SlideShare una empresa de Scribd logo

Selling Infosec to the CSuite

D
Dave R. Taylor
1 de 13
Descargar para leer sin conexión
How to Sell InfoSec to the C-Suite A Playbook to Build Your Case and Get Your Budget Infosec
How to Sell InfoSec to the C-Suite 2 My BIG Security Plan You need the whole team behind you to keep your business running. But sometimes IT managers can feel pretty alone in the backfield. Take network security. Your business can’t afford the kind of attack that hit Target and Home Depot. You’ve set up the best defense you can, but now you need more money, tools, and support. That’s what this hands-on playbook is for. We’ll walk you through the steps to analyze your situation, put together a business case, and present it successfully to the C-suite. And because you don’t always win your first contest, we’ll also give you a back-up plan. Let’s get started.
Playbook Checklist 4 Talk to department managers.What network resources do theyneed to meet their goals? 4 What’s the impact if business unitslost network resources? 4 What are hard costs (actual costs or revenue losses) if criticalsystems were hacked? 4 Estimate soft costs (hits to reputation, brand, and customersatisfaction) as well. 4 Take this opportunity to evangelizeyour security plans and get yourpeers on board. 3 How to Sell InfoSec to the C-Suite Step 1. Scouting Report Before you step out of the locker room, you need to know what you’re up against. A business impact analysis helps you understand what’s important to keep the business running, so you know what’s at risk.
4 How to Sell InfoSec to the C-Suite Step 2. Training Day You’ve established the risk if the business lost access to critical systems due to a security incident. Now it’s time for a security audit to look for vulnerabilities. You can do this yourself, or bring in experts to help. Playbook Checklist 4 Explore outside agencies and online tools to perform a security audit. 4 Create an InfoSec policy: everything from how often passwords should be changed to how employees remotely access company resources. 4 Get consensus on the policy from other departments so they can proactively help secure assets. 4 Review and update policies annually, including InfoSec, NDAs, AUPs, etc. 4 Keep the business running. Get approval before addressing any issues. 4 Plan how you’re going to turn audit results into understandable, actionable information.
How to Sell InfoSec to the C-Suite 5 How to find audit resources: 4 Talk to your outside auditor about reviewing your cybersecurity readiness. 4 Get referrals from the security community and current technology partners. 4 Ask on technical mailing lists and social networking sites such as LinkedIn. 4 Search online for “vulnerability assessment services,” “security assessment services,” “penetration testing services,” “incident detection and response services,” or “threat exposure management.” Required Team Reading Stay up-to-date on risks and solutions. Subscribe to security forums and reports and review them regularly. InformationWeek’s DarkReading http://www.darkreading.com Internet Storm Center https://isc.sans.edu KrebsonSecurity krebsonsecurity.com Naked Security https://nakedsecurity.sophos.com Reading Room http://www.sans.org/reading-room Schneier on Security https://www.schneier.com WatchGuard Security Center http://watchguardsecuritycenter.com
How to Sell InfoSec to the C-Suite 6 Step 3. Go the Distance This is when you put your security program through its paces using security scans. Even the best security programs have issues, so if you don’t find anything, there’s a good chance something’s wrong with your methodology. Playbook Checklist 4 Do your research. Read and talk to experts so you know what kind of scanning tools you need. 4 Before running any scan, get approval first. 4 Make sure you understand the tools and what effect they might have on the business. 4 Analyze network size and scan intensity to estimate time required (a few hours to weeks). 4 Run the scans, scheduling network maintenance time if necessary.
How to Sell InfoSec to the C-Suite 7 Sample Workouts High-quality, open source security scanning tools are widely available online at no cost. Start with a general-purpose tool and move to specialty scans as needed. General Tools NMAP is a network mapper and fingerprinting software http://nmap.org OpenVAS is a vulnerability scanner http://www.openvas.org Specialty Tools Zed Attack Proxy (ZAP) is a tool for finding vulnerabilities in web applications https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Sqlmap is a penetration testing tool that automates the process of detecting and exploiting SQL injection flaws http://sqlmap.org
