
So, thanks everyone for coming. Without the fans we wouldn't have a band. This topic: I'm going to take the conversation up to, perhaps, more of a cyber security management system and program level. In my daily role as an advisory consultant for OT/IT organizations I tend to talk to CSOs and cyber security group managers and whatnot. Do we have any CSOs in the room right now? Well, I'm not going to turn you into one, but if you are ever going to be bringing in, or perhaps you're influencing, the solutions that are going into your organizations, these are some of the thoughts about what you might want to do to try and get the budgets. So again, when you're dealing with large organizations there are quite a few factors that go into which tools are we going to buy, and can we then support them throughout their life cycle.

Moving on, in my credentials you can see I've got some IT and OT credentials: doing the IT for more than 20 years, the OT and manufacturing stuff for just the last five. This deck, I built this deck myself, so yes, cheesy transitions like that; my marketing department had nothing to do with it.

I was recently talking to the head of security for a large multinational power generation company, and he was less interested in the solutions that we can provide, from risk assessment through to improvement plan and solution development and deployment, and more interested in: how are you going to drive this message up through my business and actually get the budget? So I talked about a few of these different things. It's kind of nine easy steps to getting a budget, and then this last one here is continual improvement. But I could tell that he was not convinced that we would ever get his organization to go anywhere with the thought.

I'm not going to read each of these to you, because I do have a little bit of conversation on each of these topics. But the first thing that you need to do is make sure that you know what it is that you're trying to put your arms around. You need to be able to understand the scope of your organization, to then be able to understand what potential security requirements you might have. A lot of what we do is we have to justify these budgets and whatnot, and oftentimes I refer to the individual citations through the different international standards, so you'll see a lot of those citations as we go through here.

But the first thing we need to do is understand what your infrastructure is, look at the vulnerabilities to that infrastructure and then the associated risks. That all makes sense, because what we want to do is make sure that we're putting in security solutions that address some risk, and perhaps for my biggest, my most important risks, those solutions would also be prioritized. And then, when we've identified that perhaps we're trying to meet a certain standard and we've identified these vulnerabilities and gaps, what we're creating is a prioritized, actionable risk treatment plan, with an improvement plan and some projects behind that.

Oh, and those citations: the ISO 27001 sections 4.2.1, 4.2.2 and 4.2.3 are really talking about the scope of your organization and understanding that. And then down here in 10.2, this is where... I think 6 is where we actually talk about a risk management program, but I thought the more impactful statement here was 10.1, where we're implementing those risk treatments, and it's talking about: in planning for the security management system, the organization shall consider the issues referred to in the scoping section. Any time you see the word "shall", it means that you as an organization need to do it. Those are the types of words that you bring to your steering committee when you're trying to get a budget.

So there are different ways and platforms and things like that that you can use once you've identified your assets and are looking at your vulnerabilities and doing your risk assessment. I see some folks working in spreadsheets, some folks working in tools that have a nice dashboard and things like that. This here is from SecurityGate.io, one of the tools that I've been able to use; I know of others. But I think really what we're trying to do is look at where we want to invest our money. This is a statement from the NCSC regarding getting your cyber security budget. It says that every organization has to make an investment decision about how to protect their technology and services, and every organization is unique, so there's not one solution that fits all. Whether you've got a fancy tool with a dashboard or are working in spreadsheets really doesn't matter; it's the goal you're trying to achieve. Obviously we're trying to drive towards tools because it's easier: as you implement improvements in your environment you can track those changes, you can make assignments and things like that.

So the next thing you want to do is align to some sort of internationally recognized standard. More recently, in 2018, the NIS Regulations came out governing all of the operators of essential services, the OESs out there. That has to do with, in power generation, how much power you are generating or how many people you serve in that community. There are other operators of essential services as well, obviously, such as transportation, and now they've recently added public media outlets as well. So there are different standards that you might pick. A couple that I frequently use are the ISO 2700x series, governments obviously, and then in my operational technology work 62443 is a really common set of standards as well. What's interesting is they both kind of cover the same controls; it's just that these folks are worried about confidentiality, integrity and availability, while these folks are prioritizing availability, integrity and confidentiality. Same set of controls, just different priorities. So that, I think, is the important thing when we're trying to get these budgets and get the justification and get them in front of our steering committees and CSOs: it's all based on best practices. I didn't dream this up. I'm not just looking at this new cool shiny tool, and it's not some sales guy picking me up for golf, which I wouldn't take you up on anyway.

So the next thing is building the business case. This sounds like a no-brainer, but do you have any consultants in here? So this whole conversation, for consultants, all this happens before they call you, right, before the end user gets you on site. But ultimately, when the consultants are on site, this is really what you are trying to address: you're trying to address, way back from the start, the business case. To say: this is why I'm here and this is what I'm going to do for you, effectively. So we want to make sure that the organization understands why to invest in cyber security, because it's similar to an insurance plan: ideally you don't want to use it, but if you don't use it then perhaps you don't see the value in it, ever.

