IT Security As A Service
2 likes1,061 views
The document discusses trends in security services, specifically focusing on Security as a Service (SECaaS) and the challenges faced by IT audits in a rapidly changing environment. It emphasizes the need for a shift in the fundamental value proposition of IT audits, advocating for a more flexible and customer-focused approach. Key recommendations include enhancing communication, customizing deliverables, and ensuring metrics and transparency to improve security service adoption.
IT Security As A Service
- 1. Copyright ©2011Savid Security As A Service The Future of Security Services Michael A. Davis Chief Executive Officer Savid Technologies, Inc. http://www.savidtech.com
- 2. Agenda • Trends that you must get in front of • What is SecaaS? • Why do we need this methodology? • How do I use it? • War Stories • Ask Questions
- 3. Who am I? • Michael A. Davis – CEO of Savid Technologies • IT Security Consulting • Risk Assessments/Auditing • Security Remediation – Speaker at Major Security Conferences • Defcon, CanSecWest, Toorcon, Hack In The Box – Open Source Software Developer • Snort • Nmap • Dsniff
- 4. Author
- 6. Where we got our data » March 2012 And November 2011 Survey » Over 1,100 Security Professionals » Follow-up Interviews With Fortune 1000 CSO/CISOs » Wide Variety Of Industries – Financial – Healthcare – Business Services
- 7. What is everyone concerned with? Source: Savid/Information Week Data Survey, 2011
- 8. They are paying attention
- 9. Complexity is everywhere Application integration OS Database Collaboration Business intelligence/ Analytical applications Application development tools Hardware platform Applications Services Computer Network Storage FS Applications Security IDS Content Filtering Management AV/Spyware Anti-Spam Identity Management Regulatory Compliance Firewalls Vulnerability Assessment Monitoring Network & Systems Management Management Vendors Dynamic Provisioning Storage Source: CA, 2009
- 10. Complex IT Projects Fail - A lot Out Of 200 Multi-nationals: • 67% Failed To Terminate Unsuccessful Projects • 61% Reported Major Conflicts • 34% Of Projects Were Not Aligned With Strategy • 32% Performed Redundant Work 1 In 6 Projects Had A Cost Overrun Of 200%! Source: 2011 Harvard Business Review – Berlin Univ Technical survey
- 11. The Problem • Too many areas to audit • Security can’t keep up either • Velocity of change is high • Audit or Security isn’t involved in the critical projects How do we handle a high velocity of change while providing a high level of assurance that controls are being implemented?
- 12. The Future of IT Audit © PWC IA Audit 2012 Report
- 13. We All Do Them Source: 2011 InformationWeek Analytics Strategic Security Survey 0% 10% 20% 30% 40% 50% 60% 70% 80% Yes No Don't Know % that perform Risk Assessments 2012 2011
- 14. The Reality Source: 2011 InformationWeek Analytics Strategic Security Survey Very 30% Somewhat 67% Not At All 3% Risk Assessment Effectiveness
- 16. What This Means To Security Amazon EC2 - IaaS The lower down the stack the Cloud provider stops, the more security you are tactically responsible for assessing and implementing yourself. Salesforce - SaaS Google AppEngine - PaaS RFP/Contract It In RFP/Contract It In Build It InBuild It In
- 17. Future of Audit and Security Adequacy = Compliance Effectiveness = Consultancy
- 18. Audit As a Service • Be Relevant Not Redundant • Partner with other risk functions in company • Focus on start-up/future activities • Be flexible, don’t limit to the annual plan • Our recommendation is to stop trying to make everyone a security expert and instead • Focus on educating people so they know when to ask for expertise To be successful IT Audit’s fundamental VALUE proposition MUST SHIFT
- 20. The Services Menu • Risk Assessments – NOT CONTROL ASSESSMENTS • Guidance without risk levels – Areas of concern, “pre-audit” • Cloud Vendor Selection Analysis • Education • Advisory Services • Metric/KRI Development
- 21. Why This Works • Providing real value – Audit is asked to be involved • Communication increases helping develop your team talent • Customers understand what services are available • Audit understands which services are being requested and which are not as popular. This allows for growth planning. • Customers understand how service consumption affects their budgets. • Increased accountability • Closer to continuous monitoring/auditing!
- 22. How To Implement • Approach each as an customer engagement – Why are we performing this engagement? – What value can we provide back? – Can we provide value to another group? • Surveys/NetPromoter – “On a scale of one to 10, how likely is it that you would recommend us to a colleague?” – Promoters = 9 to 10. Passive = 7 to 8, satisfied but enthusiastic about service Detractors = 0 to 6, unhappy with the service and will damage teams reputation through word of month.
- 23. How To Implement • Customize your deliverables! – Not everything needs to be a finding/risk ranking – What is valuable to the project? • What other value can we derive from our process? – Interviews – Data Collection • Augment Security As a Service too!
- 24. Getting buy-in • Metrics and Transparency are essential • We want to provide consistency • Reduce one-off high likelihood risks. • Work with PMO, if you have one. • Track adoption rates • Provide incentives to adopt services
- 25. Security Services Menu • Ensure Controls map to technologies being deployed • Traditionally you see items such as: • Content security, Antivirus/Anti-malware, Spam filtering • Email encryption, DLP for outbound email, Web mail, Anti-phishing
- 26. A Better Security Menu • Focus on Services! Not Technologies! • Internal and / or external penetration test, Application penetration test • Host and guest assessments, Firewall / IPS (security components of the infrastructure) • Virtual infrastructure assessment • THEN provide technology options
- 28. A Case Study
- 29. The Formula Of Successful Risk Management PBL = λ1 x p1 + λ2 x p2 + λ3 x p3
- 30. Hazard vs. Speculative Risk
- 31. Linking to Business Goals Copyright Carnegie Mellon SETI MOSAIC Whitepaper
- 32. Outcome Management Copyright Carnegie Mellon SETI MOSAIC Whitepaper
- 33. Conclusion Contact Information Michael A. Davis [email protected] 708-532-2843 Twitter: @mdavisceo