Playbook Checklist 4 Review your audit and scan reports. Prioritize issues basedon importance of the asset andlikelihood of the attack vector beingexploited. 4 Use your business impact analysisto prioritize risks appropriately. Ahigh-level vulnerability in a test sitemight be less important than amoderate risk in a critical system. 4 Identify which items require littleeffort or resources to mitigate. 4 Develop a remediation plan alongwith the stakeholders from thebusiness impact analysis. How to Sell InfoSec to the C-Suite 8 Step 4. Flag On the Play Now that you’ve discovered where the issues are, it’s time for remediation. Decisions on what to remediate (or not) should be based on the severity of the vulnerability, the chance of it being exploited, and the exposure it would cause.
How to Sell InfoSec to the C-Suite 9 Step 5. Get Your Game Face On It’s time to put your training to the test. Presenting to the C-suite may feel like the big league, but this is your playing field. If senior management doesn’t understand the risks, it’s your job to educate them. Playbook Checklist 4 Own the security concerns you’re reporting. 4 Present risks in terms that management understands and that are specific to the business. 4 Don’t use misleading statistics as scare tactics. 4 Be transparent about what you’ve already done. 4 Explain how you’ve exhausted current resources and what you need to succeed. 4 Identify stakeholders and sponsors from meetings with business unit managers. 4 Be iterative in your communication until you get the support you need. What we have doesn’t work. We need to fix it— NOW. I have a plan!
How to Sell InfoSec to the C-Suite 10 Tips for success 4 Don’t send out raw reports. Apply context to help managers understand your decisions. 4 Frame the conversation with security requirements related to your industry (SOC for publicly traded companies, HIPAA for healthcare, PCI DSS for retailers, etc.). 4 Consider creating custom reports for each business unit. Document the process Explain each riskAudit/scan methodology Whether risk is acceptableWhen they were performed How to mitigate itParticipation of stakeholders What happens if you don’tRemediation steps Estimated cost and effort Reporting Statistics Regularly update and distribute reports that include a concise, business-focused executive summary.
How to Sell InfoSec to the C-Suite 11 Step 6. The Season Isn’t Over Until It’s Over Security is important, but your C-suite has to balance competing business initiatives, challenges, and expenses. You may not get everything you ask for right away, but you’re always just one security incident away from getting funding. Be prepared. Playbook Checklist 4 Keep your reports current so you’re ready when you’re called up. 4 Run free tools and remediate every issue you can. 4 Add remediation actions to your regularly distributed reports. 4 Be prepared to show progress since your last presentation. 4 If you can’t fix an issue, provide options: accept the risk, assign resources, or take at-risk assets offline.
How to Sell InfoSec to the C-Suite 12 PRODUCTS Step 7. Don’t Bring Anything Less than Your “A” Game Once you’re ready to implement new security services, make sure your team is well-equipped for the challenge. WatchGuard can help with a full suite of security products and top performance to meet the needs of businesses of all sizes.
How to Sell InfoSec to the C-Suite 13 About Watchguard WatchGuard® Technologies, Inc. is a global leader of integrated, multi-function business security solutions that intelligently combine industry standard hardware, best-of-breed security features, and policy-based management tools. WatchGuard provides easy-to-use, but enterprise-powerful protection to hundreds of thousands of businesses worldwide. WatchGuard products are backed by WatchGuard LiveSecurity® Service, an innovative support program. WatchGuard is headquartered in Seattle, Wash. with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com. No express or implied warranties are provided for herein. All specifications are subject to change and any expected future products, features, or functionality will be provided on an if and when available basis. ©2015 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, Fireware, and LiveSecurity are registered trademarks of WatchGuard Technologies, Inc. All other trademarks and tradenames are the property of their respective owners. 505 Fifth Avenue South Suite 500 Seattle, WA 98104 www.watchguard.com North America Sales +1.800.734.9905 International Sales +1.206.613.0895

