SlideShare uma empresa Scribd logo

Creating Order from Chaos: Metrics That Matter

Priyanka Aash
Priyanka Aash

Decision-makers need reliable data in order to understand risk and determine value of investments. With the amount of data available in a multinational company, one would assume that answers would be easy to find. But how does one identify which data is reliable and make it meaningful? This talk will provide best practices and lessons learned on how ADP built an effective security metrics program. Learning Objectives: 1: Understand use cases in which metrics can be applied to business-driven security. 2: Gain a structured approach to leveraging data for security decision-making. 3: Learn through practical lessons how to communicate results of your metrics program. (Source: RSA Conference USA 2018)

Tecnologia
1 de 25
Baixar para ler offline
SESSION ID: #RSAC James Lugabihl CREATING ORDER FROM CHAOS: METRICS THAT MATTER GRC-W04 Director, Execution Assurance- Global Security Organization, ADP Marta Palanques Security Lead Consultant, Execution Assurance- Global Security Organization, ADP
#RSAC Uncomfortable questions 2 The executive asks What controls need to be implemented? Where do those controls need to be implemented? Where do we allocate resources? How can investments be rearranged? What you have available to answer Multiple systems of record Manual processing Data skepticism Disjointed reporting
#RSAC Our solution Executive self service Self-service platform that enables security decision making Oriented to answer leadership questions Allows to intuitively navigate data leveraging conceptual relationships Uses data that is currently available in multiple environments Operational Services Cost Resources Projects Coverage and Maturity Business Value Risk Incidents Vulnerab ilities Unit Cost
#RSAC Retrospective Where is our program today • Reduced time to execute 3 previous manual reports by 70% • Added 12 more services • Currently using 6 data sources • Monthly report on our key goals and risk areas • 140 users, 54 of which are active What did it take 18 months 3 resources Approximately 3,000 work hours to build
#RSAC What to expect • A pragmatic 5-step approach to implement metrics • Survival tips • Ideas on integration with risk framework • Visualization techniques for your audience
#RSAC Where to start How do you eat an elephant? Stick to your goal!!! Accelerate decision making Ensure we’re doing the right things the right way Achieve more with less: identify focus areas (“low hanging fruit”) Survival tip #1
#RSAC Application of the DIKW pyramid 7 Wisdom Knowledge Information Data (Raw) Understanding, applied knowledge Enabling decision making Missing meaning Missing context List of vulnerabilities in your environment Grouped by host, OS or application Grouped by Data Center or product or line of business Execution plan to eliminate the issues/gaps from the environment
#RSAC Wisdom Knowledge Information Data (Raw) Understanding, applied knowledge Enabling decision making Our philosophy Missing meaning Missing context Focusonthevulnerabilities Focusontheplan
#RSAC Step 1 – define your requirements Objectives Identify business objectives that establish the need for resilience and cybersecurity Goal Develop one or more goals for each objective Question Develop one or more questions that, when answered, help determine the extent to which the goal is met Indicator Identify one or more pieces of information that are required to answer each question Metric Identify one or more metrics that will use the selected indicators to answer the question Source: Lisa Young, Measuring What Matters
#RSAC Places to find “Goals” Security strategy Risk Register Audit/Controls Policies Executive’s questions Survival tip #2
#RSAC Step 2 - Searching for data sources Potential sources Process bi-products Technologies assets interact with Peripheral processes External sources Don’t need an inventory
#RSAC Step 3 - Choosing your data source Aspects to consider Automatic vs manual Ownership/source Does it align with other sources? Use a common dictionary? Completeness Data variability Refresh frequency Does it contain stale/old data
#RSAC Progressive data improvement 13 Find data sources Gather data Report Follow up questions Identify missing data elements Survival tip #3
#RSAC Trust curve 14 Data improvement cycles Datatrustlevel Questioning the data Questioning the measured object
#RSAC Step 4 - Analyze Don’t need tools Needs to be repeatable Agreed upon approach Analyze deeper than needs to be presented Complexity of metrics
#RSAC Step 5 – Communicate / Present Draw attention to the most relevant items
#RSAC Step 5 – Communicate / Present Use familiar formats and charts
#RSAC Step 5 – Communicate / Present Repeated colors and patterns Why? Because of this
#RSAC Relationship between data sources 19 Vulnerabilities Service Technology Risk Result in Identified through Identified usingIncidents cause Supported byDetected by Asset Owner manages Related to Owned by has Impact / affect
#RSAC Recap on 5 steps Define requirements • Relevant and meaningful • Use the executive’s questions as guidance Identify potential data sources • Organic data sources • Be creative – an inventory isn’t always the best option Data evaluation / data quality • Doesn’t need to be perfect • Ownership is important Analysis • Make it repeatable • Agree on approach to reduce bias Communicate • Focus on the story • KISS • Make it interactive
#RSAC Integration with Risk framework 21 RISK MONITORING RISK RESPONSERISK ANALYSIS RISK IDENTIFICATION Refine scope Prioritize plan of action Set clear goals Use metrics as input for analysis Report on key risk indicators Measure success of plans
#RSAC What is next • Continue adding more data points and reports • Leverage reports to drive change in the organization (and measure that change) • Leverage metrics as inputs to FAIR analysis • Reduce operational overhead of maintenance
#RSAC Apply it Next week you should: Identify one of your organizational goals In the first three months following this presentation you should: Define your reporting requirements for that goal List potential data sources for your metrics, obtain a sample and compare them to select one Within six months you should: Use the data to answer the following questions: — Is my organization achieving this goal? — If not, what should I focus on first to get closer to it?
#RSAC References and Resources 24 Lisa Young, Measuring what matters; https://www.rsaconference.com/writable/presentations/file_upload/ grc-r05_measuring_what_matters.pdf
#RSAC Any questions? 25 James Lugabihl James.Lugabihl@adp.com Marta Palanques Marta.Palanques@adp.com

