
Securing Buy-In for Security Budgets: Panel

BSides Edmonton · 2024 · 47:52 · 8 views · Published 2025-10
Style: Panel
About this talk
BSides Edmonton, September 23-24, 2024
Talk: Securing Buy-In for Security Budgets
Abstract: Securing buy-in for security budgets is essential for ensuring an organization's cybersecurity measures are adequately funded. It involves clearly demonstrating the value of security investments to stakeholders across the organization, including executives and board members. This can be achieved by aligning security initiatives with business objectives, emphasizing the potential risks of inadequate protection, and providing metrics that highlight the cost savings from preventing breaches. Building strong business cases that show how security measures support long-term organizational goals can help justify budget requests. Additionally, fostering a culture of security awareness across all departments strengthens the argument for continuous investment in cybersecurity.
Speakers: Panelists: Chantel Duplantie, Suliha Mukhtar-Lasisi, Sara Iyer. Moderator: Sridevi Sadhineni.
2024 Slides: https://drive.google.com/drive/u/0/folders/1ess6fUZNd9BbWK7pPBrh8UVE-7GXtMyG
Transcript [en]

I'd like to welcome all and

I ored and now I like to reest our P to introduce CH please hello name is I'm theer

of um I to other words or mediums and I recently joined W as an adviser maybe tell hi uh I'm Sara a I work in La Consulting at a s RIS Management Consultant and prior to this I worked in the aition center uh so processing own it's to very POS and prior to that I worked as a security operation um administrator and so I kind of s how had around from the phishing to the vulnerability to get coupons um C and so that's kind of thing my true for now set up so hello everyone my name is

city

consultations tr

security of

the so I'd like to ask how do you balance the F security with

this is my first speak um I wrote down um I would say let's speak called stakeholders have a lot to consider in meeting a budget especially when you're a small company is always a challenge there are a lot of great products out there but they can be very expensive and most of the time they have more features than what you really need I would start small and can I would focus on a risk assessment to identify your critical assets and focus your funding on areas with the highest risk for example for um there might be some tools you already paid for that you're not fully utilizing and you can look to the open

source thank yeah so when you rning budgets uh I think that's a problem out a lot of the Stu to deal with and so you back Shel set um there sometimes uh communities don't realize that they have certain tools but I that there are more featuring an angle that they have access to I think of a classic example like for example let's say you have an organization that has a certain amount of people that because you pay for so many licenses to like let's say Microsoft you actually qualify some of their tools for free because UC so much so that's most realize security to and so kind of thinking about a limited budget you know

you don't have toow whatever it is just kind of think about what needs your business and sit down and think like okay what are the basic elements be try to get here and then like Chantel said there's some great open source tools that can use to kind of just establish basic perhaps work see what working with that me have to hi future and at that point there's ways that you can kind modify say you can modify that or realize okay this what we like this we like and then you can maybe start looking at that so not kind of going shopping L shopping looking that's again if you want to do the try to go so there's kind about it

I will you answer things the business en and also communication so um looking look at project go the business when the business is trying to achieve the also communicating down different stold all security of security

business we

have how

so

yes as

this the is TR for and we also have one and the have security training already most organization one of those train they just watch recording When uned or after six month to I just give you round test and um and they didn't see any need for another taot um security awareness training or another F system so what we did was to um discuss about a similar organization um the organization organization and this happened last year um an organization that thought um that's on S attack actually I think inario and of course some in their clients they not affected and all we did was to present that case to them and this actually happened as a result of a phishing email

it is one of the employees teaching a phishing email and um they realize that how they can be that that can be the old situation also so oh yeah out you to do business with

them yeah uh to build up what said he uh kind of within our Consulting he keep the same kind of strategy so often clients come to us and they say well you haven't had anything happened to us yet like we not go it but we're so scared about the day that something does happen to us and so often when we're kind of working with and we try to make the case of you know this is your industry here's examples like we can even we are really in the industry but like if in the last year you some examples that we have found where you know the company has to see this cyber or this breach what notot and we kind of