Recomendados

Agile security
Agile securityAgile security
Agile security
Arthur Donkers
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
gjdevos
 
The Path to Proactive Application Security
The Path to Proactive Application SecurityThe Path to Proactive Application Security
The Path to Proactive Application Security
Cigital
 
Cyber Security testing in an agile environment
Cyber Security testing in an agile environmentCyber Security testing in an agile environment
Cyber Security testing in an agile environment
Arthur Donkers
 
Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!
Cigital
 
Establishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-programEstablishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-program
Priyanka Aash
 
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...
Brian Andrzejewski
 
Ten Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard OfTen Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard Of
Adrian Sanabria
 

Recomendados

Agile security
Agile securityAgile security
Agile security
Arthur Donkers
 
Shift Left Security
Shift Left SecurityShift Left Security
Shift Left Security
gjdevos
 
The Path to Proactive Application Security
The Path to Proactive Application SecurityThe Path to Proactive Application Security
The Path to Proactive Application Security
Cigital
 
Cyber Security testing in an agile environment
Cyber Security testing in an agile environmentCyber Security testing in an agile environment
Cyber Security testing in an agile environment
Arthur Donkers
 
Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!Handle With Care: You Have My VA Report!
Handle With Care: You Have My VA Report!
Cigital
 
Establishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-programEstablishing a-quality-vulnerability-management-program
Establishing a-quality-vulnerability-management-program
Priyanka Aash
 
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...
Brian Andrzejewski
 
Ten Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard OfTen Security Product Categories You've Probably Never Heard Of
Ten Security Product Categories You've Probably Never Heard Of
Adrian Sanabria
 
Agile Security—Field of Dreams
Agile Security—Field of DreamsAgile Security—Field of Dreams
Agile Security—Field of Dreams
Priyanka Aash
 
Can You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCan You Really Automate Yourself Secure
Can You Really Automate Yourself Secure
Cigital
 
To MSSP or not to MSSP IISF 2015
To MSSP or not to MSSP IISF 2015To MSSP or not to MSSP IISF 2015
To MSSP or not to MSSP IISF 2015
Paul Hogan
 
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP'sAlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault
 
CompTIA PenTest+: Everything you need to know about the exam
CompTIA PenTest+: Everything you need to know about the examCompTIA PenTest+: Everything you need to know about the exam
CompTIA PenTest+: Everything you need to know about the exam
Infosec
 
Matryx 4pp single
Matryx 4pp singleMatryx 4pp single
Matryx 4pp single
Matryx Consulting Pty Ltd
 
RSAC 2016: CISO's guide to Startups
RSAC 2016: CISO's guide to StartupsRSAC 2016: CISO's guide to Startups
RSAC 2016: CISO's guide to Startups
Adrian Sanabria
 
Practical Secure Coding Workshop - {DECIPHER} Hackathon
Practical Secure Coding Workshop - {DECIPHER} HackathonPractical Secure Coding Workshop - {DECIPHER} Hackathon
Practical Secure Coding Workshop - {DECIPHER} Hackathon
Stefan Streichsbier
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
bugcrowd
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat Modeling
Cigital
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions
Cigital
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
Adrian Sanabria
 
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentBeyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Damon Small
 
Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin? Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin?
Cigital
 
BSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software SecurityBSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software Security
Cigital
 
Many products-no-security (1)
Many products-no-security (1)Many products-no-security (1)
Many products-no-security (1)
SecPod Technologies
 
Security Outsourcing - Couples Counseling - Atif Ghauri
Security Outsourcing - Couples Counseling - Atif GhauriSecurity Outsourcing - Couples Counseling - Atif Ghauri
Security Outsourcing - Couples Counseling - Atif Ghauri
Atif Ghauri
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centers
Brencil Kaimba
 
Security Proposal for High Profile/Government Individual
Security Proposal for High Profile/Government IndividualSecurity Proposal for High Profile/Government Individual
Security Proposal for High Profile/Government Individual
Dayo Olujekun
 
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsEnterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to Basics
Damon Small
 
Common Sense Security Framework
Common Sense Security FrameworkCommon Sense Security Framework
Common Sense Security Framework
Jerod Brennen
 
Information Security Risks - What You Can Do To Help Your Clients Avoid Costl...
Information Security Risks - What You Can Do To Help Your Clients Avoid Costl...Information Security Risks - What You Can Do To Help Your Clients Avoid Costl...
Information Security Risks - What You Can Do To Help Your Clients Avoid Costl...
Net at Work
 