Recomendados

Cloudera Federal Forum 2014: A 360 Degree View of the Insider Threat
Cloudera Federal Forum 2014: A 360 Degree View of the Insider ThreatCloudera Federal Forum 2014: A 360 Degree View of the Insider Threat
Cloudera Federal Forum 2014: A 360 Degree View of the Insider ThreatCloudera, Inc.
 
Security Risk Assessment
Security Risk AssessmentSecurity Risk Assessment
Security Risk AssessmentHealthcare Information Technologies
 
Development and implementation of metrics for information security risk asses...
Development and implementation of metrics for information security risk asses...Development and implementation of metrics for information security risk asses...
Development and implementation of metrics for information security risk asses...pero periuc
 
011918 incident analytics_service_fact_sheet_rs
011918 incident analytics_service_fact_sheet_rs011918 incident analytics_service_fact_sheet_rs
011918 incident analytics_service_fact_sheet_rsRichard Smiraldi
 
Intelligence and investigation management
Intelligence and investigation management Intelligence and investigation management
Intelligence and investigation managementAdeola Taiwo-Ogunbode
 
Cyber-Risk-Management-Assessment (1)
Cyber-Risk-Management-Assessment (1)Cyber-Risk-Management-Assessment (1)
Cyber-Risk-Management-Assessment (1)OCTF Industry Engagement
 
Old Presentation on Security Metrics 2005
Old Presentation on Security Metrics 2005Old Presentation on Security Metrics 2005
Old Presentation on Security Metrics 2005Anton Chuvakin
 
TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTri Phan
 

Recomendados

Cloudera Federal Forum 2014: A 360 Degree View of the Insider Threat
Cloudera Federal Forum 2014: A 360 Degree View of the Insider ThreatCloudera Federal Forum 2014: A 360 Degree View of the Insider Threat
Cloudera Federal Forum 2014: A 360 Degree View of the Insider ThreatCloudera, Inc.
 
