
We Have A Breach - Updated

ROI on Information Security - A Fresh Approach

Amar Singh

on 18 April 2013


Transcript of We Have A Breach - Updated


"So How Much Has the Stock Lost?"
"Excuse Me Boss, We Have Just Been Hacked !!"

Some Call It ROI
Putting a Value on Information Security Incidents

Can I have a Budget Increase....
Security = enemy of the Bottom Line

Everyone Mentions:
Web Hosting firm - Incident?
Token Authentication firm - Breach
Game Manufacturer - Breach
Store Retailer - CC stolen
Payment systems provider - CC stolen
Professional Social Website - Passwords

Approach(es) Apart From An ROI
The IANS Methodology - http://www.iansresearch.com/

I am Not Going to:
Bore you To Sleep OR early Retirement
Stand here Teach You Math
Share REAL incidents

I am Going to:
Share Challenges I See
Share an Interesting ROI methodology
Share Additional Thoughts

Data is starting to become readily available - BUT Holistic Headache!

Some Examples (Oh Yes)
Common type of attack associated with data breaches is malware; seen in half of all incidents.

This is followed by malicious insider actions, which occur in 33 percent of data breach cases.

Recent News & Updates
Cost of Data Breaches Falls for First Time ....
(Section frames: RISK; VENDORS & COMPETITORS; FREE! (cost efficient) INITIATIVES; The IANS Approach to ROI; Very Dynamic Threat Landscape - in Cyber Space)
Fewer customers abandoning companies after data breaches, reducing "churn" ...
Customer churn levels differ....with financial services and healthcare organizations being susceptible to a higher churn.
Interestingly: Now is it because customers ARE BORED - or IS IT BECAUSE everyone HAS been breached ? :)
The study also found that organizations experience lower costs if they have a chief information security officer (CISO) .. to assist with the data breach response. Such companies are generally better-prepared to deal with data breaches, Ponemon said.
Three Cheers for the CISO (PCWorld Mar 2012)

Thoughts & Updates
Stats & Data Availability
What About The 99% ;)
The Ones that never make it to the News?
The Ones that never report it?
The Ones that cannot report it?

Confusion & Disagreement Over:
Risk is always Financial Risk!!
Only Banks Need Risk Frameworks
Inconsistent Taxonomy
Risk Register IS NOT a Risk Management Framework

Recommend: Get All Senior Folks a Half Day Primer on a Framework To Manage Risk - Either CRISC or M_o_R
Get Your Execs to Repeat This Every Day - Please

Insurance can mitigate Personal Record theft, CC theft
Can Be Costly - with considerable "deductions" or "retentions"
US - Heard 400K - 800k figures for between 10M - 20M
In the UK - More BIG firms starting to consider
Is Insurance the New Panacea for all Breaches?
Finally - Can You Ever Insure Reputation & Goodwill? You Wish it Was ...

Intentions: Free Flow of current risks & threats to help co-ordinate the fight and stop additional breaches
Code of Conduct
What! Talk To Your Competitors & Vendors
A Media Specialist Once told Me: Nothing Wrong with "Wishful Thinking" - Nothing is Off The Record :)
Update that InfoSec Policy !!
Takes Effort Yes, Not much Money

Where are Your Critical Assets?
Digital Products, Customer Data (where is it?)

Centralize Logs/Review - esp Privileged Access

On the Cheap (Free even) - Think About Doing:
Assess Yourself (or pay someone little Money) - You Still Have to Spend Your Time on this though...
ISO 27001 & PCI

Auditors & Auditing (whom I truly like)
Security, in Most cases No fines - How much is reputation worth to the CEO and/or the shareholders?
Globally Applicable? Representative?

Visualize Your Network - Network folks know a lot
Talk to your Developers - Almost every org is developing
Review Your Out-Sourcers - Policies, etc
Training & Awareness - Your employees don't know what they don't know

Overshare
One key way to breach, steal, compromise is digging up your overshare - Close it.
Not easy to manage without strict COC
UK has Chatham House Rules to encourage such activity ...
Spear Phishing Get them - (target the CEO/senior execs !!)

Security is Like Water
When you're really thirsty you tend to over-drink,
and then you may not drink for several hours/days - or drink very little.
Too much water - and you may drown ! (over secured)
Water & Security ?

Correctly points out that too much security is always a bigger burden:
A low-priced antivirus software package could save a business thousands of dollars in lost productivity.
A high-priced, too-strict firewall could reduce access to a system so much that it reduces business value.

Every Risk is also an: Opportunity

Enumerate benefits and values:
Objective Value - The achievement of a business goal
Risk Value - The reduction of risk
Infrastructure Value - The improvement of prior investments
Agility Value - The enablement of new business

The Methodology - A tiny bit complicated

Calculate costs of a security project:
Objective Cost - The price of purchasing, deploying, maintenance
Infrastructure Cost - The degradation of prior investments
Agility Cost - The inhibition of business

Therefore to measure the value of a security project requires:
– Add: Objective Value + Risk Value + Infrastructure Value + Agility Value
– Subtract: Objective Cost + Infrastructure Cost + Agility Cost

In a NutShell - Total Value of an Info-Sec Initiative:
(OV + RV + IV + AV) – (OC + IC + AC)

Almost Done - Closing Thoughts
P.O.C - Helpful if you can demonstrate value/risk/roi after it - otherwise vendors will start disliking you
Sometimes a good set of risk statements/analysis can be very helpful
Government agencies - Love them when they come over & mention "stuff" to the CEO and suddenly you have loads of money to spend
The small incidents that don't even fit into a Risk Register?
On more than one occasion I have done the "I bet you I will find something if you give me some money" - won most of the bets :)
If you don't know your Org Risk Appetite You are in Big Problems
ROI - Make it specific
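The IANS nutshell formula, Total Value = (OV + RV + IV + AV) – (OC + IC + AC), as an added worked example that is not part of the presentation or of IANS' own material: it scores the two cases the talk mentions (cheap antivirus versus an over-strict firewall) with constructed figures, and the over_secured rule of thumb is this example's own assumption, not part of the methodology.

```python
from dataclasses import dataclass


@dataclass
class Initiative:
    """One information-security initiative scored with the seven IANS terms."""
    name: str
    objective_value: float        # OV: achievement of a business goal
    risk_value: float             # RV: reduction of risk
    infrastructure_value: float   # IV: improvement of prior investments
    agility_value: float          # AV: enablement of new business
    objective_cost: float         # OC: purchase, deployment, maintenance
    infrastructure_cost: float    # IC: degradation of prior investments
    agility_cost: float           # AC: inhibition of business

    def total_benefit(self) -> float:
        return (self.objective_value + self.risk_value
                + self.infrastructure_value + self.agility_value)

    def total_cost(self) -> float:
        return self.objective_cost + self.infrastructure_cost + self.agility_cost

    def total_value(self) -> float:
        # The "in a nutshell" formula: (OV + RV + IV + AV) - (OC + IC + AC)
        return self.total_benefit() - self.total_cost()

    def roi(self) -> float:
        """Net value per unit of cost; undefined for a cost-free initiative."""
        if self.total_cost() == 0:
            raise ValueError("ROI is undefined for an initiative with zero cost")
        return self.total_value() / self.total_cost()

    def over_secured(self) -> bool:
        # Assumed rule of thumb (not part of the IANS method): the "drowning"
        # case of the water analogy, where the business the control inhibits
        # (AC) outweighs the business it achieves or enables (OV + AV).
        return self.agility_cost > self.objective_value + self.agility_value


def rank_initiatives(initiatives):
    """Order candidate initiatives by total value, highest first."""
    return sorted(initiatives, key=lambda i: i.total_value(), reverse=True)


# Constructed figures for the two cases the talk mentions; not real data.
CHEAP_AV = Initiative("low-priced antivirus", 12000, 8000, 1000, 0, 2500, 0, 500)
STRICT_FW = Initiative("high-priced, too-strict firewall", 5000, 20000, 2000, 0, 30000, 4000, 25000)

if __name__ == "__main__":
    for i in rank_initiatives([CHEAP_AV, STRICT_FW]):
        print(f"{i.name}: total value {i.total_value():,.0f}, ROI {i.roi():.2f}, over-secured={i.over_secured()}")
```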
Threats - If you don't know the threats specific to the industry and the business, the ROI may be too generic

Finally !! Oh No The Math !!
Risk Return, Infrastructure Return, Objective Value

Produced & First Presented by Amar Singh at EC-Council Global CISO Summit, 2012
Email Me for the Full IANS Methodology

Some Interesting Links
www.iansresearch.com --> Have Allowed me to Share their Methodology & Their Presentation
http://www.securitycurve.com/ - Diana from Security Curve
http://www.ponemon.org/data-security --> A Bit Old Stuff But Relevant
Exonar: www.overshare.com - have used some interesting stats from them
http://www.cracked.com/blog/4-things-movies-always-get-wrong-about-computer-hackers/

Amar Singh - Briefly ...
Chief Information Security Officer at News International
CISO & Information Security Assurance Expert
Information Governance, Risk & Compliance Expert
Chair of ISACA London Security Group
My Personal Views Only
Full Credit to www.iansresearch.com for their ROI Methodology

Feel Free to Share & Get in Touch
http://uk.linkedin.com/in/chiefinfosec
Twitter @amisecured
Email: amar@asingh.me
prezi.com/user/amarsingh/

However, there is a lot to take in - So please do review the presentation again if you need to.