
Educating Senior Business Management

Generously sponsored by:

ISSA Web Conference


September 27, 2011. Start Time: 9 AM US Pacific, Noon US Eastern, 5 pm London

Welcome: Conference Moderator


Kevin D. Spease, CISSP-ISSEP, Treasurer/Chief Financial Officer, ISSA International Board

Agenda
The Art of Selling Security to the Business
Ron Hardy - Vice President, Product Management and Marketing, NetIQ

What Senior Management Needs to Know About Your Security Business Case
James M. Anderson, CISSP, CISM, CGEIT - President, Professional Assurance LLC, Pinehurst

The Emperor's New Clothes: Be Skeptical or Be Exposed


Michael Waters - Manager of Enterprise Information Security, Booz Allen Hamilton

Open Panel with Audience Q&A
Closing Remarks



The Art of Selling Security to the Business


Ron Hardy
Vice President, Product Management and Product Marketing, NetIQ

The State of Information Protection


Spending on IT security projects is stable or moderately increasing.
Breach costs continue to exceed investments in security.
Six years, 900 million records, $180 billion in costs.
Source: 2010 Verizon Business Risk Report

Pressure Has Increased on IT Departments

Effective Communications are Critical

Compliance mandates (e.g. SOX)
Business objectives
Corporate risk management
Security and IT Operations
Emerging technologies

Security 101: The Language of Leadership

Every day CEOs must assume the role of risk-takers. This is one component that defines a good CEO. What risks should he take on behalf of the company in order to grow it? The CISO must be able to contribute to the wider risk discussion and help the company take the right risks.
- Claudia Natanson, Chief Information Security Officer, Diageo

Evaluating the Risk


You cannot counter threat, but you can mitigate the potential for loss. CEOs expect investment in IT information protection to be justified by:
Risk assessment
Reasonable reduction in risk

It's All about Balance


(Diagram: a balance between Control and Operational Risk, labelled Cost Effective and Flexible)


Achieving Business Alignment


Understand the business.
Make risk mitigation a part of all new project requirements. Information protection should not be an afterthought.
Information protection teams should enable, not impede, innovation.

Making Information Protection Strategic


Recommendations

Communicate the need for security investments in terms of acceptable business risk: the right balance.
Security is not the goal but a means to manage risk of business innovation.

Proactively work with the business to mitigate risk as part of new initiatives.
Security becomes part of the project investment. Avoid layering security on after the fact.

Ensure compliance investments improve security.


Minimize compliance for compliance's sake.


Learn More at NetIQ.com


Access analyst reports; gain insight.
Market Overview: Privileged Identity Management, by Andras Cser, Forrester Research: tinyurl.com/PIMwhitepaper
No More Chewy Centers: Introducing The Zero Trust Model Of Information Security, by John Kindervag, Forrester Research: tinyurl.com/ZeroTrust

Continue the conversation!
Twitter.com/NetIQ
Facebook.com/NetIQ
Community.Netiq.com

Thank You for Your Time.

NetIQ Worldwide Headquarters


1233 West Loop South, Suite 810, Houston, Texas 77027 USA
Worldwide: 713.548.1700
N. America Toll Free: 1.888.323.6768
Info@NetIQ.com
NetIQ.com
Follow NetIQ:

Question and Answer


Ron Hardy, Vice President, Product Management and Product Marketing, NetIQ


What Senior Management Needs to Know about Your Security Business Case
James Anderson Professional Assurance
janderson@profassure.com


Senior Management Needs to Know


The scope and cost of your plan
How it fits with the business and technology
How it fits with the current security situation
What are the risks being addressed
How will implementation success be measured
Substantive concerns that Sr. Mgmt. is responsible for


What Senior Management Expects to Hear


A frightening story
We're not doing best practices
We have no alternative but to do this project

These are negative messages that can create problems for you later.


Reverse Engineering a Successful Security Business Case


Draft the business case so it fits with this approach
Outline and plan the pre-work:
  Components and costs in or out, timeline, etc.
  Necessary cross-functional support needed
  Availability of metrics before or after
  Issues and obstacles
Preparing the ground phase (may take months): identify company business case templates, procedures
Complete and pitch the business case
Follow-ups and after-action analysis

Preparation and Process


The single most important phase of the overall business case process.
Develops the relationships in facts, plans and organizational functions:
  Find out friends and enemies
  Understand the key obstacles and challenges
Deals and log rolling necessary?
Business Case Process: forms, schedules, committees
NPV or IRR? Cost thresholds?