show them okay this is how we parallel with their industry um this is how you know they were tackled this is kind of what with the situation so like going to our company what are you doing to protect against this seems like within the industry this is how uh T to kind of get in so have protected uh against those threats do have to a place right we think about examples like London Drugs right London Drugs they actually didn't pay the when deci to come you know rebuild every charge it was but from that they learn to kind of create more security same thing went to college n college right you also example of a company that he okay what can we do

here so taking my less Le that start from scratch build the strong foundation and kind of get it up so you know there's ways that you can pull those lessons through to try to make yourself a little bit more from par in case it happens did um a lesson you learn uh from us we um very you does anybody know what attack is yeah uh okay so about 14 years ago when our company started um we had a DDoS attack in this so for those that don't know but it is DDoS attack is when millions of infected computers cared a single ID to cause disruption to the service or distract in effect so the attack lasted about 10 days on and it

was really stressful really ter we didn't really know what was going on had people coming down from um Calgary figure out um following this uh we messed in protection thankfully have since but the incident made us realize in this type of attack is dead needed to invest to our user stay online in our infrastructure anything this is

I for

then no such

have

yeah so making a case for your budget if you have so uh again I said say we have no um we have yet to have security incident and so same sometimes they kind of say like yeah so we don't really know how it would handle that and so the next question I'd ask is okay you want to make a case have you ever had an answer response test have you ever done a take CL exercise and so what that is is you can kind of do that on an executive level or you could do that more on an operation level where you kind of say okay we're having somewh in what does the first thing that we would

do go right can we kind of try to work through that and so sometimes when you're kind of working me through those situations uh the adrenaline is kind of going through every you know you get the get into the environment or get into the the situation and that's when you start realizing like oh my gosh we don't have aers or oh my gosh we actually don't have you know someone that can be calling in a little the night you know I want to be kind of out so you start realizing gaps in there and then when you kind of go through situation or scenario then you kind of can see okay these are if you were to look you something these

are are apps and this is what our you know are older so then you can start to think okay the case for we have these risks how can we mitigate them and then now you start putting a budget or start you know having a conversation with how level Executives of you know we actually prly toy this we how this to we know how we program we don't know how many this is to stor to we do some but what not right these are all like real life situations and these have come up with a TI and so having that kind of experience and having uh you know controlled situation really kind of open eyes especially when get in the room so

that's an example of course to

to I getting them I have like the entire s te getting together kind of go over some some ideas on what to happen see where you can improve and IFL first um and then double checking the clock for say already LIC well maybe there happing and then you can go to your to your directors and show um all that you've just discovered and and then you can showes SEC business C say she show them the cost of all right um for

example or% the I am and one my when Amazon was F some ago and they didn't see why they need to put some things in place don't think that's who on

and yes this is for you to it's a very similar so showing them the costom compliance we I'm also showing similar organization to all other organizations have F and yeah I all this is not one

resp

and is this is

what how do he face them sure um I would say that we to understand how important it is it's just a balance of knowing how much to spend in what area and what is the most important thing to protect so I suggest putting together a presentation that outlines your immediate concern uh uring it's very clear and simply outlined you can share examples highlighting what happen with other organizations and how it impacted their reputation ultimately sales um perhaps that also entails showing how part of organization uh to prove how vulnerable suon the see is believe I certain I agree just go way to kind of you know show an organization K you say you're protecting this but we

just found out that actually not you actually have those public calls they're regly in that system right um yeah I definitely agree with that um Metric school all wa to show return on investment too especially on like some of the tools that you're using uh for example uh when I used to be Bri's administrator we had a phishing program and then so with that phishing program we're able to chat like we're having an issue where uh first time uh clickers were a lot most frequently the first time or that you're just new people or new employ company within the last six months and so we designed a whole trade program just to kind of Target then and try to give a

