selling security v4

8/2/2019 Selling Security v4

1/37

[email protected]

[email protected]

JaredPfost

[email protected]

June1,2011

VirtualProblems RealAnswers

1


2/37

Disclaimer

The

views

and

opinions

expressed

during

this

conference

are

those

of

thespeakersanddonotnecessarilyreflecttheviewsandopinionsheldbytheInformationSystemsSecurityAssociation(ISSA),theSiliconValleyISSA,theSanFranciscoISSAortheSanFranciscoBayAreaInfraGardMembersAlliance(IMA). NeitherISSA,InfraGard,nor

anyof

its

chapters

warrants

the

accuracy,

timeliness

or

completeness

oftheinformationpresented. Nothinginthisconferenceshouldbeconstruedasprofessionalorlegaladviceorascreatingaprofessionalcustomerorattorneyclientrelationship. Ifprofessional,legal,or

other

expert

assistance

is

required,

the

services

of

a

competent

professionalshouldbesought.

TheseviewsandopinionsarealsodonotreflectthoseofFremontBancorp.

June1,2011


2


3/37

Introductions

JustinDrain,

CISM,CRISC,

CISSP

DataSecurityManager FremontBank

Securityexperience:banking,aerospace,federal

government,medical

JaredPfost

CEO

ThirdDefense

Securityexperience:banking,technology,consulting

June1,2011


3


4/37

SecurityProjects SecuringExecutiveApproval

June1,2011


4

Agenda

PresentState HowItWorksNowWhyIsItso?MySolution InTheory InMoreDetailBasicPointsToRemember LetsGo!


5/37

HowItWorks

June1,2011


5

Infrastructurevs.

Security

ProjectMgmt vs.SecurityPractitioner

Mature

Organization

vs.

Just

Getting

Heard


6/37

PresentState HowItWorksNow

June1,2011


6

WithAny

Infrastructure

Project

:

ANeedIsIdentified

BusinessCase

For

Addressing

The

Need

Is

Built

SimultaneouslyASearchForASolutionIs

Underway

Acceptance!


7/37

PresentState HowItWorksNowcontd

June1,2011


7

TheCriteria

For

Acceptance

Is

Relatively

Straightforward:

It

Makes

Us

Money

ItMakesUsLookGood

It

Keeps

Us

From

Looking

Bad(compliance)


8/37

SecurityProjects

June1,2011


8

ThingsAre

Different

with

Security

Atfirst

Struggleswith

Buy

in

on

Need

Resistance:ImpacttoBusinessProcess

PushbackOn

Cost


9/37

WhyIs

It

So?

Its

Psychological

June1,2011


9

WhyTheresaDifference

WhyAre

Insurance

Salesmen

So

Unpopular?

Reality/Perception&Profit/Risk

SoundBite

What

Do

You

Want?

MatureCompaniesBuildProductsW/Infosec

BakedIn

Catchphrase,"WeTakeCareOfSecurity


10/37

WhatHave

We

Done

in

Response?

June1,2011


10

StandardApproach

FearAndLoathing

ComplianceCard

ADifficult

Definition


11/37

WhatHave

We

Done

in

Response?

contd

June1,2011


11

Fearis

not

an

option,

unless

it

is

applied

appropriately


12/37

WhatHave

We

Done

in

Response?

contd

June1,2011


12

ComplianceCard

ComplianceIsNotSecurity

ThisOnlyGoesSoFar


13/37

WhyIs

It

So?

Its

Psychological

contd

June1,2011


13

TheProspect

Theory

InTheory

BusinessModels

ApplyingToSecurity


14/37

WhatHaveWeDoneinResponse?

Definition

Of

Insanity

June1,2011


14


15/37

SoNow

What?

My

Solution

June1,2011


15

FromaHigh

Level

ButfirstwheredoIgetoff?

WorksForMe

ImmaturetoMature


16/37

Strategy,Strategy,

Strategy

June1,2011


16

NoSingle

Switch

IntegratedStrategy

FocusedMethodology

Groundwork

BuildingA

Case

For

Security

Before

You

BuildTheBusinessCase


17/37

Don'tFight

the

Feeling

June1,2011


17

Make

Human

Nature

Your

AllyFrameSecurityInPositiveLight

Usethe

Shaky

Perceptions

SecurityBrakes

AgainWith

The

Fear


18/37

NotOverPlayingTheFearCard

BurglarAlarm

9/11 SkyISFalling

June1,2011


18


19/37

HowDoes

It

Go

Again?

More

Detail

June1,2011


19

HowDoes

It

All

Come

Together?


20/37

InitialSteps

June1,2011


20

BeInTheRoom

SecureAnAlly CreateAnAdvocate.

