communicating security imperatives to the business
DESCRIPTION
Imagine, due to significant cost cutting, that vulnerability management has been ignored in your company. Now, under new leadership, vulnerability management is reassessed and recent reports have highlighted 50,000+ vulnerabilities in the IT environment. As a security expert, you worry that these vulnerabilities could be exploited by an attacker and lead to a major security incident. It’s time to bring this to the attention of management—before it’s too late.

As critical as risk is, most security experts find it challenging to convey security imperatives to executive management. Where do you start? What will give you the edge for getting buy-in to invest in security? Global IT executive Jitender Arora and Dwayne Melancon, Tripwire’s CTO, will demonstrate the pitfalls and offer tips and tricks for communicating security initiatives with executives and non-financial stakeholders.

In this presentation you will:
- Learn how to start the conversation with the business (aligning to its initiatives v. NGFW)
- Prioritize your spending based on what’s important to the business
- Connect security controls with business initiatives (talk about SCM, VM, SIEM, etc.)
- Continuously measure progress and tie results back to the business objectives

Full webcast available here: http://www.tripwire.com/register/how-to-communicate-security-imperatives-to-the-business/

TRANSCRIPT
Communicating Security Imperatives to the Business
Jitender Arora – Information Security & Risk Executive
Dwayne Melancon – Chief Technology Officer, Tripwire
TODAY’S SPEAKERS
Dwayne Melancon
Chief Technology Officer, Tripwire
@ThatDwayne
Jitender Arora
Information Security and Risk Executive
@jee2uu
Cindy Valladares
Sr. Manager Corporate Communications
@cindyv
$150M+ annual sales
400+ employees
Profitable
7000+ customers in 96 countries
Remain small enough to be nimble, innovative; large enough to be the long-term leader in the SVM market
REFRESHING MEMORIES
Good days…Before Banking Crisis…
@jee2uu: Those were the days when funding was not a big problem.
2008…2013….
@jee2uu: Then there was bad news, and even more bad news…
Every dollar spent came under scrutiny…
@jee2uu: Why would the board pay if they don’t believe in ROI?
@ThatDwayne: BoD asks, “Do we really need to spend? What have you been doing with the money we already gave you?”
SETTING THE SCENE
Typical conversation…

Business Exec: Hey, your email mentioned that you wanted to discuss something important?

CISO: Yes, recent vulnerability scanning reports have indicated that we have 120,000+ vulnerabilities in our IT environment. This is very serious and we need additional $1.5m for the remediation. Have a look at the report.

Business Exec: Hold on, why is this an issue now? Why didn’t someone tell me this before? You understand cost pressures that we have, don’t you?

CISO: I understand, but we have to fix it otherwise we can be hacked and it will lead to significant reputational damage. Remember Sony & RSA??

Business Exec: These issues have been in our environment for the last few months. We are still profitable. Tell me again, why do we need to spend money?

CISO: Hmmm… because, we can be hacked… Remember Sony & RSA?? …. Hmmm…
Anatomy…

Business Exec: I am sure there is going to be some bad news... and asking for more money…

CISO: This is so important… I need to get this money to save this company from bad press and reputational damage. I need this money to remediate issues…

Business Exec: We are profitable… Board & Shareholders… Pressure to increase profitability… Spend on marketing, legacy IT, business development… I am sure this is not a big deal.

CISO: Why don’t business execs listen? It’s so important. Will they be happy if we get hacked and face bad press? Accept the risk and my job is done…

Business Exec: If these issues have been in our environment for the last 18 months.. why do I need to fix them now? Going to accept the risk. Sales meeting tomorrow…

CISO: I knew that he would just accept the risk… It’s not my problem if they don’t get it…
FUNDAMENTAL ISSUES TO BE ADDRESSED
Accountability…
@jee2uu: I need to help myself. Nobody else will do it for me.
@ThatDwayne: Who is to blame if business execs don’t get it? What is it that I want? Who is responsible for fulfilling my objectives?
Need to understand…
@jee2uu: Tough climates call for drastic measures.
What is it that I want?
@ThatDwayne: We crave the recognition and support, i.e. funding.
Selfish Outcomes = Thank You + …
What is it that business wants?
Business Outcomes = Profitability + Efficiencies + Cost Reduction
Be Relevant…
@ThatDwayne: Need to align our “wants” w/biz “wants.” Need to demonstrate that we care about biz objectives/pressures & explain in terms biz understands.
Trust & Confidence…
@jee2uu: Being relevant is key for CISO to gain trust/confidence of biz execs. Confidence must come across in the message & data must support – but confidence isn’t just about the data.
Trust needs to be earned…
@jee2uu: Fear of failure kills innovation. Be ready to take risks & give confident answers. And risk doesn’t mean making decisions with zero data– risk is making informed decisions with data.
LET’S SEE IF WE CAN DO IT DIFFERENTLY TO WIN TRUST & CONFIDENCE
A bit different conversation…

Business Exec: Hey, your email mentioned that you wanted to discuss something important?

CISO: Recent report: 120,000+ vulnerabilities. Detailed investigation: 10% affecting critical assets serving customers and Internet facing. Looking at cost challenges: accept 90% & remediate 10%.

Business Exec: Understand. Can we accept the risk and delay this remediation until next year? We have significant cost challenges for the next 6 months.

CISO: I understand. But customer-facing channels being exploited can have a direct impact on revenue, customer experience and, let’s not forget, undue attention from regulators.

Business Exec: Understand. What do you recommend?

CISO: I suggest that we fix the high risk issues as soon as possible and accept medium and low risks. Let me work on a plan to address this in the long term.

Business Exec: Good plan. How much money do you need to fix the immediate issues?
Anatomy…

Business Exec: I am sure there is going to be some bad news... and asking for more money…

CISO: I understand that we have recently given a commitment to the board to reduce operating cost by 20% and increase revenue by 15%. Going to focus on what’s absolutely necessary.

Business Exec: This guy is well prepared and has done his homework. He understands my pressures and sounds reasonable. Let me ask for a bit more information.

CISO: It’s a fair question… And I am well prepared, because I have done detailed analysis. I need to help him make a decision.

Business Exec: Hmm… It’s going to be quite damaging to have dissatisfied customers, especially when we are trying to win new business. What is the right thing to do? Let me ask…

CISO: I am already prepared with an answer. I knew that I had to help make this decision.

Business Exec: We need to fix this. Let me fund this from my contingency budget.
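The "accept 90%, remediate 10%" split in the second conversation comes from triaging the raw scan report against asset exposure and business criticality instead of reading CVSS alone. The Python below is an added example of that triage; it is not from the webcast or from any Tripwire product. The asset inventory, the findings, the CVE-style identifiers, the hostnames, the weights and the high/medium/low thresholds are all constructed placeholders that a practitioner would calibrate with the business owners.

```python
"""Triage a vulnerability-scan export into "remediate now" and "accept for now".

Added example, not part of the webcast or any Tripwire product. The asset
inventory, the findings, the identifiers and the scoring weights are
constructed placeholders for illustration only.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    internet_facing: bool
    customer_facing: bool   # serves customers: revenue and regulator exposure
    criticality: int        # 1 (low) .. 5 (crown jewel), set by the business owner


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str                # placeholder identifiers, not real CVEs
    cvss: float             # base score as reported by the scanner
    exploit_public: bool    # scanner / threat-intel flag


# Constructed asset inventory (hypothetical hostnames).
ASSETS: dict[str, Asset] = {a.name: a for a in [
    Asset("web-shop-01", True, True, 5),
    Asset("api-gw-01", True, True, 5),
    Asset("hr-intranet", False, False, 2),
    Asset("build-agent-07", False, False, 3),
    Asset("printer-lobby", False, False, 1),
]}

# Constructed scan output (the "120,000+" report, shrunk to eight rows).
FINDINGS: list[Finding] = [
    Finding("web-shop-01", "CVE-0000-0001", 9.8, True),
    Finding("web-shop-01", "CVE-0000-0002", 5.3, False),
    Finding("api-gw-01", "CVE-0000-0003", 7.5, True),
    Finding("api-gw-01", "CVE-0000-0004", 4.0, False),
    Finding("hr-intranet", "CVE-0000-0005", 9.8, True),
    Finding("build-agent-07", "CVE-0000-0006", 6.5, False),
    Finding("printer-lobby", "CVE-0000-0007", 7.2, False),
    Finding("printer-lobby", "CVE-0000-0008", 3.1, False),
]

# Assumed weights; calibrate them with the business, they are not a standard.
INTERNAL_EXPOSURE = 0.4      # reachable only from inside the network
EXPLOIT_BONUS = 0.3          # a public exploit raises the effective exposure
HIGH_THRESHOLD = 0.5
MEDIUM_THRESHOLD = 0.2


def business_risk(f: Finding, assets: dict[str, Asset]) -> float:
    """Score 0..1: CVSS severity weighted by exposure and business criticality."""
    a = assets[f.asset]
    severity = f.cvss / 10.0
    exposure = 1.0 if a.internet_facing else INTERNAL_EXPOSURE
    if f.exploit_public:
        exposure = min(1.0, exposure + EXPLOIT_BONUS)
    criticality = a.criticality / 5.0
    return round(severity * exposure * criticality, 3)


def rate(risk: float) -> str:
    """Map the score onto the three buckets the CISO talks about."""
    if risk >= HIGH_THRESHOLD:
        return "high"
    if risk >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def triage(findings: list[Finding], assets: dict[str, Asset]):
    """Split findings into (remediate, accept); remediate is ordered by risk."""
    scored = [(business_risk(f, assets), f) for f in findings]
    remediate = sorted(((s, f) for s, f in scored if rate(s) == "high"),
                       key=lambda sf: sf[0], reverse=True)
    accept = [(s, f) for s, f in scored if rate(s) != "high"]
    return remediate, accept


def executive_summary(findings: list[Finding], assets: dict[str, Asset]) -> dict:
    """The numbers to put in front of the business instead of the raw report."""
    remediate, accept = triage(findings, assets)
    total = len(findings)
    by_rating = Counter(rate(s) for s, _ in remediate + accept)
    return {
        "total_findings": total,
        "remediate_now": len(remediate),
        "remediate_pct": round(100 * len(remediate) / total, 1),
        "accept_for_now": len(accept),
        "by_rating": dict(by_rating),
        "customer_facing_assets_at_risk": sorted(
            {f.asset for _, f in remediate if assets[f.asset].customer_facing}),
        "top_finding": remediate[0][1].cve if remediate else None,
    }


if __name__ == "__main__":
    for key, value in executive_summary(FINDINGS, ASSETS).items():
        print(f"{key}: {value}")
```

The summary dictionary, not the scan export, is what goes to the executive: how many findings exist, what fraction must be fixed now, and which customer-facing assets carry them. Note that the CVSS 9.8 with a public exploit on the internal HR server scores lower than the CVSS 5.3 on the shop front; that is the intended effect of weighting by exposure and criticality, and it is exactly the argument the CISO makes when the executive asks why the 10% cannot wait.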
KEY TAKEAWAYS
Finally…
- Security Goals = Business Outcomes: It’s not possible to fix everything. Focus on what’s important. Demonstrate business acumen in your day to day actions.
- Communicate & Be Relevant: Delivering results with effective communication. Perception management is equally important. Do not communicate only when there is an issue.
- Listen: Listen to business goals, objectives and, most importantly, their pressures.
- Building Trust and Gaining Confidence is the Key: Selling and marketing attitude. Think differently. Be ready to take risks.
Because Everyone Could Use a Laugh
Enjoy at: tripwire.com/powers | Twitter: @CISOpowers
tripwire.com | @TripwireInc
THANK YOU
Jitender Arora
Twitter: @jee2uu
Blog: http://jitenderarora.co.uk
Dwayne Melancon
Twitter: @ThatDwayne
Blog: http://www.tripwire.com/state-of-security/