All right, so as mentioned, my name is Ariane Willa. I work for Twilio; I run their security, risk, trust and compliance group, and I'm here to talk to you today about moving security from a cost center to a revenue generator. So I'd like to start, and you can see this, right? Perfect. I'd like to start by talking about language. So French is the international language of love. I'm having internet issues, so hold on. The official language of the World Bank is English; surprised they have an official language, that was news to me, thank you Wikipedia. The international language of business is money. So bear with me as we go through some basic business fundamentals so I know we're all on the same page.

Businesses are in business to make money. If they do not make money, they die and go out of business. And so businesses either want to make money or save money, aka cut costs. This is a recent public Twilio announcement; you'll notice it's about money, because that's how businesses measure themselves. You'll also notice that we as a company are growing a lot, and I happen to be hiring, so if you know anything about security compliance and want to hang out with developers, come chat with me after, because I would love to hire you. Anyhow, so we're talking about businesses measuring themselves with money. This is an income statement from 2005 from a random business. It is from 2005, but luckily accounting never changes, so this is still up to date. You'll notice the most important pieces, if you can read it (it might be too small), are the fact that every single line is either a revenue or an expense item, because businesses measure themselves in money. I'll repeat it a couple of times; I want it to just stick, because that's what the rest of the presentation is about.

And this goes even deeper than that: the business itself, each of the different departments within a business, measure themselves with money. Finance is measured on how well they manage money. Sales is measured on how much money they bring into the business. Marketing is measured on how much money they bring to sales to bring into the business. Operations is measured on how much they save the company on their expenses, etc., etc., etc., until we hit security. And here is how we measure security: we've got vulnerabilities from cross-site scripting and buffer overflows, modularity, encryption, authentication, logging. Here's another one that doesn't actually have any measurements, it's just got buckets, but we've got web gateways, mobile security, mobile data protection, IDS/IPS, DLP. Here's another one; it's super small, I'll run through it: we've got vulnerability scan coverage, baseline defense coverage, time to incident recovery, patch latency, number of incidents detected. Here's another one: we've got protection scores, detection scores, response scores, network perimeter protection scores, mean time to containment metrics, and everyone's favorite, security event true positive rates. I think, or at least I hope, you get where I'm going with this. None of those measures have money in them, which means that we're not speaking the same language as the rest of the business.

So I was told not to put this up in case anyone got offended, but I think it's a really good point, so I'm gonna leave it in there; hopefully no one's offended. We need to stop communicating about security in ways that mean nothing to the rest of the business. We talked about how businesses need to either make money or cut costs. For some executives, also known as budget renters, security does not do either of those things: it doesn't make the business money, and last time I checked my budget, it sure as hell does not save money. But here's the thing: security does make a company money, it's just indirect. And so what we need to do as security professionals is start measuring how we make a business money and make sure that people know about that.

So there are methodologies like FAIR that advocate for measuring risk in dollars; big fan of that. This talk is not about measuring risk in dollars; it's about measuring the benefits that security brings to an organization and putting that in dollars. So there are three strategies I want to talk through today: number one, how we're going to be tracking revenue enabled; how we should track revenue protected; and how we should track future potential revenue. And I think you'll notice, we'll go back really quick, all of these things are dollars, in dollars. They're going to be talking to you about security's ability to increase sales or decrease costs. And this is important because it allows executives to make better investment decisions. A company has limited resources in the form of headcount and budget to go around, and we've been asking executives to make decisions between things like, on one hand, purchasing an email security tool and, on the other hand, adding 15 million dollars to the bottom line by acquiring another company. You'll notice that the executive is asked to compare apples and oranges: one choice is a nebulous concept and the other is a quantified benefit to the business. So making security investment information comparable to other departments within a company will allow executives to compare apples to apples when they look at investments for the future of their business.

So let's jump into how we can provide those hard numbers, and start with tracking revenue enabled. This first activity is very easy. Please raise your hand if you have ever been asked or heard about this happening.
Yes, everybody has: vendor forms. So my group at Twilio is responsible for filling these out, and every time I get this question there's a part of my soul that dies a little bit, and then there's a part that rejoices a little bit too, because hearing this means that our customers care about security, or at least they would like to project the image of caring, one of the two. I like to think the former. Using the transitive property: if a customer cares about security, and your company cares about customers (fingers crossed they do), we can assume your company should care about security. So tracking revenue enabled, point number one, will let you prove how much your customers care, which should indicate how much your customers are, sorry, how much your company should care about security. We should be tracking how much our customers care so that, as a company, we'll know how much they care. I'll just mention that all of these things on the screen are evidence of security practices that wouldn't be around without us. So when we send out a vendor security form or jump on a phone call to explain security, we should be tracking that, because it's evidence of how much our customers care about security. And when you track them, there's one other piece of information that's needed for the full impact of tracking revenue enabled: surprise, surprise, it's revenue, the money. Here Salesforce, or your CRM of choice, is your best friend, because each time that we jump on a phone call or send out a vendor security questionnaire, we should be essentially connecting that to a deal, an opportunity. And sales loves money, so in the CRM they're always going to put how much their deal is going to cost; each deal will have a forecasted amount of revenue, and we should be tracking, one day, there we go, we should be tracking the amount of revenue that security is supporting. You'll see that my fake security group here in Q1 has done an amazing job supporting sales, and we've helped enable ten point five million dollars of revenue, which is not too shabby. Keep a pin in this number; it's fake, but we'll come back to it later.