EvenIfItMeansGivingUpCredit

PlantTheSeeds(Awareness,Metrics)

BuildAwarenessOfSecurityStrategy


21/37

21

BusinessDrivers

ImproveSecurity

Services

RegulatoryRequirements

Workwemustdo

Workwe

should

do

Workwe

could

do

ManageCompliant

ReadyServices

ReachaLegally

DefensibleLevel

of

Security

EmbedRiskBased

DecisionstoAchieve

BusinessGoals

Formalizemandatoryvs.discretionarycategories.


22/37

CommunicateTop

Risks

June1,2011


22

ConstructaTopDownStory

EvidenceDriven

RisksPlacedinActionCategories

Act,Evaluate,Accept

ImpactRanges

CalibrateMonetary&Risk

ExposuresacrossScale

LikelihoodRanges

UseEvidence

for

Occurance


23/37

PrioritizebyBusiness

Value RiskPriority

ITCapability

BusinessSupport

PoliticalReality

Cost

DocumentDecisionand

Justificationfor

Posterity

23

Efficiency

Gains.Save

$110K

BusinessDriven

Investments


24/37

EvidenceDriven

QuantifyWhenDefensibleJune1,2011


24

CommunicateTop

Risks

&

Investments

PrioritizebyRisk,Capability,

Cost,&Politics


25/37

InitialSteps

contd

June1,2011


25

GainWideAcceptanceAtInception

AsPart

Of

Your

Strategy

ProveYouCanDoItBeforeYouProve

YouCan

Do

It

(TimeTravel?No.DemonstrateEffectiveness)

CarrotAnd

Stick


26/37

Next

Clearthe

Path

June1,2011


26

MoreGroundwork

SolutionLookingForAProblem

SecuritySolutionsCanImprove

CustomerExperienceValueAdd

PeopleAreSTILLthePerimeter


27/37

DefineTargetstoDriveAcceptableRisk

June1,2011


27

MetricsDemonstrate

Progress

&

Needs


28/37

Clearthe

Path

contd

June1,2011


28

MoretoConsider

RevenueNow SecurityLater

Dont

Be

The

Nail


29/37

Toahammer,

everythinglookslikea

nail

DontBe

The

Nail

June1,2011


29


30/37

Engage

June1,2011


30

OnTheSurfaceEverythingSeemsNormal

BackAttheTable

PresentationIsKey,DoYourHomework

BePrepared

To

Defend

The

Obvious

(obvioustous)

KnowYour

Audience

And

Speak

Their

Language


31/37

Engage contd

June1,2011


31

SecurityNeedsIt'sOwnROI

ManyAreWilling/AbleToRationalize

CertainLosses

ConvinceThemYouAreBetterOff

W/SecuritySolution


32/37

Engage contd

June1,2011


32

Dont

Forget

The

Rank

and

FileWhatsTheDeductible

Areyou

better

off

now,

than

you

were MetricsCanHelpHereToo


33/37

Closethe

Deal

/Follow

Up

June1,2011


33

YouSetThemUpNowIt'sTimeTo

KnockThem

Down

ThereIsNothingMoreExpensive

ThanRegret

Vi l P bl R l A


34/37

Closethe

Deal

/Follow

Up

contd.

June1,2011


34

Securityisnotintuitive:continue

education

Integration,integrationand

integration.

WherestheBeef?

Virt al Problems Real Ans ers


35/37

SoIn

Closing

June1,2011


35

PointsToRemember

BeInTheRoom.

DontBetheNail

FearIS

an

Option

Sometimes

IfYouDontWriteitDown.Metrics NOW!

SecurityROI

is

different.

Virtual Problems Real Answers


36/37

FinalThought

June1,2011


36

The state of mind which enables a man to

do work of this kind is akin to that of the

religious worshiper or the lover; the daily

effort comes from no deliberate intention or

program, but straight from the heart.

-Albert EinsteinPhysical Society address, 1918

Virtual Problems Real Answers


37/37

June1,2011


37

DisclaimerTheviewsandopinionsexpressedduringthisconferencearethoseofthespeakersanddonotnecessarilyreflecttheviewsand

opinionsheld

by

the

Information

Systems

Security

Association

(ISSA),

the

Silicon

Valley

ISSA,

the

San

Francisco

ISSA

or

the

San

FranciscoBayAreaInfraGardMembersAlliance(IMA). NeitherISSA,InfraGard,noranyofitschapterswarrantstheaccuracy,

timelinessorcompletenessoftheinformationpresented. Nothinginthisconferenceshouldbeconstruedasprofessionalorlegal

adviceorascreatingaprofessionalcustomerorattorneyclientrelationship. Ifprofessional,legal,orotherexpertassistanceis

required,theservicesofacompetentprofessionalshouldbesought.

Thank You!

Questions?

[email protected]

[email protected]@thirddefense.com

selling security v4

Documents