Maximizing Security Training ROI
DESCRIPTION
Security training for developers, Training ROI, Business case for security, Emerging threats, How to build an effective training program?
TRANSCRIPT
Maximizing Security Training ROI
Kartik Trivedi, Symosis
Who am I?
• VP / Co-Founder of Symosis, 10+ years in information security consulting & Training, USC, Foundstone, McAfee, Accuvant, C-Level security, etc
• Invited speaker, author and educator
• MBA, MS Comp Sc, CISM, CISA, CISSP
2Symosis Confidential
Table of Contents
• Business case for security
• Emerging threats
• How to build an effective training program?
• Case Studies
The Business Case for Security
Proper security enables a company to meet its business objectives by providing a safe and secure environment
Impact of Security Breach
• Loss of Revenue
• Damage to Reputation
• Loss or Compromise of Data
• Damage to Investor Confidence
• Legal Consequences
• Interruption of Business Processes
• Damage to Customer Confidence
Dollar Amount Of Loss
* CSI 2006
Cost of Security Breach
* Aberdeen Group August 2010
The cost of security is not trivial; however, it is a fraction of the cost of mitigating security compromises
Security Breach Example Costs
Cost of Recent Customer Records Breach
• $6.5 Million: DSW Warehouse Costs from Data Theft
• $5.7 Million: BJ’s Wholesale Club from Data Breach
Additional impact/cost due to lost customers
• 20% of customers have ended a relationship with a company after being notified of a breach (Ponemon Institute)
• 58% said the breach decreased their sense of trust and confidence in the organization reporting the incident
Emerging Threats
[Chart: Rapidly Escalating Threat to Businesses. Vertical axis: Impact; horizontal axis: Target and Scope of Damage, from Individual Computer through Individual Networks, Multiple Networks and Regional Networks to Global Infrastructure. Timeline: 1980s, 1990s, Today, Future.]
• First Gen (1980s): Boot viruses – time scale: weeks
• Second Gen (1990s): Macro viruses, Denial of Service – time scale: days
• Third Gen (Today): Distributed Denial of Service, Application threats, Malware – time scale: minutes
• Next Gen (Future): Flash threats, Massive “bot”-driven DDoS, Damaging payload worms – time scale: seconds
Emerging Threats Drivers
Threats becoming increasingly difficult to detect and mitigate
[Chart: Threat Severity over time – 1990, 1995, 2000, 2005, What’s next?]
• TESTING THE WATERS – Basic Intrusions and Viruses
• FAME – Viruses and Malware
• FINANCIAL – Theft & Damage
Emerging Attack Methods
* SANS 2010
Emerging Application Weaknesses
* SANS 2010
Table of Contents
• Business case for security
• Evolving threats
• How to build an effective training program?
• Case Studies
Why Security Training – Security Guy view
• Build in-depth knowledge to design, implement, or operate security programs
• Develop skills so that users can perform their jobs while using IT systems more securely
• Increase security awareness
Why Security Training – CEO view
• Demonstrating care & due diligence can help indemnify the institution against lawsuits
• Dissemination & enforcement of policy become easier when training & awareness programs are in place
• Reduce accidental security breaches
Step 1: Define Objectives
• Compliance, Regulations and Governance
• Client & Partner requirements
• Increase the general level of security awareness
• Design, develop and maintain secure IT infrastructure and applications
How is Information Security (Training) Justified in Corporations Today?
PWC security survey 2010
Payment Card Industry (PCI)
PCI DSS mandates a security awareness program that:
• 12.6.1: Educate employees upon hire and at least annually
• 12.6.2: Require employees to annually acknowledge in writing that they have read and understood the company's security policy and procedures
Health Insurance Portability and Accountability Act (HIPAA)
• Mandated annual privacy and security training for management, agents & contractors
• Security “Marketing” Efforts
• Annual System-specific training
Gramm–Leach–Bliley Act (GLBA)
• Mandates IT Security Awareness Training for all employees of financial service providers (FSPs) including:
– insurance agencies, tax preparers, finance companies, collections agencies
– leasing agencies, travel agencies and financial advisors
Federal Information Security Management Act (FISMA)
• FISMA requires federal agencies to develop, document, and implement a security training program that educates personnel, including contractors and other users, about their responsibilities in maintaining information security, complying with organizational policies and procedures, and reducing the risks associated with their activities
ISO 27002
• ISO 27002 recommends designing and implementing an adequate level of security education and training for your organization’s employees, contractors and third party users
Table of Contents
• Business case for security
• Evolving threats
• How to build an effective training program?
