs have reverse leverage: everyone can make a mistake so big that it is small to them, but huge to you. One DBA can light fuses that take years to detonate and destroy the business (accidentally have reliance on a report that turns into a journal entry).

Source: Gene Kim 2012

Page 15: SecureWorld - Communicating With Your CFO

CISO Pains

• Growing compliance requirements consume more cycles every day.
• Management seems to make poor decisions despite the risks I articulate.
• Insufficient resources / cannot respond quickly enough.
• Need more data to communicate up succinctly.
• I am perceived to slow down business agility.
• I have to get projects approved with persuasion rather than data/facts.
• Last minute projects are able to bypass controls (implies that doing it with controls takes too long).
• Cannot isolate the real risk areas.
• We find more than can be fixed.
• Management falsely believes that compliance equals security.
• Seems like revenue trumps controls.
• When we apply risk management processes, the probability of bad things happening is so low that management always chooses to "accept the risk", and therefore we can't get budget.

Source: Gene Kim 2012

Page 16: SecureWorld - Communicating With Your CFO

Paul Proctor, Michael Smith, Gartner: Risk-Adjusted Value Model

Page 17: SecureWorld - Communicating With Your CFO


Page 18: SecureWorld - Communicating With Your CFO


Page 19: SecureWorld - Communicating With Your CFO


Page 20: SecureWorld - Communicating With Your CFO


Page 21: SecureWorld - Communicating With Your CFO

Want more information on RVM?

Contact Paul Proctor, Chief of Research, Risk and Security, Gartner, Inc. (mailto:[email protected]) or your Gartner rep.

Page 22: SecureWorld - Communicating With Your CFO

Dave Cullinane’s Security IRM Slides

Page 23: SecureWorld - Communicating With Your CFO

Risk Grid Calculation

Grid axes: Impact (vertical) against Probability (horizontal).

Probability bands: Low <33%, Medium 33-66%, High >66%

Impact bands: Low <$50M, Medium $50-$100M, High >$100M

Risk categories plotted on the grid: Regulatory Action, Significant DR Event, SW / Site Security, Criminal Activity, Operations Security, Audit Failure, Data Breach

Source: David Cullinane

Page 24: SecureWorld - Communicating With Your CFO

Information Security Risk

Figure: Security Risk Curve, plotted as Risk (vertical axis) against Investment (horizontal axis).

Source: David Cullinane

Page 25: SecureWorld - Communicating With Your CFO

Information Security Risk Tolerance

Figure: Security Risk Curve (Risk against Investment) with the Information Security Risk Tolerance line drawn across it. The Initial Risk Profile is the point at $10M / 25 HC of investment and $300M of risk.

Source: David Cullinane

Page 26: SecureWorld - Communicating With Your CFO

Information Security Risk Tolerance

Figure: the same Security Risk Curve and tolerance line. Initial Risk Profile at $10M / 25 HC of investment and $300M of risk; Adjusted Risk Profile with new funding levels at $20M / 50 HC of investment and $140M of risk.

Source: David Cullinane

Page 27: SecureWorld - Communicating With Your CFO

Information Security Risk Tolerance

Figure: the same Security Risk Curve, tolerance line, Initial Risk Profile ($10M / 25 HC, $300M) and Adjusted Risk Profile ($20M / 50 HC, $140M), now annotated with the eCrime Threat Surface/Attacks (China, Russia (RBN), E. Europe, Brazil) and an arrow labelled Increasing Risk.

Source: David Cullinane

Page 28: SecureWorld - Communicating With Your CFO

Information Security Risk Tolerance

Figure: as on the previous slide (Security Risk Curve, tolerance line, both risk profiles, eCrime Threat Surface/Attacks, Increasing Risk arrow), plus a region labelled Added Savings from Process Improvement.

Source: David Cullinane

Page 29: SecureWorld - Communicating With Your CFO

Information Security Risk Tolerance

Figure: as on the previous slide, plus the 2009 Target Risk Profile at $60M of risk, below the Adjusted Risk Profile ($140M) once the Added Savings from Process Improvement are counted.

Source: David Cullinane

Page 30: SecureWorld - Communicating With Your CFO

Risk of multiple businesses

Figure: bubble chart of business units A through F, plotted as Financial Impact (vertical axis, with a $100M mark) against Data at Risk (horizontal axis).

Legend: Size = importance to company; Color = effectiveness of security controls

Annotation: Need to Focus Here

Source: David Cullinane

Page 31: SecureWorld - Communicating With Your CFO

Next Generation IRM

Source: David Cullinane

Page 32: SecureWorld - Communicating With Your CFO

Left Top: Current Controls Environment as noted using COBIT assessment criteria. Scores reflect support levels based on existing budgets.

Left Bottom: Controls Environment as noted using COBIT assessment criteria after budget cuts. Scores reflect decreased support levels due to fewer resources.

Color scale: Effective Controls to No Controls

Source: David Cullinane

Page 33: SecureWorld - Communicating With Your CFO

• Circles sized according to importance to company
• Ability to measure control effectiveness and see impact
• Ability to determine best expenditure of limited funds to maximize ROSI

Risk legend: High, Medium, Low

Source: David Cullinane
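A worked model of the Risk Grid Calculation and of the risk-versus-investment reasoning on the eBay IRM slides above, added here as an example; it is not code from Gene Kim's deck or from Dave Cullinane. It bands each risk category by the probability and impact thresholds printed on the grid slide, turns probability times impact into an expected loss, then searches the candidate investments for the portfolio that fits inside a dollar and headcount budget and leaves the least residual expected loss, and reports the ROSI of that portfolio. Every risk, investment, budget and tolerance figure is constructed; the ROSI formula (loss avoided minus cost, over cost) is an assumed textbook form the slides do not state, and the "HC" on the risk-curve slides is read as headcount.

```python
# Added example, not code from Gene Kim's or Dave Cullinane's slides: a small
# model of the "Risk Grid Calculation" and the risk-vs-investment curve / ROSI
# reasoning. All risk, investment, budget and tolerance figures below are
# constructed for illustration; the grid thresholds are the ones printed on
# the slide. ROSI uses the common (loss avoided - cost) / cost formulation,
# which the slides do not state.
from dataclasses import dataclass
from itertools import combinations

# Grid bands from the slide: probability <33% / 33-66% / >66%,
# impact <$50M / $50-$100M / >$100M. Each entry is (exclusive upper bound, label).
PROB_BANDS = ((0.33, "Low"), (0.66, "Medium"), (float("inf"), "High"))
IMPACT_BANDS = ((50e6, "Low"), (100e6, "Medium"), (float("inf"), "High"))


def band(value, bands):
    """Return the label of the first band whose upper bound exceeds value."""
    for upper, label in bands:
        if value < upper:
            return label
    return bands[-1][1]


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # annual likelihood of the event, 0..1
    impact: float       # dollar loss if it happens

    def expected_loss(self):
        return self.probability * self.impact

    def grid_cell(self):
        """(probability band, impact band): the cell this risk lands in on the grid."""
        return band(self.probability, PROB_BANDS), band(self.impact, IMPACT_BANDS)


@dataclass
class Investment:
    name: str
    cost: float        # dollars per year
    headcount: int     # people it needs (the "HC" on the risk-curve slides, assumed)
    reductions: dict   # risk name -> multiplier applied to that risk's probability


def residual_risks(risks, chosen):
    """Apply each chosen investment's probability multipliers to the risks."""
    out = []
    for r in risks:
        p = r.probability
        for inv in chosen:
            p *= inv.reductions.get(r.name, 1.0)
        out.append(Risk(r.name, p, r.impact))
    return out


def total_expected_loss(risks):
    return sum(r.expected_loss() for r in risks)


def rosi(risks, chosen):
    """Return on security investment: (expected loss avoided - cost) / cost."""
    cost = sum(inv.cost for inv in chosen)
    if cost == 0:
        return 0.0
    avoided = total_expected_loss(risks) - total_expected_loss(residual_risks(risks, chosen))
    return (avoided - cost) / cost


def best_portfolio(risks, investments, budget_dollars, budget_headcount):
    """Exhaustive search over subsets (exact, and fine for a handful of
    candidates): the subset within both budgets that leaves the lowest residual
    expected loss wins; ties go to the cheaper subset. Returns (names, loss, cost)."""
    best = ((), total_expected_loss(risks), 0.0)
    for k in range(1, len(investments) + 1):
        for subset in combinations(investments, k):
            cost = sum(inv.cost for inv in subset)
            if cost > budget_dollars or sum(inv.headcount for inv in subset) > budget_headcount:
                continue
            loss = total_expected_loss(residual_risks(risks, subset))
            if loss < best[1] or (loss == best[1] and cost < best[2]):
                best = (tuple(inv.name for inv in subset), loss, cost)
    return best


# Constructed sample data, using category names from the risk grid slide.
RISKS = [
    Risk("Data Breach", 0.70, 120e6),
    Risk("Regulatory Action", 0.40, 60e6),
    Risk("Significant DR Event", 0.20, 150e6),
    Risk("Audit Failure", 0.50, 20e6),
]
INVESTMENTS = [
    Investment("Encrypt and monitor customer data", 10e6, 25,
               {"Data Breach": 0.5, "Regulatory Action": 0.6}),
    Investment("DR site and failover drills", 8e6, 10, {"Significant DR Event": 0.4}),
    Investment("Control automation", 4e6, 15, {"Audit Failure": 0.3, "Regulatory Action": 0.8}),
]
RISK_TOLERANCE = 80e6   # constructed; the slides draw the line but print no value


if __name__ == "__main__":
    for r in RISKS:
        print(f"{r.name:22} grid={r.grid_cell()}  expected loss=${r.expected_loss() / 1e6:.1f}M")
    names, loss, cost = best_portfolio(RISKS, INVESTMENTS, 20e6, 50)
    chosen = [inv for inv in INVESTMENTS if inv.name in names]
    print(f"initial expected loss ${total_expected_loss(RISKS) / 1e6:.1f}M")
    print(f"best portfolio within $20M / 50 HC: {names} (cost ${cost / 1e6:.0f}M)")
    print(f"residual ${loss / 1e6:.1f}M against tolerance ${RISK_TOLERANCE / 1e6:.0f}M "
          f"({'within' if loss <= RISK_TOLERANCE else 'above'}), ROSI {rosi(RISKS, chosen):.2f}")
```

Run it and it prints each category's grid cell and expected loss, the portfolio chosen under the $20M / 50 HC budget, the residual expected loss against the constructed tolerance line, and the ROSI. The exhaustive search is deliberate: with a handful of candidate projects it is exact and easy for a CFO to audit by hand; with dozens of candidates, a knapsack-style dynamic program over cost and headcount would replace it. The model's weakest input is the per-investment probability multiplier, which is exactly the number the CISO Pains slide says management will not believe, so in practice it should come from incident history or the control-effectiveness scores on the bubble chart rather than from the security team's estimate alone.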

Page 34: SecureWorld - Communicating With Your CFO

When IT Fails: The Novel and The DevOps Cookbook

Coming in July 2012

“In the tradition of the best MBA case studies, this book should be mandatory reading for business and IT graduates alike.” Paul Muller, VP Software Marketing, Hewlett-Packard

“The greatest IT management book of our generation.” Branden Williams, CTO Marketing, RSA

Gene Kim, Tripwire founder, Visible Ops co-author

Page 35: SecureWorld - Communicating With Your CFO

When IT Fails: The Novel and The DevOps Cookbook

Our mission is to positively affect the lives of 1 million IT workers by 2017.

If you would like the “Top 10 Things Infosec Needs To Know About DevOps,” sample chapters and updates on the book:

• Sign up at http://itrevolution.com
• Email [email protected]
• Hand me a business card

Gene Kim, Tripwire founder, Visible Ops co-author