
1

Security as a Marketing Tool

October 2009

Paul A. Moran, CISSP, CISA, CGEIT
Information Security & Compliance Office

ARI® – Automotive Resources International

I Sell Cars !!!

2

ARI – Automotive Resources International

• Wholly-owned subsidiary of Holman Enterprises
  – Family-owned and operated since 1924
• ARI established 1948
• Configure personalized leasing and fleet management services
• More than 2,000 clients
• Centralized web-based reporting for domestic & global car & truck fleets
• 1,100 employees
• Over $1 billion in revenues
• 650,000 vehicles
• Offices throughout the U.S., Canada, Mexico, Puerto Rico, and Europe
• www.arifleet.com

3

My Background

Paul A. Moran, CISSP, CISA, CGEIT
Information Security & Compliance Office
ARI – Automotive Resources International

• Develop and communicate the information security roadmap. Work closely with all departments to ensure the integrity of security procedures, systems, and policies. Serve as Lead IT Auditor.
• Before ARI
  – Senior Information Security Risk Analyst (IBC)
  – Division Security Administrator (CIGNA)
  – 12 years at CGU Insurance Company (formerly General Accident)
    • Various positions including Security Administrator, Help Desk, and Actuarial Programmer
• Vice President, ISSA-DV
• Member of ISACA

4

Agenda

• Everyone’s Goal

• Where Security Fits In

• Real Life Example

• The RFP

• Posture

5

Goals

• Profit
  – Satisfy the customer
• Leads to
  – Repeat business
  – Increase in business
• How?
  – Good, dependable products/service
  – Trust
  – Peace of mind
• Deliver on your promise

6

Quotes

A not-so-wise man often said: “Security doesn't make money, but it sure can save it”

A very wise man often said: “My staff is comprised of 4 CISSPs, various Cisco certs, an EnCase cert, and the local ISSA VP…”

The boss often says: “Security is disproportionate to convenience”

A great company recently emailed its managers asking: “Please collect and report back any certifications your employees might have”

7

Security Landscape

• Important numbers
  – 2005: 263,418,869 x $198 = $52,156,936,062
• The majority of security attacks can be avoided without increasing security spending
  – ROI?
• Historically, IT security has been a business cost centre
  – Consider recent data breaches
  – Consumers are becoming very wary
• Security Magazine survey
  – 90 percent are concerned about security
• Take-away: there are two areas for marketing your "brand trust"
  – Your organization's promotion of its security competencies, and
  – (Gasp!) your response to a data breach

8

Security Definition

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or ...

An all-encompassing term that refers to the security of the information systems that are used and the data that is processed.

Situation in which information security risks are under control.

The protection of data against unauthorized access. Programs and data can be secured by issuing passwords and digital certificates to authorized ...

The implementation of programs and practices that protect the integrity and safety of computer programs and information.

Preservation of the confidentiality, integrity and availability of information.

The securing or safeguarding of all sensitive information, electronic or otherwise, which is owned by an organization.

Policies, Procedures, Guidelines, Compliance, Hardening

Marketing in the

10

Then

• Widget
  – Product
  – Price
  – Service
  – Quality
  – What else?

Now

• Widget on steroids
  – Security = a part
  – Not an add-on
• How?
  – Product benefits plus security
    – A = Availability
    – B = Belief (Integrity)
    – C = Confidentiality
    – D = Ability to Deliver

11

Real Life – Product Research

• Customers surveyed
  – Convenience
  – Security
• Don't make promises you can't keep
  – Legal problems
  – Reputation
• Use security to better market your product
• What is your competition doing?
  – Sounds like?
    • Visit your competitors and take notes
  – ISSA, ISACA, NIST, COBIT…
• New security efforts = costs and benefits

12

13

Spend the Money on Security?

• Physical controls and their IT counterparts
  – Video cameras – IDS
  – Guard dogs – IPS
  – Walls/fences – firewalls
  – Lighting – logs
• Cleanliness
  – How can cleanliness be an element of security?
  – An issue of perception
• Security guards
• Security – access systems
• Pair features with benefits
• Don't assume people will make the connection without you explicitly spelling it out
• Bottom line: weigh the pros & cons of each

14

RFP

• An RFP presents enough challenges
  – Now you have to be concerned about security
• The security portion is no different than the rest of the RFP
  – The requestor uses set criteria to evaluate responses
  – Use the same techniques to respond? i.e. industry-related standards
  – Watch for the repeated question
• An RFP provides a structure for requestors to identify their project requirements so vendors can understand their needs and use the information to create a response
• Poorly written RFP
  – Deal with it
• Reread
  – Response strategy

15

Posture

• General statement: ensure the CIA (confidentiality, integrity, availability)
• Roadmap
  – Policies (Process)
  – Education (People)
  – Data (Technology)
  – Compliance (People)
• Information Security Program (ISP)
• Certifications
  – CISSP, CISA, CGEIT
• Best practices
  – ISO 17799 (renumbered ISO/IEC 27002 in 2007), Cresson Wood, COBIT, SANS, ASIS

16

Declaration

• Security framework (ISO 17799)
  – Security policy management objectives
    1. Organizational Security
    2. Organizational Asset Management Objectives
    3. Human Resource Security Management Objectives
    4. Physical and Environmental Security Management Objectives
    5. Communications and Operations Management Objectives
    6. Information Access Control Management Objectives
    7. Systems Development and Maintenance Objectives
    8. Information Security Incident Management Objectives
    9. Business Continuity Management Objectives
    10. Compliance Management Objectives

17

Trust & Verify

Third-party audits

• Company A covers:
  – Access to programs and data
  – Program change
  – Program development
  – Computer operations
• Company B covers:
  – Target identification scans of domains and IP addresses
  – Vulnerabilities
  – Modem security assessment
  – Security awareness assessment
    • Social engineering exercises

• Internal Covers

18

Details

• In-house programs

• Policies
  – Scope, procedures, etc.

• Risk assessment guidelines

• Security awareness

• Backup procedures

• Procedure specific to your client

19

Not the Newspaper

• Stay out of the newspaper
• The bogus article advertisement
  – XYZ reports that over 1M customer records were lost last week…
• Don't let this happen to you
• We are all salesmen
  – We just sell different products

20

Define Security

• Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or ...
• An all-encompassing term that refers to the security of the information systems that are used and the data that is processed.
• Situation in which information security risks are under control.
• The protection of data against unauthorized access. Programs and data can be secured by issuing passwords and digital certificates to authorized ...
• The implementation of programs and practices that protect the integrity and safety of computer programs and information.
• Preservation of the confidentiality, integrity and availability of information.
• The securing or safeguarding of all sensitive information, electronic or otherwise, which is owned by an organization.
• Policies, Procedures, Guidelines, Compliance, Hardening

Common Ties: Preventative Measures to Secure Assets

21

REDEFINE Security

The definitions from the previous slide (protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or ...; an all-encompassing term for the security of the information systems used and the data processed; a situation in which information security risks are under control; protection of data against unauthorized access by issuing passwords and digital certificates to authorized ...; programs and practices that protect the integrity and safety of computer programs and information; preservation of the confidentiality, integrity and availability of information; safeguarding of all sensitive information, electronic or otherwise, owned by an organization; policies, procedures, guidelines, compliance, hardening) are redefined as:

Security plays a key role in any business by providing the customer with peace of mind, which in today's environment is not considered a value-add but an important PART of any product.

22

Resources

• Privacyrights.org
• Wikipedia
• ISO 17799
• Securecomputing.net
• Knowledge.wharton.upenn.edu

23

Any Questions ???

Paul A. Moran
[email protected]

Thanks