Selling Data Security Technology

Transcript
Page 1: Selling Data Security Technology

   

Licensed under the Creative Commons Attribution License

Danny Lieberman

http://www.controlpolicy.com/

Selling data security to the CEO

Page 2: Selling Data Security Technology

   

Sell high

“it's a lot easier to manage a big project than a small one”

Boaz Dotan – Founder of Amdocs (NYSE:DOX), $5.3BN Cap.

Page 3: Selling Data Security Technology

   

Agenda

• Introduction and welcome

• What is data security?

• Defining the problem

• After Enron

• Weak sales strategy

• The valley of death

• Strong sales strategy

• Execution

Page 4: Selling Data Security Technology

   

Introduction

• Our mission today

– How to sell data security to the CEO

Page 5: Selling Data Security Technology

   

What the heck is data security?

• Security

– Ensure we can survive & add value

• Physical, information, systems, people

• Data security

– Protect data directly in all realms

Page 6: Selling Data Security Technology

   

Defining the problem

• You can't sell to a need that's never been observed (*)

– Little or no monitoring of data theft/abuse

• Perimeter protection, access control

– Firewall/IPS/AV/Content/AD

(*) Paraphrase of Lord Kelvin

Page 7: Selling Data Security Technology

   

What happened since Enron

• Threat scenario circa 1999

– Bad guys outside

– Lots of proprietary protocols

– IT decides

• Threat scenario circa 2009

– Bad guys inside

– Everything on HTTP

– Vendors decide

Page 8: Selling Data Security Technology

   

Weak sales strategy

IT – data security is “very important”... Forrester

Management board – fraud/data theft can maim or destroy the company... Sarbanes-Oxley

Page 9: Selling Data Security Technology

   

Mind the gap

IT – We can get DLP technology for 100K and the first 6 months are free... Websense

Management board – We have Euro 100M VaR... PwC

Page 10: Selling Data Security Technology

   

The valley of death

[Figure: sales-cycle timeline. Time axis: Month 1, Month 5, Month 12-18. Phases: Logical & rational; Emotional & political. Stages shown: IT requirements, Capabilities presentation, Compliance requirements, Evaluate alternatives, Meet vendors, Talk to analysts, Project, Close. Annotation: Losing control.]

Page 11: Selling Data Security Technology

   

Why you lose control

• Issues shift

– Several vendors have technology

• Non-product differentiation

• Divided camps

– Nobody answers all requirements

• Need a political sponsor

• Loss of momentum

– No business pain

– No power sponsors

Page 12: Selling Data Security Technology

   

Strong sales strategy

• Build business pain

– Focus on biggest threat to the firm

– Rational

• Get a power sponsor

– CEO, COO, CFO, CIO

– Personal

Page 13: Selling Data Security Technology

   

Close the gap

Toxic customer data

– VaR: 100M

– VaR reduction: 20M

– Cost: 1M over 3 years

... Security & Risk

Management board – We have 100M VaR... PwC

Page 14: Selling Data Security Technology

   

Execution – building business pain

• Prove 2 hypotheses:

– Data loss is happening now.

– A cost effective solution exists that reduces risk to acceptable levels.

Page 15: Selling Data Security Technology

   

H1: Data loss is happening

• What keeps you awake at night?

• What data types and volumes of data leave the network?

• Who is sending sensitive information out of the company?

• Where is the data going?

• What network protocols have the most events?

• What are the current violations of company AUP?

Page 16: Selling Data Security Technology

   

H2: A cost effective solution exists

• Value of information assets on PCs, servers & mobile devices?

• What is the Value at Risk?

• Are security controls supporting the information behavior you want (sensitive assets stay inside, public assets flow freely, controlled assets flow quickly)?

• How much do your current security controls cost?

• How do you compare with other companies in your industry?

• How would risk change if you added, modified or dropped security controls?

Page 17: Selling Data Security Technology

   

What keeps you awake at night

Asset has value, fixed over time or variable.

– Plans to privatize, sell 50% of equity

Threat exploits vulnerabilities & damages assets.

– IT staff read emails and files of management board

– Employee leaks plans to press

– Buyer sues for breach of contract.

Vulnerability is a state of weakness mitigated by a countermeasure.

– IT staff have access to mail/file servers

Countermeasure has a cost, fixed over time or recurring.

– Monitor abuse of privilege & prevent leakage of management board documents on all channels.

Page 18: Selling Data Security Technology

   

Calculating Value at Risk

Metrics: Asset value, Threat damage to asset, Threat probability

Value at Risk = Threat Damage to Asset x Asset Value x Threat Probability

(*) PTA - Practical Threat Analysis risk model

Page 19: Selling Data Security Technology

   

Coming attractions

• Sep 17: Selling data security technology

• Sep 24: Write a 2 page procedure

• Oct 1: Home(land) security

• Oct 8: SME data security

http://www.controlpolicy.com/workshops 

Page 20: Selling Data Security Technology

   

Learn more

• Presentation materials and resources

http://www.controlpolicy.com/workshops/data-security-workshops/

• Software to calculate Value at Risk

PTA Professional

http://www.software.co.il/pta