I.T. Geeks Can't Talk to Management

One Big Threat to Cyber Security: IT Geeks Can’t Talk to ManagementREKHA SHENOYVICE PRESIDENT, MARKETING & CORPORATE DEVELOPMENT

One Big Threat to Cyber Security: IT Geeks Can’t Talk to ManagementREKHA SHENOYVICE PRESIDENT, MARKETING & CORPORATE DEVELOPMENT

THE STATE OF RISK BASED SECUIRTY

MANAGEMENT: BENCHMARK SURVEY RESULTS

HOW TO CONNECT SECURITY TO THE BUSINESS

HOW TRIPWIRE CAN HELP

AGENDA

4

The State of Risk-Based Security ManagementBenchmark survey of 1,320 security professionalsUS and UKCommissioned by TripwireConducted by Ponemon Institute

5

6

Art or Science?

7

Art or Science?

The State of Risk-Based Security Management

9

Good News: 81% Say Significant Commitment to RBSM

10

Bad News: 46% Don’t Have a Consistent Strategy

11

There is Hope: Maturity is Improving

GARTNER PREDICTS THAT BY 2014, 80% OF GLOBAL 2000

ORGANIZATIONS WILL REPORT ON RISK AND SECURITY TO THEIR

BOARDS OF DIRECTORS AT LEAST ANNUALLY.

-GARTNER, INC.“BUILDING AN EFFECTIVE IT RISK AND INFORMATION

SECURITY PRESENTATION FOR YOUR BOARD OF DIRECTORS” JUNE 2012

The CISO Challenge

13

Aligning Security & Business Needs Improvement

14

Key Objectives of RBSM: IP & Compliance

“IN THIS RESTRICTIVE ECONOMIC ENVIRONMENT, CISOS HAVE AN OPPORTUNITY TO REFRAME THE RISK DISCUSSION [WITH

MISSION OWNERS] AND BUILD A STRATEGY…

…THIS MAY SEPARATE THE SUCCESSFUL SECURITY AND RISK PROFESSIONALS, WHO CAN ADAPT STRATEGICALLY TO THE CURRENT CLIMATE, FROM THE UNSUCCESSFUL ONES, WHO

STAY MIRED IN DAY-TO-DAY SECURITY FIREFIGHTING.”

-FORRESTER RESEARCH“UNDERSTANDING SECURITY AND RISK BUDGETING FOR 2013”

JANUARY 2013

The CISO Opportunity

16

64% Respondents Don’t Communicate Security Risks

17

Do We Communicate Effectively?

Reasons Why Metrics Are Not Understood:Information too technicalMore pressing issuesOnly communicate when incident happensTakes too much time

18

The CISO needs what the CFO has….

Financial Reporting• Objective facts• Consistent definitions• Trending• Performance against goals• Performance against peers• Clear communication to

diverse audiences interally and externally

A way to describe a company’s security performance just like the CFO describes financial performance

Earnings Per Share

Revenues

Gross Margins

EBITD

A

Operating Income

Net Income

Current Assets

Accounts Receivable

Cash Flow

Current Liabilities

19

Business Metrics and Analytics

What makes a good business metric? Objective and consistently measured Preferably automated (cheapest way to gather) Typically expressed as a number or percentage Has business context Actionable

What makes a good business metric?

