© 1975-2018 PRICE Systems, LLC All Rights Reserved
Estimating the Cost of Cybersecurity
29 November 2018
Anthony A DeMarco, President
Richard D Mabe, Senior Solutions Architect
PRICE Systems, L.L.C.
www.pricesystems.com
Estimate With Confidence © 1975-2018 PRICE Systems, LLC All Rights Reserved
Foreword
Life cycle cybersecurity protection of IT systems is a critical issue: the Internet of Things (IoT) and the aggressive nature of cyber attacks.
Need to evaluate approaches for cybersecurity protection together with system total ownership cost (TOC) to determine affordable approaches: life cycle systems management; cloud; user-owned data center.
This briefing presents approaches to model and estimate cybersecurity costs in an IT system.
Contributors: Anthony A DeMarco, President, PRICE Systems LLC; Zachary Jasnoff, VP Professional Services, PRICE Systems LLC; Davis Cass, VP Cloud Global Security Services, IBM; Richard Mabe, Solutions Consultant, PRICE Systems LLC
Overview
• Scope and Definition of IT
• Scope and Definition of Cybersecurity
• Impact of Transitioning System Functions to the Cloud
• Cost Estimating Strategy and Approaches
Information Technology (IT) is:
• Internet of Things (IoT) Platform IT Systems
• Building Blocks (Devices, Services) Integrated into Functional Systems: Communications; Data Management; Information Mgmt; Intelligence; Control/Monitor; Radar; Navigation
• Information Systems (Data Centers; Enclaves)
Cost Considerations
• Where and how the system is hosted: Operating Platforms (Airplanes, Ships, Environmental Systems, Vehicles); Private Data Centers; Commercial Cloud
• Configuration and Complexity of System Components
• Level of Security and Vulnerability
• Life Cycle Management Requirements: Modifications; Enhancements; Upgrades; Recurring Operations
Definition
• Measures taken to protect digital devices, processors and systems against unauthorized access or attack
• Protect against information being lost, stolen or compromised
• Includes HW and SW strategies/technologies
• Protect confidentiality, integrity and accessibility of data and systems
Application
• Includes Cybersecurity functions and management within an IT System: Hardware, Software, and Services; Life cycle engineering management
• Also includes IT systems with a primary Cybersecurity function (Cybersecurity as an IT System): Defensive; Offensive; Hunter/surveillance; Vulnerability testing
Optimal Hosting of Info Systems/Data Centers is driven by Workload
[Figure: workloads arranged by cloud readiness, from "Moved to Cloud" through "May be ready for Cloud" to "Not Ready for Cloud". Workload categories shown: Applications with Sensitive Data; Applications with complex processes & transactions; Regulation Intensive Applications; Not yet virtualized applications; Highly customized applications; Big Data & Analytics; Collaboration; Development & Test Workloads; Front Office / Desktop; Compute Workloads; Business Processes (e.g. Expense Reporting); Web Applications; Information Intensive Applications; Isolated workloads (Classified); Mature workloads; Batch processing; Disaster Recovery; High Performance Computing; Social Business; Mobile; Archive; Database Workloads; e-Commerce; DevOps; Risk & Compliance; Customer Service; ERP / CRM; 3rd Party Applications; Storage Workloads; HR / Workforce]
Management's Cybersecurity Concerns with Cloud Ops:
• Are we protected?
• Can we hire the right skills?
• Can we adapt?
• Have we protected our most crucial data?
• Are we maximizing the value of our security investments?
• Are we communicating risk to our customers?
Cloud Service Delivery Models
Who manages each layer of the stack (Client = client managed; Vendor = vendor manages in cloud):

Layer            Traditional IT on premises   Infrastructure as a Service   Platform as a Service   Software as a Service
Applications     Client                       Client                        Client                  Vendor
Data             Client                       Client                        Client                  Vendor
Runtime          Client                       Client                        Vendor                  Vendor
Middleware       Client                       Client                        Vendor                  Vendor
O/S              Client                       Client                        Vendor                  Vendor
Virtualization   Client                       Vendor                        Vendor                  Vendor
Servers          Client                       Vendor                        Vendor                  Vendor
Storage          Client                       Vendor                        Vendor                  Vendor
Networking       Client                       Vendor                        Vendor                  Vendor

Additional Service Management Needed (client side) versus Provided by Cloud Provider: the split above determines which security controls, and their recurring cost, remain the client's responsibility.
Integration of Roles, Processes, Information, and Technology requires additional cloud service management.
The Solution: A Well Planned Transition
As Is System (User Data Cntr): Operate; Sustain
  Recurring Costs: Labor; Materials; Overhead; ODCs; Facilities; PM/SE
Plan for Transition: Business Case; Change Mgmt; Svc Level Agreement
  What; When; Where To; Security; Access
Transition: Software; Data; Interfaces
  Non-Recurring Costs: Modify/Refactor SW apps; Prep data for migration; Develop new middleware interfaces; Adapt to Cloud OS and Middleware Services; PM/SE
Execute Plan: SW Porting; Data Migration; User Training
  Migrate; Instantiate; Test/Verify; Parallel Ops; Changeover; Go Live
To Be System (Cloud Host): IaaS; PaaS; SaaS
  Recurring Costs: Fees; Licenses; Subscriptions, for: Infrastructure; Run Time Env; SW Services; Access; Cybersecurity; PM/SE
US Government Accountability Office (GAO) Cost Estimating Guide
GAO Cost Estimating Guide: The 12 Steps
1. Define the estimate's purpose
2. Develop the estimating plan
3. Define the program
4. Determine the estimating structure
5. Identify ground rules and assumptions
6. Obtain the data
7. Develop the point estimate [Compare to bids]
8. Conduct sensitivity analysis
9. Conduct a risk and uncertainty analysis
10. Document the estimate
11. Present estimate [and comparisons] to management
12. Update the estimate to reflect actual costs/changes
Step 1: Define the estimate's purpose
Source Selection: Determine the 80% confidence most probable life cycle cost (MPLCC) of the project to evaluate potential supplier bids and award a contract.
