Bye-Bye Budget:
Top spending mistakes that put your budget at risk
Matt Anthony
Today’s webinar:
• Text in questions using the Ask A Question button
• All audio is streamed over your computer
– Having technical issues? Click the ? Button
• Download the slide deck from the Event Home Page
• After viewing the webinar, ISACA Members may earn 1 CPE credit.
– To earn 1 CPE, click the CPE Quiz link on the Event Home Page. Once you pass the quiz, you will receive a printable CPE Certificate.
Stats:
• 100K new malware specimens per day
• 700+ federal and state security-related laws
• 8,000+ publicly disclosed vulnerabilities in 2011
• 76% of IT and security pros believe they are less secure now than a year ago
• 61% of CSOs report their budgets are flat or decreasing
How executives view security
• It costs money now
• It saves potential future costs
• It does not create revenue
What drives security funding?
• Major data breaches
• Business disruption
• Compliance
• F.U.D.
Credible?
• Credible to who?
– HINT: not other security professionals…
• What determines credibility?
– Knowing the business
– Starting with the facts
– Speaking the language
– Building relationships
– Being successful
“Consultants have credibility because they are not dumb enough to work at your company.”
No credibility? No funding.
“It takes many good deeds to build a good reputation, and only one bad one to lose it.”
Mistake 1: Security is reason enough!
• Failure to make the business case
• No buy-in from other leaders
• Failure to prepare others for impact
Lessons learned
• Security leaders must engage the business
– How much time do you spend with leaders outside of IT?
– What are their priorities?
– What is your impact to their functions?
• Interview other leaders and peers
• “Pre-wire” major security projects
• Partnering with business leaders can fund projects beyond your budget
Mistake 2: If a tree falls in the woods
• No one notices good security
• Security news is always bad news
• You haven’t used successes to build credit
• Failure happens, but your account is empty
Lessons learned
• When you succeed, promote it
– Passed the audit and met partner security requirements
– Remediated 12 high severity vulns, including a critical website issue
– Reduced average incident count from 12 to 3 per month, saving $250K in productivity
• A great way to build your success is to help others succeed
Mistake 3: Keeping up with the Joneses
• Everyone wants to be leading edge
• Difficult to get ROI from V1 tools
– Harder to use
– Less integration
– More expensive
• Project fails to deliver on potential
Lessons learned
• Few have a strong business case for the latest widget
• Tap existing investments before buying new
• Biggest improvements come in V2
• Don’t pay a premium for a “beta” product
“Only a fool uses an armored car to take one dime to the bank.”
Mistake 4: Breaking the compliance stick
• Compliance is the “magic” budget justification
• Most spend tied to a compliance requirement
• Failure to justify beyond the checkbox
Lessons learned
• Avoid spend that is driven only by compliance
• Business justification needs to be risk-based
• Compliance is part of the risk equation
“The path of least resistance is what makes rivers run crooked.”
– Elbert Hubbard, author of A Message to Garcia
Mistake 5: Over-optimistic business case
• Big, expensive project
– SIEM, Data Loss Prevention, Identity & Access Management, etc.
• Underestimated real costs
– Lower costs = easier to justify
– “Doable with the team we have”
• Fail to meet expectations
– Over budget and under funded
– Scope severely reduced
Lessons learned
• Don’t use headcount savings to justify technology investments
• Use worst/expected/best case cost ranges
• Hiring the right people always takes longer than planned
• Evaluate build vs. buy vs. partner
About Dell SecureWorks:
• Managed Security
– Managed IDS/IPS
– Firewall Mgmt
– Log Management
– Vulnerability Mgmt
– Host IPS
– SIM On-Demand
– Web App FW
– Web App Scanning
• Threat Intelligence
– Vulnerability Feed
– Advisories
– Threat Feed
– Live Intel Briefings
– Malware Analysis
– Microsoft Update Analysis
– Attacker Database
– Emerging Threat Tips
• Security Consulting
– Compliance & Certification
– Penetration Testing
– Vulnerability Assessment
– Incident Response
– Forensics
– Program Development
– Architecture & Integration