Selling Data Security Technology
Licensed under the Creative Commons Attribution License
Danny Lieberman
[email protected] http://www.controlpolicy.com/
Selling Data security to the CEO
Sell high
“it's a lot easier to manage a big project than a small one”
Boaz Dotan – Founder of Amdocs (NYSE:DOX), $5.3BN Cap.
Agenda
• Introduction and welcome
• What is data security?
• Defining the problem
• After Enron
• Weak sales strategy
• The valley of death
• Strong sales strategy
• Execution
Introduction
• Our mission today
– How to sell data security to the CEO
What the heck is data security?
• Security
– Ensure we can survive & add value
• Physical, information, systems, people
• Data security
– Protect data directly in all realms
Defining the problem
• You can't sell to a need that's never been observed(*)
– Little or no monitoring of data theft/abuse
• Perimeter protection, access control
– Firewall/IPS/AV/Content/AD
(*) Paraphrase of Lord Kelvin
What happened since Enron
• Threat scenario circa 1999
– Bad guys outside
– Lots of proprietary protocols
– IT decides
• Threat scenario circa 2009
– Bad guys inside
– Everything on HTTP
– Vendors decide
Weak sales strategy
IT – data security is “very important”...Forrester
Management board – fraud/data theft can maim or destroy the company...Sarbanes-Oxley
Mind the gap
IT – We can get DLP technology for 100K and the first 6 months are free....Websense
Management board – We have Euro 100M VaR...PwC
The valley of death
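[Figure: sales-cycle timeline. Time axis: Month 1, Month 5, Month 12-18. Phases: "Logical & rational", then "Emotional & political". Stages shown: IT requirements, Capabilities presentation, Compliance requirements, Meet vendors, Talk to analysts, Evaluate alternatives, Close, Project. Annotation: Losing control.]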
Why you lose control
• Issues shift
– Several vendors have technology
• Non-product differentiation
• Divided camps
– Nobody answers all requirements
• Need a political sponsor
• Loss of momentum
– No business pain
– No power sponsors
Strong sales strategy
• Build business pain
– Focus on biggest threat to the firm
– Rational
• Get a power sponsor
– CEO, COO, CFO, CIO
– Personal
Close the gap
Toxic customer data VaR: 100M; VaR reduction: 20M; Cost: 1M over 3 years...Security & Risk
Management board – We have 100M VaR...PwC
Execution – building business pain
• Prove 2 hypotheses:
– Data loss is happening now.
– A cost effective solution exists that reduces risk to acceptable levels.
H1: Data loss is happening
• What keeps you awake at night?
• What data types and volumes of data leave the network?
• Who is sending sensitive information out of the company?
• Where is the data going?
• What network protocols have the most events?
• What are the current violations of company AUP?
H2: A cost effective solution exists
• Value of information assets on PCs, servers & mobile devices?
• What is the Value at Risk?
• Are security controls supporting the information behavior you want (sensitive assets stay inside, public assets flow freely, controlled assets flow quickly)?
• How much do your current security controls cost?
• How do you compare with other companies in your industry?
• How would risk change if you added, modified or dropped security controls?
What keeps you awake at night
• Asset has value, fixed over time or variable.
– Plans to privatize, sell 50% of equity
• Threat exploits vulnerabilities & damages assets.
– IT staff read emails and files of management board
– Employee leaks plans to press
– Buyer sues for breach of contract.
• Vulnerability is a state of weakness mitigated by a countermeasure.
– IT staff have access to mail/file servers
• Countermeasure has a cost, fixed over time or recurring.
– Monitor abuse of privilege & prevent leakage of management board documents on all channels.
Calculating Value at Risk
Metrics: Asset value, Threat damage to asset, Threat probability
Value at Risk = Threat Damage to Asset x Asset Value x Threat Probability
(*) PTA Practical threat analysis risk model
Coming attractions
• Sep 17: Selling data security technology
• Sep 24: Write a 2 page procedure
• Oct 1: Home(land) security
• Oct 8: SME data security
http://www.controlpolicy.com/workshops
Learn more
• Presentation materials and resources
http://www.controlpolicy.com/workshops/data-security-workshops/
• Software to calculate Value at Risk: PTA Professional
http://www.software.co.il/pta