I will say, understand the potential risks for financial implications, perhaps reputation, business loss, things like that. When I'm talking about risks here, or looking at the business case, this is a different risk assessment than we did previously. That risk assessment was looking at what we're trying to do as an organization and the security controls we're implementing; this is a risk to the actual business and the brand, and whether or not we'll be able to open the doors tomorrow because we have no customers left. Be ready to prepare a compelling story for your CSOs or steering committees. I'm not one for graphics or anything, but what I've put there is the X over the word FUD, and that's fear, uncertainty and doubt. Never lead with fear, uncertainty and doubt and say, you know, we've got to do this otherwise we're going to get hacked and ransomware and all of these things. It may be true, but that's not what's going to get CSOs to give you the money. What they need to know is that you are aligning with your organizational goals, right: we as an organization are trying to optimize our operations by integrating with some of our IT folks, we're trying to get a centralized SOC going, we're trying to move these resources up into the cloud so that all of our offices can lower their costs of communicating with the office, or whatever those organizational goals are. This is where you're saying that security is a business driver, and you can kind of say that this is going to make not only us more secure but it's actually going to help us do what we're trying to do. If you can articulate that in a story, then you're much more likely to get the budget that you're after.

So this one here, collaborating with other departments: yeah, I think it makes sense that you do that, because ultimately if you can pool your resources and get a single solution that everyone's happy with, then you have a better business case. But in reality, coming from a power generation customer base right now, they say "oh, there are no silos". Well, there are physical silos there, and there are all these organizational silos as well. The OT guys don't like the IT guys' group: well, they're running this IDS and we don't want to run that IDS, so we want to make our own and choose our own platforms and things like that. But in reality, if you had these different individual sites and business groups all agree on something that they could centralize as a solution, and you could kind of forget about the operation of it... I mean, there are definitely benefits to trying to reach out to different organizations. Here I've got more of an IT type of example, with IT, finance, in your average standard business, you know: IT, finance, legal, compliance and whatnot. But the more of the organization as a whole that agrees with what it is you're trying to do (and again this goes back to identifying risks and your risk treatment plan, that prioritized, actionable risk treatment improvement plan), the more people who agree with the elements of that improvement, the better off you are. And where I have compliance here, I'm talking about perhaps your internal auditors or even your external auditors. That's one thing that can really drive a cyber security solution forward: if you can say "and I can just hit print on this thing and give it to the auditors and they'll go away", that is a compelling, compelling case for whatever that solution is. We do need to make sure that they understand that cyber security is an organizational thing, and when we're bringing these things in there are organizational roles and responsibilities that come with it. It's not just, you know, this software is going to fix everything. I'll get a little bit more into that here in a couple of minutes. And then, seek the support and involvement of multiple groups to collaborate together, to pull together and get your resources.

So, highlight emerging threats and trends. Again, I'm going to go back to my statement earlier to say that we don't want to use fear, uncertainty and doubt, but you can't walk around with blinders on either. You really need to know what are the internal and external threats to my business, and how can I qualify these so I can start quantifying what the appropriate security mitigation controls are for it. Now I need some help here, I don't have the number: does anyone know how many threat intelligence companies Forrester has said, in their recent report on threat intelligence, are selling a threat intelligence product? If you reckoned 40: there are 40 different ones. And you're thinking about Mandiant and all these companies who say "we've got threat intelligence labs and we'll sell you threat intelligence", and so which one of those forty should you choose? It can get confusing. So there are a lot of different options out there. There are some that are more tailored to individual industries; there are others that you can tailor to your industry, which is interesting as well. So let's say you're in finance: what's most interesting to you is threat intelligence for finance, what type of attacks are hitting my sector right now, and some of the tools you can use to actually tweak it to give you what's most relevant to you in your organization.

But yeah, the Annex A, this is where we're talking about what the specific definitions of the individual controls are. This one talks about information regarding information security threats, which shall be collected and analyzed to produce threat intelligence. There are two places that this can happen. One is internally: earlier I was in a discussion about network management and network monitoring, and there was a young lady who works as the head of a SOC. Definitely that's the first sort of threat intelligence: what's happening right now on my assets, on my boundaries, on my web application firewalls and things like that. But that gives you kind of a small picture. It is through the external threat research contracts or agreements that you have that you'll actually get the bigger picture, and again try and narrow that down to what's relevant, ideally to your industry or the types of services you're running and things like that.