lot of knowledge so we were actually able to see that you know people that were you know and so you like the the percentage of click for new new employees was up like 40% and then it actually went down to something like you know under 5% and so we were able to kind of turn that around and then so that's how we were able to see that yeah our our Learning Management platform is actually being useful and the videos that Michigan is useful because this is what our click rate was before and then after start content and being trying to teach them to be more mindful this is what it wasn't for or now so we've kind of shown

that change and shown that case for this is why you should continue to invest in this this is why this tool is important it's actually changing behaviors and overall making this com more secure yeah I think also present of security as us organization must to pay for I like to present an investment investment that business an investment that can give us a competitive um Advantage competitor for example being some through certified it's not just unting the organization used to pay for it's a it shows that we do we security seriously as an organization it shows that um clients who business with us you know that that um the data is sa us and also give that

compet the compe so an investment that can help business better just have to pay for that just post so

call must get mad

how many fighta

incident can happen right and then TR to in AI driven so what we should focus on with prioritization so when prioritizing I look at some things what is theity of the system that we're trying toate it and also what is to really question so for example if we have a critical system that internet facing and um vulnerability was found on day right compared to another system that's less critical and the first system we for our day-to-day operations and the other system um it's l internet facing is not that princial um here to the first one the fact that the first one is internet facing we know that is a lot of things that can go and this is a

that we use our day-to-day operations if something goes wrong is going to affect to business it means when to operate maybe 24 to 48 depends on how through so has the criticality and also imp something those are the TR for and it doesn't matter yeah first Consulting I I to me I've come a lot of it as the big three so what is a company doing for phishing right how is the company protecting that um you know they say that the weakest Li your SEC for people right so typically when we're talking to your clients we say okay like we do a whole risk assessment and we evaluate their cost of okay here's Mission and you know are you

training your uh users are you training specifically you know your uh high priy like high susceptible users the marketing the finance their Executives like all of those people are susceptible to three well phishings and then we kind of asked them okay what about your uh supply chain how are you protecting map do you have a third party vendor program are you getting your vendors are you do you have security uh language anded your contracts are you AC off you checking if your access is in the same look are you actually checking to see as well if if they still have access to a data or whatever you ex is that data still in that so those are kind of the things

that we going to ask them when we measure up to uh you know a task that's important the be in these days right on average in Canada the Outreach Comm company will have breaching about 7 billion well we asked him what are you doing for R more what are you doing for the backup do you haven't done that table uh table top the SS right so we kind of look at those big three those are kind of you know some of the highest attacks that high like the most harm reported we kind of say are you measuring after to those what controls ask to protect

you e

for yeah as

Miss

so

what um anyone get can go for so security should not be sa as a should be SE as a business should not be seen as host organization to pay for it should be seen as an investment and you as a security organization and you know Empower your people and three CHS organization or security of business do to business this how it too we say the tech we is there so uh when securing buy-in the first thing is like your Market is secure buy-in they don't know what's there they're oh we only have four laptops you know but there's like 200 people in this start conv station you know so the first thing you got to do is like just find out

what's on your system find out what your data is find out what your inventory is get an of what that is and then from there try to find out what your risks are get an assessment or do it yourself just try to think about you know what are our gaps and then from there once you have that information you have you know information technologies that then you're able to make the best decisions possible and then presenting that kind of to like your Executives or even within your security and you're at that point able to you know start to make better decisions right and know what you need to start implementing and attacking yeah I

like I say don't get frustrated if you don't get approval right away there might be something else going on and budgets are tight um keep making your case in the need do extensive research use knowledge and Implement what you can in the meantime maybe there's a solution you didn't think of before W good I'm that you covered on

yeah and head points regular checkups helpful

any insights you like to share Z anything help you guys can the questions

how

seems in the show how but

strong taking a

few show the good oh so I have a question so whenever any organization undergoes this stand up initiative it's like a big deal to find the right skin ERS as well like mention so what can be his key factor in deciding better the c or in-house worker or versus the uh you know going out to find it any like to

