1 Introduction Welcome! Format of day Response to previous requests from clients Amendment to schedule Using Information Security for Business Advantage

Dec 14, 2015

Quintin Syrett
Page 1:

Introduction

• Welcome!

• Format of day

• Response to previous requests from clients

• Amendment to schedule

Using Information Security for Business Advantage

Page 2:

MWR InfoSecurity

The Business Case for Information Security

12 March 2009

Alex Fidgen, Ian Shaw

Page 3:

What will we achieve?

• Help you gain organisational commitment and justify required spend

• Introduction

• Part 1 - Visualisation techniques

• Part 2 - Communication techniques

• Part 3 - Supporting frameworks


Page 4:

Introduction

• Communicating security risk is very hard in environments without structured metrics

• The classic chicken and egg scenario: you cannot justify the spend without metrics, and you cannot build the metrics without the spend

• We did not want to concentrate on the is there/isn't there argument for ROI

Page 5:

Problems

• Senior management and Board directors need to increase shareholder value

• Mature metrics make it easy to communicate risk in terms of shareholder value

• Associating technical risks with revenue is impossible without a business context

• Information security managers with IT backgrounds find it hard to communicate risk at a business level

• The business seldom understands the value of its information assets

Page 6:

Communication!

This is a communication issue!

Page 7:

Part 1 – Protecting Traditional Assets

(Opening the Board’s Eyes to Information Security Spend – Is information security spending in line with traditional asset protection?)


Page 8:

Questions your Board may be asking

• Why do we need to worry about this information security issue?

• Why is malware protection so expensive?

• Are these costs of doing business online justified?

• I don't understand whether this expenditure is justified

• The following examples have been developed to demonstrate how security is integrated seamlessly into existing business models

• Try to ignore any immediate reaction to the industry sector!


Page 9:

Typical Retail Organisation (Asset Protection)

Business functions shown: Shops; Warehouse / Distribution; Human Resources; Finance

Traditional asset-protection measures shown:

CCTV

Counterfeit Detection

Store Detectives

Security Guards

RFID

Safes / Alarms

Secure Cash Handling

Vetting / References

Disciplinary Procedure

Internal Audit

External Audit

Stock Control

Credit Control

Accounting Policies / Standards

Financial Reconciliations

Product Integrity*

Cardwatch

Local Crime Schemes

* For example: tamper evident jars


Page 11:

Typical E-Retail (Information Asset Protection)


Business functions shown: Ecommerce Site; Data Storage; Business Interfaces; IT/IS/Development

Information-asset-protection measures shown:

Anti-Virus

Firewalls

Encryption

Security in SDLC

Threat Modelling

Build Standards

Information Security Policies

Legislative Compliance

Configuration Reviews

Patch Management

Access Control Reviews

Application Testing

Penetration Testing

Monitoring / Intrusion Detection

Vulnerability Assessment

Vetting / References

Disciplinary Procedure

InfoSec Awareness Training

Page 12:

In Summary

• Information asset protection still lags behind traditional asset protection

• Opening the organisation’s eyes to traditional security measures can ‘set the scene’ to introduce information security

• A simple visualisation technique helps soften attitudes to information security spend


Page 13:

Part 2 – A model for information asset identification and classification


Page 14:

Part 2 - Communication of risk

• Part 1 gave a high-level, abstract link between traditional and information asset protection

• How best to communicate the risk from this point forward?

• Need to highlight risks that may impact shareholder value

• Must be flexible and expose risks not currently perceived

• One technique is threat modelling; there are plenty of others


Page 15:

Risk – A quick reminder

Asset – an item of value

Threat – an event that could have a detrimental effect on an asset

Vulnerability – a conduit that could be exploited by a threat

Business impact – the effect on a business of a risk being realised

(Diagram labels: Asset; Threats; Vulnerability; Risks; Business Impact)

Page 16:

What is threat modelling?

• Threat modelling:

• Grades threats

• Allows identification of vulnerabilities

• Enhances the final calculation of risk

• Very powerful and business focused


Page 17:

What it can provide:

• Defence in depth

• Effective controls with efficient expenditure

• Asset protection is proportional to the business value

• Greater measurable returns on security investment

Page 18:

Case Study – Insurance Company

• In excess of 600 systems

• The business is run in a federated way

• There is/was no centralised security management function

• Some security testing in the past against core systems

• No set budget for security

• Some basic security training, around physical security and access control


Page 19:

How the model was formed

• Identified the systems and the assets

• A high-level risk assessment based on the business risk and potential business impact

• Assignment of a commercial revenue value to each system


Page 20:

How the model was formed (cont.)

• All revenue streams documented

• The most important systems quickly became evident

• Allowed focus on the most financially important assets

• Intangible assets were also assessed (reputation, client satisfaction, employee happiness etc.)

Page 21:

What did this do?

• This made an actual and tangible link for the management team, connecting the value of the information assets (within systems) with the value of the security spend assigned to identify and manage the risk

• It opened their eyes to the asset value, and made justification of budget almost self-fulfilling

Page 22:

Part 3 – Effecting Change (Operational Information Security)

Page 23:

Where are we?


Information Assets + Threats / Vulnerabilities / Risks + Existing Controls = Current Position

Page 24:

What is the appetite for risk?


Where we want to be - Current Position = Stage 1: Organisational Changes
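The case-study model (Pages 19-21: value each system, assess business impact, let the important systems surface) and the position/appetite equations (Pages 23-24) can be made concrete as a small risk register. The following is an added example, not code from the deck or from MWR. The scoring rule (exposure = value x likelihood x impact, reduced by the effectiveness of existing controls), the spend-justification rule, and every figure in SAMPLE_SYSTEMS are assumptions chosen for illustration; the deck gives no numbers or formula.

```python
"""Added example: a minimal risk register linking system value, current
position, risk appetite and justified security spend.

Scoring scheme and all sample figures are assumptions for illustration,
not taken from the deck."""
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    revenue_gbp: float            # annual revenue the system supports (assumed)
    likelihood: float             # 0..1, chance of compromise per year (assumed)
    impact: float                 # 0..1, share of value lost if compromised (assumed)
    control_effectiveness: float  # 0..1, reduction delivered by existing controls
    intangible_gbp: float = 0.0   # proxy value for reputation / client satisfaction


def inherent_exposure(s: System) -> float:
    """Value at risk before any controls: assets + threats/vulnerabilities/risks
    (Page 23), expressed in money rather than a traffic-light rating."""
    return (s.revenue_gbp + s.intangible_gbp) * s.likelihood * s.impact


def residual_exposure(s: System) -> float:
    """Current position (Page 23): inherent exposure after existing controls."""
    return inherent_exposure(s) * (1.0 - s.control_effectiveness)


def rank_systems(systems):
    """Page 20: the most financially important systems become evident."""
    return sorted(systems, key=residual_exposure, reverse=True)


def change_plan(systems, appetite_gbp: float):
    """Page 24: where we want to be minus current position = Stage 1 changes.
    Returns (system name, exposure above appetite) for each system outside
    the appetite, most exposed first."""
    return [(s.name, residual_exposure(s) - appetite_gbp)
            for s in rank_systems(systems)
            if residual_exposure(s) > appetite_gbp]


def justified_spend(s: System, new_effectiveness: float) -> float:
    """Page 21: tie spend to asset value. Assumed rule: a control that raises
    effectiveness to new_effectiveness justifies at most the annual exposure it
    removes; a control that buys nothing justifies nothing."""
    after = inherent_exposure(s) * (1.0 - new_effectiveness)
    return max(0.0, residual_exposure(s) - after)


# Constructed sample register: insurance-style systems with invented figures.
# The intranet wiki supports no revenue directly; only its intangible value
# (Page 20: reputation, client satisfaction) puts it on the register at all.
SAMPLE_SYSTEMS = [
    System("Policy administration", 40_000_000, 0.10, 0.25, 0.5),
    System("Claims portal", 15_000_000, 0.30, 0.20, 0.2, intangible_gbp=5_000_000),
    System("Intranet wiki", 0, 0.50, 0.10, 0.0, intangible_gbp=200_000),
    System("Broker interface", 8_000_000, 0.20, 0.50, 0.6),
]

RISK_APPETITE_GBP = 400_000.0  # assumed Board appetite: residual exposure per system


if __name__ == "__main__":
    for s in rank_systems(SAMPLE_SYSTEMS):
        print(f"{s.name:22s} inherent {inherent_exposure(s):>12,.0f}"
              f"  residual {residual_exposure(s):>12,.0f}")
    print("Stage 1 changes needed:", change_plan(SAMPLE_SYSTEMS, RISK_APPETITE_GBP))
    print("Annual spend justified to take claims-portal controls to 0.7 effectiveness:",
          f"{justified_spend(SAMPLE_SYSTEMS[1], 0.7):,.0f}")
```

Running it ranks the claims portal first even though policy administration carries more revenue, because the portal's weaker existing controls and intangible exposure leave more value at risk; that is the "risks may be different from the perceived risks" point in the summary. The figures are rough, but they are denominated in the same currency as the Board's other decisions, which is what the deck means by linking asset value to security spend.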

Page 25:

Stage 1 – Organisational Change

• What is required for successful organisational change?

• Change plan – how will we know when we have arrived?

• Resources – do we have the resources to achieve the change?

• Sponsorship – do we have executive backing for the change?

• Support (culture) – important if executive sponsorship breaks down


Page 26:

Stage 2 - Operation

• Measure performance (results not activities)

• Make changes as necessary

• Periodically review performance

• Review measures


Page 27:

Summary

Your organisation is protecting its assets, but probably not adequately protecting its information assets.

The risks may be different from the perceived risks. Communicate this by identifying assets and the threats to them.

You can only manage what you measure. Identify the changes necessary, and measure the transition.


Page 28:

Questions?
