To protect the confidential and proprietary information included in this material, it may not be disclosed or provided to any third parties without the approval of Hewitt Associates LLC. Selling security How to talk to the business that feeds you

2[MM/DD/YYYY] Cost and benefit in security Risk analysis Risk = Asset Cost X Threat Probability Controls to prevent risks Cost of controls Not only direct cost of roll-out (license, installation) Employee’s burden to use control is also Cost Control Cost > Asset Cost doesn’t make much sense Pretty obvious for Business folks Not so obvious for Security folks

3[MM/DD/YYYY] Security as a cost? This is how it’s often seen by Bussiness Security = Necessary evil, required by Regulators, waste of our hardly earned money Security folks know the truth here Often they can’t properly express it Security is not a cost Security is an investment to prevent losses Spend $100k to prevent losing $1m = 10x benefit It’s not: „Security spent $100k” It’s: „Security helped saving $1m for just $100k”

4[MM/DD/YYYY] Two ways to enable security Enforcement model You have powers to enforce any control Law, public administration, some corporate environments (financial, military) If Asset Cost is HUGE, Security might take priority YOU set the rules, and THEY must obey them Soft model You have little powers to enforce controls Most private companies, most corporate environment If Sales makes $5m revenue and Security makes $500k „loss” quarterly, you have to be very careful before trying to put a stick in their wheels Your arms are: talk and listen – YOU must fit THEIR needs

5[MM/DD/YYYY] Kids with guns If you have powers to enforce any control... You will be tempted to enforce even the dumbest ones – Security vendors are good in overrating risks to sell stuff Common approach among some regulators and governments Example: qualified electronic signature for e-invoice in Poland – 5% usage since 2005 (mostly EDI) – Compare to Denmark’s 60% (mostly OCES)

6[MM/DD/YYYY] Don’t turn shepherd into a policeman So even if you have powers... Try to understand your client needs as much as possible – Client = your Sales dept, Citizens, National business Perform as much real life risk analysis (including cost & benefit) Make sure your controls help things instead of breaking things Periodically perform a reality check – how does my security help business? Otherwise you may destroy your organisation’s flexibility and competitive advantage – And lose your job – and make hundreds other people lose job as well

7[MM/DD/YYYY] Most important control from ISO „Obtain management support” Everything starts here If you won’t, business will ignore you, your controls or try to work around them How to obtain management support? Talk to business Talk to management – It’s the best reality check you can think of – To convince old sharks you must have really good arguments – Don’t get tempted to grab some scary number from vendor ordered „independent reports”

8[MM/DD/YYYY] If you failed to obtain management support You may be wrong Make sure you REALLY understand where does your salary come from Management may be wrong You might be right but used wrong arguments – again, your fault Management may already have selected controls using arguments other than rational risk analysis – you can’t do much about it

9[MM/DD/YYYY] „Talking to Bussiness HOWTO” Avoid „weasel talk” and buzzwords Blacklist wording like: „some attacks exist that migh pose a risk” Use as much facts and numbers as possible Do use industry reports But always filter them through your company’s context Learn from historic incidents in YOUR organisation – Single such incident is worth 10 industry reports Perform periodic reality checks on your arguments If necessary drill down to a single specific incident Build cause-reason trees Make sure at the end the threat is still there!

10[MM/DD/YYYY] Some examples - Ponemon Report (2006) Direct cost to handle data breach incidents On average 4,8 milion USD – from 226’000 to 22’000’000 Cost of controls implemented after the breach On average 180’000 USD for one incident Data loss caused by organization internal factors 70% cases caused by lack of data ownership, ignoring procedures and negligence Data loss during electronic data processing 90% incidents caused by loss of laptop or electronic media

11[MM/DD/YYYY] Threat analysis – case study Real life incident from 2005 Financial industry, event still remembered by some management people One stolen laptop resulted in ~5000 affected clients Handling of every record costed ~115 USD It pretty much fits Ponemon’s estimate from 2008 ($ per record) Even if no actual loss was caused to the clients (laptop was lost without trace) How much this single incident costed organisation at the end of the day? $500k

12[MM/DD/YYYY] Threat analysis – case study #2 FSA fined HSBC Group for £3m, June 2009 Public report on FSA website Detailed list of issues found How many of these you recognize in your organisation? How close was the hit to your industry?

13[MM/DD/YYYY] Control analysis – last example Company deployed full-disk encryption (FDE) All laptops covered, cost $100k Office break-in happens in laptops stolen 2 contained sensitive client’s records Cost for organisation at the end of the day – close to ZERO Hardware was covered by insurance Data was backed up Whole operating system was encrypted You can prove this to client, because all laptops are encrypted

14[MM/DD/YYYY] Questions? Questions, comments