
Dr. J Greg Hanson presents Return on Security Investment Analysis (ROSI) An IMF Executive Security Council Web Forum Dr. J. Greg Hanson Executive Vice.



Presentation transcript:

1 Return on Security Investment Analysis (ROSI) – An IMF Executive Security Council Web Forum. Dr. J. Greg Hanson, Executive Vice President, Criterion Systems, Inc. December 10th, 2008

2 Overview
– Protecting Information at the United States Senate: A Challenging Operating Environment
– Threats and Challenges
– An Approach for Evaluating Return on Security Investment (ROSI)
– Discussion
J. Greg Hanson, Executive Vice President Defense & Homeland Security, Criterion Systems Inc. 2008

3 A Challenging Operating Environment – The Senate’s Decentralized, Non-Hierarchical Structure
[Diagram: Senator 1 … Senator 100 and Committee 1 …, each with multiple visions, missions and strategies, in competition with one another, sending requirements and direction & guidance to the Chief Information Officer, who runs a common information infrastructure. Constituents: no common vision; control who sits in a given seat at a given point in time; do not determine the existence of the institution.]

4 Lots of “Moving Parts”
– 100 Senators
– 24 Committees
– Sergeant at Arms
– Secretary of the Senate
– 14 Others
– Officers & Leadership Organizations

5 The Business of the Senate
Common Functions:
– Constituent Service
– Legislative Functions
Common High-level Requirements:
– Informed
– Secure
– Internal Communication
– External Communication
– Staff & Office Operations
– Information Processing

6 The Senate’s CIO Organization
– National Help Desk
– Operations
– Telephone Central Office
– Capitol Exchange
– Software Development House
– Program Management Office
– Test & Assessment Labs
– Multiple Computing Centers
– Network Ops. Ctr.
– Security Ops. Ctr.
– Cyber Security Branch
– Emergency Communications
– COOP
By the numbers: ~250 Government FTEs; ~250 Support Contractors; ~10,000 Customers; ~450 Disparate Connected LANs; ~435 State Offices Connected Via WAN

7 Challenge: Building an Enterprise Anything
“My anger goes back to what I have said before… the Senate is not an enterprise and no amount of wishing will make it so. … We are not business units…. We are not a team… As much as we might get along personally, ½ of us are working to get the other ½ thrown out of their jobs. I see the CIO as a kind of contractor to the offices. We are – each office – independent from one another, and the CIO should be there to support US, not the other way around. We are not one big company – we are like 100 little companies who have one ISP.”
– A Senator’s System Administrator, in response to a message with directions from the CIO to eradicate the Welchia computer worm, 20 August 2003

8 Challenge: Security – How do you protect a high-viz target?

9 Challenge: Security
– The Senate Belongs to the Public
– The Senate is a Target
– COOP and COG – Preparing for What?
– Data Custody and Control Implications
“Hackers Hijack Federal Computers” by Jon Swartz, USA Today, August 31, 2004: “PITTSBURGH – Hundreds of powerful computers at the Defense Department and U.S. Senate were hijacked by hackers who used them to send spam, federal authorities say.”

10 The Challenge: Security – A Layered Defense-In-Depth Approach
– Cisco VPN/RSA SecurID
– SSL VPN
– Intrusion Detection Systems
– Enterprise Firewall
– SPAM Filtering
– Personal Firewall
– Managed Antivirus
– Managed OS Critical Security Updates
– Screen Password Protection
– Senate Office Router ACL
– Strong Username and Password

11 Challenge: Privacy & Confidentiality – Whose Data is it, Anyway?
– Information Custody, Control & Impact on IT Programs
– Tradeoffs: Security vs. Privacy; Emergency Planning vs. Privacy

12 The Challenge: Privacy & Confidentiality – Whose Networks are they, Anyway?
– > 400 Disparate Networks
– Patch Management Challenges
– Security Policies & Practices
– Fighting Cyber Threats Inside and Out

13 Challenge: Security – What’s on the Radar?
– State-sponsored cyber terrorism
– Privacy and personal information
– Malware, Spam, & Adware
– Internal Threats/Education
– Emergency communications
– Data Manipulation/Extraction
– Innovative ways to leverage SOCs to provide value to our customers
Senate SOC saw RinBot 8 days before US-CERT sent a bulletin!

14 Challenge: Security & Special Events
– Elections & Transitions
– Conventions
– Inaugurations
– State Funerals

15 Challenge: Security & The Unexpected
– [Chart: Impact of July 2004 Intel Committee 9/11 Report on Network Traffic, marked at “Report Released”]
– August 2005: Hurricane Katrina wiped out 11 State Offices
– Pandemic Planning

16 Challenge: Security & Supporting a Mobile/Enabled User Base
[Chart: Senate Trends in Mobility ( ) – VTC, Web VPN, Passfaces, RSA SecurID, Laptops, BlackBerrys]

17 Challenge: Security and Emerging Technologies & Cultural Changes
– Social computing/collaboration technologies
– Information security issues and technologies: sophistication of adversaries; ability to track vs. desire for privacy
– Web 2.0
– Convergence technologies
– Remote computing & teleworking
– Expectation that bandwidth is infinite

18 During My Tenure as CIO: Information Security Was HIGH PRIORITY
– Tied to virtually EVERYTHING
– One of five pillars of the Senate Information Technology Strategic Plan
– Major component of the annual CIO budget
– Major oversight and interest from: Senate Leadership; Senate Appropriations Committee; Senate Rules Committee
A cost analysis tool to assess $$ vs. capability and requirements vs. capability would have been extremely useful.

19 A Practical Quantitative Model For Answering:
– How much is the lack of security costing the enterprise?
– What impact is lack of security having on people (productivity)?
– What impact would a catastrophic breach have?
– What are the most cost-effective solutions?
– What impact will the solutions have on productivity?
[Diagram: RISK vs. COST]

20 Return on Security Investment (ROSI) (Wes Sonnenreich, SageSecure LLC, 2004)
ROSI = ((Risk Exposure × % Risk Mitigated by Solution) – Cost of Security Investment) / Cost of Security Investment
Determining values for these is the difficult task.

21 Determining Risk Exposure
Risk Exposure = Average Cost per Incident × Number of Incidents
Average Cost per Incident: estimated incident cost
– From empirical organization data; at the Senate this could be collected at the SOC
– Verified using vendor and government sources (e.g. NIST, Computer Security Institute, FBI, Microsoft, Oracle, etc.)
Accuracy of incident cost is less important than consistency of the method for calculating and reporting the cost.

22 Losses – In the Context of the Enterprise
– Loss of highly confidential information (how much is intellectual property worth?)
– Loss of productivity associated with an incident
– Loss of “business advantage”
– Loss of customer confidence
All would be considered critical and unacceptable in the Senate environment.

23 Determining % Risk Mitigated by Solution
One approach:
– Conduct and score a risk assessment based on a consistent algorithm, to ascertain the amount of risk currently being mitigated
– Conduct another risk assessment based on the same algorithm, as if the solution were already in place
– The difference between the results is the risk mitigated by the solution
The Problem: security doesn’t create anything tangible, but rather prevents loss. A loss that is prevented may not have been known or anticipated. The accuracy of the result is fully dependent on the quality of the assessment and of the scoring algorithm.

24 Cost of Security Investment
– Products
– Implementation Costs
– Opportunity Costs
– Productivity Impacts (does the solution increase productivity?)

25 Conclusions
[Diagram: Option 0, Option 1, Option 2, Option 3, Option 4, Option …, Option n, plotted against two axes: Not Viable Solutions vs. Viable Solutions, and Too Little Risk Mitigation vs. Acceptable Risk Mitigation]
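The model of slides 20 to 25 carried through as an added worked example (not from the presentation or from Criterion Systems): risk exposure from SOC incident data, % risk mitigated as the difference between two assessments scored with the same algorithm, the slide 24 cost components, and the resulting ROSI used to sort candidate options into the slide 25 buckets. All figures, the option names, the 10% "acceptable mitigation" threshold and the treatment of a productivity gain as a cost offset are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Option:                     # cost components from slide 24, assessment score from slide 23
    name: str
    product_cost: float
    implementation_cost: float
    opportunity_cost: float
    productivity_gain: float      # annual $ the control saves users; negative if it costs them time
    score_after: float            # % risk mitigated, scored as if the solution were already in place

def risk_exposure(avg_cost_per_incident: float, incidents: int) -> float:
    """Slide 21: Risk Exposure = Average Cost per Incident x Number of Incidents."""
    return avg_cost_per_incident * incidents

def pct_risk_mitigated(score_before: float, score_after: float) -> float:
    """Slide 23: difference between two assessments scored with the same algorithm
    (0-100 = % of risk mitigated), returned as a fraction of total risk."""
    return max(0.0, min(100.0, score_after - score_before)) / 100.0

def cost_of_investment(opt: Option) -> float:
    """Slide 24 cost components; counting a productivity gain as a cost offset is an assumption."""
    return opt.product_cost + opt.implementation_cost + opt.opportunity_cost - opt.productivity_gain

def rosi(exposure: float, mitigated: float, cost: float) -> float:
    """Slide 20: ROSI = (Risk Exposure x % Risk Mitigated by Solution - Cost) / Cost."""
    if cost <= 0:
        raise ValueError("cost of security investment must be positive")
    return (exposure * mitigated - cost) / cost

def classify(options, exposure, score_before, min_mitigation=0.10):
    """Slide 25 buckets (thresholds are assumptions): viable if ROSI > 0, acceptable
    mitigation if the solution mitigates at least min_mitigation. Rows sorted by ROSI."""
    rows = []
    for opt in options:
        m = pct_risk_mitigated(score_before, opt.score_after)
        r = rosi(exposure, m, cost_of_investment(opt))
        rows.append({"option": opt.name, "mitigated": m, "rosi": round(r, 3),
                     "viable": r > 0, "acceptable_mitigation": m >= min_mitigation})
    return sorted(rows, key=lambda row: row["rosi"], reverse=True)

# Constructed inputs: SOC data of 15 incidents/year at $20,000 each (exposure $300,000);
# the current assessment scores 40% of risk as already mitigated.
EXPOSURE = risk_exposure(20_000, 15)
CANDIDATES = [
    Option("managed antivirus", 30_000, 15_000, 5_000, 0, 70),
    Option("screen password protection", 0, 8_000, 2_000, 0, 45),
    Option("enterprise firewall", 100_000, 60_000, 10_000, 20_000, 80),
]
```

Running `classify(CANDIDATES, EXPOSURE, score_before=40)` puts the antivirus option in the viable/acceptable quadrant, flags the password option as viable but mitigating too little risk, and marks the firewall option as not viable because its cost exceeds the loss it avoids.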

