Justifying Security Investment


Transcript of Justifying Security Investment

Page 1: Justifying Security Investment

Justifying your Security Spend

Privileged and Confidential. NDA Required for External Disclosure.

Presented by: Jojo Colina, Head, Product Management & Development

Page 4: Justifying Security Investment

“Security Problems are never truly solved. The bad guys are always waiting for an opportunity...”

And they are getting better all the time!

Page 5: Justifying Security Investment

Risk can never be Eliminated!

– “There is no ‘right’ amount of money to spend on IT infrastructure.” No matter how much money you spend on infrastructure, you’ll never be totally safe and secure. So the “right” amount of money for a company to spend on IT infrastructure — whether it’s for security or for something else like database reliability or resilient servers — depends on the amount of risk that the company is willing to tolerate.

Page 6: Justifying Security Investment

• Good Security is Invisible

– It’s difficult to justify security when it’s working.

Page 7: Justifying Security Investment

The biggest investments in security usually come right after a security breach

• A government website is defaced and makes the news.

– Suddenly that agency and others make inquiries about Web Security products and services.

• Local BPO is infected with Conficker worm

– Review and upgrade of Endpoint Security is undertaken

Page 8: Justifying Security Investment

• Making People Dissatisfied is the Only Way to Justify Investment

• Dissatisfaction with the status quo is most important when you’re trying to sell security investment.

• To justify additional security investment you have to convince the business that your current security infrastructure is inadequate.


Page 12: Justifying Security Investment

Victim of your own success

“Security to your end users is a state of mind. One which you created by your success in solving security challenges.”

Now that they feel secure, how do you justify additional security expense?

Page 13: Justifying Security Investment

Three challenges to Security

1. Make your end users “feel” secure

2. Implement an infrastructure with a reasonable level of security for the amount of money the company is willing to invest

3. Recommend the right level of infrastructure security investment and get agreement from the business

Page 14: Justifying Security Investment

How to determine the right level of Investment

• What are other companies doing who have a similar risk tolerance to your company?

• Does your company deal with confidential information from your customers?

• Does your company differentiate itself from its competition based on an enhanced level of trust or risk avoidance?

• Does your company hold a proprietary advantage over its competition which could be lost if confidential company information was revealed?

Page 15: Justifying Security Investment

Justify the Need

• Enterprise Objectives for Security

– Obtain Blueprint documents from CTO/CIO to understand the roadmap for technology growth in hardware/software/network

• Regulatory Mandates

– Contact Compliance, Legal and industry groups to understand immediate and short-term/long-term regulatory requirements

• Risk Analysis

– Understand your risks in cyber/physical security, disaster recovery/business continuation and compliance with data protection/data sharing regulations

– Quantify the impacts wherever possible; per incident, per potential loss

• Probability of Occurrence

– Be realistic; pull industry trend information; poll industry alliances; review previous internal losses

• Impact of Occurrence

– Be realistic; compute hard financial impacts, estimate soft financial impact based on real industry losses/settlements/pay-outs; poll industry vendors

• Benefit to Enterprise

– Avoidance is one benefit but weak justification for getting approved funds

– Tie to hard savings/loss reduction

Page 16: Justifying Security Investment

Build a Business Case

• Understand TCO

– Total Cost of Ownership – use Finance to assist; plan across the next 5 fiscal years [understand where you can cut if necessary]

– Use this TCO in your ROSI calculations

Page 17: Justifying Security Investment

Build a Business Case

• Timelines and Resource Requirements

– Articulate inter-dependencies between security initiatives

– Speak to the large plan; cross-utilize resources

– Use compliance requirements to your advantage

– Make contact with industry firms early to determine resource availability

– Try to MINIMIZE EXPENSES [save up for future battles]

Page 18: Justifying Security Investment

Build a Business Case

• Use Financial Metrics

– Build metrics that can reflect your project progress

– Always be ready to estimate financial cost avoidance from a deterred incident

– Provides immediate feedback of success and hardened evidence of ROSI for future projects/enhancements

Page 19: Justifying Security Investment

ROI and ROSI

ROI (Return on Investment)

ROSI (Return on Security Investment)

To calculate ROI, the cost of a purchase is weighed against the expected returns over the life of the item. Ex: if a new production facility will cost $1M and is expected to bring in $5M over the course of three years, the ROI for the three-year period is 400% (net earnings of 4x the initial investment).

ViriCorp has gotten viruses before. It estimates that the average cost in damages and lost productivity due to a virus infection is $25,000. Currently, ViriCorp gets four of these viruses per year. ViriCorp expects to catch at least 3 of the 4 viruses per year by implementing a $25,000 virus scanner.
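The calculation the slide leaves implicit, as an added example that is not part of the original deck: ROI for the production facility, and ROSI for the ViriCorp virus scanner. The ROSI formula used here (avoided annual loss minus solution cost, divided by solution cost) is the one from the referenced Sonnenreich et al. practical model, which the slide itself does not state; the `SecurityControl` class and the second, over-priced control are constructed for illustration.

```python
from dataclasses import dataclass


def roi(cost: float, expected_return: float) -> float:
    """Return on investment as a fraction: net gain divided by cost."""
    if cost <= 0:
        raise ValueError("cost must be positive")
    return (expected_return - cost) / cost


@dataclass(frozen=True)
class SecurityControl:
    name: str
    cost: float              # annual cost of the control
    mitigation_ratio: float  # fraction of incidents it is expected to stop (0..1)


def annual_loss_expectancy(incidents_per_year: float, cost_per_incident: float) -> float:
    """ALE = frequency of incidents per year x average cost per incident."""
    return incidents_per_year * cost_per_incident


def rosi(ale: float, control: SecurityControl) -> float:
    """ROSI = (ALE * mitigation_ratio - cost) / cost, as a fraction.

    Negative means the control costs more per year than the loss it avoids."""
    if not 0.0 <= control.mitigation_ratio <= 1.0:
        raise ValueError("mitigation_ratio must be between 0 and 1")
    if control.cost <= 0:
        raise ValueError("cost must be positive")
    avoided_loss = ale * control.mitigation_ratio
    return (avoided_loss - control.cost) / control.cost


def rank_controls(ale: float, controls: list[SecurityControl]) -> list[tuple[str, float]]:
    """Rank candidate controls by ROSI, best first, for the business case."""
    return sorted(((c.name, rosi(ale, c)) for c in controls), key=lambda t: t[1], reverse=True)


def viricorp_example() -> dict[str, float]:
    # Figures from the slide: 4 infections/year at $25,000 each; a $25,000 scanner
    # expected to stop 3 of the 4 (75%). ROSI = (75,000 - 25,000) / 25,000 = 200%.
    ale = annual_loss_expectancy(incidents_per_year=4, cost_per_incident=25_000)
    scanner = SecurityControl("virus scanner", cost=25_000, mitigation_ratio=0.75)
    # Constructed comparison: same effectiveness, priced above the loss it avoids.
    pricey = SecurityControl("managed appliance", cost=90_000, mitigation_ratio=0.75)
    ranked = rank_controls(ale, [pricey, scanner])
    return {"facility_roi": roi(1_000_000, 5_000_000), "ale": ale,
            "scanner_rosi": rosi(ale, scanner), "best_control_rosi": ranked[0][1]}
```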

Page 20: Justifying Security Investment

Build a Business Case

• Articulate Impact – Piggyback

– You have to be able to articulate what the umbrella benefit is, what the specific impact potential might be, and the specific benefits of each project

– Piggyback related projects to provide ‘value-added’ benefit.

• Meet Stakeholders’ Expectations

– Write the narrative to the expectations of your project stakeholders

– Know what they need to accomplish within their realm [financial, organizational, resource management, bonus structure, etc.]

Page 21: Justifying Security Investment

Justifying your Investment – Key points

• Security Investment is hard to quantify

• The need for security is obvious

– Impact of a security breach is real

– Justification ahead of time is difficult

• Accurate Risk Analysis

– Accurately determine your risk profile

• Financial Analysis

– ROI/ROSI

– Determine impact and loss deference of investing

• Create a sound business plan

• Instrument your projects

– Create metrics which highlight success/failure

– Document performance to refine your ROSI model

• Roadmap your security plan

Page 22: Justifying Security Investment

References

• Return On Security Investment (ROSI): A Practical Quantitative Model – http://www.infosecwriters.com/text_resources/pdf/ROSI-Practical_Model.pdf

• Three things your CEO wants to Know – http://blog.makingitclear.com/2008/06/10/ceowantstoknow/

• Trial by Fire – PricewaterhouseCoopers Advisory Services – http://www.pwc.com/en_GX/gx/information-security-survey/pdf/pwcsurvey2010_report.pdf

• CSI Computer Crime and Security Survey 2009 – http://gocsi.com/survey

• Performance Measurement Guide for Information Security – http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf

Page 23: Justifying Security Investment

Thank you

Presentation can be viewed at: http://www.slideshare.net/du1jec/justifying-security-investment