SecurityCertified

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Monday, March 22, 2010

Ways to Justify Security Programs: 13 Cs

Posted on 9:37 AM by Unknown
My last post Forget ROI and Risk. Consider Competitive Advantage seems to be attracting some good comments. I thought it might be useful to mention a variety of ways to justify a security program.

I don't intend for readers to use all of these, or to even agree. However, you may find a handful that might have traction in your environment.

  1. Crisis. Something bad happens. Although this is the worst way to justify a program, it is often very effective.

  2. Compliance. An external force compels a security program. This is also not a great way to justify a program, because resources are often misallocated.

  3. Competitiveness. Please see my previous blog post.

  4. Comparison. If your company security team is 10% the size of the average peer organization size, it's not going to look good when you have a breach and have to justify your decisions.

  5. Cost. It's likely that breaches are more expensive than defensive measures, but this can be difficult to capture.

  6. Customers. It seems rare to find customers abandoning a company after a breach. People still shop at TJX brands. Still, you may find traction here. Compliance is supposed to protect customers but it often is insufficient.

  7. Constituents. I use this term to apply to internal parties. Large companies often provide services to other business units.

  8. Controllership. Is your organization well-governed? Can it account for the state of its systems for auditors and so forth?

  9. Conservation. This is a play on "green IT." What has a lower carbon footprint: 1) flying consultants all over the world to handle incidents, or handling them remotely by moving data, not people?

  10. Consolidation or Centralization. These themes are likely to enable specialization, more effective internal resource allocation, and improve defenses.

  11. Confidence. Confidence applies to all parties involved. Can you trust your data?

  12. Counting. This is a plug for metrics.

  13. [Securities and Exchange] Commission. This is a play on the 10k- forms shareholders receive in the mail. Please see the linked post for more details.

Email ThisBlogThis!Share to XShare to Facebook
Posted in | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • Review of Intelligence, 4th Ed Posted
    Amazon.com just posted my five star review of Intelligence: From Secrets to Policy, 4th Ed by Mark Lowenthall . From the review : I was a...
  • SQL Injection Challenge and Time-Based Security
    Thanks to this Tweet by @ryancbarnett, I learned of the lessons learned of the Level II component of the ModSecurity SQL Injection Challen...
  • Practice of Network Security Monitoring Table of Contents
    Since many of you have asked, I wanted to provide an updated Table of Contents for my upcoming book, The Practice of Network Security Monito...
  • C-SPAN Posts Video of Tuesday Hearing
    You can now access video of Tuesday's House Select Committee on Intelligence Hearing on Cybersecurity at C-SPAN . Some people are alread...
  • Bejtlich's Thoughts on "Why Our Best Officers Are Leaving"
    Twenty-two years ago today I flew to Colorado Springs, CO and reported for Basic Cadet Training with the class of 1994 at the United States ...
  • A Book for the Korean Cyber Armies
    I've got a book for the Korean cyber armies, North and South. That's right, it's my first book , The Tao of Network Security Mo...
  • Bejtlich Teaching at Black Hat West Coast Trainings
    I'm pleased to announce that I will be teaching at  Black Hat West Coast Trainings  9-10 December 2013 in Seattle, Washington. This is a...
  • Mandiant APT1 Report: 25 Best Commentaries of the Last 12 Days
    Two weeks ago today our team at Mandiant was feverishly preparing the release of our APT1 report . In the twelve days that followed public...
  • Tort Law on Negligence
    If any lawyers want to contribute to this, please do. In my post Shodan: Another Step Towards Intrusion as a Service , some comments claim ...
  • Review of America the Vulnerable Posted
    Amazon.com just posted my five star review of America the Vulnerable by Joel Brenner. I reproduce the review in its entirety below. I'...

Categories

  • afcert
  • Air Force
  • analysis
  • announcement
  • apt
  • attribution
  • bestbook
  • blackhat
  • books
  • breakers
  • bro
  • bruins
  • certification
  • china
  • cisco
  • cissp
  • cloud
  • clowns
  • commodore
  • conferences
  • controls
  • correlation
  • counterintelligence
  • cybercommand
  • cyberwar
  • dfm
  • education
  • engineering
  • feds
  • fisma
  • freebsd
  • GE
  • ge-cirt
  • hakin9
  • history
  • impressions
  • information warfare
  • ipv6
  • law
  • leadership
  • malware
  • mandiant
  • microsoft
  • mssp
  • nsm
  • offense
  • oisf
  • packetstash
  • philosophy
  • pirates
  • powerpoint
  • press
  • psirt
  • reading
  • redteam
  • reviews
  • russia
  • sans
  • sec
  • sguil
  • snorby
  • spying
  • threat model
  • threats
  • Traffic Talk
  • training
  • tufte
  • tv
  • ubuntu
  • usenix
  • verizon
  • vulnerabilities
  • wisdom
  • writing

Blog Archive

  • ►  2013 (16)
    • ►  September (1)
    • ►  August (1)
    • ►  June (2)
    • ►  April (2)
    • ►  March (1)
    • ►  February (3)
    • ►  January (6)
  • ►  2012 (60)
    • ►  December (4)
    • ►  November (5)
    • ►  October (3)
    • ►  September (10)
    • ►  August (2)
    • ►  July (6)
    • ►  June (6)
    • ►  May (4)
    • ►  April (2)
    • ►  March (9)
    • ►  February (6)
    • ►  January (3)
  • ►  2011 (108)
    • ►  December (3)
    • ►  November (7)
    • ►  October (11)
    • ►  September (9)
    • ►  August (18)
    • ►  July (10)
    • ►  June (5)
    • ►  May (4)
    • ►  April (13)
    • ►  March (17)
    • ►  February (2)
    • ►  January (9)
  • ▼  2010 (193)
    • ►  December (14)
    • ►  November (11)
    • ►  October (6)
    • ►  September (16)
    • ►  August (15)
    • ►  July (26)
    • ►  June (15)
    • ►  May (15)
    • ►  April (15)
    • ▼  March (16)
      • GE-CIRT Joins FIRST
      • Bejtlich in April Wired Magazine
      • Bejtlich Returns to PaulDotCom Podcast
      • Ways to Justify Security Programs: 13 Cs
      • Forget ROI and Risk. Consider Competitive Advantage
      • Time and Cost to Defend the Town
      • Guest Post on SecureThinking about Cyber Shockwave
      • Verizon Incident Sharing Framework
      • Bejtlich Keynote at VizSec 2010
      • Bejtlich OWASP Podcast Posted
      • Traffic Talk 10 Posted
      • Einstein 3 Coming to a Private Network Near You?
      • Making a Point with Pressure Points
      • Keeping FreeBSD Applications Up-to-Date in BSD Mag...
      • Bejtlich Teaching at Black Hat EU and USA 2010
      • Bejtlich to Speak at FIRST 2010
    • ►  February (19)
    • ►  January (25)
  • ►  2009 (123)
    • ►  December (10)
    • ►  November (17)
    • ►  October (21)
    • ►  September (13)
    • ►  August (20)
    • ►  July (21)
    • ►  June (21)
Powered by Blogger.

About Me

Unknown
View my complete profile