We Have A Breach - Updated
"Excuse Me Boss, We Have Just Been Hacked!!"
"So How Much Has the Stock Lost?"

Some Call It ROI
Putting a
Incidents
Can I have a Budget Increase....
Security = enemy of the Bottom Line

Everyone Mentions:
- Web Hosting firm - Incident?
- Token Authentication firm - Breach
- Game Manufacturer - Breach
- Store Retailer - CC stolen
- Payment systems provider - CC stolen
- Professional Social Website - Passwords

Approach(es) Apart From An ROI: The IANS Methodology - http://www.iansresearch.com/

I am Not Going to:
- Bore you To Sleep OR early Retirement
- Stand here and Teach You Math
- Share REAL incidents

I am Going to:
- Share Challenges I See
- Share an Interesting ROI methodology
- Share Additional Thoughts

Very Dynamic Threat Landscape - in Cyber Space

Stats & Data Availability: Data is starting to become readily available - BUT Holistic Headache! Globally Applicable? Representative?

Some Examples (Oh Yes): The most common type of attack associated with data breaches is malware, seen in half of all incidents. This is followed by malicious insider actions, which occur in 33 percent of data breach cases.

Recent News & Updates:
- Cost of Data Breaches Falls for First Time....
- Fewer customers abandoning companies after data breaches, reducing "churn"...
- Customer churn levels differ.... with financial services and healthcare organizations being susceptible to a higher churn. Interestingly: now, is it because customers ARE BORED, or IS IT BECAUSE everyone HAS been breached? :)
- The study also found that organizations experience lower costs if they have a chief information security officer (CISO).. to assist with the data breach response. Such companies are generally better-prepared to deal with data breaches, Ponemon said. Three Cheers for the CISO (PCWorld, Mar 2012)

What About The 99% ;)
- The Ones that never make it to the News?
- The Ones that never report it?
- The Ones that cannot report it?

RISK

Confusion & Disagreement Over:
- Risk is always Financial Risk!!
- Only Banks Need Risk Frameworks
- Inconsistent Taxonomy
- Risk Register IS NOT a Risk Management Framework

Recommend: Get All Senior Folks a Half Day Primer on a Framework To Manage Risk - Either CRISC or M_o_R
Get Your Execs to Repeat This Every Day - Please

Insurance:
- Insurance can mitigate Personal Record theft, CC theft
- Can Be Costly - with considerable "deductions" or "retentions"
- US - Heard 400K - 800K figures for between 10M - 20M
- In the UK - More BIG firms starting to consider
- Is Insurance the New Panacea for all Breaches?
- Can You Ever Insure: Reputation & Goodwill? You Wish it Was
- Finally - Reputation & Goodwill

VENDORS & COMPETITORS

Code of Conduct - What! Talk To Your Competitors & Vendors
Intentions: Free Flow of current risks & threats to help co-ordinate the fight and stop additional breaches
Not easy to manage without a strict COC. The UK has Chatham House Rules to encourage such activity...
A Media Specialist Once told Me: Nothing is Off The Record :)
Nothing Wrong with "Wishful Thinking"

FREE! (cost efficient) INITIATIVES

On the Cheap (Free even) - Think About Doing:
- Update that InfoSec Policy!! Takes Effort, Yes; Not much Money
- Where are Your Critical Assets? Customer Data (where is it?)
- Centralize Logs/Review - esp Privileged Access
- Assess Yourself (or pay someone a little Money). You Still Have to Spend Your Time on this though...
- ISO 27001 & PCI - Auditors & Auditing (whom I truly like). Security, in Most cases: No fines - How much is reputation worth to the CEO and/or the shareholders?
- Visualize Your Network - Network folks know a lot
- Talk to your Developers - Almost every org is developing
- Review Your Out-Sourcers - Policies, etc
- Training & Awareness - Your employees don't know what they don't know
- Overshare - One key way to breach, steal, compromise is digging up your overshare - Close it.
- Spear Phishing - Get them (target the CEO/senior execs!!)

Security is Like Water
- When you are really thirsty you tend to over-drink, and then you may not drink for several hours/a day - or drink very little
- Too much water - and you may drown! (over secured)
Water & Security? Correctly points out that too much security is always a bigger burden:
- A low-priced antivirus software package could save a business thousands of dollars in lost productivity
- A high-priced, too-strict firewall could reduce access to a system so much that it reduces business value
Every Risk is also an: Opportunity

The IANS Approach to ROI

The Methodology - A tiny bit complicated. Oh No, The Math!!

Enumerate benefits and values:
- Objective Value - The achievement of a business goal
- Risk Value - The reduction of risk
- Infrastructure Value - The improvement of prior investments
- Agility Value - The enablement of new business

Calculate costs of a security project:
- Objective Cost - The price of purchasing, deploying, maintenance
- Infrastructure Cost - The degradation of prior investments
- Agility Cost - The inhibition of business

Therefore to measure the value of a security project requires:
- Add: Objective Value + Risk Value + Infrastructure Value + Agility Value
- Subtract: Objective Cost + Infrastructure Cost + Agility Cost

In a NutShell: Total Value of an Info-Sec Initiative = (OV + RV + IV + AV) - (OC + IC + AC)

Almost Done - Closing Thoughts:
- P.O.C - Helpful if you can demonstrate value/risk/ROI after it - otherwise vendors will start disliking you
- Sometimes a good set of risk statements/analysis can be very helpful
- Government agencies - Love them when they come over & mention "stuff" to the CEO and suddenly you have loads of money to spend
- The small incidents that don't even fit into a Risk Register?
- On more than one occasion I have done the "I bet you I will find something if you give me some money" - won most of the bets :)
- If you don't know your Org Risk Appetite, You are in Big Trouble
- ROI - Make it specific. Threats - If you don't make threats specific to the industry and the business, the ROI may be too generic

Finally!!

Produced & First Presented by Amar Singh at EC-Council Global CISO Summit, 2012
Email Me for the Full IANS Methodology. Full Credit to www.iansresearch.com for their ROI Methodology.

Some Interesting Links:
- www.iansresearch.com --> Have Allowed me to Share their Methodology & Their Presentation
- http://www.securitycurve.com/ --> Diana from Security Curve
- http://www.ponemon.org/data-security --> A Bit Old Stuff But Relevant
- Exonar: www.overshare.com --> have used some interesting stats from them
- http://www.cracked.com/blog/4-things-movies-always-get-wrong-about-computer-hackers/

Briefly... Amar Singh: CISO & Information Security Assurance Expert; Chief Information Security Officer at News International; Information Governance, Risk & Compliance Expert; Chair of ISACA London Security Group. My Personal Views Only.
http://uk.linkedin.com/in/chiefinfosec
Twitter @amisecured
Email: firstname.lastname@example.org
prezi.com/user/amarsingh/
Feel Free to Share & Make Contact

However, there is a lot to take in - So please do review the presentation again if you need to.