
Dr. J. Greg Hanson, Executive Vice President, Criterion Systems, Inc. December 10th, 2008






Presentation Transcript


  1. Dr. J. Greg Hanson presents Return on Security Investment Analysis (ROSI)
  An IMF Executive Security Council Web Forum
  Dr. J. Greg Hanson, Executive Vice President, Criterion Systems, Inc.
  December 10th, 2008

  2. Overview
  • Protecting Information at the United States Senate: A Challenging Operating Environment
  • Threats and Challenges
  • An Approach for Evaluating Return on Security Investment (ROSI)
  • Discussion
  J. Greg Hanson, Executive Vice President Defense & Homeland Security, Criterion Systems Inc. 2008

  3. A Challenging Operating Environment
  [Diagram: The Senate's Decentralized, Non-Hierarchical Structure. Labels: No common vision; Constituents (control who sits in a given seat at a given point in time; do not determine the existence of the institution); Competition; Multiple Visions, Missions, Strategies; Senator 1, Senator 2, Committee 1 … Senator 100; Direction & Guidance; Requirements; Common Information Infrastructure; Chief Information Officer.]

  4. Lots of "Moving Parts"
  • 100 Senators
  • 24 Committees
  • Officers & Leadership Organizations
  • Sergeant at Arms
  • Secretary of the Senate
  • 14 Others

  5. The Business of the Senate
  • Common Functions:
    • Constituent Service
    • Legislative Functions
  • Common High-level Requirements:
    • Informed
    • Secure
    • Internal Communication
    • External Communication
    • Staff & Office Operations
    • Information Processing

  6. The Senate's CIO Organization
  • ~250 Government FTEs
  • ~250 Support Contractors
  • ~10,000 Customers
  • ~450 Disparate Connected LANs
  • ~435 State Offices Connected Via WAN
  • National Help Desk Operations
  • Telephone Central Office
  • Capitol Exchange
  • Software Development House
  • Program Management Office
  • Test & Assessment Labs
  • Multiple Computing Centers
  • Network Ops. Ctr.
  • Security Ops. Ctr.
  • Cyber Security Branch
  • Emergency Communications
  • COOP

  7. Challenge: Building an Enterprise Anything
  "My anger goes back to what I have said before… the Senate is not an enterprise and no amount of wishing will make it so. … We are not business units…. We are not a team… As much as we might get along personally, ½ of us are working to get the other ½ thrown out of their jobs. I see the CIO as a kind of contractor to the offices. We are – each office – independent from one another, and the CIO should be there to support US, not the other way around. We are not one big company – we are like 100 little companies who have one ISP."
  A Senator's System Administrator, in response to a message with directions from the CIO to eradicate the Welchia computer worm – 20 August 2003

  8. Challenge: Security
  How do you protect a high-viz target?

  9. Challenge: Security
  • The Senate Belongs to the Public
  • The Senate is a Target
  • COOP and COG – Preparing for What?
  • Data Custody and Control Implications
  [News clipping] August 31, 2004 – Hackers Hijack Federal Computers, by Jon Swartz, USA Today. PITTSBURGH – Hundreds of powerful computers at the Defense Department and U.S. Senate were hijacked by hackers who used them to send spam e-mail, federal authorities say.

  10. The Challenge: Security
  A Layered Defense-In-Depth Approach (diagram layers, outermost to innermost as labelled):
  • Cisco VPN / RSA SecurID
  • SSL VPN
  • Intrusion Detection Systems
  • Enterprise Firewall
  • SPAM Filtering
  • Senate Office Router ACL
  • Personal Firewall
  • Managed Antivirus
  • Managed OS Critical Security Updates
  • Screen Password Protection
  • Strong Username and Password

  11. Challenge: Privacy & Confidentiality – Whose Data is it, Anyway?
  • Information Custody, Control & Impact on IT Programs
  • Tradeoffs:
    • Security vs. Privacy
    • Emergency Planning vs. Privacy

  12. The Challenge: Privacy & Confidentiality – Whose Networks are they, Anyway?
  • > 400 Disparate Networks
  • Patch Management Challenges
  • Security Policies & Practices
  • Fighting Cyber Threats Inside and Out

  13. Challenge: Security – What's on the Radar?
  • State-sponsored cyber terrorism
  • Privacy and personal information
  • Malware, Spam, & Adware
  • Internal Threats/Education
  • Emergency communications
  • Data Manipulation/Extraction
  • Innovative ways to leverage SOCs to provide value to our customers
  Callout: Senate SOC saw RinBot 8 days before US-CERT sent a bulletin!

  14. Challenge: Security & Special Events
  • Elections & Transitions
  • Conventions
  • Inaugurations
  • State Funerals

  15. Challenge: Security & The Unexpected
  • Impact of July 2004 Intel Committee 9/11 Report on Network Traffic
  • Pandemic Planning Report Released
  • August 2005: Hurricane Katrina Wiped out 11 State Offices

  16. Challenge: Security & Supporting a Mobile/Enabled User Base
  [Chart: Senate Trends in Mobility (2002–2006). Series: BlackBerrys, RSA SecurID, Laptops, Web VPN, Passfaces, VTC. X-axis: 2002, 2003, 2004, 2005, 2006. Y-axis ticks: 250, 500, 1000, 2000, 4000, 8000.]

  17. Challenge: Security and Emerging Technologies & Cultural Changes
  • Social computing/collaboration technologies
  • Information security issues and technologies
  • Sophistication of adversaries
  • Ability to track vs. desire for privacy
  • Web 2.0
  • Convergence technologies
  • Remote computing & teleworking
  • Expectation that bandwidth is infinite

  18. During My Tenure as CIO: Information Security Was HIGH PRIORITY
  • Tied to virtually EVERYTHING
  • One of five pillars of the Senate Information Technology Strategic Plan
  • Major component of annual CIO budget
  • Major oversight and interest from:
    • Senate Leadership
    • Senate Appropriations Committee
    • Senate Rules Committee
  • A Cost Analysis Tool to Assess:
    • $$ vs Capability
    • Requirements vs Capability
  • Would Have Been Extremely Useful

  19. A Practical Quantitative Model For Answering:
  • How much is the lack of security costing the enterprise?
  • What impact is lack of security having on people (productivity)?
  • What impact would a catastrophic breach have?
  • What are the most cost-effective solutions?
  • What impact will the solutions have on productivity?
  [Diagram labels: RISK, COST]

  20. Return on Security Investment (ROSI) (Wes Sonnenreich, SageSecure LLC, 2004)
  ROSI = ((Risk Exposure × % Risk Mitigated by Solution) − Cost of Security Investment) / Cost of Security Investment
  Determining values for these (Risk Exposure, % Risk Mitigated by Solution, Cost of Security Investment) is the difficult task.

  21. Determining Risk Exposure
  ROSI = ((Risk Exposure × % Risk Mitigated by Solution) − Cost of Security Investment) / Cost of Security Investment
  • Risk Exposure = Average Cost per Incident × Number of Incidents
  • Average Cost per Incident:
    • Estimated incident cost: from empirical organization data. At the Senate this could be collected at the SOC.
    • Verified using vendor and government sources (e.g. NIST, Computer Security Institute, FBI, Microsoft, Oracle, etc.)
  Accuracy of incident cost is less important than consistency of the method for calculating and reporting the cost…

  22. Losses – In the Context of the Enterprise
  • Loss of highly confidential information (how much is intellectual property worth?)
  • Loss of productivity associated with an incident
  • Loss of "business advantage"
  • Loss of customer confidence
  All would be considered critical and unacceptable in the Senate environment.

  23. Determining % Risk Mitigated by Solution
  ROSI = ((Risk Exposure × % Risk Mitigated by Solution) − Cost of Security Investment) / Cost of Security Investment
  % Risk Mitigated by Solution – One Approach:
  • Conduct and score a risk assessment based on a consistent algorithm, to ascertain the amount of risk currently being mitigated
  • Conduct another risk assessment based on the same algorithm, as if the solution were already in place
  • The difference between the two results is the risk mitigated by the solution
  The Problem: Security doesn't create anything tangible, but rather prevents loss. A loss that is prevented may never have been known or anticipated. The accuracy of the result is fully dependent on the quality of the assessment and of the scoring algorithm.

  24. Cost of Security Investment
  ROSI = ((Risk Exposure × % Risk Mitigated by Solution) − Cost of Security Investment) / Cost of Security Investment
  • Products
  • Implementation Costs
  • Opportunity Costs
  • Productivity Impacts (Does the solution increase productivity?)

  25. Conclusions
  [Quadrant diagram. Columns: Not Viable Solutions | Viable Solutions. Rows: Too Little Risk Mitigation | Acceptable Risk Mitigation.]
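As an added worked example, not code from the slides or from Criterion Systems, the following Python carries the formula of slides 20 through 24 and the before/after assessment approach of slide 23 through on a constructed threat register, and then reads the slide 25 quadrant as two tests (positive ROSI and at least an acceptable level of mitigation). The threats, the likelihood × impact scoring with per-control discounts, the incident figures, the cost figures and the 20% acceptable-mitigation threshold are all assumptions; the slides require only that the same scoring algorithm be used for both assessments.

```python
"""Worked ROSI calculation (Sonnenreich formula as quoted on slides 20-24).

All figures are constructed for illustration. The risk-scoring algorithm is
an assumption: the slides require only that the same algorithm be applied
to the current posture and to the posture with the solution in place.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int                 # 1 (rare) .. 5 (frequent)
    impact: int                     # 1 (negligible) .. 5 (critical)
    mitigated_by: Dict[str, float]  # control -> fraction of this threat's score it removes


def risk_score(threats: Iterable[Threat], controls: FrozenSet[str]) -> float:
    """Assumed scoring algorithm: sum of likelihood x impact over the register,
    each threat discounted by every in-place control that addresses it."""
    total = 0.0
    for t in threats:
        residual = 1.0
        for control, fraction in t.mitigated_by.items():
            if control in controls:
                residual *= 1.0 - fraction
        total += t.likelihood * t.impact * residual
    return total


def pct_risk_mitigated(threats: Iterable[Threat], current: FrozenSet[str], solution: str) -> float:
    """Slide 23: score the current posture, re-score with the same algorithm as if
    the solution were in place; the difference is the risk the solution mitigates."""
    before = risk_score(threats, current)
    after = risk_score(threats, current | {solution})
    return (before - after) / before if before else 0.0


def risk_exposure(avg_cost_per_incident: float, incidents_per_year: int) -> float:
    """Slide 21: Risk Exposure = Average Cost per Incident x Number of Incidents."""
    return avg_cost_per_incident * incidents_per_year


def cost_of_investment(products: float, implementation: float,
                       opportunity: float, productivity_impact: float) -> float:
    """Slide 24. productivity_impact is positive when the solution costs
    productivity and negative when it improves it."""
    return products + implementation + opportunity + productivity_impact


def rosi(exposure: float, pct_mitigated: float, cost: float) -> float:
    """Slide 20: ROSI = ((Exposure x % Mitigated) - Cost) / Cost."""
    if cost <= 0:
        raise ValueError("cost of the security investment must be positive")
    return (exposure * pct_mitigated - cost) / cost


def viable(rosi_value: float, pct_mitigated: float, min_mitigation: float) -> bool:
    """Slide 25 quadrant read as: positive return AND acceptable mitigation.
    The threshold is an assumption; the slide gives no number."""
    return rosi_value > 0 and pct_mitigated >= min_mitigation


# Constructed threat register loosely modelled on the threats named on slides 9-13.
THREATS = (
    Threat("malware outbreak", 4, 3, {"managed_av": 0.5, "patching": 0.5}),
    Threat("spam / phishing", 5, 2, {"spam_filter": 0.7}),
    Threat("host hijacked as spam relay", 3, 4, {"ids": 0.4, "patching": 0.5}),
    Threat("lost laptop with constituent data", 2, 5, {"disk_encryption": 0.8}),
)
CURRENT_CONTROLS = frozenset({"managed_av", "spam_filter"})


def evaluate(solution: str, products: float, implementation: float, opportunity: float,
             productivity_impact: float, avg_cost_per_incident: float = 25_000.0,
             incidents_per_year: int = 40, min_mitigation: float = 0.2) -> dict:
    """Run one candidate solution through all four quantities and the viability test."""
    exposure = risk_exposure(avg_cost_per_incident, incidents_per_year)
    pct = pct_risk_mitigated(THREATS, CURRENT_CONTROLS, solution)
    cost = cost_of_investment(products, implementation, opportunity, productivity_impact)
    value = rosi(exposure, pct, cost)
    return {"solution": solution, "exposure": exposure, "pct_mitigated": pct,
            "cost": cost, "rosi": value, "viable": viable(value, pct, min_mitigation)}


if __name__ == "__main__":
    for r in (evaluate("patching", 50_000, 75_000, 20_000, 5_000),
              evaluate("disk_encryption", 200_000, 80_000, 10_000, 10_000)):
        print(f"{r['solution']:16} mitigated={r['pct_mitigated']:.1%} "
              f"cost=${r['cost']:,.0f} ROSI={r['rosi']:+.2f} viable={r['viable']}")
```

With the constructed numbers, patching removes 9 of 31 risk points (about 29%) against a $1,000,000 annual exposure for a $150,000 investment, giving a ROSI of about +0.94; disk encryption removes 8 of 31 points but costs $300,000, giving a negative ROSI and landing in the "not viable" column even though its mitigation is acceptable. The point slides 21 and 23 make is visible in the code: the ratio only means something if `risk_score` and the incident-cost method stay fixed across every solution you compare.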