The second strategy is around tracking revenue protected. This one can be pretty easy to calculate. As an example, say your company is losing two million dollars a year due to account takeovers. You implement multi-factor authentication, and fraud decreases by 1.5 million dollars. Congratulations, you have just protected 1.5 million dollars. Keep a tab on this, again, fake number.

And last but not least, what revenue can we enable in the future? This is often the most compelling number to have on hand when talking with executives, because it can enable future investment. And how do we track this? Who knows the future, right? Most sales teams will actually track opportunities lost, and the key to tracking potential future revenue is to make sure that security is being considered within that process. So when sales opportunities are lost due to lack of security controls, we should know about that, and we should use that to create a compelling story for future investment in those controls. And those controls can be a single control, like enabling encryption at rest for sensitive data, or it can be a set of controls, like the HIPAA framework. So we'll go through an example. Let's assume you work for a company who wants to do business with healthcare companies. Healthcare companies require you to be compliant with HIPAA. It's also assumed that your company has estimated the healthcare market is worth 60 million dollars; thank you, business strategy folks. So for the company in our scenario, one of the best ways to push for investment is to realize that revenue, to start to realize that we need to do a return on investment analysis. So once we do an assessment on how much effort it's going to be to get HIPAA-compliant, we need to provide that to the executives. Oh whoops, you stopped; we'll tell where I'm going next. Let's say it takes seven million dollars to up-level your security controls to reach HIPAA standards. If the healthcare market is worth 60 million dollars and it takes seven million dollars to get to a point where you're HIPAA compliant, bam, you've enabled 53 million dollars of future revenue. Take a bow, walk away, everyone cheers, it's a beautiful day.

So if you've been following along, at this point my fake security group in quarter one alone (I know, we're pretty good) has enabled ten point five million dollars in sales, we've protected one point five million dollars in money, and we've opened up a new market worth fifty-three million dollars. And again, these numbers are 100% fake; I made them up while I was making this presentation. I made the numbers easy so that the math is easy for me. But this revenue-enabling story is the story that we should be telling about security. We no longer should be the gloom and doom people that just show up to talk about problems and ask for large sums of money to fix them. We need to be showing how we're enabling business.

So a quick recap: we need to start tracking revenue enabled, we need to track revenue protected, and we need to track future potential revenue. Security is a priority for businesses nowadays, and we need to start communicating in ways that the business understands. This will help bridge the gap between a security issue and a business issue; at this point in time, those are the same thing. So let's communicate in terms that everyone understands, so that we can compare apples to apples and obtain the resources that we need to implement proper security practices.

So the kind folks at [...] picked this presentation to be presented to all of you. However, the reason that I wanted to give this presentation is because I'm not an expert in this topic. It's something that we've been exploring; we've done some of this at Twilio, some of it's worked really well and some of it's worked fine. But if you've done any of this, if you've used it for different practices, if you've used these practices and they've failed miserably, I would love to hear about it and kind of chat about it, because I think this is something that we need to move forward towards together, and I'd like this to be a community discussion.
A super thanks to all of the images that contributed to this nonprofit and educational presentation. And again, I am Arianna Willa, I do security at Twilio. If you'd like to get in contact with me, here are my internet things that you can reach out to, and I'd also like to chat afterwards if you would like. So I am good.

Yeah, if we have any questions? Yeah, we have, every other time, maybe... yeah, we have plenty of time for the Q&A session. So, I mean, does anybody have a question?

It's not so much a question; it's a thank you. You've managed to take a topic which could be quite boring to different audiences, governance, risk and compliance, and make it quite compelling and quite exciting. I feel rejuvenated about my job.

I wish I had planted you in the audience. That's so nice. So would you like to come to my next talk?

Potentially, sure. Are you going to be hanging around after this? Because I do, I do have some notes to exchange with you.

Cool, thank you. I see one more. I think there's some over here too. Oh, just kidding, sorry folks.

Hi, so I was wondering if you've tried to analyze the potential savings for the company in terms of when you patch vulnerabilities or when you close security holes: what is that gaining you, in what you could have potentially lost if there'd been an incident that came from that?

Yeah, that's a great question, and I'm glad that you brought that up, because that's actually one of the things that we're trying to start doing now. It's very difficult to do at scale, so it's not in my talk, because I didn't have enough information to feel comfortable explaining it. But yes, we are trying. It's been a challenge; it's been interesting. Thank you.

Yeah, I believe we have one more, one up front.