Sr. Mgmt. Perspective -- Costs


Out of pocket vs. soft
Capital vs. expense
Headcount is special
How to handle the benefit of productivity gains
How to deal with the benefit of reduced risk (Hint: it's not a savings)


Sr. Mgmt. Perspective -- Bus & Tech Fit


Do you use existing technology? Can your proposal be implemented on existing platforms?
Will you be retiring other components no longer needed?
Does your proposal disrupt existing functional boundaries?
Does it enable the business? Do you meet a need demanded by customers or businesses, or that will be demanded shortly?

Sr. Mgmt. Perspective -- Security and Risk Situation


Where does your proposal fit in the overall security and risk picture?
  Address a well-known gap?
  Address audit or regulatory findings?
  Deal with a recently discovered problem?

Does your proposal address risk in just one part of the business, or across multiple parts?
How does this proposal fit with other initiatives: past, present or planned?


Sr. Mgmt. Perspective -- Risks, cont'd


Do you have a way to see that the risk reduction promises are being fulfilled?
Have you researched the risk retention profile?
Do you have a way to scan the horizon for new threats?
  Your assumptions change
  External threats escalate
  Internal vulnerabilities change

...and do you have a way to get on the senior management radar screen when warranted?

Sr. Mgmt. Perspective -- Metrics


Are there good before and after metrics around the proposed new facility?
  Risk
  Input
  Process
  Outcome

Is there a company metrics initiative you are (or will be) hooked into?
How close are your metrics to the revenue-producing side of the business?


Conclusion: Your Security Business Case


Is not only well researched, but well socialized
Makes sense in the context of the business
Fits with other company initiatives and the culture
Can be measured through non-controversial metrics
Succeeds on multiple levels
...and will become a model for you and for others for later use!

Question and Answer


James Anderson, Professional Assurance, janderson@profassure.com


The Emperor's New Clothes


Be Skeptical or Be Exposed
Michael Waters, Manager of Enterprise Information Security, Booz Allen Hamilton


Three types of firms


Those that have been compromised
Those that will be compromised
Those that have been compromised but don't know it

Recognizing and defending against noisy threats like viruses, spam, and script kiddies is basic. Most firms do this and consider themselves safe.
Advanced attackers (the adversary) are stealthy, persistent and almost certainly in your environment right now.


Potential impact of compromise is huge


For compromises that are made public
Loss of reputation / client confidence: lost future revenue
Loss of shareholder confidence: decreased market cap
Contractual remedies: loss of revenue + loss of clients
Civil actions: loss of capital + distractions from revenue-generating activities
Regulatory penalties: state privacy legislation, HIPAA, etc.

For compromises by stealthy adversaries, not public


Loss of intellectual capital: loss of competitive edge
Loss of financial information: market manipulation
Plus all the impacts of public compromises if it becomes public


Steps you need to take to defend yourself


Many firms still don't get the basics right:
  Patch user systems and servers
  Challenge and validate security at each step in the system development / acquisition lifecycle
  Strong password policies, especially for privileged accounts
  Web proxy to prevent access to dangerous sites

Stepping it up:
  Two-factor authentication to replace passwords
  Internet isolation
  White listing / black listing of programs on servers and desktops
  Network Access Control (NAC)

What you need to check and protect


Systems you build or buy for internal use
Outsourced services for internal use
Systems you build or buy to sell to your clients
Outsourced services you resell to your clients
Systems you had no idea were associated with your firm but were bought by Bob in Accounting five years ago from a cousin of his, and that now sit unprotected on the Internet serving up your sensitive information to any script kiddie with an Internet connection


Trust, but verify


Establish internal standards, then check to ensure they are being followed.
Outsourced service providers that do not provide validation of the security status of their offerings should be subject to additional scrutiny.
An unverified promise that a third party will protect your information is cold comfort in the event of a breach.


Question and Answer


Michael Waters, Manager of Enterprise Information Security, Booz Allen Hamilton


Open Discussion
Kevin D. Spease, CISSP-ISSEP - Treasurer/Chief Financial Officer, ISSA International Board
Ron Hardy - Vice President, Product Management and Marketing, NetIQ
Michael Waters - Manager of Enterprise Information Security, Booz Allen Hamilton
James M. Anderson, CISSP, CISM, CGEIT - President, Professional Assurance, LLC, Pinehurst

CPE Credit
Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post Web Conference quiz: http://www.surveygizmo.com/s3/649201/ISSA-WebConference-Educating-Senior-Business-Management
After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.


Closing Remarks
Thank you to our Sponsor

Thank you to Citrix for donating this Webcast service

Online Meetings Made Easy

