How to talk to the business that feeds you
Selling security
Cost and benefit in security
• Risk analysis
  • Risk = Asset Cost x Threat Probability
  • Controls to prevent risks
Cost of controls
• Not only the direct cost of roll-out (licences, installation)
  • The employees' burden of using the control is also a cost
• Control Cost > Asset Cost doesn't make much sense
  • Pretty obvious for business folks
  • Not so obvious for security folks
Security as a cost?
• This is how it's often seen by the business
  • Security = necessary evil, required by regulators, a waste of our hard-earned money
• Security folks know the truth here
  • Often they can't properly express it
Security is not a cost
• Security is an investment to prevent losses
  • Spend $100k to prevent losing $1m = 10x benefit
• It's not: "Security spent $100k"
• It's: "Security helped save $1m for just $100k"
Two ways to enable security
• Enforcement model
  • You have the power to enforce any control
  • Law, public administration, some corporate environments (financial, military)
  • If the Asset Cost is HUGE, security might take priority
  • YOU set the rules, and THEY must obey them
• Soft model
  • You have little power to enforce controls
  • Most private companies, most corporate environments
  • If Sales makes $5m revenue and Security makes a $500k "loss" quarterly, you have to be very careful before trying to put a stick in their wheels
  • Your arms are: talk and listen. YOU must fit THEIR needs
Kids with guns
• If you have the power to enforce any control...
  • You will be tempted to enforce even the dumbest ones
• Security vendors are good at overrating risks to sell stuff
• A common approach among some regulators and governments
  • Example: qualified electronic signature for e-invoices in Poland
  • 5% usage since 2005 (mostly EDI)
  • Compare to Denmark's 60% (mostly OCES)
Don't turn the shepherd into a policeman
So even if you have the power...
• Try to understand your client's needs as much as possible
  • Client = your Sales dept, citizens, national business
• Perform as much real-life risk analysis (including cost & benefit) as possible
• Make sure your controls help things instead of breaking things
• Periodically perform a reality check: how does my security help the business?
• Otherwise you may destroy your organisation's flexibility and competitive advantage
  • And lose your job, and make hundreds of other people lose their jobs as well
Most important control from ISO 27001
• "Obtain management support"
  • Everything starts here
  • If you don't, the business will ignore you and your controls, or try to work around them
How to obtain management support?
• Talk to the business
• Talk to management
  • It's the best reality check you can think of
• To convince old sharks you must have really good arguments
  • Don't get tempted to grab some scary number from vendor-ordered "independent reports"
If you failed to obtain management support
You may be wrong
• Make sure you REALLY understand where your salary comes from
Management may be wrong
• You might be right but used the wrong arguments: again, your fault
• Management may already have selected controls using arguments other than rational risk analysis; you can't do much about it
"Talking to Business HOWTO"
• Avoid "weasel talk" and buzzwords
  • Blacklist wording like: "some attacks exist that might pose a risk"
Use as many facts and numbers as possible
• Do use industry reports
  • But always filter them through your company's context
• Learn from historic incidents in YOUR organisation
  • A single such incident is worth 10 industry reports
Perform periodic reality checks on your arguments
• If necessary, drill down to a single specific incident
• Build cause-and-effect trees
• Make sure that at the end the threat is still there!
Some examples: Ponemon Report (2006)
• Direct cost of handling data breach incidents
  • On average 4.8 million USD, ranging from 226,000 to 22,000,000
• Cost of controls implemented after the breach
  • On average 180,000 USD per incident
• Data loss caused by organisation-internal factors
  • 70% of cases caused by lack of data ownership, ignoring procedures and negligence
• Data loss during electronic data processing
  • 90% of incidents caused by the loss of a laptop or electronic media
Threat analysis: case study
• Real-life incident from 2005
  • Financial industry; the event is still remembered by some management people
• One stolen laptop resulted in ~5000 affected clients
• Handling every record cost ~115 USD
  • It pretty much fits Ponemon's estimate from 2008 ($100-200 per record)
• Even though no actual loss was caused to the clients (the laptop was lost without trace)
How much did this single incident cost the organisation at the end of the day? $500k
Threat analysis: case study #2
• FSA fined HSBC Group £3m, June 2009
• Public report on the FSA website
  • Detailed list of issues found
• How many of these do you recognise in your organisation?
• How close was the hit to your industry?
Control analysis: last example
• Company deployed full-disk encryption (FDE)
  • All laptops covered, cost $100k
• Office break-in happens in 2009
  • 4 laptops stolen
  • 2 contained sensitive client records
• Cost for the organisation at the end of the day: close to ZERO
  • Hardware was covered by insurance
  • Data was backed up
  • The whole operating system was encrypted
  • You can prove this to the client, because all laptops are encrypted
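The cost-and-benefit rule from the earlier slide (Risk = Asset Cost x Threat Probability, and a control only pays when it costs less than the risk it removes), applied to the deck's own laptop numbers: the 2005 theft (~5000 records at ~$115 each) and the 2009 break-in after a $100k FDE roll-out. This is an added example, not part of the original slides; fleet size and annual theft probability are assumptions, since the slides give neither.

```python
# Added worked example (not from the original deck): the deck's rule
# Risk = Asset Cost x Threat Probability applied to its own laptop numbers.
# Fleet size and theft probability are ASSUMED inputs; the deck gives none.

RECORDS_PER_LAPTOP = 5000        # 2005 case study: one laptop, ~5000 clients
COST_PER_RECORD_USD = 115        # handling cost per affected client (same case)
FDE_ROLLOUT_COST_USD = 100_000   # full-disk encryption for all laptops (last slide)

def asset_cost(records: int, cost_per_record: float) -> float:
    """What handling one breach of these records costs."""
    return records * cost_per_record

def risk(asset_cost_usd: float, threat_probability: float) -> float:
    """The deck's formula: Risk = Asset Cost x Threat Probability."""
    if not 0.0 <= threat_probability <= 1.0:
        raise ValueError("threat probability must be between 0 and 1")
    return asset_cost_usd * threat_probability

def annual_fleet_risk(laptops: int, p_theft: float, p_sensitive: float) -> float:
    """Expected yearly breach-handling cost for a laptop fleet.
    p_theft: assumed yearly chance that a given laptop is stolen.
    p_sensitive: share of laptops holding client records (2 of 4 in 2009 = 0.5)."""
    per_laptop = asset_cost(RECORDS_PER_LAPTOP, COST_PER_RECORD_USD)
    return laptops * risk(per_laptop, p_theft * p_sensitive)

def control_decision(risk_before: float, risk_after: float, control_cost: float) -> dict:
    """Compare a control's cost with the loss it prevents: the
    'Security helped save $1m for just $100k' argument in numbers."""
    prevented = risk_before - risk_after
    return {
        "loss_prevented_usd": prevented,
        "control_cost_usd": control_cost,
        "benefit_ratio": prevented / control_cost if control_cost else float("inf"),
        "worth_it": prevented > control_cost,
    }

def fde_decision(laptops: int, p_theft: float, p_sensitive: float) -> dict:
    """With FDE a stolen laptop costs ~nothing to handle (hardware insured,
    data backed up, disk unreadable), so the remaining risk is taken as 0."""
    before = annual_fleet_risk(laptops, p_theft, p_sensitive)
    return control_decision(before, 0.0, FDE_ROLLOUT_COST_USD)

if __name__ == "__main__":
    # Assumed fleet: 200 laptops, 2% stolen per year, half with client data
    print(fde_decision(200, 0.02, 0.5))  # ~$1.15m prevented for $100k: worth it
    # Assumed small fleet: 10 laptops, 1% stolen per year; FDE costs more than it saves
    print(fde_decision(10, 0.01, 0.5))
```

The second call shows the other half of the slide's rule: at a small enough scale the same control costs more than the risk it removes, and the numbers, not the vendor, should say so.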
Questions?
• Questions, comments
• PAWEL.KRAWCZYK@HEWITT.COM
• http://www.linkedin.com/in/pawelkrawczyk