In this Security technology workshop designed specially for senior IT and business line executives, we will show you how to navigate the “valley of death” of the complex sale of enterprise information protection and make or break the business justification with your management board. Through specific Business Threat Modeling(TM) tactical methods we will show you how to discover current data loss violations, quantify threats and valuate your risk in order to select the most cost-effective security technologies to protect your enterprise information.
Writing An Effective Security Procedure in 2 pages or less and make it stick
Selling Data Security Technology
1. Selling Data Security to the CEO
Licensed under the Creative Commons Attribution License
Danny Lieberman
dannyl@controlpolicy.com http://www.controlpolicy.com/
2. Sell high
“It's a lot easier to manage a big project than a small one”
Boaz Dotan – Founder of Amdocs (NYSE:DOX), $5.3BN Cap.
3. Agenda
• Introduction and welcome
• What is data security?
• Defining the problem
• After Enron
• Weak sales strategy
• The valley of death
• Strong sales strategy
• Execution
5. What the heck is data security?
• Security
– Ensure we can survive & add value
• Physical, information, systems, people
• Data security
– Protect data directly in all realms
6. Defining the problem
• You can't sell to a need that's never been observed(*)
– Little or no monitoring of data theft/abuse
• Perimeter protection, access control
– Firewall/IPS/AV/Content/AD
(*) Paraphrase of Lord Kelvin
7. What happened since Enron
• Threat scenario circa 1999
– Bad guys outside
– Lots of proprietary protocols
– IT decides
• Threat scenario circa 2009
– Bad guys inside
– Everything on HTTP
– Vendors decide
10. The valley of death
[Diagram: the sales cycle drawn as a timeline from Month 1 through Month 5 and Month 12 to Month 18. The left half is labelled "Logical & rational": IT requirements, compliance requirements, meet vendors, evaluate alternatives, capabilities presentation, talk to analysts. The right half is labelled "Emotional & Political": project, close. The dip between the two halves is labelled "Losing control".]
11. Why you lose control
• Issues shift
– Several vendors have technology
• Non-product differentiation
• Divided camps
– Nobody answers all requirements
• Need a political sponsor
• Loss of momentum
– No business pain
– No power sponsors
12. Strong sales strategy
• Build business pain
– Focus on biggest threat to the firm
– Rational
• Get a power sponsor
– CEO, COO, CFO, CIO
– Personal
14. Execution – building business pain
• Prove 2 hypotheses:
– Data loss is happening now.
– A cost effective solution exists that reduces risk to acceptable levels.
15. H1: Data loss is happening
• What keeps you awake at night?
• What data types and volumes of data leave the network?
• Who is sending sensitive information out of the company?
• Where is the data going?
• What network protocols have the most events?
• What are the current violations of company AUP?
16. H2: A cost effective solution exists
• Value of information assets on PCs, servers & mobile devices?
• What is the Value at Risk?
• Are security controls supporting the information behavior you want (sensitive assets stay inside, public assets flow freely, controlled assets flow quickly)?
• How much do your current security controls cost?
• How do you compare with other companies in your industry?
• How would risk change if you added, modified or dropped security controls?
17. What keeps you awake at night
• Asset has value, fixed over time or variable
– Plans to privatize, sell 50% of equity
• Threat exploits vulnerabilities & damages assets
– IT staff read emails and files of management board
– Employee leaks plans to press
– Buyer sues for breach of contract
• Vulnerability is a state of weakness mitigated by a countermeasure
– IT staff have access to mail/file servers
• Countermeasure has a cost, fixed over time or recurring
– Monitor abuse of privilege & prevent leakage of management board documents on all channels
18. Calculating Value at Risk
Value at Risk = Threat Damage to Asset × Asset Value × Threat Probability
• Metrics
– Asset value
– Threat damage to asset
– Threat probability
(*) PTA Practical threat analysis risk model
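The slide 18 formula applied to the slide 17 scenario, as an added example that is not part of the deck and not PTA Professional's own code. It sums damage × asset value × probability over each threat, then re-runs the sum with candidate countermeasures applied to answer the H2 question "how would risk change if you added a control?". The money figures, probabilities and the assumption that a countermeasure removes a fixed fraction of a threat's probability are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    damage: float       # fraction of asset value lost if the threat occurs (0..1)
    probability: float  # probability of occurrence per period (0..1)

@dataclass
class Countermeasure:
    name: str
    annual_cost: float             # fixed plus recurring cost per year
    mitigation: dict[str, float]   # threat name -> fraction of probability removed (assumed model)

def value_at_risk(asset_value: float, threats, controls=()) -> float:
    """Slide 18: sum over threats of damage x asset value x residual probability."""
    total = 0.0
    for t in threats:
        residual = t.probability
        for c in controls:  # each control independently scales the threat probability
            residual *= 1.0 - c.mitigation.get(t.name, 0.0)
        total += t.damage * asset_value * residual
    return total

def rank_controls(asset_value: float, threats, candidates):
    """Rank candidate countermeasures by VaR reduction per unit of annual cost, best first."""
    base = value_at_risk(asset_value, threats)
    scored = []
    for c in candidates:
        reduction = base - value_at_risk(asset_value, threats, [c])
        scored.append((c.name, reduction, reduction / c.annual_cost))
    return sorted(scored, key=lambda s: s[2], reverse=True)

# Constructed scenario: the privatization plans from slide 17, valued at 10M.
ASSET_VALUE = 10_000_000.0
THREATS = [Threat("it_staff_read_board_mail", damage=0.05, probability=0.30),
           Threat("employee_leaks_to_press", damage=0.20, probability=0.10),
           Threat("buyer_sues_breach", damage=0.50, probability=0.02)]
CONTROLS = [Countermeasure("monitor_privilege_abuse", 40_000,
                           {"it_staff_read_board_mail": 0.8}),
            Countermeasure("prevent_leakage_all_channels", 120_000,
                           {"employee_leaks_to_press": 0.7, "it_staff_read_board_mail": 0.5})]

if __name__ == "__main__":
    print(f"baseline VaR: {value_at_risk(ASSET_VALUE, THREATS):,.0f}")
    for name, reduction, ratio in rank_controls(ASSET_VALUE, THREATS, CONTROLS):
        print(f"{name}: cuts VaR by {reduction:,.0f} ({ratio:.2f} per unit of cost)")
    print(f"VaR with both controls: {value_at_risk(ASSET_VALUE, THREATS, CONTROLS):,.0f}")
```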
19. Coming attractions
• Sep 17: Selling data security technology
• Sep 24: Write a 2 page procedure
• Oct 1: Home(land) security
• Oct 8: SME data security
http://www.controlpolicy.com/workshops
20. Learn more
• Presentation materials and resources
http://www.controlpolicy.com/workshops/data-security-workshops/
• Software to calculate Value at Risk
PTA Professional
http://www.software.co.il/pta