SecureWorld - Communicating With Your CFO
DESCRIPTION
Three tools and techniques I wish I had learned ten years ago to help enlist the CFO in the infosec mission.
TRANSCRIPT
@RealGeneKim, [email protected]
Gene Kim
SecureWorld Dallas
October 10, 2012
Effectively Communicating With Your CFO
You are only as smart as the average of the top 5 people you hang out with
Visible Ops: Playbook of High Performers
The IT Process Institute has been studying high-performing organizations since 1999.
What is common to all the high performers? What is different between them and average and low performers? How did they become great?
Answers have been codified in the Visible Ops Methodology
www.ITPI.org
Agenda
• Introductions
• Results of the “marriage counseling” questioning (10m)
• Share with you my “top things I wish someone showed me ten years ago”
• ITPI: IT Controls Benchmark Results: controls vs. performance (5m)
• Gartner: Paul Proctor/Michael Smith Risk Adjusted Value Model: KPIs, KRIs and information security linkage (5m)
• eBay: Dave Cullinane: Infosec risk management (5m)
• Open up for what works for you
The Marriage Counseling Questions
What about the business view of IT causes you to feel uncomfortable?
In your interactions with the business, what situations don’t feel right to you?
Since 1999, We’ve Benchmarked 1500+ IT Organizations
Source: IT Process Institute (2008)
Source: EMA (2009)
High Performing IT Organizations
High performers maintain a posture of compliance
• Fewest number of repeat audit findings
• One-third the audit preparation effort
High performers find and fix security breaches faster
• 5 times more likely to detect breaches by automated control
• 5 times less likely to have breaches result in a loss event
When high performers implement changes…
• 14 times more changes
• One-half the change failure rate
• One-quarter the first-fix failure rate
• 10x faster MTTR for Sev 1 outages
When high performers manage IT resources…
• One-third the amount of unplanned work
• 8 times more projects and IT services
• 6 times more applications
Source: IT Process Institute, 2008
2007: Three Controls Predict 60% Of Performance
To what extent does an organization define, monitor and enforce the following?
• Standardized configuration strategy
• Process discipline
• Controlled access to production systems
Source: IT Process Institute, 2008
CEO Pains
• If IT fails I don't know why; if IT succeeds I don't know why.
• By managing inputs and outputs, I can hold any area of the business accountable, except for IT.
• I have difficulties holding IT accountable; IT is often “slippery” (blaming everyone, especially vendors and suppliers).
• I do not have a detailed understanding of the ROI of the IT investments I make.
• I need more assurance than my trust in the IT managers.
• Failures in IT are often catastrophic and are followed by expensive new projects.
• When catastrophic failures in IT happen, I hear “I told you so.”
• I have no insight into IT productivity or human resource utilization (aside: waiting projects imply that service delivery is too slow).
• Large investments in IT projects that eventually fail, without warning.
• I need data to make informed decisions about IT.
• I do not think IT knows how to manage risk well.
Source: Gene Kim 2012
CIO Pains
• No visibility into what is actually going on in IT; have to rely on rumors (word on the street).
• No sense of security; events in IT seem random and could cause me to lose my job.
• The complexity of IT defies detailed understanding; as a result, decisions are often made based on trust or "the best story."
• Can communicate the expense of IT but cannot calculate value.
• Product managers and business people control/drive IT projects with inadequate technical knowledge.
• Cannot isolate who is responsible for IT failures; is it the business, IT, or the tools?
• I often have to rely on the CEO's trust to decide to "pitch" a project. I have to rely on my credibility to get projects funded.
• Uncoordinated dependencies.
• CIOs have reverse leverage: everyone can make a mistake that is small to them but huge to you; one DBA can light fuses that take years to detonate and destroy the business (accidentally having reliance on a report that turns into a journal entry).
Source: Gene Kim 2012
CISO Pains
• Growing compliance requirements consume more cycles every day.
• Management seems to make poor decisions despite the risks I articulate.
• Insufficient resources / cannot respond quickly enough.
• Need more data to communicate up succinctly.
• I am perceived to slow down business agility.
• I have to get projects approved with persuasion rather than data/facts.
• Last-minute projects are able to bypass controls (implies that doing it with controls takes too long).
• Cannot isolate the real risk areas.
• We find more than can be fixed.
• Management falsely believes that compliance equals security.
• Seems like revenue trumps controls.
• When we apply risk management processes, the probability of bad things happening is so low that management always chooses to "accept the risk," and therefore we can't get budget.
Source: Gene Kim 2012
Want more information on RVM?
Contact Paul Proctor, Chief of Research, Risk and Security, Gartner, Inc. (mailto:[email protected])
or your Gartner rep
Risk Grid Calculation (figure)
Axes: Impact (Low <$50M, Medium $50-$100M, High >$100M) vs. Probability (Low <33%, Medium 33-66%, High >66%)
Risks plotted on the grid: Regulatory Action, Significant DR Event, SW / Site Security, Criminal Activity, Operations Security, Audit Failure, Data Breach
Source: David Cullinane
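The grid above and the risk-curve slides that follow are the two pieces of the Cullinane approach that can be made mechanical: bucket each risk by probability and financial impact using the slide's thresholds, rank what lands in the High/High corner, and re-plot a risk after a funded control shrinks its probability or impact. The block below is an added illustration and is not code from the talk or from eBay; the per-risk probabilities and dollar impacts are constructed for the demonstration (the slide shows only the risk names and the band thresholds), and the choice to treat exactly 33% and 66% as the start of the next band is an assumption.

```python
"""Risk grid calculation (added example, not from the talk).

Band thresholds are the ones on the slide:
  probability: Low <33%, Medium 33-66%, High >66%
  impact:      Low <$50M, Medium $50M-$100M, High >$100M
Boundary handling (a value exactly at 33% or 66% goes to the higher band)
is an assumption. All per-risk numbers below are constructed.
"""
from dataclasses import dataclass

# (upper bound, label); a value is placed in the first band it is below.
PROB_BANDS = ((0.33, "Low"), (0.66, "Medium"), (float("inf"), "High"))
IMPACT_BANDS = ((50e6, "Low"), (100e6, "Medium"), (float("inf"), "High"))
BAND_SCORE = {"Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float   # annual likelihood, 0..1
    impact_usd: float    # financial loss if it occurs


def band(value, bands):
    """Map a number onto the Low/Medium/High label for its axis."""
    for upper, label in bands:
        if value < upper:
            return label
    return bands[-1][1]


def grid_cell(risk):
    """(probability band, impact band): where the risk sits on the 3x3 grid."""
    return band(risk.probability, PROB_BANDS), band(risk.impact_usd, IMPACT_BANDS)


def grid_score(risk):
    """1..9 score: product of the two band ranks. 9 is the High/High corner."""
    p, i = grid_cell(risk)
    return BAND_SCORE[p] * BAND_SCORE[i]


def expected_loss(risk):
    """Annualised expected loss, the number a CFO will ask for next."""
    return risk.probability * risk.impact_usd


def rank(risks):
    """Worst first: grid score is the headline, expected loss breaks ties."""
    return sorted(risks, key=lambda r: (grid_score(r), expected_loss(r)), reverse=True)


def apply_control(risk, prob_reduction=0.0, impact_reduction=0.0):
    """Re-plot a risk after a funded control cuts its probability and/or impact.

    Fractions are constructed inputs; this is how the 'adjusted risk profile'
    slides move a point toward the tolerance line.
    """
    return Risk(
        risk.name,
        risk.probability * (1 - prob_reduction),
        risk.impact_usd * (1 - impact_reduction),
    )


def grid_table(risks):
    """{(prob band, impact band): [risk names]} for drawing the grid."""
    table = {}
    for r in risks:
        table.setdefault(grid_cell(r), []).append(r.name)
    return table


# Constructed sample: names from the slide, numbers invented for illustration.
CONSTRUCTED_RISKS = [
    Risk("Data Breach", 0.70, 120e6),
    Risk("Regulatory Action", 0.20, 150e6),
    Risk("Significant DR Event", 0.10, 90e6),
    Risk("SW / Site Security", 0.50, 60e6),
    Risk("Criminal Activity", 0.40, 30e6),
    Risk("Operations Security", 0.25, 20e6),
    Risk("Audit Failure", 0.35, 40e6),
]

if __name__ == "__main__":
    for r in rank(CONSTRUCTED_RISKS):
        p, i = grid_cell(r)
        print(f"{r.name:22} P={p:6} I={i:6} score={grid_score(r)} "
              f"EL=${expected_loss(r) / 1e6:.1f}M")
    # Halving breach probability moves Data Breach out of the High/High corner.
    print(grid_cell(apply_control(CONSTRUCTED_RISKS[0], prob_reduction=0.5)))
```

The ranking deliberately puts the grid score ahead of expected loss: the grid is what goes on the CFO's slide, while the expected-loss figure is what justifies the spend when two risks share a cell. Note that the grid alone cannot distinguish a $101M impact from a $1B one, which is why the later bubble-chart slides add size and control-effectiveness dimensions.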
Security Risk Curve (figure, built up over several slides)
Axes: Risk (y) vs. Investment (x). The curve shows information security risk falling as investment rises; a horizontal line marks the Information Security Risk Tolerance.
• Initial Risk Profile: $10M investment / 25 headcount, leaving risk at $300M.
• Adjusted Risk Profile with new funding levels: $20M / 50 headcount, bringing risk to $140M.
• eCrime Threat Surface/Attacks (China, Russia (RBN), E. Europe, Brazil) push the curve toward increasing risk.
• Added savings from process improvement pull the curve back down.
• 2009 Target Risk Profile: $60M.
Risk of multiple businesses (figure)
Bubble chart: Financial Impact (y, $100M mark) vs. Data at Risk (x); businesses A, B, C, D, E and F plotted.
Legend: size = importance to company; color = effectiveness of security controls.
Annotation: “Need to Focus Here”
Left Top: Current controls environment as noted using COBIT assessment criteria. Scores reflect support levels based on existing budgets.
Left Bottom: Controls environment as noted using COBIT assessment criteria after budget cuts. Scores reflect decreased support levels due to fewer resources.
Legend: Effective Controls … No Controls
Source: David Cullinane
• Circles sized according to importance to company
• Ability to measure control effectiveness and see impact
• Ability to determine best expenditure of limited funds to maximize ROSI
Legend, Risk: High / Medium / Low
Source: David Cullinane
When IT Fails: The Novel and The DevOps Cookbook
Coming in July 2012
“In the tradition of the best MBA case studies, this book should be mandatory reading for business and IT graduates alike.” Paul Muller, VP Software Marketing, Hewlett-Packard
“The greatest IT management book of our generation.” Branden Williams, CTO Marketing, RSA
Gene Kim, Tripwire founder, Visible Ops co-author
When IT Fails: The Novel and The DevOps Cookbook
Our mission is to positively affect the lives of 1 million IT workers by 2017
If you would like the “Top 10 Things Infosec Needs To Know About DevOps,” sample chapters and updates on the book:
• Sign up at http://itrevolution.com
• Email [email protected]
• Hand me a business card