The State of Risk-Based Security Management
Katherine Brocklehurst, Tripwire
RIM Renaissance, Oct 25, 2013
May 29, 2015
• $150M+ annual sales
• 400+ employees
• Profitable
• 7000+ customers in 96 countries
• The right size to be nimble and innovative; large enough to be the long-term leader in the SVM market
The State of Risk-Based Security Management
• Surveyed 1,320 security professionals
• US and UK
• Commissioned by Tripwire
• Conducted by Ponemon Institute
www.Tripwire.com
AGENDA
• RISK MANAGEMENT: ART OR SCIENCE?
• MATURITY AND GOVERNANCE
• RISK-BASED SECURITY METRICS
• SECURITY CONTROLS AND SPENDING
• COLLABORATION, COMMUNICATION AND CULTURE
• METHODOLOGY
Art or Science?
ART
• The higher up the management chain you go
• Industries leaning "art": Retail, Financial Services, Tech & Communications, Health & Pharma
SCIENCE
• The more hands-on, direct dealings with technology
• Industries leaning "science": Industry, Services, Public Sector, Education & Research
2013 Risk-Based Security Management Metrics
There is Hope: Maturity is Slowly Improving
47%
The Use of Metrics is Related to Maturity
"Gartner predicts that by 2014, 80% of Global 2000 organizations will report on risk and security to their boards of directors at least annually."
- Gartner, Inc., "Building an Effective IT Risk and Information Security Presentation for Your Board of Directors", June 2012
The CISO Challenge
Aligning Security & Business Needs Improvement
62% 50%
Critical Business Objectives of RBSM
• IP
• Compliance
• Decreasing costs & inefficiencies
"In this restrictive economic environment, CISOs have an opportunity to reframe the risk discussion [with mission owners] and build a strategy… …This may separate the successful security and risk professionals, who can adapt strategically to the current climate, from the unsuccessful ones, who stay mired in day-to-day security firefighting."
- Forrester Research, "Understanding Security and Risk Budgeting for 2013", January 2013
The CISO Opportunity
Why Metrics Are Not Created or Understood by Senior Executives
• Silos
• Too technical
• Communicated at too low a level
• Negative facts are filtered
• Only when there's an incident
• Too much time/resource
• Information ambiguous, leading to poor decisions
• Senior executives not interested
When Do You Communicate?
Do We Communicate Effectively?
Reasons why metrics are not understood:
• Information too technical
• More pressing issues
• Only communicate when an incident happens
• Takes too much time
The CISO needs what the CFO has….
Financial Reporting
• Objective facts
• Consistent definitions
• Trending
• Performance against goals
• Performance against peers
• Clear communication to diverse audiences internally and externally
A way to describe a company's security performance just like the CFO describes financial performance:
Earnings Per Share
Revenues
Gross Margins
EBITDA
Operating Income
Net Income
Current Assets
Accounts Receivable
Cash Flow
Current Liabilities
Metrics for Security Efficiency - Cost
Significant Barriers
• Lack of skilled personnel
• Insufficient resources or budget
• Business lacks understanding of the role and contribution of IT Security
• Insufficient risk assessment enforcement
Business/Security Metrics and Analytics
What makes a good security business metric?
• Objective and consistently measured
• Trend and comparison that makes sense to non-technical audiences
• Preferably automated (cheapest way to gather)
• Ideally paced to align with business reporting (M/Q2/1H/Yr)
• Typically expressed as a number or percentage
• Has business context
• Actionable
IT SECURITY & COMPLIANCE AUTOMATION
Communicate effectively how security enables the business
Balance Security Risk with Business Demands
Continuous
Tripwire Pulse
Measure, Communicate and Drive Action
• Attack Surface Index (Summary)
• Across Business Context
• SANS Controls, Aggregated/Weighted: SANS 1: Asset Inventory, SANS 3: VA, SANS 4: CA, SANS 5: Malware
• Operational Reports
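The two slides above ("What makes a good security business metric?" and the aggregated, weighted roll-up of SANS controls into an Attack Surface Index across business context) describe a metric without showing how one is built. The block below is an added example written for this page; it is not Tripwire Pulse's own computation and does not reproduce its formula. Everything in it is assumed: the control weights, the normalisation caps per control, the reading of "VA" and "CA" as vulnerability and configuration assessment, and the constructed asset data. It shows the properties the slide asks for in working form: each asset's findings are scored per control, weighted, averaged per business unit into a 0-100 number, compared with the prior period for trend, and paired with the control that drives the number so the line is actionable rather than a bare figure.

```python
"""Weighted per-business-unit attack-surface index with period trend.
Added illustration for this page; not Tripwire's own code or formula."""
from collections import defaultdict
from dataclasses import dataclass

# Control labels as they appear on the slide. The weights are an assumption
# for this example; a real programme sets them from its own risk appetite.
CONTROL_WEIGHTS = {
    "SANS 1: Asset Inventory": 0.20,
    "SANS 3: VA": 0.35,
    "SANS 4: CA": 0.25,
    "SANS 5: Malware": 0.20,
}
assert abs(sum(CONTROL_WEIGHTS.values()) - 1.0) < 1e-9


@dataclass(frozen=True)
class Asset:
    name: str
    unit: str             # business context the asset belongs to
    inventoried: bool     # reconciled against the authorised asset inventory
    critical_vulns: int   # open critical vulnerability findings
    config_failures: int  # failed hardening/configuration checks
    malware_events: int   # malware detections in the reporting period


def control_scores(a: Asset) -> dict[str, float]:
    """Exposure per control normalised to [0, 1], 1 being fully exposed.
    The caps (5 vulns, 10 config failures, 2 malware events) are assumed."""
    return {
        "SANS 1: Asset Inventory": 0.0 if a.inventoried else 1.0,
        "SANS 3: VA": min(a.critical_vulns / 5, 1.0),
        "SANS 4: CA": min(a.config_failures / 10, 1.0),
        "SANS 5: Malware": min(a.malware_events / 2, 1.0),
    }


def weighted_contributions(assets: list[Asset]) -> dict[str, dict[str, float]]:
    """Per unit, the summed weighted exposure each control contributes."""
    totals: dict[str, dict[str, float]] = defaultdict(lambda: defaultdict(float))
    for a in assets:
        for control, score in control_scores(a).items():
            totals[a.unit][control] += CONTROL_WEIGHTS[control] * score
    return {unit: dict(contrib) for unit, contrib in totals.items()}


def attack_surface_index(assets: list[Asset]) -> dict[str, float]:
    """0..100 per business unit: mean weighted exposure across its assets."""
    counts: dict[str, int] = defaultdict(int)
    for a in assets:
        counts[a.unit] += 1
    return {
        unit: round(100 * sum(contrib.values()) / counts[unit], 1)
        for unit, contrib in weighted_contributions(assets).items()
    }


def top_driver(assets: list[Asset], unit: str) -> str:
    """The control whose weighted exposure dominates the unit's index, so the
    number arrives with an action attached instead of standing alone."""
    contrib = weighted_contributions(assets)[unit]
    return max(contrib, key=contrib.get)


def trend_report(assets: list[Asset], previous: dict[str, float]) -> list[str]:
    """One line per unit, paced to a reporting period, readable by a
    non-technical audience: value, movement since last period, top driver."""
    lines = []
    for unit, index in sorted(attack_surface_index(assets).items()):
        prior = previous.get(unit)
        if prior is None:
            movement = "no prior period"
        else:
            delta = round(index - prior, 1)
            direction = "down" if delta < 0 else "up" if delta > 0 else "flat"
            movement = f"{direction} {abs(delta)} from {prior}"
        lines.append(f"{unit}: {index} ({movement}); top driver: {top_driver(assets, unit)}")
    return lines


# Constructed sample data for the example, not survey or product output.
CURRENT_PERIOD = [
    Asset("fin-web-01", "Finance", True, 2, 3, 0),
    Asset("fin-db-01", "Finance", True, 0, 1, 0),
    Asset("rtl-pos-07", "Retail", False, 5, 10, 1),
    Asset("rtl-pos-08", "Retail", True, 1, 8, 0),
]
PREVIOUS_INDEX = {"Finance": 20.0, "Retail": 55.0}  # assumed last-period values

if __name__ == "__main__":
    for line in trend_report(CURRENT_PERIOD, PREVIOUS_INDEX):
        print(line)
```

Two design points worth noting. Normalising each control to a capped [0, 1] range before weighting keeps one runaway count (say, hundreds of low-value configuration failures on a single host) from swamping the index and makes the number comparable across units of different size. Reporting the top driver beside the number is what turns a trend line into a decision: a rising Retail index driven by configuration assessment points at a hardening backlog, not at the vulnerability scanner.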
Because Everyone Could Use a Laugh
Enjoy at: tripwire.com/powers and @CISOpowers on Twitter