start depends on theity critical diality of what you're trying to achieve if what you have in house and first of all the cre sign to work on if it's um very um something that's very tical eye and uh it's anything goes WR can affect the business and you got to be s in house and not take care of that then of course or that like Consultants like they have the experience they probably Miss SE this before and they can bring in the expertise and talk the issue on time before something moves WR or if it's not critical and take something and business come to your gradually sving host again maybe um sing that c and maybe hiring one

of the team and can take initiative once the time yeah yeah just depends on how f it is hi um we're actually now that is kind of having that mindset of like do he hire her in or do he a up and uh a point of consideration is how what is the workload of your current team right if your current team is doing like five different things not just um the same area and they currently getting distributed and spread in then maybe they're not able to effectively contribute to that main area that they need to get into and then that's a case for bringing on with people growing rou tee right so that's something to consider but if you haven't seen that

you know there's some City and they're showing initiative and they're showing the you know the dve to much to learn more you know they were willing to take on that W and and you know have that knowledge that well technically we're already invested in them have that loyalty there have dedication why not in the chat yeah

they check they to

doank so

M question add in different scenario let's

say know that just secure all secure assets and then and then let's say know we have a s something goes wrong how do we know or I guess move on from that right set you know we we have this speaking or a sub Insurance you might have to worry about or how

even when the companies have cyber insurances sometimes stay P to see all the Clauses there are like a lot of things that you need to do even when you have a cyber insurance so that is like what thing that uh you know companies need to focus either right yeah ready so what I I know talk about oh this trans I prer Tove

sh responsib actually share yeah we fin of it but there still still working on you have cover from my then you have to be the trust issues and so call for anyone as opposed to the I I'd say that cyance c for us to be honest um that not only when you fill the application expectation that you you have all this initiative place just qu cyber insurance so I would say if you have cyber insurance and you don't have a lot of those I would review what their expectations are as far as organization what you should have to make sure that you're not Bing pance you definitely nowadays cannot have not Place t with for they will not and they will

always it could possibly Avid your this and it's getting more and more yeah I want to add know I feel like often times when they is sh involved a company know you need to have this control this never stct you know this is how we expect you need to have strong contion but then they will tell you you no five or you they hire you to so I guess the question is how do we improve security R right like you know sure most hes would have all the musics and place other you won't gu sh but I feel like that often what you have or meet come this do and you don't want to move some so the question really is how

do we take the next level after that

exactly and

so with that

of you and support how

this and is so you like to yeah yeah and but it's like um so I'm program that have a SE so and um so in terms of funding sour it's like we there's Capital funding uh and there's you know offra Mi right it's a capital funding when are actual software servers and things like that andrees for Matic service account rules right and then fire there so it sort of influences um the solute right if you have F sources so and government for there two have funding Capital FAL feder ta so is that do you find any solution that do you find that F turn propos operating there capital

yeah so just doesn't come

something now I think even though

like C if you have and you you care to take care SE and then should be sh but also like CS not going to take care of your creation company and let's the the the level of clients are face on you companies off service couple conferences or a new company it's up and they're saying well um the the host we say best for example so there's totally on them it has nothing to do with us cringy also on average when we talk to our clients uh we ask them like what's your max funding what's the

max yeah so yeah so we're learning almost now to so like working with security insurance which you also company policies there procedures there every get maybe TR school and everybody knows exactly what they need to do where they go like even if they know F like the information is there for them to to be able expenses and be able to know about being because these policies place by the companies themselves not by I guess like alter anything like that yeah good point

this really like it's you can almost use it as a but's you here just like do you know know you have to do they know who to reach out to they know what to do they know what you know communication on do they know you know who they're going to call you know and it literally yes yes yes so no yeah no we haven't talked to them about that there's your Gap right there right so sometimes like you know you just oh gosh you're to bite off you're just like well you know get yourself a r like get yourself a frame R and sometimes at that point then you kind of like need to call

you be you I think when you sign up for insurance it's pretty intense like you have to both checklist and they want to make sure that you have um soers or all SE place before them even stick and help them f

and