
Yeah, I always have to figure out how to present these things; I never do this anymore. Hi, you're on, and it sounds good. On your top right there's a share, and just to the left of it is present. No, not share, the present one. Present. There we go. All right.

Show me the money: getting business buy-in in your organization. I want to take a moment to say who I am. I'm Carlota Sage. I've worked in a lot of very large companies: NetApp, Netflix, Facebook, and most recently, several years ago, FireEye. I took a six-week contract at FireEye in 2013 when they were three hundred people, and four and a half years later I was like, wow, that was a wild ride. The company is great, but I really love the industry, so big shout out to my Draper, Utah guys at FireEye. I miss you, but I'm happy to be here with you today. You can reach me on Twitter and LinkedIn.

I wanted to thank Chris. I think the talk that he gave is really important, and I do want to touch real quick on a question that somebody asked: if you're later in your career, you know, take it from me, the pay cut is brutal, and I agree. There was a point at FireEye where I had to decide if I wanted to move to the intel team and take a 35 percent pay cut, or if I wanted to move out of the company, and I ended up moving out of the company. I still took a pay cut because I started my own company, but I don't regret it at all. So I know it's hard to take that pay cut, but your other option is to find a role that is, if you're for example a program manager or an ops manager at a large company, that makes you very qualified to be a CIO at small companies. That may be another route that you want to look at: taking that CIO role and growing the security team and becoming a CISO-level person. So I have actually become a virtual CISO.

Doing that, originally when I started my company, I was consulting into security groups and security startups doing what's called knowledge strategy, and that's basically where tech process, business process and people meet. That's kind of my special squishy area, so that's what this talk is going to be about. If you are in a small org, I hope to give you some really good info for growing security in your organization. If you are in a larger org or at a vendor, the worksheets that I give you at the end should still help you facilitate conversations, which is really very helpful.

So a quick moment to say thank you. Thank you, BSides Salt Lake City, I'm glad to be here, and thank you to all of the sponsors, and to turn it around and make it a virtual conference so quickly, very impressive. So thank you to the con org team as well.

But to give you context around this whole thing that I'm talking about: you know, we in security, and having worked for a vendor I know this is true, we mostly hear from vendors and the really big organizations that they're selling to. So I want to give you the context of that black line. That's who we're hearing from, and we need to hear from them because they have a greater need, they have more money, they can drive innovation, they can drive conversations. But the majority of us live in this green area. You know, in the United States alone, ninety-nine point seven percent of businesses are less than five hundred employees. The orgs that I've been working with have usually been less than 100 employees, and some of those companies need more security than others. You know, some of those companies can just get Google Mail or 365 and that's going to cover the majority of their needs, right? But there's a lot of businesses in there that need more, and we need to be having more conversations around that.

So if you are in that smaller space and you're having trouble, you're the IT person, you're having trouble really getting people to buy into security, what I really need you to understand is that this is not about you, and it's not about the technology. Because you're the security expert in that smaller org, and it's a little bit like black magic for those folks that you're trying to get on board with security concepts. You're kind of like Chicken Little running around, you know, saying the sky is falling down, and the fear is putting them off, the pressure, some of that negativity is putting them off. So what I need you to really practice, well, sorry, what I need you to understand is that the data you're securing is not just about the technology that you are driving or using. Every business process, every person in your org has their fingers in that data in some way, and you have to think systemically, right? You have to think of the whole big picture.

So with that, you need to start practicing your social engineering, right? If you know more about Mandiant's APT29, and you're in a small org, than you know about your executives and your internal customers, I'm going to ask you to reassess your priorities. Either you need to really start looking for a vendor to work for, or a very large organization to work for, or you need to commit to being that security architect, that security generalist, that eventual CISO, and you need to really start working on your soft skills. I know that is never anything anyone in tech wants to hear, but it makes your role, and getting security buy-in, so much easier.

So all of those OSINT things that you hear about and that you see conferences on, all of those things can be applied internally, right? You have to meet your internal audience where they are. Your executives, you know, their personal life: they've got the home-life balance, the cuts they've made, they have a yacht, right? And they care about that. And in the business life they care about risk and operational costs, and there are other things that they care about, but you need to figure out what those are.

And risk is anything that puts pressure on a business. For you, right now, coronavirus: this has F all to do with technology, it has nothing to do with business, but the impact that we're feeling from it, that was a huge risk. And I personally know CIOs, CISOs who have, in their business continuity plans, they have plans for pandemics, they have plans for zombie apocalypse, like what do we do if people physically cannot get into work, what do we do if there is civil unrest in one of our global centers. When I worked, I believe it was there, there was a major issue and major unrest in Egypt, and literally we opened the call center for that crew to come in and shelter in place there because it was so dicey where they were. You have to consider all of those pieces. You can't just look at the technology.

And this is where, if this is the route that you want to go, and a lot of people, and Chris previously just also talked about it, some people care about certs, some people don't. If you're looking at this more general security architect or eventual CISO role, the CISSP actually is very good, because it gives you really good insight into business continuity, disaster recovery, that kind of thing. If you are a hundred percent technical and you want to be a CISO one day, you really need to start looking at that, and even if you don't get the cert, the pieces that they cover on the business side are going to be critical for you to understand and be successful. But mostly those soft skills that nobody ever wants to talk about, and if you're putting soft skills off as "oh, you know, I can have somebody else do that," frankly, you're doing it wrong, because getting people invested in your success as an IT or security person is going to be critical for making your job a lot easier, especially in a smaller org.

So for those internal customers, they're looking to optimize their work. They want to put as little, and all of us do this, right, we want to put as little effort in and get the most out that we can, and that means that any friction that we introduce to their business process or to their work life becomes an obstacle. This is where really understanding the business processes becomes important. Sit down, you know, or virtually at this point, right, with your internal customers and say, walk me through your typical day, show me the systems that you use, and then really think about what you are going to be asking them to do from a security perspective. Think about how that impacts them, because they are not security experts. They will probably never be security experts. There will probably be one or two people who really love what you do and are really curious, and you become their inspiration, but the majority of them are very happy doing what they're doing, I hope, and they're just not going to ever be that bought in. You have to make it personal in a lot of ways. You have to make sure that they feel like they're heard, and even if they're heard and you still have to do it this way anyhow, here's why; that at least gives some context, they feel like they've had a say. One of those pieces that I love to do is: okay, I know multifactor and VPN is a real pain in your butt, but it's really important, here's why, here are the statistics on this, and I know it doesn't matter to you personally, but it makes our company and our customers a lot more secure.

On that side, recognition works better than shaming. Take on a Friday, hit your Slack channel and say, hey, thanks to these three people this week that made my life a little bit easier. That gets you visibility, people understand that you're really trying to connect to them, and they respond better to that. And then, you know, success: how do you become a part of their success, how do they become a part of yours? It's a psychology thing, it's a social engineering thing, it's a piece that you really need to start looking at. It just smooths a lot of things over.

So, but going back to those risks and those operational costs: what the business knows is coming and what they can plan for is a very different thing. You, as a security person, have a much bigger picture of what's going on in the landscape, and you have to distill that in a way that you can warn your exec or your exec team what's coming down the pipe or what's being seen, and it's got to be sound-bite-like. Twitter is great, because if you learn to write a concept in two or three tweets, that is fantastic for learning to deal with executives, because they don't have a lot of time to dive into details. You need to have those details prepared if they ask for it, but at the same time what they really want is that bottom line: how does this impact us, what are you talking about, why is this important? You need to figure out where they are as your leadership and how you can make what you need them to agree to the easiest and simplest and least fearful thing. Operating on fear doesn't work. It does sometimes, but it doesn't always, because after a while you really do sound like Chicken Little. Those are the two big pieces, I think, on your exec team and your internal customers.

If you have people who are going to say, when you talk about security, "but we use Google, we use Microsoft, we use Azure, we use AWS, and they're secure, so that means we're secure," the simplest way I have found to tell people "no, you're thinking of this wrong" is to say: yes, they are secure, and they're a part of our tool set, but our security is about securing our relationship with the customer. We don't want Google, we don't want AWS, we don't want Microsoft to own our customer relationship, because they'll put us out of business. And when you say it like that, your execs suddenly understand. Okay, now they're thinking about technology as a tool in their set rather than as a solution for security itself. So if you have any questions, if you are running into very common pushback, people don't want VPN, people don't want multi-factor authentication, you know, feel free to toss that in the questions and we'll address it and get some verbiage for you for that.

But really, when it comes down to it, it is about the money, and money for business execs talks. If you're in a very small org, your margins tend to be very thin, so I'm going to share and walk you through two worksheets that will help you frame those conversations. I'm going to preface this by saying, when you are putting together worksheets and talking about numbers, there are people who are going to push back on that. They're gonna say, "oh, these numbers aren't real, blah blah blah." That's fine. If they disagree with it, give them the worksheet and tell them, you tell me which numbers are correct. Really it's about starting that conversation and getting that moving.

So I'm gonna walk you through two things, and I'm gonna toss these links into the chat. So in the Zoom chat, you know, I have a couple of the links. One of them should be a simple knowledge strategy ROI, and what this does, and I've done this two ways in here: one of the things that your operations team is concerned about is what they're paying people and what they're getting for that money, and any time that you can say we can make people more efficient and free them up, especially if people are really fighting for headcount, if we buy this service or do this project, here is how we make people more efficient and therefore actually save money, we get that investment back. So you can say anything from: if your IT group is having to provision a lot of laptops because you keep getting owned, here is how much the software to solve that is going to cost us, here's how much we're spending in terms of labor. This gives you a chance to actually start that conversation in a place where your operations team actually will listen, because now you're actually talking about the money. When it comes to larger organizations, especially support or IT groups where you'd have kind of a tiered level of here's what we pay the lower level, here's what we pay level two, here's what we pay level three people, you can get more complicated with this tiered efficiency piece, and again how these pieces affect your team as a whole are really great. You can also do this if you're in a support or an IT help desk role: you can do that ROI by case deflection, which I have found to be very effective. The bigger your group is, the better this scales, and it just helps make sure that people understand there is a price to productivity here, and we can quantify that, and we can quantify that in ways that are meaningful to you, and that way can either be by case or by actual hourly labor.

And the other piece that I put together, sorry, Jason, thank you, put those links in again, apparently I was only sending them to the panelists. So the other piece I've put together, and this is a piece that takes a little bit longer to go through, is a risk and recovery estimate, and this I've divided up into four separate sections. The first one is infrastructure. If all you're doing is securing an infrastructure, here is how you estimate productivity loss, incident response, and recovery costs. Recovery costs are going to include anything that is not already planned in your operational budget, so if you have to go out and hire Mandiant to come in and do an incident response that wasn't planned, that goes in your recovery cost. So if you've ever wondered where those numbers have come from when people say "well, we think this incident has cost this company this," they're probably working off of something very similar to this. I know Adrian Sanabria has put out a simple incident calculator, which I've linked to in the helpful sources tab on this sheet as well. And I tried to go through and actually give context, and that's really important when you're talking to your teams, giving context of why we're setting this up. And all of this is just example numbers; actually, they're example numbers from one of the clients in the vCISO, so they are real numbers, but they're replaceable. Anything in green you can plug in; your yellow and red numbers will calculate.

So in terms of securing your infrastructure, this can give them, you know, okay, I'm not too worried about losing $3,000 in productivity, I'm not too worried about losing $3,000 on an incident response, it's probably somebody has clicked a phish link. But when you start looking at recovery costs, then those can really add up. I know that one of my clients actually had to completely migrate out of a platform in probably about two weeks because they had a website defacement, and that cost them not just the loss of credibility. And there's a lot of intangibles that I talk about in these contexts, right, productivity loss being kind of intangible, but when we get to service delivery and application you start getting a lot more credibility, brand, you know, reputation hits that you can't quantify as easily. You can quantify them if you're losing money; that's a lot easier to quantify, but until you actually lose that money it's a best guess, right?

So that's for securing your infrastructure. Your service delivery, and again these are actual numbers from an unnamed client, or very similar rounded numbers from an unnamed client, where this is how much they lose per day if they have a denial of service or some sort of interruption to their service. And again, this is just the money that we're losing in terms of service we should be delivering. If they had a service level agreement that says after three hours you start paying us, then you have to add that money in, okay? That becomes extra cost to the business. And again, your support impact cases, I've actually changed this to say help desk, or I'm not going to do it right now, but it's basically your help desk, your support impact. For example, if your support team usually gets 500 tickets in a month and suddenly they get 500 tickets in a week, then you can actually put a number to the impact of that incident. It's really great when you can do that, because it makes your board pay attention. And again, those incident response costs in terms of brand loss, there's all kinds of studies out there. Of course there have been huge retail shops hit, Target, Home Depot, all of those kinds of things. They're big enough that they've recovered, because they can spend that money on marketing to keep that brand going. So there you're gonna see a big dip for their value, but they're gonna be able to turn that around because they've got the money to do that. Smaller shops, probably not as easily. I think there was a recent example in my helpful resources that I linked to, a smaller company of less than 300 people that ransomware took out. They just couldn't recover. They did not have good business continuity, they did not have good disaster recovery. Getting the basics of IT correct gets you a lot in security, they really do, I can't stress that enough. If you can get the basics down, make sure your backups are working, make sure your business continuity is actually comprehensive and understandable, comprehendible, right? That becomes very important.

And on application risk estimates, I'm still trying to come up with context for that, but it's a little more straightforward, because you need to confirm the vulnerability that someone has reported to you, you have to develop or redevelop around it, and then you have to test it. So those costs can be a little more easy. Again, for a very big company, well, there are small shops that are developing, but a lot of this is really geared more towards a larger company with a very large, very complex system. You can still use it for a smaller shop, it's just your impacts can be smaller, but at the same time you at least know what that impact is. I've started keeping a running log of malware and ransom demand estimates and business email compromise estimates, and I give my sources on who they are, and I try to give a lot of context. Again, you should be able to hand the sheet to a finance person and they can read through the context, and then they can come back to you and they can say "this makes sense, this doesn't," and at least, again, facilitating that conversation, trying to meet your team where they are and make security accessible and less black magic to them.
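The four-section risk and recovery estimate described above, as an added Python sketch of the worksheet's arithmetic (not the speaker's spreadsheet): productivity loss plus unplanned incident response and recovery, lost service revenue plus SLA credits past the grace period, support tickets above the monthly baseline, and confirm/fix/test hours for a reported application bug. The class and field names and every example figure are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Infrastructure:               # section 1: securing the infrastructure
    affected_staff: int             # people who could not work during the incident
    hours_down: float               # how long they were unproductive
    loaded_hourly_rate: float       # fully loaded cost of one person-hour
    incident_response: float        # unplanned IR spend (outside responders etc.)
    recovery: float                 # unplanned rebuild or migration cost

    def productivity_loss(self) -> float:
        return self.affected_staff * self.hours_down * self.loaded_hourly_rate

    def total(self) -> float:
        return self.productivity_loss() + self.incident_response + self.recovery

@dataclass
class ServiceDelivery:              # section 2: revenue lost while the service is down
    revenue_per_day: float
    outage_hours: float
    sla_grace_hours: float          # "after three hours you start paying us"
    sla_credit_per_hour: float

    def lost_revenue(self) -> float:
        return self.revenue_per_day * self.outage_hours / 24.0

    def sla_penalty(self) -> float:
        billable = max(0.0, self.outage_hours - self.sla_grace_hours)
        return billable * self.sla_credit_per_hour

    def total(self) -> float:
        return self.lost_revenue() + self.sla_penalty()

@dataclass
class SupportImpact:                # section 3: help-desk tickets above baseline
    baseline_tickets_per_month: int
    tickets_during_incident: int
    incident_days: int
    cost_per_ticket: float

    def excess_tickets(self) -> float:
        # Pro-rate the monthly baseline over the incident window (30-day month).
        expected = self.baseline_tickets_per_month * self.incident_days / 30.0
        return max(0.0, self.tickets_during_incident - expected)

    def total(self) -> float:
        return self.excess_tickets() * self.cost_per_ticket

@dataclass
class ApplicationRisk:              # section 4: confirm, fix and test a reported bug
    confirm_hours: float
    fix_hours: float
    test_hours: float
    engineer_hourly_rate: float

    def total(self) -> float:
        hours = self.confirm_hours + self.fix_hours + self.test_hours
        return hours * self.engineer_hourly_rate

def risk_and_recovery_estimate(infra, service, support, app) -> dict:
    """Per-section totals plus the grand total, in currency units."""
    sections = {
        "infrastructure": infra.total(),
        "service_delivery": service.total(),
        "support_impact": support.total(),
        "application": app.total(),
    }
    sections["total"] = sum(sections.values())
    return sections

# Constructed example figures (assumptions, not the talk's client data): 20 people
# idle for 4 hours, an unplanned IR engagement, an 8-hour outage against a 3-hour
# SLA grace period, and a month's worth of tickets arriving in one week.
EXAMPLE = risk_and_recovery_estimate(
    Infrastructure(affected_staff=20, hours_down=4, loaded_hourly_rate=37.5,
                   incident_response=3000, recovery=0),
    ServiceDelivery(revenue_per_day=10000, outage_hours=8,
                    sla_grace_hours=3, sla_credit_per_hour=500),
    SupportImpact(baseline_tickets_per_month=500, tickets_during_incident=500,
                  incident_days=7, cost_per_ticket=25),
    ApplicationRisk(confirm_hours=2, fix_hours=16, test_hours=6,
                    engineer_hourly_rate=100),
)
```

Swap in your own green-cell figures for the constructed ones; the per-section totals are what a finance reader can argue with line by line.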
If you really want to get your finance person on board, you can tell them that SOC 2 compliance, one of the industry standards, was developed by the American Association of CPAs. It's the finance guys that were driving that security standard. So ideally, if you're having a lot of trouble, talk to your head finance person and say, how do I make this meaningful to you and your team? And if you bring this worksheet to them, you're gonna at least have a conversation, and hopefully that conversation will be productive for you. Some of that may be, you know, it's a lot cheaper to send a couple of our people to conferences and maybe an extra training or pay for a cert to help us out than paying ransomware. And of course we never recommend paying ransomware, because less than half the time it actually works. There's also, what I like about SecureWorld and the FBI is they've started putting together those pieces of, sure, this is what they're asking for, and whether or not that works, you're still having to pay for recovery, because once they've compromised your system, now you have to bring somebody in, figure it out, undo the damage, lock it down. So there are costs associated. That five thousand may not look like it's very big, but there's a much bigger cost behind it, and part of this is just to make people aware of that.

So with that, my last tab here, actually, they're helpful resources. These are places where you can get shared decryption keys from the No More Ransom project. There's FBI field offices. If you were hit by ransomware, even if you pay it and that goes away, that's great, you'd be very lucky if that's true, I still encourage you to report that to the FBI, because that makes their numbers more meaningful. They're the best thing we have right now for looking at the country as a whole in terms of security and the impact on American businesses. So their Internet Crime Complaint Center could use some updating, but I think Adrian Sanabria, again, big shout out, thank you, has begun keeping a spreadsheet of businesses that have reported themselves closed as a consequence of breach. So those are great. There's other cost calculators out there. I really like the sample data breach cost calculator, because it actually asks you a series of questions. I don't have insight into the assumptions they're making or how accurate their calculation is, but just kind of looking at what the FBI puts out versus what they're calculating, it seems to be pretty reasonable. I don't see it as being really out of scale. And then an incident cost calculator, again from Adrian Sanabria, that's a much more, that's looking at the incident rather than the impact across an organization.

And then in terms of how do I get security, or at least get my start with security tools when I can't buy anything, there were some fantastic resources out there. Security Onion is a big one. I did not realize that that was created by some of the ex-Mandiant folks that I used to work with. I ran into them at BSides again, I guess, last year and got to say hi to them, and I had worked with them primarily virtually, so it was really nice to get to meet them and realize they were behind this really fantastic open source software. Mandiant had a very big ethos around sharing their tools, and FireEye has fortunately kept some of those tools. If you go to FireEye's website you can find, and I'll update the links in here, you can find Redline and some analyst tools, triage tools, mapping tools. There's some really great ones there. I know KnowBe4 has some fantastic open source tools as well. If you know of a vendor, you work with a vendor, or you are a vendor who does that, some open source tools for folks, I would love to hear from you, I'd love to add you to the list. I know the Security Onion folks have a conference every year; I put their 2019 conference videos in there. Watch them. If you're in a small shop, this is a really fantastic way to get started on network monitoring.

So that's what I have right now. Let me switch to Q&A. Kingbird has asked: it seems like small businesses lately are really caught in an unfair situation. Most don't have the funds for the more expensive effective solutions, nor the funds to cover an incident like breaches and ransomware attacks. What low-cost options exist? That's a really great question, Kingbird. I hope the Security Onion pieces give you a start. There are a lot more out there. I personally have the most experience with Security Onion and with the Mandiant/FireEye Redline product. I know that one of the really fantastic security guys, Paul Melson at Target, has put out, he's got a scraper for Pastebin that had some really interesting information, and he just puts it out there on Twitter, it's free. There's a lot of free content on Twitter, there's a lot of open source software out there. I think Security Onion so far, to me, has been the most comprehensive, and part of the ethos that that team went into it with was exactly this: we're protecting the wrong people. Like, the big guys can afford that protection, and the small businesses are really struggling with that. I think we're going to see a shift in the market as well, because, you know, there's a thousand, 1,000 companies, and there's 5.6 million small businesses. Now even if only 10% of that 5.6 million can afford anything, that's still a much bigger market than your Fortune 500. So I would like to see, and I believe I'm already starting to see, that shift towards addressing the down market, the mid market, and eventually the smaller market. I think Google's tools, for example, have done a really good job. Like, you don't even think about it anymore: if you've got a friend who's an artist or has a store website or something, it's like, hey, you know, for six bucks a month you can have a Google business account that gets you email and Drive and all of these other things. So does that answer your question, Kingbird? Okay, any other questions? I know we're right up on the line. Great, thanks, camper, that was a really great question. And again, I encourage you, hit me up on Twitter if you find a tool, if you have an open-source tool that you're using in a smaller org, I would love to hear about it and hear about your experience, walk me through it. I'm not going to put every link on this page. I'm gonna put links that I have laid eyes on or laid hands on, and we'll go from there. So thanks guys and gals, thanks folks.