ISSA WebConf Educating Sr Bus Mgt Sept 27 2011

Date post: 05-Apr-2018
Upload: hbayraktar
37 slides

Transcript
  • 8/2/2019 ISSA WebConf Educating Sr Bus Mgt Sept 27 2011

    1/37

    Educating Senior Business Management

    ISSA Web Conference, generously sponsored by: (sponsor logo)

    Start Time: 9 AM US Pacific, Noon US Eastern, 5 pm London

    2/37

    Welcome

    Conference Moderator: Kevin D. Spease, CISSP-ISSEP, Treasurer/Chief Financial Officer, ISSA International Board

    3/37

    Agenda

    The Art of Selling Security to the Business
    Ron Hardy - Vice President, Product Management and Marketing, NetIQ

    What Senior Management Needs to Know About Your Security Business Case
    James Anderson - Professional Assurance, LLC, Pinehurst

    The Emperor's New Clothes: Be Skeptical or Be Exposed
    Michael Waters - Manager of Enterprise Information Security, Booz Allen Hamilton

    Closing Remarks

    4/37

    The Art of Selling

    Ron Hardy
    Vice President, Product Management and Product Marketing, NetIQ

    5/37

    The State of Information Protection

    Spending on IT security is moderately increasing.
    Breach costs continue to exceed investments in security.
    Six years, 900 million records, $180 billion.
    Source: 2010 Verizon Business Risk Report

    6/37

    Pressure Has Increased on IT Departments

    7/37

    Effective Communications are Critical

    Compliance mandates
    Corporate risk management
    Security and Operations
    Emerging technologies
    SOX

    8/37

    Security 101: The Language of Leadership

    "Every day CEOs must assume the role of risk-takers. This is one component that defines a good CEO. What risks ... it? The CISO must be able to contribute to the wider risk discussion and help the company take the right risks."
    - Claudia Natanson, Chief Information Security Officer, Diageo

    9/37

    Evaluating the Risk

    You cannot counter threat, but you can mitigate the potential for loss.

    CEOs expect investment to be justified by:
    Risk assessment
    Reasonable reduction in risk

    10/37

    It's All about Balance

    (balance diagram: Cost, Control Effectiveness, Operational Risk)

    11/37

    Achieving Business Alignment

    Understand the business.
    Make risk mitigation a part of all new initiatives.
    Information protection should not be an afterthought.
    Information protection should enable, not impede, innovation.

    12/37

    Making Information Protection Strategic

    Communicate the need for security investments in terms of business risk.
    Security is not the goal but a means to manage the risk of business innovation.
    Proactively work with the business to mitigate risk as part of new initiatives.
    Avoid layering security on after the fact.
    Ensure compliance investments improve security.
    Minimize compliance for compliance's sake.

    13/37

    Learn More at NetIQ.com

    Access analyst reports; gain insight.
    Market Overview: Privileged Identity Management, by Andras Cser, Forrester Research (tinyurl.com/PIMwhitepaper)
    No More Chewy Centers: Introducing The Zero Trust Model Of Information Security, by John (tinyurl.com/ZeroTrust)

    Continue the conversation!
    Twitter.com/NetIQ
    Facebook.com/NetIQ
    Community.Netiq.com

    14/37

    NetIQ Worldwide Headquarters
    West Loop South, Houston, Texas 77027 USA
    Worldwide: 713.548.1700
    [email protected]

    Follow NetIQ: (social media icons)

    15/37

    Question and Answer

    Ron Hardy, Vice President, Product Management and Product Marketing, NetIQ

    16/37

    What Senior Management Needs to Know about Your Security Business Case

    James Anderson
    Professional Assurance
    [email protected]

    17/37

    Senior Management Needs to Know

    The scope and cost of your plan
    How it fits with the current security situation
    What are the risks being addressed
    How will implementation success be measured

    Substantive concerns that Sr. Mgmt is responsible for

    18/37

    What Senior Management Expects to Hear

    A frightening story
    We have no alternative but to do this project

    These are negative messages that can create problems for you later.

    19/37

    Reverse Engineering a Successful Security Business Case

    Draft the business case so it fits with this approach.
    Outline and plan the pre-work: components and costs in or out, timeline, etc.; availability of metrics before or after; issues and obstacles.
    Preparing the ground (this phase may take months): identify company business case templates and procedures.
    Complete and pitch the business case.
    Follow-ups and after action analysis.

    20/37

    Preparation and Process

    The single most important phase of the overall business case process.
    Develops the relationships in facts, plans and organizational functions: find out friends and enemies.
    Understand the key obstacles and challenges; deals and logrolling necessary.
    Business Case Process: forms, schedules, NPV or IRR? Cost thresholds?

    21/37

    Sr. Mgmt. Perspective -- Costs

    Out of pocket vs. soft
    Headcount is special
    How to handle the benefit of productivity gains
    How to deal with the benefit of reduced risk. Hint: it's not a savings.
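    The deck leaves "NPV or IRR?" and the treatment of reduced-risk benefit as open questions. The Python below is an added illustration, not code from the ISSA deck or from any of the presenters, showing one way to lay the numbers out so the two views stay separate: hard-dollar cash flows (out-of-pocket spend and productivity gains) drive NPV and IRR, while the reduction in annualised loss expectancy (ALE) is reported alongside as a risk metric rather than booked as a cash saving. Every figure in SAMPLE is constructed, and the class, field and function names are this example's own assumptions.

```python
"""Business-case arithmetic for a security investment.

Added illustration for the "NPV or IRR?" and "benefit of reduced risk"
points; it is not code from the ISSA deck or any presenter. Every number
in SAMPLE is a constructed, hypothetical figure used only to exercise the
functions. Hard-dollar cash flows (out-of-pocket spend, productivity gains)
drive NPV and IRR; the reduction in annualised loss expectancy (ALE) is
reported alongside as a risk metric, not folded in as a cash "saving".
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SecurityProject:
    capex: float                     # year-0 out-of-pocket spend
    annual_opex: float               # recurring out-of-pocket cost per year
    annual_productivity_gain: float  # hard-dollar productivity benefit per year
    years: int                       # analysis horizon in years
    ale_before: float                # annualised loss expectancy before the control
    ale_after: float                 # ALE after the control, from the risk assessment


def cash_flows(p: SecurityProject) -> List[float]:
    """Year-0 outflow, then net annual cash flow for each year of the horizon.

    Risk reduction is deliberately excluded: it changes expected loss, it
    does not put cash on the books.
    """
    return [-p.capex] + [p.annual_productivity_gain - p.annual_opex] * p.years


def npv(rate: float, flows: List[float]) -> float:
    """Net present value; flows[t] is received at the end of year t."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(flows))


def irr(flows: List[float], lo: float = -0.99, hi: float = 10.0, tol: float = 1e-7) -> Optional[float]:
    """Internal rate of return by bisection on npv(rate) == 0.

    Returns None when npv has the same sign at both bracket ends (for
    example, no initial outflow), since then no IRR exists in [lo, hi].
    """
    f_lo, f_hi = npv(lo, flows), npv(hi, flows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, flows)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def risk_view(p: SecurityProject) -> Dict[str, Optional[float]]:
    """Expected-loss metrics, kept separate from the cash-flow metrics."""
    delta = p.ale_before - p.ale_after
    total_cost = p.capex + p.annual_opex * p.years
    return {
        "ale_reduction_per_year": delta,
        "expected_loss_avoided_over_horizon": delta * p.years,
        "cost_per_dollar_of_ale_removed": total_cost / delta if delta > 0 else None,
    }


def business_case(p: SecurityProject, hurdle_rate: float) -> Dict[str, object]:
    """Cash-flow verdict against the company's hurdle rate, plus the risk view."""
    flows = cash_flows(p)
    value = npv(hurdle_rate, flows)
    return {
        "npv": value,
        "irr": irr(flows),
        "clears_hurdle": value > 0.0,
        **risk_view(p),
    }


# Constructed sample figures (hypothetical, not from any real project).
SAMPLE = SecurityProject(
    capex=250_000.0,
    annual_opex=40_000.0,
    annual_productivity_gain=110_000.0,
    years=5,
    ale_before=400_000.0,
    ale_after=120_000.0,
)

if __name__ == "__main__":
    for k, v in business_case(SAMPLE, hurdle_rate=0.08).items():
        print(f"{k}: {v}")
```

    The hurdle rate and the choice between NPV and IRR come from the company's own business case process (the forms and thresholds the preparation slide tells you to find out in advance). The cost-per-dollar-of-ALE-removed ratio is meant to sit beside the NPV figure in the pitch, not to be added to it; that is what keeps the "reduced risk is not a savings" hint honest.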

    22/37

    Sr. Mgmt. Perspective -- Bus & Tech Fit

    Do you use existing technology? ... platforms? ... needed?
    Does your proposal disrupt existing functional boundaries?
    Does it enable the business?
    Do you meet a need demanded by customers or businesses? Or that will be demanded shortly?

    23/37

    Sr. Mgmt. Perspective -- Security and Risk Situation

    Where does your proposal fit in the overall security and risk picture? Address a well-known gap? Deal with a recently discovered problem?
    One part of the business? Or across multiple parts?
    How does this proposal fit with other initiatives past, present or planned?

    24/37

    Sr. Mgmt. Perspective -- Risks, cont'd

    Do you have a way to see that the risk reduction promises are being fulfilled?
    Have you researched the risk retention profile?
    Threats: your assumptions change; external threats escalate; internal vulnerabilities change.
    ...do you have a way to get on the senior management radar screen when warranted?

    25/37

    Sr. Mgmt. Perspective -- Metrics

    Are there good before and after metrics around the proposed new facility?
    Risk, Input, Outcome
    ... (or can they be) hooked into?
    How close are your metrics to the revenue-producing side of the business?

    26/37

    Conclusion: Your Security Business Case

    Is not only well researched but well socialized
    Makes sense in the context of the business
    Can be measured through non-controversial metrics
    Succeeds on multiple levels
    ... for others for later use!

    27/37

    Question and Answer

    James Anderson, Professional Assurance, [email protected]

    28/37

    The Emperor's New Clothes: Be Skeptical or Be Exposed

    Michael Waters, Manager of Enterprise Information Security, Booz Allen Hamilton

    29/37

    Three types of firms

    Those that have been compromised
    Those that have been compromised but don't know it

    Recognizing and defending against noisy threats like viruses, spam, and script kiddies is basic. Most firms do this and consider themselves safe.
    Advanced attackers (the adversary) are stealthy, persistent and almost certainly in your environment right now.

    30/37

    Potential impact of compromise is huge

    For compromises that are made public:
    Loss of reputation / client confidence: lost future revenue
    Loss of shareholder confidence: decreased market cap
    Contractual remedies: loss of revenue + loss of clients
    ... -generating activities
    Regulatory penalties: state privacy legislation, HIPAA, etc.

    For compromises by stealthy adversaries, not public:
    Loss of intellectual capital: loss of competitive edge
    Plus all the impacts of public compromises if it becomes public

    31/37

    Steps you need to take to defend yourself

    Many firms still don't get the basics right:
    Patch user systems and servers
    Challenge and validate security at each step in the system development / acquisition lifecycle
    Web proxy to prevent access to dangerous sites

    Stepping it up:
    Two factor authentication to replace passwords
    Internet isolation ... desktops
    Network Access Control (NAC)

    32/37

    What you need to check and protect

    Systems you build or buy for internal use
    Systems you build or buy to sell to your clients
    Outsourced services you resell to your clients
    Systems you had no idea were associated with your firm but were bought by John in Accounting five years ago from a cousin of his, and that now sit unprotected on the Internet serving up your sensitive information to any script kiddie with an Internet connection

    33/37

    Trust, but verify

    Establish internal standards, then check to ensure they are being followed.
    Outsourced service providers that do not provide validation of the security status of their offerings should be subject to additional scrutiny.
    An unverified promise that a third party will protect your information is cold comfort in the event of a breach.

    34/37

    Question and Answer

    Michael Waters, Manager of Enterprise Information Security, Booz Allen Hamilton

    35/37

    Open Discussion

    Kevin D. Spease, CISSP-ISSEP - Treasurer/Chief Financial Officer, ISSA International Board
    Ron Hardy - Vice President, Product Management and Marketing, NetIQ
    Michael Waters - Manager of Enterprise Information Security, Booz Allen Hamilton
    James Anderson - Professional Assurance, LLC, Pinehurst

    36/37

    CPE Credit

    Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post Web Conference quiz:
    http://www.surveygizmo.com/s3/649201/ISSA-Web-Conference-Educating-Senior-Business-Management

    After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.

    37/37

    Closing Remarks

    Thank you to our Sponsor.
    Thank you to Citrix for donating this Webcast service.
    Online Meetings Made Easy