How to Connect Security to the Business

21

Business

Management

Users

Concerns

Systems, tests, incidents, breaches

Goals

Prioritize my work, Keep my job

21

IT SECURITY & COMPLIANCE AUTOMATION




26

Business

Management

Users Prioritize my work, Keep my job

Trends, oversight, budget, security risk Communicate value up, Manage across


Concerns Goals

U.S. CONSUMER

71+7%

ORG RANK: 17/25

TARGET

85MEDIAN

76

HIGHEST SCORE

FULFILLMENT, EMEA

88

LOWEST SCORE61U.S. COMMERCIAL

WEEKLY SECURITY REPORT CARD U.S. CONSUMER DIVISION

Organizational Benchmark: 75

SECURITY POLICY STATE BY LINE OF BUSINESS

SYSTEM HARDENING REPORT, BY DIVISIONCIS Benchmark

GEOGRAPHY OWNER

APPLICATIONSERVICE

CURRENT SECURITY BREAKDOWNCONSUMER DIVISION


AGGREGATE SECURITY SCORING

32

Business

Management

Users Prioritize my work, Keep my job

Trends, oversight, budget Communicate value up, Manage down

Revenue, customers, costs, reputation Know the business is safe


Concerns Goals

33


Continuously measure security & risk posture

Manage with leading indicators

Deliver confidence with robust, flexible reporting

Run Your Business Your Way

By Platform By RiskBy Region

Visualize Security & Communicate Risks

CONNECT DYNAMICALLY CONNECT SECURITY TO YOUR BUSINESS

34

Clearly Show Trends & Progress

FulfillmentFinancial Reporting

E-Commerce

35

Summary

• Start with the business initiative and goals• Identify infrastructure critical to the business

initiative• Apply foundational controls and monitor

continuously• Link security metrics to business goals• Leverage the metrics to influence the organization• Communicate effectively

Connecting Security to the Business

How Tripwire Can Help

37

$150M+Annualsales

400+employees

$Profitable

7000+customers

in 96 countries

Remain small enough to be nimble, innovative; Large enough to be the long-term leader in the SVM market

38

The leading provider of risk-based security and compliance management solutions, enabling enterprises

to effectively connect security to their business

• Broadest set of foundational security controls

• Business context with blended asset and risk scoring

• Security business intelligence with performance reporting and visualization to make better decisions

• Covering the extended enterprise

TRIPWIRECONFIDENCE: SECURED

39

Tripwire’s Vision

Make Connecting Security to the Business a reality

Deliver the SANS CSC “First Four”

Cover the extended enterprise

CONNECT

PROTECT

DETECT

Make security efforts visible,

measurable & actionable

Dynamically protect systems your organization depends upon

Detect leading indicators of breach activity across the dynamic enterprise

40

Tripwire Delivers Foundational Security Controls

Deep FIM

SecurityConfiguration Management

Vulnerability Management& Log Management

Agent-based

Agentless

Asset Discovery & Reconciliation

De

pth

of

Co

ntr

ol

HighLow Number of Devices

CRITICAL DATA

Risk & Business Criticality

BUSINESS PARTNERS

Servers Applications BYODDatabases DesktopsFirewalls Net Devices Printer Wireless

41

Tripwire’s Risk-based Security Management

SecurityConfiguration Management

Vulnerability Management& Log Management

Agent-based

Agentless

Asset Discovery& Reconciliation

CRITICAL DATA

Risk & Business Criticality

BUSINESS PARTNERS

De

pth

of

Co

ntr

ol

Servers Applications BYODDatabases DesktopsFirewalls Net Devices Printer Wireless

Low Number of Devices

THE TRIPWIRE DIFFERENCE

Deep FIM

Run Things Your Way

By Platform By RiskBy Region

Clearly Show Trends & Progress

E-Commerce

Compare to Peers

High

Inventory Hardware1 Inventory Software2

Secure Configurations for Network Devices

10

SANS 20 CSCDELIVERING THE ‘FIRST FOUR’

42

Secure Configurations for Servers & Endpoints

3

Application Security6

Boundary Defense13 Maintain & Monitor Audit Logs14

Vulnerability Assessment4

5: Malware Protection7: Wireless Device Control11: Limit & Control Net Ports

Additional Support

12: Control Admin Privileges15: ‘Need to Know’ Access16: Account Monitoring & Control

43

Tripwire Product Portfolio

SCM Solution

Agentless

Agent

FIM Solution

Agentless

Agent

Log Solution

Agentless

Agent

VM Solution

Cloud-based

On-Premise

Reporting & Visualization

Analytics Connect Security To the Business

Enable Aligned & Risk-based Security

Provide Flexible & Scalable Deployment Options

Deliver Foundational Security Controls

44

Tripwire Product Portfolio

SCM Solution

Configuration Compliance

Manager

(CCM)

Tripwire Enterprise

FIM Solution

File Integrity Monitor

Tripwire IntegrityManager

Log Solution

Log Center

LogCenter

VM Solution

PureCloud

IP360

VIA Data Mart | Suite360 Intelligence Hub Benchmark

Connect Security To the Business

Enable Aligned & Risk-based Security

Provide Flexible & Scalable Deployment Options

Deliver Foundational Security Controls

tripwire.com | @TripwireInc

THANK YOU!

Technology

I.T. Geeks Can't Talk to Management