RCL & Associates The Economic Return of Security Bob Lonadier, CISSP RCL & Associates.
2 Agenda
The sad state of security spending
The underlying problem
Why the current economic models are inadequate
What to do about it
Q&A

3 The Sad State of Security Spending
Companies spend a lot on security, but they aren’t more secure.
–Spending increases (both absolute and relative to IT spending) don’t result in more security
–Most incremental spending goes toward dealing with the complexity created by the previous security investment
Insecurity abounds

4 The Security Return Problem
[Chart: cost plotted against 1/security, with the security axis labelled from relative insecurity through relative security to absolute security (not possible). Labelled factors: increased connectivity, open systems, hackers, insiders; advances in security technology, policy creation and enforcement, training and education.]

5 The Underlying Problem
Why justifying security is difficult
The management view
The view from the trenches

6 Attempts at Justifying Security Investment
The ROI model
The risk management model
Other models

7 ROI: Necessary but Insufficient?
According to Hurwitz Group’s e-Mentor PRO Study 2000:
–77% of enterprises use ROI to evaluate e-Business solution purchases
–The largest companies use ROI the most – 94% of companies with annual revenues of $10 billion or more
According to a 1999 survey by Cambridge Information Network of over 1,400 CIOs and senior IT executives: “ROI analysis is typically a political prerequisite to get an IT investment approved.”
However, this same study found that while 91% of respondents consider cost savings as key results from ROI, 65% consider revenue creation an important factor.

8 The Shortcomings of ROI
The self-serving aspects
The measurement problem
The challenge in reducing cost without increasing risk

9 The Risk Management Model
Average loss expectancy (ALE) = impact of event × frequency of occurrence
Invest in security where incremental cost < incremental reduction in ALE
Outsource (insure) where incremental cost > incremental reduction in ALE

10 The Four Risk Actions
Accept it
Ignore it (accept it)
Assign it to someone else (insure against or outsource it)
Mitigate it (reduce it)
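The ALE rule of slide 9 and the risk actions of slide 10, carried through in code. This is an added example, not material from the talk: the threats, control costs and premiums are constructed figures, and the treatment of insurance (a policy is assumed to cover the full expected loss, so its value is ALE minus premium) is an assumption, not something the slides state.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    impact: float     # expected loss per occurrence, in dollars
    frequency: float  # expected occurrences per year

    def ale(self) -> float:
        """Annual loss expectancy = impact of event x frequency of occurrence."""
        return self.impact * self.frequency

@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float         # incremental cost of running the control per year
    residual_impact: float     # loss per occurrence with the control in place
    residual_frequency: float  # occurrences per year with the control in place

def ale_reduction(threat: Threat, control: Control) -> float:
    """Incremental reduction in ALE obtained by applying the control."""
    return threat.ale() - control.residual_impact * control.residual_frequency

def choose_action(threat: Threat, controls: list, premium=None) -> tuple:
    """Mitigate with the control whose ALE reduction most exceeds its cost; if none
    pays for itself, assign (insure) when the premium is below the expected loss;
    otherwise accept. Assumption: the policy covers the full ALE (value = ALE - premium)."""
    best, best_net = None, 0.0
    for c in controls:
        net = ale_reduction(threat, c) - c.annual_cost
        if net > best_net:  # incremental cost < incremental reduction in ALE
            best, best_net = c, net
    if best is not None:
        return ("mitigate", best.name, best_net)
    if premium is not None and premium < threat.ale():
        return ("assign", "insurance", threat.ale() - premium)
    return ("accept", None, 0.0)

def sample_assessment() -> dict:
    """Constructed sample figures (not from the talk) for three threats."""
    cases = [  # (threat, candidate controls, annual insurance premium)
        (Threat("ransomware", 500_000, 0.2), [Control("offline backups", 30_000, 100_000, 0.2),
                                              Control("endpoint detection", 90_000, 500_000, 0.05)], 40_000),
        (Threat("laptop theft", 20_000, 0.5), [Control("full-disk encryption", 15_000, 2_000, 0.5)], 6_000),
        (Threat("web defacement", 4_000, 0.25), [Control("web application firewall", 8_000, 4_000, 0.05)], 1_500),
    ]
    return {t.name: choose_action(t, ctrls, prem) for t, ctrls, prem in cases}
```

In the constructed data the backups control pays for itself against ransomware, no control beats insurance for laptop theft, and the defacement risk is cheaper to accept than to insure or mitigate.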

11 The Challenges of the Risk Management Model
Qualifying risk
–Information security risk vs. business risk
Quantifying risk
–Measuring risk well (and over time)
Reducing risk
–Risk management in an era of uncertainty
Diversifying risk
–The insurance model: why it falls short

12 An Uptime Approach to Security
[Chart: availability plotted against 1/security, with the security axis labelled from relative insecurity through relative security to absolute security (not possible); regions labelled “security returns increased availability”, “security returns decreased availability” and “security returns optimal availability”.]

13 Why the Current Approaches Are Inadequate
They cannot answer: how much security spending do I need?
They cannot manage or diversify risk efficiently
–Security outsourcing vs. hacker insurance
They cannot answer: when am I secure (enough)?

14 The Security Treadmill

15 A New Approach Towards the Economic Return on Security
Security as a process, not an outcome
–Business processes vs. IT processes
–Re-developing security awareness
Security as a teaching tool
–Security and the learning organization
–Security awareness as a barometer for corporate health

16 Is Security Free?
Security can be a by-product of business process improvement (BPI)
But nobody really knows how to make the connection
So it is really difficult to think about it in those terms (given the status quo)

17 Next Steps
Break the (in)security-return cycle
–Don’t look for return where there is none
Restore security as a process
–Map it to the business needs of the firm
–Evaluate it from the perspective of total quality management (TQM)

18 How?
Vendor track
–Reject conventional security ROI
–Demonstrate value add to the process
Management track
–Educate, educate, educate
–Use security awareness (or lack thereof) as a proxy for corporate dysfunction

19 Questions?