Más contenido relacionado

La actualidad más candente

To MSSP or not to MSSP IISF 2015
To MSSP or not to MSSP IISF 2015To MSSP or not to MSSP IISF 2015
To MSSP or not to MSSP IISF 2015
Paul Hogan
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
Adrian Sanabria
 
Security Outsourcing - Couples Counseling - Atif Ghauri
Security Outsourcing - Couples Counseling - Atif GhauriSecurity Outsourcing - Couples Counseling - Atif Ghauri
Security Outsourcing - Couples Counseling - Atif Ghauri
Atif Ghauri
 
Security Proposal for High Profile/Government Individual
Security Proposal for High Profile/Government IndividualSecurity Proposal for High Profile/Government Individual
Security Proposal for High Profile/Government Individual
Dayo Olujekun
 
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsEnterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to Basics
Damon Small
 

La actualidad más candente (20)

Agile Security—Field of Dreams
Agile Security—Field of DreamsAgile Security—Field of Dreams
Agile Security—Field of Dreams
 
Can You Really Automate Yourself Secure
Can You Really Automate Yourself SecureCan You Really Automate Yourself Secure
Can You Really Automate Yourself Secure
 
To MSSP or not to MSSP IISF 2015
To MSSP or not to MSSP IISF 2015To MSSP or not to MSSP IISF 2015
To MSSP or not to MSSP IISF 2015
 
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP'sAlienVault MSSP Overview - A Different Approach to Security for MSSP's
AlienVault MSSP Overview - A Different Approach to Security for MSSP's
 
CompTIA PenTest+: Everything you need to know about the exam
CompTIA PenTest+: Everything you need to know about the examCompTIA PenTest+: Everything you need to know about the exam
CompTIA PenTest+: Everything you need to know about the exam
 
Matryx 4pp single
Matryx 4pp singleMatryx 4pp single
Matryx 4pp single
 
RSAC 2016: CISO's guide to Startups
RSAC 2016: CISO's guide to StartupsRSAC 2016: CISO's guide to Startups
RSAC 2016: CISO's guide to Startups
 
Practical Secure Coding Workshop - {DECIPHER} Hackathon
Practical Secure Coding Workshop - {DECIPHER} HackathonPractical Secure Coding Workshop - {DECIPHER} Hackathon
Practical Secure Coding Workshop - {DECIPHER} Hackathon
 
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...[Webinar] Building a Product Security Incident Response Team: Learnings from ...
[Webinar] Building a Product Security Incident Response Team: Learnings from ...
 
Secure Design: Threat Modeling
Secure Design: Threat ModelingSecure Design: Threat Modeling
Secure Design: Threat Modeling
 
6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions6 Most Common Threat Modeling Misconceptions
6 Most Common Threat Modeling Misconceptions
 
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
451 and Endgame - Zero breach Tolerance: Earliest protection across the attac...
 
Beyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability AssessmentBeyond the Scan: The Value Proposition of Vulnerability Assessment
Beyond the Scan: The Value Proposition of Vulnerability Assessment
 
Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin? Software Security Initiative Capabilities: Where Do I Begin?
Software Security Initiative Capabilities: Where Do I Begin?
 
BSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software SecurityBSIMM: Bringing Science to Software Security
BSIMM: Bringing Science to Software Security
 
Many products-no-security (1)
Many products-no-security (1)Many products-no-security (1)
Many products-no-security (1)
 
Security Outsourcing - Couples Counseling - Atif Ghauri
Security Outsourcing - Couples Counseling - Atif GhauriSecurity Outsourcing - Couples Counseling - Atif Ghauri
Security Outsourcing - Couples Counseling - Atif Ghauri
 
Governance of security operation centers
Governance of security operation centersGovernance of security operation centers
Governance of security operation centers
 
Security Proposal for High Profile/Government Individual
Security Proposal for High Profile/Government IndividualSecurity Proposal for High Profile/Government Individual
Security Proposal for High Profile/Government Individual
 
Enterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to BasicsEnterprise Vulnerability Management: Back to Basics
Enterprise Vulnerability Management: Back to Basics
 

Similar a Selling Infosec to the CSuite

CMIT 321 Executive Proposal ProjectThe purpose of this project i.docx
CMIT 321 Executive Proposal ProjectThe purpose of this project i.docxCMIT 321 Executive Proposal ProjectThe purpose of this project i.docx
CMIT 321 Executive Proposal ProjectThe purpose of this project i.docx
clarebernice
 
Successful DevSecOps Organizations - by Dawid Balut
Successful DevSecOps Organizations - by Dawid BalutSuccessful DevSecOps Organizations - by Dawid Balut
Successful DevSecOps Organizations - by Dawid Balut
Dawid Balut
 
Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxProject Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docx
wkyra78
 

Similar a Selling Infosec to the CSuite (20)

Common Sense Security Framework
Common Sense Security FrameworkCommon Sense Security Framework
Common Sense Security Framework
 
Information Security Risks - What You Can Do To Help Your Clients Avoid Costl...
Information Security Risks - What You Can Do To Help Your Clients Avoid Costl...Information Security Risks - What You Can Do To Help Your Clients Avoid Costl...
Information Security Risks - What You Can Do To Help Your Clients Avoid Costl...
 
Cmgt 400 Entire Course NEW
Cmgt 400 Entire Course NEWCmgt 400 Entire Course NEW
Cmgt 400 Entire Course NEW
 
CMGT 400 Entire Course NEW
CMGT 400 Entire Course NEWCMGT 400 Entire Course NEW
CMGT 400 Entire Course NEW
 
Building A Security Operations Center
Building A Security Operations CenterBuilding A Security Operations Center
Building A Security Operations Center
 
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdfFor Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
For Public_ Cybersecurity_ Frameworks, Fundamentals, and Foundations 2023.pdf
 
Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)Scot Secure 2019 Edinburgh (Day 2)
Scot Secure 2019 Edinburgh (Day 2)
 
All About Cybersecurity Frameworks.pptx
All About Cybersecurity Frameworks.pptxAll About Cybersecurity Frameworks.pptx
All About Cybersecurity Frameworks.pptx
 
CMIT 321 Executive Proposal ProjectThe purpose of this project i.docx
CMIT 321 Executive Proposal ProjectThe purpose of this project i.docxCMIT 321 Executive Proposal ProjectThe purpose of this project i.docx
CMIT 321 Executive Proposal ProjectThe purpose of this project i.docx
 
All About Cybersecurity Frameworks.pdf
All About Cybersecurity Frameworks.pdfAll About Cybersecurity Frameworks.pdf
All About Cybersecurity Frameworks.pdf
 
Security is our duty and we shall deliver it - White Paper
Security is our duty and we shall deliver it - White PaperSecurity is our duty and we shall deliver it - White Paper
Security is our duty and we shall deliver it - White Paper
 
A Successful SAST Tool Implementation
A Successful SAST Tool ImplementationA Successful SAST Tool Implementation
A Successful SAST Tool Implementation
 
Successful DevSecOps Organizations - by Dawid Balut
Successful DevSecOps Organizations - by Dawid BalutSuccessful DevSecOps Organizations - by Dawid Balut
Successful DevSecOps Organizations - by Dawid Balut
 
10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITY10 KEYS TO EFFECTIVE NETWORK SECURITY
10 KEYS TO EFFECTIVE NETWORK SECURITY
 
Project Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docxProject Quality-SIPOCSelect a process of your choice and creat.docx
Project Quality-SIPOCSelect a process of your choice and creat.docx
 
CMIT 321 EXECUTIVE PROPOSAL PROJECT
CMIT 321 EXECUTIVE PROPOSAL PROJECTCMIT 321 EXECUTIVE PROPOSAL PROJECT
CMIT 321 EXECUTIVE PROPOSAL PROJECT
 
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
 
Simplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSimplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game plan
 
Top 10 Interview Questions for Risk Analyst.pptx
Top 10 Interview Questions for Risk Analyst.pptxTop 10 Interview Questions for Risk Analyst.pptx
Top 10 Interview Questions for Risk Analyst.pptx
 
