Monday, March 22, 2010

Ways to Justify Security Programs: 13 Cs

My last post Forget ROI and Risk. Consider Competitive Advantage seems to be attracting some good comments. I thought it might be useful to mention a variety of ways to justify a security program.

I don't intend for readers to use all of these, or to even agree. However, you may find a handful that might have traction in your environment.

  1. Crisis. Something bad happens. Although this is the worst way to justify a program, it is often very effective.

  2. Compliance. An external force compels a security program. This is also not a great way to justify a program, because resources are often misallocated.

  3. Competitiveness. Please see my previous blog post.

  4. Comparison. If your company's security team is 10% the size of the average peer organization's, it's not going to look good when you have a breach and have to justify your decisions.

  5. Cost. It's likely that breaches are more expensive than defensive measures, but this can be difficult to capture.

  6. Customers. It seems rare to find customers abandoning a company after a breach. People still shop at TJX brands. Still, you may find traction here. Compliance is supposed to protect customers but it often is insufficient.

  7. Constituents. I use this term to apply to internal parties. Large companies often provide services to other business units.

  8. Controllership. Is your organization well-governed? Can it account for the state of its systems for auditors and so forth?

  9. Conservation. This is a play on "green IT." What has a lower carbon footprint: 1) flying consultants all over the world to handle incidents, or 2) handling them remotely by moving data, not people?

  10. Consolidation or Centralization. These themes are likely to enable specialization, more effective internal resource allocation, and improved defenses.

  11. Confidence. Confidence applies to all parties involved. Can you trust your data?

  12. Counting. This is a plug for metrics.

  13. [Securities and Exchange] Commission. This is a play on the 10-K forms shareholders receive in the mail. Please see the linked post for more details.

4 comments:

gunnar said...

wrt customers - focus on customers is bigger than just consumer credit cards (TJX). For one example, I am guessing the small businesses that Krebs has been reporting as losing 5 and 6 figures will be seeking other places to store and process their funds.

The Ubiquitous Mr. Lovegroove said...

Cover [Your Ass]: This is the only reason government and very large entities ("Too big to fail/punish") implement security. As a security consultant I've dealt with a few large (for my country) government entities and they don't care about security - protecting citizens' and corporations' data. They care if they will lose their jobs or how much screaming the governing minister will exert at them.

If I can convince that the brown-matter storm will be big enough, they might spend some on security.

Chris Blunt (Axenic) said...

Chance: Understand and manage the risk to your organisation.

itAuditSecurity said...

It's a lot easier to justify KEEPING security than justifying starting it or expanding it.

These are good points, but I've seen them fail to work other than in the KEEPING realm.

I remember one company, where after I cleaned up a breach and recommended a myriad of changes (again), the executives wiped their brow and said, "Boy, were we lucky they didn't get the credit cards."

And nothing changed.