[Chart: Confidence Level (40 to 90) by Bidder: IT Pros, Cyber Cops, Counter IT, SecurIT]
Total Ownership Costs for MPLCC
Measures all costs over the system's life cycle:
TCO = Capital Expenses (Direct; Infrastructure) + Operational Expenses (Direct + Indirect; Services) + IT Governance/Sys Mgmt (Overhead/Admin; PM, FM, SE, Cyber Mgmt)
Step 2: Develop the estimating plan
• Use the GAO Cost Guide
• Assign two cost estimators for three weeks
• Use PRICE TruePlanning and IT models
  • Proven models in a robust user interface
  • Provides a resource loaded activity structure
  • Determines cost drivers and structure, cost driver benchmarks
• Identify subject matter experts to be interviewed
Estimating is all we do
• Data: Identification, Collection, Categorization, Normalization
• Analytics and Modeling: Distributions, Regression, Non-Parametric Methods
• Estimating: Budgetary ROMs, IGCEs, MPLCCs, Concept Studies, AOAs, MBSE Affordability Analyses, Supplier Assessments, Price-to-Win, Etc.
• Training and Mentoring: How to collect and use data; How to be better estimators; How to create credible estimates
• 24/7 Toll Free Hotline
• Estimating Software Development: Ease-of-Use, Speed, Credibility
TruePlanning® and the PRICE Models
Data visualization, statistical analyses, and proven predictive models in an easy-to-use integrated environment. Responsive reports and graphics to give you the answers you need.
Step 3: Define the program
Program summary statement of work (SOW): Protect military base network operations center from cyber attacks.
Step 4: Determine the Estimating Structure
MIL-STD-881D Appendix J; TruePlanning WBS by Phase
MIL-STD-881D APPENDIX J
IT System WBS for Cost Estimating
Overall System PBS informed by MIL-STD-881D: Development + Sustainment
• Establish the system and IT capability: Integrate COTS tools and services; Develop custom tools as needed; Connect to enterprise IT; Includes Risk Mgmt* as part of Governance
• Life cycle operations and maintenance: Custom SW modifications; COTS Licenses/Fees/Replacement; Help Desk and engineering support; Recurring compliance and Risk Mgmt* as part of Governance
*Separate Sys Eng, Test, PM and Integration objects are being tested now as new additions to the library
WBS for Cybersecurity In a System
Indenture Cybersecurity HW, SW and Services within the IT System architecture.
WBS for Cybersecurity As a System
The entire IT System Architecture is designed to provide Cybersecurity Services to a larger Network of Integrated Systems.
Cost Drivers
• Cybersecurity costs do not all carry equal weight
• Generally, cybersecurity specific HW and SW are not cost drivers for the system
• Drivers include:
  • Systems Eng Labor (Establish Controls/Risk Mgmt)
  • Initial and Recurring Cybersecurity Tests
  • Life Cycle Engineering Management:
    • Continuous monitoring and threat analysis
    • Continuous validation of requirements (confidentiality, availability and integrity)
    • High replacement rate for vulnerable SW/HW
Step 5: Identify Ground Rules and Assumptions
Step 7: Develop the point estimate and compare to bids
Step 8: Conduct sensitivity analysis
Step 9: Conduct risk and uncertainty analysis
Step 10: Document the estimate
Step 11: Present estimate [and comparisons] to management
Step 12: Update the estimate to reflect actual costs/changes
[Chart: Confidence Level (40 to 90) by Bidder: IT Pros, Cyber Cops, Counter IT, SecurIT]
Summary
• Cybersecurity presents estimators with many challenges
• Estimators need to understand the many cybersecurity components and options
• The GAO Cost Estimating Guide is a comprehensive step-by-step process to create credible estimates
• Statistical models, cost driver databases, and estimating systems exist to make the task faster and easier
PRICE Customers
Over 300 customers, including: 10 US Federal Organizations; 8 Non-US Ministries of Defense; 4 Organization-wide licenses; 10 of top 10 Global Defense Contractors
Global Partnerships, including: Key resellers in Australia, China, Germany, Italy, Korea, Japan (TBD)
About PRICE
PRICE Systems (PRICE) is a leading expert and provider of cost estimation solutions that maximizes the success rate of projects, programs and professionals. Since 1975, PRICE has provided federal agencies and commercial companies with superior estimates, process integration, powerful insights and cost models and exceptional customer support to enable confidence in estimation and the success of innovative projects and estimators worldwide.
For superior cost estimation solutions, contact us today.
Anthony A. DeMarco, President, PRICE Systems, L.L.C.
17000 Commerce Parkway - Suite A, Mt. Laurel, NJ 08054
856.608.7214 (Office); 856.261.0908 (Mobile)
www.pricesystems.com