SanerNow a platform for Endpoint security and systems Management
SanerNow a platform for Endpoint security and systems ManagementSanerNow a platform for Endpoint security and systems Management
SanerNow a platform for Endpoint security and systems Management
 

Selling Infosec to the CSuite

  • 1. How to Sell InfoSec to the C-Suite A Playbook to Build Your Case and Get Your Budget Infosec
  • 2. How to Sell InfoSec to the C-Suite 2 My BIG Security Plan You need the whole team behind you to keep your business running. But sometimes IT managers can feel pretty alone in the backfield. Take network security. Your business can’t afford the kind of attack that hit Target and Home Depot. You’ve set up the best defense you can, but now you need more money, tools, and support. That’s what this hands-on playbook is for. We’ll walk you through the steps to analyze your situation, put together a business case, and present it successfully to the C-suite. And because you don’t always win your first contest, we’ll also give you a back-up plan. Let’s get started.
  • 3. Playbook Checklist 4 Talk to department managers.What network resources do theyneed to meet their goals? 4 What’s the impact if business unitslost network resources? 4 What are hard costs (actual costs or revenue losses) if criticalsystems were hacked? 4 Estimate soft costs (hits to reputation, brand, and customersatisfaction) as well. 4 Take this opportunity to evangelizeyour security plans and get yourpeers on board. 3 How to Sell InfoSec to the C-Suite Step 1. Scouting Report Before you step out of the locker room, you need to know what you’re up against. A business impact analysis helps you understand what’s important to keep the business running, so you know what’s at risk.
  • 4. 4 How to Sell InfoSec to the C-Suite Step 2. Training Day You’ve established the risk if the business lost access to critical systems due to a security incident. Now it’s time for a security audit to look for vulnerabilities. You can do this yourself, or bring in experts to help. Playbook Checklist 4 Explore outside agencies and online tools to perform a security audit. 4 Create an InfoSec policy: everything from how often passwords should be changed to how employees remotely access company resources. 4 Get consensus on the policy from other departments so they can proactively help secure assets. 4 Review and update policies annually, including InfoSec, NDAs, AUPs, etc. 4 Keep the business running. Get approval before addressing any issues. 4 Plan how you’re going to turn audit results into understandable, actionable information.
  • 5. How to Sell InfoSec to the C-Suite 5 How to find audit resources: 4 Talk to your outside auditor about reviewing your cybersecurity readiness. 4 Get referrals from the security community and current technology partners. 4 Ask on technical mailing lists and social networking sites such as LinkedIn. 4 Search online for “vulnerability assessment services,” “security assessment services,” “penetration testing services,” “incident detection and response services,” or “threat exposure management.” Required Team Reading Stay up-to-date on risks and solutions. Subscribe to security forums and reports and review them regularly. InformationWeek’s DarkReading http://www.darkreading.com Internet Storm Center https://isc.sans.edu KrebsonSecurity krebsonsecurity.com Naked Security https://nakedsecurity.sophos.com Reading Room http://www.sans.org/reading-room Schneier on Security https://www.schneier.com WatchGuard Security Center http://watchguardsecuritycenter.com
  • 6. How to Sell InfoSec to the C-Suite 6 Step 3. Go the Distance This is when you put your security program through its paces using security scans. Even the best security programs have issues, so if you don’t find anything, there’s a good chance something’s wrong with your methodology. Playbook Checklist 4 Do your research. Read and talk to experts so you know what kind of scanning tools you need. 4 Before running any scan, get approval first. 4 Make sure you understand the tools and what effect they might have on the business. 4 Analyze network size and scan intensity to estimate time required (a few hours to weeks). 4 Run the scans, scheduling network maintenance time if necessary.
  • 7. How to Sell InfoSec to the C-Suite 7 Sample Workouts High-quality, open source security scanning tools are widely available online at no cost. Start with a general-purpose tool and move to specialty scans as needed. General Tools NMAP is a network mapper and fingerprinting software http://nmap.org OpenVAS is a vulnerability scanner http://www.openvas.org Specialty Tools Zed Attack Proxy (ZAP) is a tool for finding vulnerabilities in web applications https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project Sqlmap is a penetration testing tool that automates the process of detecting and exploiting SQL injection flaws http://sqlmap.org
