3. Who Are We
• Fred Ritch – Chief Operating Officer
• Passion for making the complex simple
• Career UX professional
• Built user experience functions in several large organizations (IBM, Cisco, Dell)
• Over 10 years experience in InfoSec
• Shelly Carlin – Chief Executive Officer
• C-Suite executive skilled at driving transformational change
• 30+ years in finance and human resources
• Former Chief HR Officer at Motorola
• CEO, American Health Policy Institute
4. What we’ll cover
• Current state – The Rise of InfoSec
• We’ve been here before – A cautionary tale
• The CISO of the Future – Developing a business mindset
• Preparing to Lead – What you can do now
5. The Rise of InfoSec
• Current InfoSec spending estimated at $100 billion, expected to double in the
next 10 years
• Explosion of products and solutions fueled by significant venture capital
investments
• InfoSec now one of the most important strategic challenges facing business
6. Back to the future? 2015 Ponemon Study
[Three bar charts; the figures they plotted are tabulated below. “Future” is 3 years from now.]

Do your organization’s senior leadership view cybersecurity as a necessary cost or a competitive advantage?
                          Today    Future
  Necessary cost           75%      41%
  Competitive advantage    25%      59%

Does senior leadership view cybersecurity as a strategic priority?
                          Today    Future
  Yes                      34%      54%
  No or Unsure             66%      46%

Does your organization’s security leader brief the board of directors on the cybersecurity strategy?
                          Today    Future
  Yes                      22%      66%
  No or Unsure             78%      34%
7. But…more money and greater visibility means
people will ask: Where’s the money going?
8. The CFO Wants to Know
• Finance professionals dislike “unmanaged” spend – especially when it’s growing
rapidly
• The CFO is accountable to the Board and shareholders – so he will intervene,
eventually…and try to measure something he probably doesn’t understand
“If something cannot go on forever, it will stop.”
- Herbert Stein, economist
10. The current path is unsustainable
• Accelerating spending that is not measured – and managed – is
unsustainable
• Pressure from the finance organization, the Board and regulators will
result in the need to more clearly explain how money is being spent
• The good news…we are at the early stage of the cost curve; history
does not have to repeat
Information Security professionals can transform our
profession and create a sustainable foundation for the
future.
11. The CISO of the Future
A security professional with a business mindset and a collaborative approach to
protecting against the threat of cyber crime, who creates business value by:
• Aligning InfoSec investments to business priorities – recognizing that all threats are
not created equal
• Measuring the effectiveness of InfoSec activities in financial terms
• Collaborating with the broader organization to lead an integrated response to the
cyber threat
12. What is a Business Mindset?
• When everything you do is intended to create competitive advantage for your
company
• There are two ways to create competitive advantage
• Increase revenue
• Reduce costs
Everything you do must lead to higher revenue or lower
costs – or why are you doing it?
13. How InfoSec Creates Strategic Advantage
• Assess and Quantify Risk
• Measure Financial Performance
• Collaborate Across the Organization
• Communicate Effectively
14. Assess and Quantify Risk
• The CISO of the future will be skilled at assessing risk in the context of business
strategies and quantifying it
• The fundamental job of InfoSec is to help management determine the level of
acceptable risk
• Since risk must be assessed across the organization, it must be measured in the
single common measure of business – dollars
15. Quantifying Risk
• Since every business decision is about allocating scarce resources, all decisions
must be stated in financial terms
• The FAIR model (Factor Analysis of Information Risk) is one approach to quantifying risk
• Fundamental principles of FAIR
• Risk – the probable frequency of a loss event and the probable magnitude ($) of that loss
• Measurement is not precision – it is the reduction of uncertainty
• Probability v. Possibility – a world of difference
• Forecasts are not predictions
16. Measure Financial Performance
• The CISO of the future will be charged with both fighting the war and getting
smarter in funding the war against cyber crime
• Instead of fighting budget battles, understand how resource allocation
decisions are made – it’s about risk v. return
• Invest in controls in a way that reflects the risk profile of your business
• Measure the operational and financial performance of your controls
17. How did your controls perform – financially?
• Measuring how well your controls (tools, processes) prevented or
identified an attack is only part of the story
• Senior executives measure performance relative to the cost of
delivering that performance
• Once you align your InfoSec spending to the company’s most
critical risks, you need to measure how well those controls
performed – taking into account the amount invested in them
18. Measuring InfoSec ROI
Net Benefit (Cost) = SAVINGS from control success − COST of control failure
Return on Investment = Net Benefit (Cost) ÷ INVESTMENT in the control
where
  COST of control failure = actual cost of any breaches experienced during the period
                            + “Noise”: the actual cost of investigating false positives generated by the control
  SAVINGS from control success = estimated average cost of a breach
                                 × probability that a breach will occur and result in financial loss
  INVESTMENT in the control = fixed cost of the control
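Added worked example (not from the presentation, and not Cambio Analytics’ method): the Python below carries the FAIR principles from slide 15 and the ROI formula from slides 18–22 through with hypothetical, constructed numbers. It models a loss scenario as an event frequency (Poisson) and a per-event loss magnitude (triangular min/mode/max), computes expected annual loss both in closed form and by Monte Carlo, and then feeds the expected loss avoided by a control into the deck’s net-benefit and ROI formulas. All scenario values, the control cost, breach cost and noise cost are assumptions made up for illustration.

```python
"""FAIR-style expected-loss estimate feeding the deck's control-ROI formula.

Every number below is hypothetical, constructed for illustration only.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    """Calibrated ranges for one loss scenario in FAIR's two top-level terms:
    loss event frequency (events per year) and loss magnitude ($ per event)."""
    events_per_year: float   # Poisson rate for loss events
    loss_min: float          # triangular(min, mode, max) for $ lost per event
    loss_mode: float
    loss_max: float

    def expected_annual_loss(self) -> float:
        """Closed form: rate x mean loss per event; triangular mean is (min+mode+max)/3."""
        return self.events_per_year * (self.loss_min + self.loss_mode + self.loss_max) / 3.0


def poisson(rng: random.Random, rate: float) -> int:
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    threshold = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_loss(s: LossScenario, trials: int = 20_000, seed: int = 7) -> list[float]:
    """Monte Carlo: one sampled annual loss per trial. Seeded so runs are reproducible."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        n_events = poisson(rng, s.events_per_year)
        losses.append(sum(rng.triangular(s.loss_min, s.loss_max, s.loss_mode)
                          for _ in range(n_events)))
    return losses


def percentile(values: list[float], p: float) -> float:
    """Nearest-rank percentile (p in 0..100) of a list of samples."""
    ordered = sorted(values)
    idx = max(0, math.ceil(p / 100 * len(ordered)) - 1)
    return ordered[idx]


@dataclass(frozen=True)
class ControlPeriod:
    """Inputs to the deck's ROI formula for one control over one measurement period."""
    investment: float    # fixed cost of the control
    breach_cost: float   # actual cost of breaches experienced during the period
    noise_cost: float    # actual cost of investigating the control's false positives
    savings: float       # expected loss avoided (breach cost x probability, or an EAL delta)


def cost_of_control_failure(c: ControlPeriod) -> float:
    return c.breach_cost + c.noise_cost


def net_benefit(c: ControlPeriod) -> float:
    """SAVINGS from control success offset by COST of control failure."""
    return c.savings - cost_of_control_failure(c)


def roi(c: ControlPeriod) -> float:
    """Net benefit divided by the investment in the control, as the deck defines it."""
    return net_benefit(c) / c.investment


# Hypothetical scenario: one loss-event type before and after deploying a control that
# is assumed to cut event frequency from 0.5/year to 0.2/year (constructed figures).
BEFORE = LossScenario(events_per_year=0.5, loss_min=50_000, loss_mode=200_000, loss_max=1_500_000)
AFTER = LossScenario(events_per_year=0.2, loss_min=50_000, loss_mode=200_000, loss_max=1_500_000)

# Savings from control success = expected loss without the control minus expected loss with it.
CONTROL = ControlPeriod(
    investment=120_000,   # constructed
    breach_cost=80_000,   # one incident still got through this period (constructed)
    noise_cost=15_000,    # analyst time on false-positive alerts (constructed)
    savings=BEFORE.expected_annual_loss() - AFTER.expected_annual_loss(),
)

if __name__ == "__main__":
    sim = simulate_annual_loss(BEFORE)
    print(f"Expected annual loss (closed form): ${BEFORE.expected_annual_loss():,.0f}")
    print(f"Simulated mean: ${sum(sim) / len(sim):,.0f}  median: ${percentile(sim, 50):,.0f}  "
          f"90th pct: ${percentile(sim, 90):,.0f}")
    print(f"Net benefit: ${net_benefit(CONTROL):,.0f}   ROI: {roi(CONTROL):.0%}")
```

Two things the numbers show that the slides only state. First, with a 0.5/year event rate the median simulated year loses nothing while the expected annual loss is about $292k: the forecast is a distribution, not a prediction of what next year will cost. Second, the deck’s ROI divides net benefit by the investment without netting the investment out; a finance reader may expect the conventional (net benefit − investment) / investment, which for these inputs is negative. State which convention you are using before the CFO does the arithmetic.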
23. Collaborate Across the Organization
• The CISO of the future will work across organizations and functions to lead an
integrated response to the strategic threat posed by cyber crime
• Collaboration means aligning across the organization with a common goal in
mind – maximizing the performance of the business
Collaboration is hard. It requires the ability to listen with
the intent to understand. And a commitment to a larger,
common goal.
24. Communicate Effectively
• The CISO of the future will effectively translate threats, risks and opportunities
into actionable information for executives and Boards of Directors
• Communicating effectively is the result of a business-oriented approach to
InfoSec
• Business-driven assessment and quantification of risk
• An integrated risk management plan with broad organizational support
• A disciplined method to measure both the operational and financial performance of the
company’s InfoSec investment
25. Key Takeaways
• Accelerated unmeasured spending is unsustainable
• We’ve been here before – healthcare
• InfoSec professionals are key to leading the transformation
26. Preparing to Lead
• It’s a choice – agree or not – but think about it
• What you can do
• Think differently about risk (FAIR is a good start)
• Go beyond budget battles and measure the financial performance of your
initiatives
• Understand your peers in business and finance; how can you contribute to their
success? How can they help you?
• Communicate with a business mindset
I think we should state our problem statement right up front – Ted Talk style.
Thanks for being here….our presentation is called the ’Gathering Storm’ because…
Objective: Establish credibility, set the tone
Fred’s Story
Career UX professional – focus on the world of users
Learned info sec from the “outside in”: Users POV first – then tech
Started in 2006 – very ‘operational oriented’ – 12 years
Have watched infosec grow and mature in many respects – but still struggling to pivot into a mature business practice
Research has told us a change must come – and that’s what we are here to talk about.
Shelly’s Story
35 year executive professional – transformational HR leader in C-suite
BoD experience – brings business acumen POV
Connected with Fred via infosec startup adventure – focus on ops
Through that experience and exposure to the world of info sec – saw many parallels to other business functions
Formed an opinion based in extensive experience about direction infosec is headed in terms of business impact - and that’s what we are here to talk about today.
We met as part of another early stage startup and realized that while there are literally hundreds of companies dedicated to building tools to fight cyber crime, nobody was paying any attention to whether those tools were worth what was being spent on them. That led us to form our own venture, Cambio Analytics. At Cambio, we’re focused on one simple goal - helping companies measure the financial performance of their cyber security investment.
What we are going to talk about today….
Now is a great time to be in InfoSec – lots of exciting opportunities and challenges to solve – we’ll level set on what we believe is the current state of InfoSec and what it means for moving forward.
We’ve seen this trend before regarding increased spending and the impact and response it’s had on business – what can we learn from it
We believe the InfoSec leader of the future is a leader with a business mindset – and that successful InfoSec programs will be led by those who can successfully translate the complexity of InfoSec into terms that executive and BoD leadership value and understand; and who can lead a collaborative, integrated effort across the organization to manage risk at a level acceptable to the business.
Now is a unique time and opportunity for InfoSec leaders to emerge – we offer some practical advice on how to get started.
Gartner study
Ponemon study
Board views of Infosec