Bye-Bye Budget: Top spending mistakes that put your budget at risk
Matt Anthony, Dell SecureWorks
Today's webinar:
- Text in questions using the Ask A Question button
- All audio is streamed over your computer
- Having technical issues? Click the ? button
- Download the slide deck from the Event Home Page
- After viewing the webinar, ISACA members may earn 1 CPE credit. To earn 1 CPE, click the CPE Quiz link on the Event Home Page. Once you pass the quiz, you will receive a printable CPE certificate.
- Questions or suggestions? Email them to elearning@isaca.org
Stats:
- 100K new malware specimens per day
- 700+ federal and state security-related laws
- 8,000+ publicly disclosed vulnerabilities in 2011
- 76% of IT and security pros believe they are less secure now than a year ago
- 61% of CSOs report their budgets are flat or decreasing
- 3:1 growth in demand for security pros relative to growth in supply
How executives view security
- It costs money now
- It saves potential future costs
- It does not create revenue
- It reduces risk
What drives security funding?
- Major data breaches
- Business disruption
- Compliance
- FUD (fear, uncertainty and doubt)
- Credible security leadership
Credible? Credible to whom?
HINT: not other security professionals
What determines credibility?
- Knowing the business
- Starting with the facts
- Speaking the language
- Building relationships
- Being successful
"Consultants have credibility because they are not dumb enough to work at your company." Scott Adams, creator of Dilbert
No credibility? No funding.
"It takes many good deeds to build a good reputation, and only one bad one to lose it." Benjamin Franklin
Mistake 1: Security is reason enough!
- Failure to make the business case
- No buy-in from other leaders
- Failure to prepare others for impact
- Out on a limb all by yourself
Lessons learned
- Security leaders must engage the business
- How much time do you spend with leaders outside of IT? What are their priorities? What is your impact on their functions?
- Interview other leaders and peers
- Pre-wire major security projects
- Partnering with business leaders can fund projects beyond your budget
Mistake 2: If a tree falls in the woods...
- No one notices good security
- Security news is always bad news
- You haven't used successes to build credit
- Failure happens, but your account is empty
Lessons learned
- When you succeed, promote it:
  - Passed the audit and met partner security requirements
  - Remediated 12 high-severity vulns, including a critical website issue
  - Reduced average incident count from 12 to 3 per month, saving $250K in productivity
- A great way to build your success is to help others succeed
- Tie internal promotion into security awareness efforts
Mistake 3: Keeping up with the Joneses
- Everyone wants to be leading edge
- Difficult to get ROI from V1 tools: harder to use, less integration, more expensive
- Project fails to deliver on potential
- Not aligned with business priorities
Lessons learned
- Few have a strong business case for the latest widget
- Tap existing investments before buying new
- Biggest improvements come in V2
- Don't pay a premium for a beta product
"Only a fool uses an armored car to take one dime to the bank."
Mistake 4: Breaking the compliance stick
- Compliance is the magic budget justification
- Most spend tied to a compliance requirement
- Failure to justify beyond the checkbox
- Real risks go unchecked
Lessons learned
- Avoid spend that is driven only by compliance
- Business justification needs to be risk-based
- Compliance is part of the risk equation
"The path of least resistance is what makes rivers run crooked." Elbert Hubbard, author of A Message to Garcia
Mistake 5: Over-optimistic business case
- Big, expensive project: SIEM, Data Loss Prevention, Identity & Access Management, etc.
- Underestimated real costs
  - Lower costs = easier to justify
  - "Doable with the team we have"
- Fail to meet expectations
  - Over budget and under funded
  - Scope severely reduced
  - Project drags on and on
Lessons learned
- Don't use headcount savings to justify technology investments
- Use worst/expected/best case cost ranges
- Hiring the right people always takes longer than planned
- Evaluate build vs. buy vs. partner
- In the business case, err on the side of higher costs
Questions
About Dell SecureWorks:
- Managed Security: Managed IDS/IPS, Firewall Mgmt, Log Management, Vulnerability Mgmt, Host IPS, SIM On-Demand, Web App FW, Web App Scanning
- Threat Intelligence: Vulnerability Feed, Advisories, Threat Feed, Live Intel Briefings, Malware Analysis, Microsoft Update Analysis, Attacker Database, Emerging Threat Tips
- Security Consulting: Compliance & Certification, Penetration Testing, Vulnerability Assessment, Incident Response, Forensics, Program Development, Architecture & Integration, Residency Services