ISSA WebConf Educating SR Bus MGT Sept 27 2011
Agenda
The Art of Selling Security to the Business
Ron Hardy - Vice President, Product Management and Marketing, NetIQ
What Senior Management Needs to Know About Your Security Business Case
James M. Anderson CISSP, CISM, CGEIT - President, Professional Assurance LLC, Pinehurst
Compliance mandates
Business objectives
Corporate risk management
Security and IT Operations
Emerging technologies
SOX
Every day CEOs must assume the role of risk-takers. This is one component that defines a good CEO. What risks should he take on behalf of the company in order to grow it? The CISO must be able to contribute to the wider risk discussion and help the company take the right risks.
- Claudia Natanson, Chief Information Security Officer, Diageo
Control
Operational Risk
Communicate the need for security investments in terms of acceptable business risk: the right balance.
Security is not the goal but a means to manage risk of business innovation.
Proactively work with the business to mitigate risk as part of new initiatives.
Security becomes part of the project investment. Avoid layering security on after the fact.
tinyurl.com/PIMwhitepaper
What Senior Management Needs to Know about Your Security Business Case
James Anderson Professional Assurance
janderson@profassure.com
Preparing the ground phase (may take months): identify company business case templates and procedures.
Complete and pitch the business case.
Follow-ups and after-action analysis.
Deals and log rolling necessary?
Business Case Process: forms, schedules, committees
NPV or IRR? Cost thresholds?
Does your proposal address risk in just one part of the business? Or across multiple parts? How does this proposal fit with other initiatives, past, present or planned?
...do you have a way to get on the senior management radar screen when warranted?
Is there a company metrics initiative you are (or will be) hooked into? How close are your metrics to the revenue-producing side of the business?
Stepping it up
Two-factor authentication to replace passwords
Internet isolation
White listing / black listing of programs on servers and desktops
Network Access Control (NAC)
Open Discussion
Kevin D. Spease, CISSP-ISSEP - Treasurer/Chief Financial Officer, ISSA International Board
Ron Hardy - Vice President, Product Management and Marketing, NetIQ
Michael Waters - Manager of Enterprise Information Security, Booz Allen Hamilton
James M. Anderson CISSP, CISM, CGEIT - President, Professional Assurance, LLC, Pinehurst
CPE Credit
Within 24 hours of the conclusion of this webcast, you will receive a link via email to a post-Web Conference quiz: http://www.surveygizmo.com/s3/649201/ISSA-WebConference-Educating-Senior-Business-Management After the successful completion of the quiz you will be given an opportunity to PRINT a certificate of attendance to use for the submission of CPE credits.
Closing Remarks
Thank you to our Sponsor