Maximizing Security Training ROI


Kartik Trivedi, Symosis

Who am I?

• VP / Co-Founder of Symosis, 10+ years in information security consulting & training (USC, Foundstone, McAfee, Accuvant, C-Level Security, etc.)

• Invited speaker, author and educator

• MBA, MS Comp Sc, CISM, CISA, CISSP

2Symosis Confidential

Table of Content

• Business case for security
• Emerging threats
• How to build an effective training program?
• Case Studies


The Business Case for Security

Proper security enables a company to meet its business objectives by providing a safe and secure environment.


Impact of Security Breach

• Loss of revenue
• Damage to reputation
• Loss or compromise of data
• Damage to investor confidence
• Legal consequences
• Interruption of business processes
• Damage to customer confidence


Dollar Amount Of Loss

* CSI 2006

Cost of Security Breach

* Aberdeen Group, August 2010

The cost of security is not trivial; however, it is a fraction of the cost of mitigating security compromises.

Security Breach Example Costs

Cost of recent customer records breaches:
• $6.5 Million: DSW Warehouse costs from data theft
• $5.7 Million: BJ’s Wholesale Club costs from data breach

Additional impact/cost due to lost customers:
• 20% of customers have ended a relationship with a company after being notified of a breach (Ponemon Institute)
• 58% said the breach decreased their sense of trust and confidence in the organization reporting the incident


Table of Content

• Business case for security
• Emerging threats
• How to build an effective training program?
• Case Studies


Emerging Threats

Rapidly Escalating Threat to Businesses

(Chart: target and scope of damage, rising from an individual computer through individual, multiple and regional networks up to global infrastructure impact, plotted against the time each generation of threat needs to spread.)

• First Gen (1980s): boot viruses; spread in weeks
• Second Gen (1990s): macro viruses, denial of service; spread in days
• Third Gen (today): distributed denial of service, application threats, malware; spread in minutes
• Next Gen (future): flash threats, massive “bot”-driven DDoS, damaging payload worms; spread in seconds

Emerging Threats Drivers

Threats are becoming increasingly difficult to detect and mitigate.

(Chart: threat severity rising over time, 1990 to 2005 and beyond.)

• Testing the waters: basic intrusions and viruses
• Fame: viruses and malware
• Financial: theft & damage
• What’s next?


Emerging Attack Methods

* SANS 2010

Emerging Application Weaknesses

* SANS 2010

Table of Content

• Business case for security
• Evolving threats
• How to build an effective training program?
• Case Studies


Why Security Training – Security Guy view

• Build in-depth knowledge to design, implement, or operate security programs

• Develop skills so users can perform their jobs while using IT systems more securely

• Increase security awareness


Why Security Training – CEO view

• Demonstrating care & due diligence can help indemnify the institution against lawsuits

• Dissemination & enforcement of policy become easier when training & awareness programs are in place

• Reduce accidental security breaches


Step 1: Define Objectives

• Compliance, regulations and governance
• Client & partner requirements
• Increase the general level of security awareness
• Design, develop and maintain secure IT infrastructure and applications


How is Information Security (Training) Justified in Corporations Today?

* PwC security survey 2010

Payment Card Industry (PCI)

PCI DSS mandates a security awareness program that meets these requirements:
• 12.6.1: Educate employees upon hire and at least annually
• 12.6.2: Require employees to annually acknowledge in writing that they have read and understood the company's security policy and procedures


Health Insurance Portability and Accountability Act (HIPAA)

• Mandated annual privacy and security training for management, agents & contractors

• Security “Marketing” Efforts

• Annual System-specific training


Gramm–Leach–Bliley Act (GLBA)

• Mandates IT security awareness training for all employees of financial service providers (FSPs), including:
– insurance agencies, tax preparers, finance companies, collections agencies
– leasing agencies, travel agencies and financial advisors


Federal Information Security Management Act (FISMA)

• FISMA requires federal agencies to develop, document, and implement a security training program that educates personnel, including contractors and other users, about their responsibilities in maintaining information security, complying with organizational policies and procedures, and reducing the risks associated with their activities


ISO 27002

• ISO 27002 recommends designing and implementing an adequate level of security education and training for your organization’s employees, contractors and third-party users


Table of Content

• Business case for security
• Evolving threats
• How to build an effective training program?
– Step 1: Define Objectives
– Step 2: Assess Needs
– Step 3: Key Success Factors
– Step 4: Metrics

• Case Studies


Step 2: Assess Needs

• Identify training administrator

• Primary responsibility lies with the Chief Information Security Officer, top management and the security team