Security Risk Assessment
Security Risk AssessmentSecurity Risk Assessment
Security Risk AssessmentHealthcare Information Technologies
 
Development and implementation of metrics for information security risk asses...
Development and implementation of metrics for information security risk asses...Development and implementation of metrics for information security risk asses...
Development and implementation of metrics for information security risk asses...pero periuc
 
011918 incident analytics_service_fact_sheet_rs
011918 incident analytics_service_fact_sheet_rs011918 incident analytics_service_fact_sheet_rs
011918 incident analytics_service_fact_sheet_rsRichard Smiraldi
 
Intelligence and investigation management
Intelligence and investigation management Intelligence and investigation management
Intelligence and investigation managementAdeola Taiwo-Ogunbode
 
Cyber-Risk-Management-Assessment (1)
Cyber-Risk-Management-Assessment (1)Cyber-Risk-Management-Assessment (1)
Cyber-Risk-Management-Assessment (1)OCTF Industry Engagement
 
Old Presentation on Security Metrics 2005
Old Presentation on Security Metrics 2005Old Presentation on Security Metrics 2005
Old Presentation on Security Metrics 2005Anton Chuvakin
 
TrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTrustedAgent GRC for Public Sector
TrustedAgent GRC for Public SectorTri Phan
 
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1North Texas Chapter of the ISSA
 
Allgress Brochure
Allgress BrochureAllgress Brochure
Allgress Brochurelinkedinlion11
 
5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA Audit5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA AuditSecurityMetrics
 
Getting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramGetting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramCigital
 
Technology Assesment
Technology AssesmentTechnology Assesment
Technology AssesmentDavid Duncan
 
HIPAA Audits: The Dos and Don'ts
HIPAA Audits: The Dos and Don'tsHIPAA Audits: The Dos and Don'ts
HIPAA Audits: The Dos and Don'tsPYA, P.C.
 
A Closer Look: Data Science Consulting Firm - Business Analysis on Clients an...
A Closer Look: Data Science Consulting Firm - Business Analysis on Clients an...A Closer Look: Data Science Consulting Firm - Business Analysis on Clients an...
A Closer Look: Data Science Consulting Firm - Business Analysis on Clients an...For The Women Foundation
 
What AT CM Can do for you (Color Apothocary)
What AT CM Can do for you (Color Apothocary)What AT CM Can do for you (Color Apothocary)
What AT CM Can do for you (Color Apothocary)Kendall Gill
 
Iso 31000 presentation
Iso 31000 presentationIso 31000 presentation
Iso 31000 presentationchristianaegerter1
 
Healthcare Portfolio | RemotePanda
Healthcare Portfolio | RemotePandaHealthcare Portfolio | RemotePanda
Healthcare Portfolio | RemotePandaRemotePanda
 
The challenges of big data, how data capable is your business? DQM Group
The challenges of big data, how data capable is your business? DQM Group The challenges of big data, how data capable is your business? DQM Group
The challenges of big data, how data capable is your business? DQM Group Internet World
 
Tips For Being Compliance Ready
Tips For Being Compliance ReadyTips For Being Compliance Ready
Tips For Being Compliance ReadyPeak 10
 
Data Discoverability with DataHub
Data Discoverability with DataHubData Discoverability with DataHub
Data Discoverability with DataHubGleb Mezhanskiy
 
Gdpr brief and controls ver2.0
Gdpr brief and controls ver2.0Gdpr brief and controls ver2.0
Gdpr brief and controls ver2.0Finto Thomas , CISSP, TOGAF, CCSP, ITIL. JNCIS
 
Managing Your Risk Taxonomy within StratexPoint
Managing Your Risk Taxonomy within StratexPointManaging Your Risk Taxonomy within StratexPoint
Managing Your Risk Taxonomy within StratexPointAscendore Limited
 
Adaptive Enterprise Security Architecture
Adaptive Enterprise Security ArchitectureAdaptive Enterprise Security Architecture
Adaptive Enterprise Security ArchitectureSABSAcourses
 
Accenture-Applying-Analytics-Transform-Internal-Audit-for-High-Performance
Accenture-Applying-Analytics-Transform-Internal-Audit-for-High-PerformanceAccenture-Applying-Analytics-Transform-Internal-Audit-for-High-Performance
Accenture-Applying-Analytics-Transform-Internal-Audit-for-High-PerformanceDave Hildebrand
 
