selling data security technology
DESCRIPTION
In this security technology workshop designed specially for senior IT and business line executives, we will show you how to navigate the “valley of death” of the complex sale of enterprise information protection and make or break the business justification with your management board. Through specific Business Threat Modeling (TM) tactical methods we will show you how to discover current data loss violations, quantify threats and valuate your risk in order to select the most cost-effective security technologies to protect your enterprise information.
TRANSCRIPT
Licensed under the Creative Commons Attribution License
Danny Lieberman
[email protected] http://www.controlpolicy.com/
Selling Data security to the CEO
Sell high
“it's a lot easier to manage a big project than a small one”
Boaz Dotan – Founder of Amdocs (NYSE:DOX), $5.3BN Cap.
Agenda
• Introduction and welcome
• What is data security?
• Defining the problem
• After Enron
• Weak sales strategy
• The valley of death
• Strong sales strategy
• Execution
Introduction
• Our mission today – How to sell data security to the CEO
What the heck is data security?
• Security – Ensure we can survive & add value
• Physical, information, systems, people
• Data security – Protect data directly in all realms
Defining the problem
• You can't sell to a need that's never been observed (*)
– Little or no monitoring of data theft/abuse
• Perimeter protection, access control – Firewall/IPS/AV/Content/AD
(*) Paraphrase of Lord Kelvin
What happened since Enron
• Threat scenario circa 1999
– Bad guys outside
– Lots of proprietary protocols
– IT decides
• Threat scenario circa 2009
– Bad guys inside
– Everything on HTTP
– Vendors decide
Weak sales strategy
IT – data security is “very important”... Forrester
Management board – fraud/data theft can maim or destroy the company... Sarbanes-Oxley
Mind the gap
IT – We can get DLP technology for 100K and the first 6 months are free... Websense
Management board – We have Euro 100M VaR... PwC
The valley of death
[Slide diagram] Timeline: Month 1, Month 5, Month 12, 18. Tracks: Logical & rational versus Emotional & political. Stages: IT requirements, capabilities presentation, compliance requirements, evaluate alternatives, close, project, meet vendors, talk to analysts, losing control.
Why you lose control
• Issues shift
– Several vendors have technology
• Non-product differentiation
• Divided camps
– Nobody answers all requirements
• Need a political sponsor
• Loss of momentum
– No business pain
– No power sponsors
Strong sales strategy
• Build business pain
– Focus on biggest threat to the firm
– Rational
• Get a power sponsor
– CEO, COO, CFO, CIO
– Personal
Close the gap
Toxic customer data – VaR: 100M, VaR reduction: 20M, Cost: 1M over 3 years... Security & Risk
Management board – We have 100M VaR... PwC
Execution – building business pain
• Prove 2 hypotheses:
– Data loss is happening now.
– A cost effective solution exists that reduces risk to acceptable levels.
H1: Data loss is happening
• What keeps you awake at night?
• What data types and volumes of data leave the network?
• Who is sending sensitive information out of the company?
• Where is the data going?
• What network protocols have the most events?
• What are the current violations of company AUP?
H2: A cost effective solution exists
• Value of information assets on PCs, servers & mobile devices?
• What is the Value at Risk?
• Are security controls supporting the information behavior you want (sensitive assets stay inside, public assets flow freely, controlled assets flow quickly)?
• How much do your current security controls cost?
• How do you compare with other companies in your industry?
• How would risk change if you added, modified or dropped security controls?
What keeps you awake at night
Asset has value, fixed over time or variable. Example: Plans to privatize, sell 50% of equity.
Threat exploits vulnerabilities & damages assets. Examples: IT staff read emails and files of management board; employee leaks plans to press; buyer sues for breach of contract.
Vulnerability is a state of weakness mitigated by a countermeasure. Example: IT staff have access to mail/file servers.
Countermeasure has a cost, fixed over time or recurring. Example: Monitor abuse of privilege & prevent leakage of management board documents on all channels.
Calculating Value at Risk
Metrics: Asset value, Threat damage to asset, Threat probability
Value at Risk = Threat Damage to Asset x Asset Value x Threat Probability
(*) PTA Practical threat analysis risk model
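The following Python script is an added worked example, not part of the presentation and not the PTA software's own model. It applies the slide's formula (VaR = threat damage to asset x asset value x threat probability) to the asset/threat/vulnerability/countermeasure structure of the "What keeps you awake at night" slide and to the "Close the gap" figures. Every monetary value and probability is constructed: the toxic-customer-data scenario uses an invented 400M asset value and a 50%/50% damage/probability pair chosen so that VaR comes out at the slide's 100M, and the countermeasure numbers are chosen to reproduce the slide's 20M reduction and 1M cost. The assumption that a countermeasure acts by cutting a threat's probability by a fixed fraction is also mine; the slides do not say how a countermeasure enters the formula.

```python
"""Value at Risk and countermeasure cost/benefit, following the workshop slide formula.

Added illustration; all numbers below are constructed, not measured data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Asset:
    name: str
    value: float  # asset value in currency units (fixed or estimated)


@dataclass(frozen=True)
class Threat:
    name: str
    asset: Asset
    damage: float       # fraction of asset value lost if the threat materialises (0..1)
    probability: float  # probability it materialises over the planning horizon (0..1)


@dataclass(frozen=True)
class Countermeasure:
    name: str
    cost: float                        # total cost over the horizon (fixed + recurring)
    effectiveness: Dict[str, float]    # threat name -> fraction by which probability is cut (assumption)


def value_at_risk(threat: Threat) -> int:
    """Slide formula: VaR = Threat Damage to Asset x Asset Value x Threat Probability."""
    if not (0.0 <= threat.damage <= 1.0 and 0.0 <= threat.probability <= 1.0):
        raise ValueError(f"damage and probability must lie in [0, 1]: {threat.name}")
    return round(threat.damage * threat.asset.value * threat.probability)


def total_var(threats: Iterable[Threat]) -> int:
    return sum(value_at_risk(t) for t in threats)


def mitigated(threat: Threat, cm: Countermeasure) -> Threat:
    """Residual threat after the countermeasure: probability scaled by (1 - effectiveness)."""
    cut = cm.effectiveness.get(threat.name, 0.0)
    if not 0.0 <= cut <= 1.0:
        raise ValueError(f"effectiveness must lie in [0, 1]: {cm.name} / {threat.name}")
    return Threat(threat.name, threat.asset, threat.damage, threat.probability * (1.0 - cut))


def evaluate(cm: Countermeasure, threats: List[Threat]) -> dict:
    """Compare VaR before and after the countermeasure against its cost."""
    before = total_var(threats)
    after = total_var(mitigated(t, cm) for t in threats)
    reduction = before - after
    cost = round(cm.cost)
    return {
        "var_before": before,
        "var_after": after,
        "var_reduction": reduction,
        "cost": cost,
        "net_benefit": reduction - cost,
        "benefit_cost_ratio": reduction / cm.cost if cm.cost else float("inf"),
    }


# Scenario 1 (constructed to match the "Close the gap" slide: VaR 100M, reduction 20M, cost 1M/3 yrs)
TOXIC_DATA = Asset("Toxic customer data", 400_000_000)
TOXIC_DATA_THREAT = Threat("Customer data leaves the company", TOXIC_DATA, damage=0.5, probability=0.5)
DLP = Countermeasure("DLP over 3 years", cost=1_000_000,
                     effectiveness={"Customer data leaves the company": 0.2})

# Scenario 2 (constructed from the "What keeps you awake at night" slide)
BOARD_PLANS = Asset("Plans to privatize / sell 50% of equity", 50_000_000)
BOARD_THREATS = [
    Threat("IT staff read board emails and files", BOARD_PLANS, damage=0.4, probability=0.25),
    Threat("Employee leaks plans to press", BOARD_PLANS, damage=0.6, probability=0.1),
]
BOARD_MONITORING = Countermeasure(
    "Monitor abuse of privilege & prevent leakage on all channels", cost=300_000,
    effectiveness={"IT staff read board emails and files": 0.5, "Employee leaks plans to press": 0.5})


if __name__ == "__main__":
    for cm, threats in ((DLP, [TOXIC_DATA_THREAT]), (BOARD_MONITORING, BOARD_THREATS)):
        print(cm.name)
        for key, val in evaluate(cm, threats).items():
            print(f"  {key:>19}: {val:,.2f}" if isinstance(val, float) else f"  {key:>19}: {val:,}")
```

The point for the management-board conversation is the last two rows of each table: a 1M countermeasure that removes 20M of VaR is a 19M net benefit, which is the form the argument has to take for the board, rather than the "very important" form it takes for IT.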
Coming attractions
• Sep 17: Selling data security technology
• Sep 24: Write a 2 page procedure
• Oct 1: Home(land) security
• Oct 8: SME data security
http://www.controlpolicy.com/workshops
Learn more
• Presentation materials and resources: http://www.controlpolicy.com/workshops/data-security-workshops/
• Software to calculate Value at Risk: PTA Professional, http://www.software.co.il/pta