– Step 1: Define Objectives
– Step 2: Assess Needs
– Step 3: Key Success Factors
– Step 4: Metrics
• Case Studies
Step 2: Assess Needs
• Identify a training administrator
• Primary responsibility lies with the Chief Information Security Officer, top management and the security team
Assess Needs
Using the wrong training methods can:
• Hinder transfer of knowledge
• Lead to unnecessary expense and frustrated, poorly trained employees
Assess Needs
• Who needs to be trained and on what?
– All stakeholders – Security Awareness Training, Compliance
– Program Managers – Security principles & Design
– Developers – Threats, coding mistakes, secure software development
– Testers / QA – Security Test Cases
Step 3: Key Success Factors
• Build in-house
• Buy ready made
• Classroom Training
• Web Based Training
• Generic vs. Customized
• Hosting
Build in-house
• Business needs are unique
• Internal capability, time, resources
• Proprietary information or data needs to be protected
• Complexity of interface with company's LMS
Buy ready made
• Reduce and control operating costs
• Free internal resources
• Gain access to external expertise
• Share risks
Classroom Training
• Time set aside dedicated to learning
• Costs include course fees, travel, accommodation and opportunity costs
• Face to face access to a trainer
• Network with other students
Web Based Training
• Individuals can study at their own time and pace
• Cost effective
• Easily Customizable
• Easier to measure student progress and justify costs
Generic vs. Customized
• Generic training is cost effective and focuses on core security issues like the OWASP Top 10, etc.
• Customization provides training that matches specific needs for content, completion requirements, quizzes, policies, and even employee responsibility acknowledgment.
Hosting
• Internal hosting provides greater control but could be resource and cost intensive
• A SaaS service is often turnkey but may limit scalability and usage
Table of Contents
• Business case for security
• Evolving threats
• How to build an effective training program?
– Define Objectives
– Assess Needs
– Key Success Factors
• Build vs. Buy
• Classroom vs. Web Based
• Generic vs. Customized
• Hosting
– Metrics
• Case Studies
Step 4: Metrics
• Quiz and survey results
• Content
• People
Metrics - Quiz and survey results
• Score Results: How did people score?
• Answer Breakdown: How did people answer?
• Attempt Detail: How did a user answer?
Metrics - Content
• Activity: What was the activity for a content item?
• Traffic: How often was an item viewed?
• Progress: How many slides did people view?
• Popular Content: Which content was viewed the most?
Metrics - People
• Group Activity: What content did a group view?
• User Activity: What content did a user view?
• Active Groups: Who were my most active groups?
• Active Users: Who were my most active users?
Case Study 1 - Project management and custom software company
• Challenge:
– Ensure secure coding elements have been taught
– Prevent the top 10 threats by teaching mitigation techniques
– Meet a time sensitive requirement under a DoD contract
Case Study 1 - Project management and custom software company
• Solution:
– Implement best practices software security training for Java
– Provide access to training on demand from a SaaS model
Framework
– Define Objectives
– Assess Needs
– Key Success Factors
• Build vs. Buy
• Classroom vs. Web Based
• Generic vs. Customized
• Hosting
– Metrics
Case Study 2: Large financial & Tax Software Company
• Challenge
– Improve software quality by eliminating common mistakes
– Provide foundation for everyone to ‘own’ security
Case Study 2: Large financial & Tax Software Company
• Solution
– Create custom course based on previously identified risk and mitigation
– Integrate security cases into QA lifecycle
– Measure year over year declines in security related CRs
Case Study 3: Large Fitness Center Chain
• Challenge:
– Meet PCI compliance for integrating secure coding practices
– Short timeline, small budget, looking for turnkey solution
Case Study 3: Large Fitness Center Chain
• Solution
– Implement JAVA/.NET secure coding practices
– Address PCI Cardholder Data requirements within application development
Thanks for listening…
Questions?
To try or evaluate Symosis security training for FREE, please email me at [email protected]
Symosis Training Offerings
• Introductory Tracks
– Security Awareness Training
– Introduction to Application Security (covering OWASP, WASC and MS SDL)
• Advanced Tracks
– Security Training for Managers / Architects
– Security Training for Developers – .NET
– Security Training for Developers – JAVA / J2EE
– Security Training for Developers – C/C++
– Security Training for Developers – Flash / FLEX
– Security QA / Testing for Applications
• Regulations & Compliance
– PCI DSS Awareness Training
– PCI DSS Training for Developers
– Security Training for HIPAA