8/2/2019 Selling Security v4
Slide 1
Jared Pfost
June 1, 2011
Virtual Problems, Real Answers
Slide 2: Disclaimer
The views and opinions expressed during this conference are those of the speakers and do not necessarily reflect the views and opinions held by the Information Systems Security Association (ISSA), the Silicon Valley ISSA, the San Francisco ISSA or the San Francisco Bay Area InfraGard Members Alliance (IMA). Neither ISSA, InfraGard, nor any of its chapters warrants the accuracy, timeliness or completeness of the information presented. Nothing in this conference should be construed as professional or legal advice or as creating a professional-customer or attorney-client relationship. If professional, legal, or other expert assistance is required, the services of a competent professional should be sought.
These views and opinions also do not reflect those of Fremont Bancorp.
Slide 3: Introductions
Justin Drain, CISM, CRISC, CISSP
Data Security Manager, Fremont Bank
Security experience: banking, aerospace, federal government, medical

Jared Pfost
CEO, Third Defense
Security experience: banking, technology, consulting
Slide 4: Security Projects: Securing Executive Approval
Agenda
- Present State: How It Works Now
- Why Is It So?
- My Solution: In Theory
- In More Detail
- Basic Points To Remember
- Let's Go!
Slide 5: How It Works
- Infrastructure vs. Security
- Project Mgmt vs. Security Practitioner
- Mature Organization vs. Just Getting Heard
Slide 6: Present State: How It Works Now
With Any Infrastructure Project:
- A Need Is Identified
- Business Case For Addressing The Need Is Built
- Simultaneously A Search For A Solution Is Underway
- Acceptance!
Slide 7: Present State: How It Works Now (cont'd)
The Criteria For Acceptance Are Relatively Straightforward:
- It Makes Us Money
- It Makes Us Look Good
- It Keeps Us From Looking Bad (compliance)
Slide 8: Security Projects
Things Are Different with Security
- At first: Struggles with Buy-in on Need
- Resistance: Impact to Business Process
- Pushback On Cost
Slide 9: Why Is It So? It's Psychological
Why There's a Difference
- Why Are Insurance Salesmen So Unpopular?
- Reality/Perception & Profit/Risk
- Sound Bite: What Do You Want?
- Mature Companies Build Products W/ Infosec Baked In
- Catchphrase: "We Take Care Of Security"
Slide 10: What Have We Done in Response?
Standard Approach
- Fear And Loathing
- Compliance Card
- A Difficult Definition
Slide 11: What Have We Done in Response? (cont'd)
Fear is not an option, unless it is applied appropriately
Slide 12: What Have We Done in Response? (cont'd)
Compliance Card
- Compliance Is Not Security
- This Only Goes So Far
Slide 13: Why Is It So? It's Psychological (cont'd)
The Prospect Theory
- In Theory
- Business Models
- Applying To Security
Slide 14: What Have We Done in Response? Definition Of Insanity
Slide 15: So Now What? My Solution
From a High Level
- But first, where do I get off?
- Works For Me
- Immature to Mature
Slide 16: Strategy, Strategy, Strategy
- No Single Switch
- Integrated Strategy
- Focused Methodology
- Groundwork: Building A Case For Security Before You Build The Business Case
Slide 17: Don't Fight the Feeling
- Make Human Nature Your Ally
- Frame Security In Positive Light
- Use the Shaky Perceptions
- Security Brakes
- Again With The Fear
Slide 18: Not Over Playing The Fear Card
- Burglar Alarm
- 9/11: Sky IS Falling
Slide 19: How Does It Go Again? More Detail
How Does It All Come Together?
Slide 20: Initial Steps
- Be In The Room
- Secure An Ally, Create An Advocate. Even If It Means Giving Up Credit
- Plant The Seeds (Awareness, Metrics)
- Build Awareness Of Security Strategy
Slide 21: Business Drivers
Improve Security Services
- Regulatory Requirements / Work we must do: Manage Compliant-Ready Services
- Work we should do: Reach a Legally Defensible Level of Security
- Work we could do: Embed Risk-Based Decisions to Achieve Business Goals
Formalize mandatory vs. discretionary categories.
Slide 22: Communicate Top Risks
- Construct a Top-Down Story
- Evidence Driven
- Risks Placed in Action Categories: Act, Evaluate, Accept
- Impact Ranges: Calibrate Monetary & Risk Exposures across Scale
- Likelihood Ranges: Use Evidence for Occurrence
Slide 23: Prioritize by Business Value
- Risk Priority
- IT Capability
- Business Support
- Political Reality
- Cost
Document Decision and Justification for Posterity
Efficiency Gains: Save $110K
Business-Driven Investments
Slide 24: Evidence Driven: Quantify When Defensible
- Communicate Top Risks & Investments
- Prioritize by Risk, Capability, Cost, & Politics
Slide 25: Initial Steps (cont'd)
- Gain Wide Acceptance At Inception As Part Of Your Strategy
- Prove You Can Do It Before You Prove You Can Do It (Time Travel? No. Demonstrate Effectiveness)
- Carrot And Stick
Slide 26: Next: Clear the Path
More Groundwork
- Solution Looking For A Problem
- Security Solutions Can Improve Customer Experience: Value Add
- People Are STILL the Perimeter
Slide 27: Define Targets to Drive Acceptable Risk
Metrics Demonstrate Progress & Needs
Slide 28: Clear the Path (cont'd)
More to Consider
- Revenue Now, Security Later
- Don't Be The Nail
Slide 29: Don't Be The Nail
"To a hammer, everything looks like a nail."
Slide 30: Engage
- On The Surface Everything Seems Normal
- Back At the Table
- Presentation Is Key, Do Your Homework
- Be Prepared To Defend The Obvious (obvious to us)
- Know Your Audience And Speak Their Language
Slide 31: Engage (cont'd)
- Security Needs Its Own ROI
- Many Are Willing/Able To Rationalize Certain Losses
- Convince Them You Are Better Off W/ Security Solution
Slide 32: Engage (cont'd)
- Don't Forget The Rank and File
- What's The Deductible?
- Are you better off now than you were? Metrics Can Help Here Too
Slide 33: Close the Deal / Follow Up
- You Set Them Up, Now It's Time To Knock Them Down
- There Is Nothing More Expensive Than Regret
Slide 34: Close the Deal / Follow Up (cont'd)
- Security is not intuitive: continue education
- Integration, integration and integration.
- Where's the Beef?
Slide 35: So In Closing
Points To Remember
- Be In The Room.
- Don't Be the Nail
- Fear IS an Option, Sometimes
- If You Don't Write it Down... Metrics NOW!
- Security ROI is different.
Slide 36: Final Thought
"The state of mind which enables a man to do work of this kind is akin to that of the religious worshiper or the lover; the daily effort comes from no deliberate intention or program, but straight from the heart."
- Albert Einstein, Physical Society address, 1918
Slide 37
Thank You!
Questions?
[email protected]@thirddefense.com