  • 8. Playbook Checklist 4 Review your audit and scan reports. Prioritize issues basedon importance of the asset andlikelihood of the attack vector beingexploited. 4 Use your business impact analysisto prioritize risks appropriately. Ahigh-level vulnerability in a test sitemight be less important than amoderate risk in a critical system. 4 Identify which items require littleeffort or resources to mitigate. 4 Develop a remediation plan alongwith the stakeholders from thebusiness impact analysis. How to Sell InfoSec to the C-Suite 8 Step 4. Flag On the Play Now that you’ve discovered where the issues are, it’s time for remediation. Decisions on what to remediate (or not) should be based on the severity of the vulnerability, the chance of it being exploited, and the exposure it would cause.
  • 9. How to Sell InfoSec to the C-Suite 9 Step 5. Get Your Game Face On It’s time to put your training to the test. Presenting to the C-suite may feel like the big league, but this is your playing field. If senior management doesn’t understand the risks, it’s your job to educate them. Playbook Checklist 4 Own the security concerns you’re reporting. 4 Present risks in terms that management understands and that are specific to the business. 4 Don’t use misleading statistics as scare tactics. 4 Be transparent about what you’ve already done. 4 Explain how you’ve exhausted current resources and what you need to succeed. 4 Identify stakeholders and sponsors from meetings with business unit managers. 4 Be iterative in your communication until you get the support you need. What we have doesn’t work. We need to fix it— NOW. I have a plan!
  • 10. How to Sell InfoSec to the C-Suite 10 Tips for success 4 Don’t send out raw reports. Apply context to help managers understand your decisions. 4 Frame the conversation with security requirements related to your industry (SOC for publicly traded companies, HIPAA for healthcare, PCI DSS for retailers, etc.). 4 Consider creating custom reports for each business unit. Document the process Explain each riskAudit/scan methodology Whether risk is acceptableWhen they were performed How to mitigate itParticipation of stakeholders What happens if you don’tRemediation steps Estimated cost and effort Reporting Statistics Regularly update and distribute reports that include a concise, business-focused executive summary.
  • 11. How to Sell InfoSec to the C-Suite 11 Step 6. The Season Isn’t Over Until It’s Over Security is important, but your C-suite has to balance competing business initiatives, challenges, and expenses. You may not get everything you ask for right away, but you’re always just one security incident away from getting funding. Be prepared. Playbook Checklist 4 Keep your reports current so you’re ready when you’re called up. 4 Run free tools and remediate every issue you can. 4 Add remediation actions to your regularly distributed reports. 4 Be prepared to show progress since your last presentation. 4 If you can’t fix an issue, provide options: accept the risk, assign resources, or take at-risk assets offline.
  • 12. How to Sell InfoSec to the C-Suite 12 PRODUCTS Step 7. Don’t Bring Anything Less than Your “A” Game Once you’re ready to implement new security services, make sure your team is well-equipped for the challenge. WatchGuard can help with a full suite of security products and top performance to meet the needs of businesses of all sizes.
  • 13. How to Sell InfoSec to the C-Suite 13 About Watchguard WatchGuard® Technologies, Inc. is a global leader of integrated, multi-function business security solutions that intelligently combine industry standard hardware, best-of-breed security features, and policy-based management tools. WatchGuard provides easy-to-use, but enterprise-powerful protection to hundreds of thousands of businesses worldwide. WatchGuard products are backed by WatchGuard LiveSecurity® Service, an innovative support program. WatchGuard is headquartered in Seattle, Wash. with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com. No express or implied warranties are provided for herein. All specifications are subject to change and any expected future products, features, or functionality will be provided on an if and when available basis. ©2015 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, Fireware, and LiveSecurity are registered trademarks of WatchGuard Technologies, Inc. All other trademarks and tradenames are the property of their respective owners. 505 Fifth Avenue South Suite 500 Seattle, WA 98104 www.watchguard.com North America Sales +1.800.734.9905 International Sales +1.206.613.0895