The State of Risk-Based Security Management

Post on 29-May-2015


DESCRIPTION

The State of Risk-Based Security Management is an in-depth study conducted by Ponemon Institute and sponsored by Tripwire. The study is designed to reveal how organizations are applying rigorous and systematic analytical techniques to quantify and evaluate the security risks that affect an organization’s information assets and IT infrastructure. The full report can be found here: http://www.tripwire.com/register/the-state-of-risk-based-security-2013-full-report/

Transcript

The State of Risk-Based Security Management

Katherine Brocklehurst, Tripwire

RIM Renaissance, Oct 25, 2013


• $150M+ annual sales

• 400+ employees

• Profitable

• 7000+ customers in 96 countries

The right size to be nimble and innovative; large enough to be the long-term leader in the SVM market


The State of Risk-Based Security Management: surveyed 1,320 security professionals in the US and UK. Commissioned by Tripwire, conducted by Ponemon Institute. www.Tripwire.com

AGENDA

• RISK MANAGEMENT: ART OR SCIENCE?

• MATURITY AND GOVERNANCE

• RISK-BASED SECURITY METRICS

• SECURITY CONTROLS AND SPENDING

• COLLABORATION, COMMUNICATION AND CULTURE

• METHODOLOGY

Art or Science?

ART: the higher up the management chain you go. Art: Retail; Financial Services; Tech & Communications; Health & Pharma.

SCIENCE: the more hands-on, direct dealings with technology. Science: Industry; Services; Public Sector; Education & Research.

2013 Risk-Based Security Management Metrics


There is Hope: Maturity is Slowly Improving

47%


The Use of Metrics is Related to Maturity

“Gartner predicts that by 2014, 80% of Global 2000 organizations will report on risk and security to their boards of directors at least annually.”

– Gartner, Inc., “Building an Effective IT Risk and Information Security Presentation for Your Board of Directors”, June 2012

The CISO Challenge


Aligning Security & Business Needs Improvement

62% 50%


Critical Business Objectives of RBSM

• IP

• Compliance

• Decreasing costs & inefficiencies


“In this restrictive economic environment, CISOs have an opportunity to reframe the risk discussion [with mission owners] and build a strategy… This may separate the successful security and risk professionals, who can adapt strategically to the current climate, from the unsuccessful ones, who stay mired in day-to-day security firefighting.”

– Forrester Research, “Understanding Security and Risk Budgeting for 2013”, January 2013

The CISO Opportunity


Why Metrics Are Not Created or Understood by Sr Execs

• Silos

• Too technical

• Communicated at too low a level

• Negative facts are filtered

• Only when there’s an incident

• Too much time/resource

• Information ambiguous, leading to poor decisions

• Senior execs not interested


When Do You Communicate?


Do We Communicate Effectively?

Reasons why metrics are not understood:

• Information too technical

• More pressing issues

• Only communicate when an incident happens

• Takes too much time


The CISO needs what the CFO has…

Financial Reporting

• Objective facts

• Consistent definitions

• Trending

• Performance against goals

• Performance against peers

• Clear communication to diverse audiences internally and externally

A way to describe a company’s security performance just like the CFO describes financial performance

Earnings Per Share

Revenues

Gross Margins

EBITDA

Operating Income

Net Income

Current Assets

Accounts Receivable

Cash Flow

Current Liabilities


Metrics for Security Efficiency - Cost


Significant Barriers

• Lack of skilled personnel

• Insufficient resources or budget

• Business lacks understanding of the role and contribution of IT Security

• Insufficient risk assessment enforcement


Business/Security Metrics and Analytics

What makes a good security business metric?

• Objective and consistently measured

• Trend and comparison that makes sense to non-technical audiences

• Preferably automated (cheapest way to gather)

• Ideally paced to align with business reporting (M/Q2/1H/Yr)

• Typically expressed as a number or percentage

• Has business context

• Actionable

IT SECURITY & COMPLIANCE AUTOMATION

Communicate effectively how security enables the business


Balance Security Risk with Business Demands


Continuous


Tripwire Pulse


Measure, Communicate and Drive Action

Attack Surface Index (Summary)

Across Business Context

SANS Controls, Aggregated/Weighted

SANS 1: Asset Inventory; SANS 3: VA; SANS 4: CA; SANS 5: Malware

Operational Reports


Because Everyone Could Use a Laugh

Enjoy at: tripwire.com/powers @CISOpowers Twitter

tripwire.com | @TripwireInc

THANK YOU! kbrocklehurst@tripwire.com

www.tripwire.com/state-of-security

@Kat_Brock
