CA World '16
How is Buying a Home Like Justifying Data Security Investments? Developing Return on Security Investment (ROSI) Analysis
Jeff Cherrington, Senior Director of Product Management, CA Technologies
MFX118S
Mainframe and Workload Automation

© 2016 CA. ALL RIGHTS RESERVED. @CAWORLD #CAWORLD
© 2016 CA. All rights reserved. All trademarks referenced herein belong to their respective companies.

Terms of this Presentation: For Informational Purposes Only
The content provided in this CA World 2016 presentation is intended for informational purposes only and does not form any type of warranty. The information provided by a CA partner and/or CA customer has not been reviewed for accuracy by CA.
Abstract
Data protection is mandatory hygiene, required in the data center and demanded by customers, both consumer and commercial. Justifying additional investment in data security to the executive team can be challenging, because such investment seldom has a direct line of sight to increased revenue or reduced costs. However, investment must keep pace with the increases in both the threat from increasingly organized and sophisticated attacks and the broader, more invasive regulations. Find out how justifying investments in data security is similar to the decisions made when purchasing a home. The session continues by reviewing strategies for building persuasive business cases for the additional mainframe protections needed to protect the mainframe data center in its current role and in the increasingly critical role it must play in the emerging Application Economy.
Jeff Cherrington, CA Technologies, Senior Director, Product Management
Agenda
1. Purpose of Session
2. Shared Experience: Buying a Home
3. How Does That Relate to Data Security?
4. Return on Security Investment (ROSI)
5. Developing a ROSI Analysis
6. Questions, Discussions, and Experiences
Purpose of This Session
- Enterprises must diligently assess investments in data security, striving to invest enough: neither too much nor too little
- This session offers some strategies for equipping senior managers with relevant financial analysis
- The conversation is framed using a comparison to an experience many of us share: purchasing a home
- You are encouraged to share your questions and experiences
Shared Experience: Buying a Home
- Buying a home is the largest financial decision most of us make in our personal lives
- Most of us find the process unfamiliar the first time, with many murky components: lending rates and terms, homeowners insurance, title insurance, inspection fees, ...
- Think about when you bought your first home and you had to engage with things like PMI or MIP (insurance on my mortgage? Really?), loan-to-value (LTV) ratio, points, ...
- In good cases, we are guided through the process by competent professionals of integrity, who speak to us clearly using concepts we understand
What does that have to do with enterprise data security?
- Senior enterprise executives struggle with assessing security investment, at least in part, because it aligns only uncomfortably with the concepts they use most frequently: Return on Investment (ROI), Internal Rate of Return (IRR), Net Present Value (NPV), ...
- Evaluating and committing to investments in data security introduces elements that are less familiar and more nebulous to most senior executives' experience
- They know some is required by regulation, some is mandatory to remain operational, while some is discretionary, with an uncomfortable understanding of the risk addressed and to what degree...
Return on Security Investment (ROSI)
- ROI = (Gain from Investment - Cost of Investment) / Cost of Investment
- Gains from investment in security are hard, if not impossible, to quantify: if the security works, the best case is that nothing bad happens (meets expectations)
- Return on Security Investment alters the viewpoint from "what happens if you invest in x" to "what happens if you don't invest in x": the "gain" becomes the expected loss the investment avoids
- Standard approaches are applied to normalizing units of measure and the probability of negative event occurrences
- Supported by a body of both academic and commercial research
Return on Security Investment (ROSI)
- ROSI = ((Risk Exposure * % Risk Mitigated) - Solution Cost) / Solution Cost
- Risk Exposure = Annual Loss Exposure (ALE), more commonly called Annualized Loss Expectancy
- ALE = Single Loss Exposure (SLE) * Annual Rate of Occurrence (ARO)
- SLE = estimated cost of a single negative security event
- ARO = estimated number of times the negative security event is expected to occur in a period (typically a year); for an event expected at most once per year this equals its annual probability
- All three inputs are estimates, and % Risk Mitigated is usually the softest of them, so present ROSI over a range of assumptions rather than as a single figure
An Example of a ROSI Analysis: Data Breach
- Analysis using industry-standard Return on Security Investment (ROSI) calculations [1]
- ROSI = ((Risk Exposure * % Risk Mitigated) - Solution Cost) / Solution Cost
- Risk Exposure = Annual Loss Exposure (ALE)
- ALE = Single Loss Exposure (SLE) * Annual Rate of Occurrence (ARO)
- ARO = 22% [3], according to Ponemon Institute
- Using Ponemon Institute figures [2], with Cost/Record = $217.00; Cost of Breach (the SLE) = Records Lost * Cost/Record, and ALE = Cost of Breach * 22%:

Records Lost Range   Records Lost   Cost of Breach (SLE)   ALE
Low                       5,655          $1,227,135       $269,970
Average                  28,070          $6,091,190     $1,340,062
High                     96,550         $20,951,350     $4,609,297
An Example of a ROSI Analysis: Data Breach (continued)
ROSI = ((Risk Exposure * % Risk Mitigated) - Solution Cost) / Solution Cost
Assume an investment option mitigates only 20% of the target risk.
Using the average Ponemon Institute incident:
[SLE] $6,091,190 * [ARO] 22% = [ALE = Risk Exposure] $1,340,062
Small Enterprise (using 28K compromised records as basis)
ROSI = (($1,340,062 * 20%) - $31,893 [4]) / $31,893, or 700%+ ROSI
Medium Enterprise (using 28K compromised records as basis)
ROSI = (($1,340,062 * 20%) - $160,640 [4]) / $160,640, or about 67% ROSI
Large Enterprise (using public figures for a major data breach; the published breach cost is used directly as the risk exposure, with no ARO applied)
ROSI = (($56,000,000 * 20%) - $833,333 [5]) / $833,333, or 1200%+ ROSI
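As an added example, not part of the CA World deck, the following Python worksheet reproduces the slide's SLE, ALE and ROSI figures and adds the two checks a practitioner wants before taking a ROSI number to an executive: the break-even solution cost, the minimum mitigation the control must actually deliver, and how the result moves when the mitigation estimate changes. The dollar figures, record counts and 22% ARO are the slide's; the LossScenario type, the function names, the SOLUTION_COST dict and the sensitivity levels are our assumptions.

```python
"""ROSI worksheet: reproduces the slide's data-breach figures and adds break-even checks.

Constructed example; the Ponemon numbers are those quoted on the slide.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    """A single negative event: how many records are exposed and what each costs."""
    name: str
    records: int
    cost_per_record: float
    aro: float  # annual rate of occurrence, used as a fraction (0.22 == 22%)


def sle(s: LossScenario) -> float:
    """Single Loss Exposure: the slide's 'Cost of Breach'."""
    return s.records * s.cost_per_record


def ale(s: LossScenario) -> float:
    """Annual Loss Exposure (ALE) = SLE * ARO; this is the 'Risk Exposure' in ROSI."""
    return sle(s) * s.aro


def rosi(risk_exposure: float, pct_mitigated: float, solution_cost: float) -> float:
    """ROSI = ((Risk Exposure * % Risk Mitigated) - Solution Cost) / Solution Cost."""
    if solution_cost <= 0:
        raise ValueError("solution cost must be positive")
    if not 0.0 <= pct_mitigated <= 1.0:
        raise ValueError("pct_mitigated is a fraction between 0 and 1")
    return (risk_exposure * pct_mitigated - solution_cost) / solution_cost


def breakeven_cost(risk_exposure: float, pct_mitigated: float) -> float:
    """Most you can spend on the control before ROSI turns negative."""
    return risk_exposure * pct_mitigated


def breakeven_mitigation(risk_exposure: float, solution_cost: float) -> float:
    """Smallest fraction of the risk the control must remove to pay for itself."""
    if risk_exposure <= 0:
        raise ValueError("risk exposure must be positive")
    return min(1.0, solution_cost / risk_exposure)


def sensitivity(risk_exposure: float, solution_cost: float,
                mitigations=(0.05, 0.10, 0.20, 0.50)) -> dict:
    """ROSI at several assumed mitigation levels, since that input is the softest estimate."""
    return {m: rosi(risk_exposure, m, solution_cost) for m in mitigations}


# Ponemon Institute figures as quoted on the slide: $217 per record, ARO 22%.
PONEMON = {
    "low": LossScenario("low", 5_655, 217.0, 0.22),
    "average": LossScenario("average", 28_070, 217.0, 0.22),
    "high": LossScenario("high", 96_550, 217.0, 0.22),
}

# Solution costs from the slide; the size labels are the slide's, the dict is ours.
SOLUTION_COST = {"small": 31_893.0, "medium": 160_640.0, "large": 833_333.0}


def slide_example(size: str, pct_mitigated: float = 0.20) -> float:
    """Reproduce the slide's three cases. 'large' uses the public $56M breach figure
    directly as the risk exposure, exactly as the slide does (no ARO applied)."""
    exposure = 56_000_000.0 if size == "large" else ale(PONEMON["average"])
    return rosi(exposure, pct_mitigated, SOLUTION_COST[size])


if __name__ == "__main__":
    for s in PONEMON.values():
        print(f"{s.name:>8}: SLE ${sle(s):>13,.0f}  ALE ${ale(s):>12,.0f}")
    for size in SOLUTION_COST:
        print(f"{size:>8}: ROSI {slide_example(size):.0%}")
    avg = ale(PONEMON["average"])
    print(f"medium break-even mitigation: {breakeven_mitigation(avg, SOLUTION_COST['medium']):.1%}")
    for m, r in sensitivity(avg, SOLUTION_COST["medium"]).items():
        print(f"  mitigate {m:.0%} -> ROSI {r:+.0%}")
```

Run as a script it prints the slide's table and the three ROSI cases. The useful part is the last two lines of output: at the medium-enterprise cost the control must remove roughly 12% of the risk just to break even, and a 10% mitigation estimate already makes the ROSI negative, which is why the mitigation assumption deserves more scrutiny in front of an executive than the breach-cost data behind it.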
Recap
- Many executives who are the ultimate decision makers regarding security investments are more comfortable approaching such decisions using concepts and techniques familiar from evaluating other investments
- Security investments are poorly aligned with traditional ROI approaches
- ROSI aligns financial analysis techniques familiar to executives with the realities of data protection
Recommended Sessions
SESSION#   TITLE                                                                                          DATE/TIME
MFX173S    The Importance of Mainframe Security Education                                                 11/16/2016 at 3:45 pm
MFT174S    Mainframe Security Strategy and Roadmap: Best Practices for Protecting Mission Essential Data  11/17/2016 at 12:45 pm
MFT175S    Gaps in Your Defense: Hacking the Mainframe                                                    11/17/2016 at 3:00 pm
Must See Demos
DEMO                                       PRODUCT                        LOCATION
Real-Time Data Security and Compliance     CA Data Content Discovery      Mainframe Theatre
Mainframe Security Smart Bar               CA Top Secret®                 Mainframe Theatre
Real-Time Data Security and Compliance     CA Compliance Event Manager    Mainframe Theatre
Mainframe Security Smart Bar               CA ACF2                        Mainframe Theatre