So, starting with smaller initiatives is a way to get some budget, and it can work. I've got a road with a number of switchbacks here, and you can just say, if we can get to here and show success, then we can move the project to here. To me that actually aligns with the way that project managers build their improvement plans. So you've got a number of different swim lanes. Let's say your high-level risk assessment against the organization had 56 findings in it, and of those findings they were able to align those with seven projects and put that into a large improvement plan. Each of those projects could be individually funded, and if we can continue to show improvement and success, not only will we perhaps get more trust from our board of directors that we're actually being successful at getting this done, but also, if you are a regulated company and you are being audited, those continual improvements, those smaller step improvements, are what they're looking for. They're not looking to say "next time we come back you better have all this done", right; they want to see that you've got a plan and you're working towards it. So this is, again, a good way to get additional funding, but only if you're in the trust of your steering committee that you're successful in getting these things done.

Now, when we quantify the budget requirements, this is where (and at the beginning of the conversation I said we're going to be up at this cyber security management system area) you really have to understand all of the elements of the service experience. So we have certainly got tools, and that's the cool thing you want to have on a dashboard, but the other things that you want are: you want to have either you or someone else be able to look at it and have time to do that, and then you also want to have the resources for perhaps upgrades and things like this. So when we talk about cyber security management programs as being a life cycle type thing, it's not "we got that stuff installed and we're super stoked". We need to understand what the costs are to an organization, not only for the hardware and the software but also the people and the processes behind it, to keep this thing up and running.

So I work with a number of different organizations in cyber security consulting, and I manage a team of consultants that do technical delivery services. They will go out one week and install a real-time vulnerability management system at a power company, we'll say, and that system includes asset identification, change management to the systems, IDS and a number of controls to effectively see not only what we have going on but what the threats are and the attempts to exploit vulnerabilities and all of that. And so they put this into a client's environment, and then nothing happens: they don't tune it and it just sits there building alerts and building alerts and building alerts. There is a financial risk to your organization from something called shelfware, meaning we bought something and it's never been deployed, it's on a shelf. There's a much larger risk to buying security controls and putting them in place and then never looking at the audits and the logs and the alerts and all the things that come out of it, because now what you have is this false sense of security. The CSO will be like "yeah, we got an IDS, we're good", but nobody's looking at these things, right? And so one of the services that my company has rolled out is managed monitoring, because I know I'm dealing with a lot of electrical engineers who have no time or interest to look at all of the alerts and logs and things like that that come out of it. So really, when you're trying to get this budget you need to understand the life cycle of that thing, and not only do we need to get the hardware and the licenses to get it in place, it has to be managed, otherwise you're actually probably lowering your security posture, because you believe you're doing better than you are. So another citation here for the budget, leadership responsibilities: 5.1(c) is ensuring the resources needed for the information security management system are available. It is the executive's job; they shall do that.

So then you've done the last eight steps. You've figured out how this improves our business, how we align with what our business goals are, do we have all the elements of the cyber security life cycle considered when we're putting our budget together, do we have the improvement plan in place that's iterative but something we can do in stages, and can we clearly articulate all of this. If you can, then you bring these to your steering committee or the CSO, whatever, you present what you've got, and you do so in such a way that it's clearly articulated but not obviously overly techy and things like that. And one thing that I say when we're doing this, and it can be a pain in the ass but it could also get your budget approved quicker, is give them more than one option. Say: here's the high-cost solution for our problem, here's the medium-cost and the low-cost, and the one I recommend, medium or high, probably not the low. You want them to realize that if you give someone options you empower them to make a decision. If you come and say "hey guys, we need to fix this, here's the proposal, we've got to do it", they can sit and think about that in analysis paralysis for quite some time.

Then the last thing is continual improvement. Monitor your tools, make sure your tools are working for you the way you want; that's the way you're going to get the continual life cycle budget and whatnot, and so you should have some way of measuring that you're successful. So, I know how difficult this is, because I'm working with CSOs and heads of security every day, but you need to be persistent, have effective communication and understand the context of the organization (that was slide number one here: what am I trying to secure?), and then you can increase your likelihood. If you've done those steps, you'll increase your likelihood of getting the budget and strengthen your organization's security posture.
Yes, sir.

Go, go.

Yes sir, I think that is one of our biggest problems: the installed tools. They spend all the money on the shiny new thing, they've had to put it on the software licensing without X many days of training, and then it sits there, and it gets... actually, because it's chewy, it doesn't improve its value, so they move on to the next thing, because you don't need to get the next one because you're not seeing the value out of the last one.

And what I'm saying is, it's realizing that the life cycle is not just the hardware and software, it's the people and the processes to support them. And that seems to be one of our hardest things to do, is to actually get the problem out too. You get a few small features and then you look at the next change, so he does that, we shouldn't have ever used it, not leveraged at all. And that's what I'm saying: we need to have an actionable improvement plan so that we can get these things deployed. It's all part of a larger program though, and you know those next tools are coming because you've got a big old dashboard of your improvement plan: yeah, we got this on the board, deployed, but we can't just lose sight because we're moving into the next one. It's going to be life cycle, but I suspect everyone in this room struggles with this.

I think, guys, we've got Lisa downstairs, isn't it? Or is it just... yeah. So I don't want to take up any of her time.