This is a question kind of in line with the recent events with Congress and Facebook. And so how do you quantify, or I guess you're trying to monetize this thing, but sometimes you're in a business where the people who are logging in, I don't know what Twilio does exactly, but if you're a social network, people coming in for free, they're really the product that you're selling to advertisers, and that's where you're getting your money. But that product is their personal information, and now we're starting to find out the ramifications of, you know, selling that information off, making it easily available to not just people who want to sell you something but also political actors. And how do you quantify that? How do you deal with that? I mean, how would you emphasize security to your board in that kind of situation, which may not be really monetary; in fact it may mean that you have to subtract revenue in order to deal with it, or to deal with government regulations that arise out of that problem? And that's the essence. Mike, yes. So it's kind of broad-based. If you can answer, that's really... it's not easy to answer; it's a really good one.

I'll try. Let's see. I do not have personal experience with that. Twilio is a business-to-business company for the most part, and so we haven't gone into topics like that yet. There are, like I said, practices like FAIR that do have processes or ways to try and quantify that. I'll defer to the experts there. No, though, it's a great question. I wish I had the answer to it.

So I have a friend at another company that I will not mention, but he, you saw me at a party one time, that at his company they figured out a way to make the additional security, like for example HIPAA compliance, a value-add the customers pay extra for. So rather than just have it quantified like that, it's a checkbox item that encourages customers to go up, you know, from silver to gold, kind of thing. Has Twilio looked into actually pulling out security, making it something that people explicitly pay extra for, the HIPAA-compliant portion versus the non-HIPAA-compliant portion?

Yeah, so I've got my sales pitch ready in my back pocket: you could check out the Twilio for Enterprise plan; it's made for enterprises. Unfortunately we have it, things like HIPAA and such we haven't done yet, but I'm sure that the product folks want to productize that. You hit on an interesting point. So this talk is not about productizing security; it's about kind of taking the security practices that are already there and showing them in a different light to business executives. But sure, if you can actually productize security features of your platform, you end up in actually a much better position when you go and talk about the benefits of security to the C-suite, the board, etc. So, a great point.

Hi, so I had a question on the data points there. So I like the way you bucketed them out, but I found, like, it is based on having a relationship with finance to be able to pull those data points. So I guess what is the process there? I guess what are your thoughts on getting those data points and making them readily available to be able to kind of put those things together?

Yeah, sure. So actually most of the data points come directly from... Twilio uses Salesforce, and most of those data points come directly from Salesforce. So you have the things that security is doing to support sales and enable revenue, that you should have access to on the security team, and then all you really need, all I use really, is access to a CRM, and so that way you can get the revenue numbers that support your message. Any other?

OK, yeah, so I'm wondering if, when you actually total up all the value that you've enabled and protected and even the potential future revenue, if that actually offsets the full cost of your security program, including headcount, tools, etc.

I don't know if I'm allowed to tell you that in this presentation, so I will say it's a compelling comparison.

OK, that's... I worry because I actually haven't, I mean, thank you, it is a wonderful presentation, it's a great model, and I look forward to attempting to apply it. It's just a matter of wondering if I'll like what the answer is: if I'll find that there are still other costs that we have to continue to bear in the security program that are unfortunately not offset by all the great work we do in these other areas.

Sure. I would encourage you to run the numbers; they've been pleasant for at least Twilio. So, any other questions?

Oh, hi. I was wondering if you could talk a little bit about the details on how you implement this process to capture this information, even if it's not proprietary.

Yeah, no, it's not proprietary. It's something really complicated called Google Sheets, and we're moving it into a couple of different tools. So we're trying to move into Salesforce reports and move into content management systems, and try and keep our tracking outside of a sheet, but mostly it's just been me and the Google suite. So thanks for... who works for Google? Yeah.

Have you had an opportunity to do this for a long enough amount of time so that you can, say, project down the road, say three to five years, what the margin for the security cost would be based upon the overall revenue, looking back, so that way you can forecast?

Yes and yes, I have. So I started at Twilio two and a half years ago, and I've been tracking these numbers for two and a half years. In terms of forecasting, really, it was a young company and changes often enough that my forecasts are not fantastic, but if they were any better I would go into, you know, looking into the future, maybe get myself a crystal ball. But it has been helpful in projecting needs for security folks and projecting needs for certain areas of the business.

Me again, hello. Yes, given the amount of interest here and taking a look at the time, maybe this would be an appropriate idea, and that is, let's do a little GRC breakout in the common room after this. OK? If you all want to look for me or her, we'll be over there and we'll do a little breakout session.

Thank you. Yeah, just one more question, one more question, and we will wrap it up.

Are you tracking how long you're spending on each of these interactions?

Yes... um, no, but it is on my list of things to do, literally this week.

We, I mean, we also are trying to... I have your job at Rapid7, and we're trying to do the same thing. We just, we know that it would be a great way to measure, you know, us doing a better job responding, if we can get the time down. Yeah, and we have like a time tracking thing in our ticket system that all of us always forget to use.

Yeah, yeah, that's the problem: we have to actually track it. Yes, it's been on my radar for some time. I'm trying to implement it.

Your talk this morning was great, by the way.

OK, if you figure it out, just, like, text me. Totally, totally.

Yeah, OK, so it's time, and yeah, we'd like to show our appreciation to Arianna. Thank you for the awesome [...] and young people they get to, besides, they're funny. Thank you, thank you very much.