Assess Needs

Using the wrong training methods can:
• Hinder transfer of knowledge
• Lead to unnecessary expense and frustrated, poorly trained employees


Assess Needs

• Who needs to be trained and on what?
– All stakeholders: security awareness training, compliance
– Program managers: security principles & design
– Developers: threats, coding mistakes, secure software development
– Testers / QA: security test cases


Table of Content

• Business case for security
• Evolving threats
• How to build an effective training program?
– Step 1: Define Objectives
– Step 2: Assess Needs
– Step 3: Key Success Factors
– Step 4: Metrics

• Case Studies


Step 3: Key Success Factors

• Build in-house
• Buy ready made
• Classroom training
• Web based training
• Generic vs. customized
• Hosting


Build in-house

• Business needs are unique
• Internal capability, time, resources
• Proprietary information or data needs to be protected
• Complexity of interface with the company's LMS


Buy ready made

• Reduce and control operating costs

• Free internal resources

• Gain access to external expertise

• Share risks


Classroom Training

• Time set aside dedicated to learning
• Costs include course fees, travel, accommodation and opportunity costs
• Face to face access to a trainer
• Network with other students


Web Based Training

• Individuals can study at their own time and pace

• Cost effective
• Easily customizable
• Easier to measure student progress and justify costs


Generic vs. Customized

• Generic training is cost effective and focuses on core security issues like the OWASP Top 10, etc.

• Customization provides training that matches specific needs for content, completion requirements, quiz, policies, and even employee responsibility acknowledgment.


Hosting

• Internal hosting provides greater control but could be resource and cost intensive

• A SaaS service is often turnkey but may limit scalability and usage


Table of Content

• Business case for security
• Evolving threats
• How to build an effective training program?
– Define Objectives
– Assess Needs
– Key Success Factors
• Build vs. Buy
• Classroom vs. Web Based
• Generic vs. Customized
• Hosting
– Metrics
• Case Studies


Step 4: Metrics

• Quiz and survey results
• Content
• People


Metrics - Quiz and survey results

• Score Results: How did people score?
• Answer Breakdown: How did people answer?
• Attempt Detail: How did a user answer?


Metrics - Content

• Activity: What was the activity for a content item?
• Traffic: How often was an item viewed?
• Progress: How many slides did people view?
• Popular Content: Which content was viewed the most?


Metrics - People

• Group Activity: What content did a group view?
• User Activity: What content did a user view?
• Active Groups: Who were my most active groups?
• Active Users: Who were my most active users?


Table of Content

• Business case for security
• Evolving threats
• How to build an effective training program?
• Case Studies


Case Study 1 - Project management and custom software company

• Challenge:
– Ensure secure coding elements have been taught
– Teach prevention of the top 10 threats and mitigation techniques
– Meet a time-sensitive requirement under a DoD contract


Case Study 1 - Project management and custom software company

• Solution:

– Implement best practices software security training for Java

– Provide access to training on demand from a SaaS model


Framework
– Define Objectives
– Assess Needs
– Key Success Factors
• Build vs. Buy
• Classroom vs. Web Based
• Generic vs. Customized
• Hosting
– Metrics

Case Study 2: Large financial & Tax Software Company

• Challenge:
– Improve software quality by eliminating common mistakes

– Provide foundation for everyone to ‘own’ security


Case Study 2: Large financial & Tax Software Company

• Solution:
– Create a custom course based on previously identified risks and mitigations

– Integrate security cases into QA lifecycle

– Measure year-over-year declines in security-related CRs (change requests)



Case Study 3: Large Fitness Center Chain

• Challenge:
– Meet PCI compliance by integrating secure coding practices

– Short timeline, small budget, looking for turnkey solution


Case Study 3: Large Fitness Center Chain

• Solution:
– Implement Java/.NET secure coding practices
– Address PCI cardholder data requirements within application development



Thanks for listening…

Questions?

To try or evaluate Symosis security training for FREE, please email me at kartik@symosis.com


Symosis Training Offerings

• Introductory Tracks
– Security Awareness Training
– Introduction to Application Security (covering OWASP, WASC and MS SDL)

• Advanced Tracks
– Security Training for Managers / Architects
– Security Training for Developers – .NET
– Security Training for Developers – Java / J2EE
– Security Training for Developers – C/C++
– Security Training for Developers – Flash / Flex
– Security QA / Testing for Applications

• Regulations & Compliance
– PCI DSS Awareness Training
– PCI DSS Training for Developers
– Security Training for HIPAA