Padma resume
Padma resumePadma resume
Padma resumePadma Thangaraj PMP, CSSGB, ITIL, CSPO, CSM
 
Dika model
Dika modelDika model
Dika modelnjbrann
 
(Webinar slides) Google Scholar and Free Legal Research
(Webinar slides) Google Scholar and Free Legal Research(Webinar slides) Google Scholar and Free Legal Research
(Webinar slides) Google Scholar and Free Legal ResearchMyCase Legal Case and Practice Management Software
 
Developing useful metrics
Developing useful metricsDeveloping useful metrics
Developing useful metricsPriyanka Aash
 
Data Science Transforming Security Operations
Data Science Transforming Security OperationsData Science Transforming Security Operations
Data Science Transforming Security OperationsPriyanka Aash
 

Mais conteúdo relacionado

Mais procurados

Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1North Texas Chapter of the ISSA
 
5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA Audit5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA AuditSecurityMetrics
 
Getting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramGetting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramCigital
 
Technology Assesment
Technology AssesmentTechnology Assesment
Technology AssesmentDavid Duncan
 
HIPAA Audits: The Dos and Don'ts
HIPAA Audits: The Dos and Don'tsHIPAA Audits: The Dos and Don'ts
HIPAA Audits: The Dos and Don'tsPYA, P.C.
 
A Closer Look: Data Science Consulting Firm - Business Analysis on Clients an...
A Closer Look: Data Science Consulting Firm - Business Analysis on Clients an...A Closer Look: Data Science Consulting Firm - Business Analysis on Clients an...
A Closer Look: Data Science Consulting Firm - Business Analysis on Clients an...For The Women Foundation
 
What AT CM Can do for you (Color Apothocary)
What AT CM Can do for you (Color Apothocary)What AT CM Can do for you (Color Apothocary)
What AT CM Can do for you (Color Apothocary)Kendall Gill
 
Healthcare Portfolio | RemotePanda
Healthcare Portfolio | RemotePandaHealthcare Portfolio | RemotePanda
Healthcare Portfolio | RemotePandaRemotePanda
 
The challenges of big data, how data capable is your business? DQM Group
The challenges of big data, how data capable is your business? DQM Group The challenges of big data, how data capable is your business? DQM Group
The challenges of big data, how data capable is your business? DQM Group Internet World
 
Tips For Being Compliance Ready
Tips For Being Compliance ReadyTips For Being Compliance Ready
Tips For Being Compliance ReadyPeak 10
 
Data Discoverability with DataHub
Data Discoverability with DataHubData Discoverability with DataHub
Data Discoverability with DataHubGleb Mezhanskiy
 
Managing Your Risk Taxonomy within StratexPoint
Managing Your Risk Taxonomy within StratexPointManaging Your Risk Taxonomy within StratexPoint
Managing Your Risk Taxonomy within StratexPointAscendore Limited
 
Adaptive Enterprise Security Architecture
Adaptive Enterprise Security ArchitectureAdaptive Enterprise Security Architecture
Adaptive Enterprise Security ArchitectureSABSAcourses
 
Accenture-Applying-Analytics-Transform-Internal-Audit-for-High-Performance
Accenture-Applying-Analytics-Transform-Internal-Audit-for-High-PerformanceAccenture-Applying-Analytics-Transform-Internal-Audit-for-High-Performance
Accenture-Applying-Analytics-Transform-Internal-Audit-for-High-PerformanceDave Hildebrand
 
Dika model
Dika modelDika model
Dika modelnjbrann
 

Mais procurados (20)

Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
Ntxissacsc5 yellow 2-evidence driven infosec compliance strategy-garrettp1
 
Allgress Brochure
Allgress BrochureAllgress Brochure
Allgress Brochure
 
5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA Audit5 Documents to Prepare for a HIPAA Audit
5 Documents to Prepare for a HIPAA Audit
 
Getting Executive Support for a Software Security Program
Getting Executive Support for a Software Security ProgramGetting Executive Support for a Software Security Program
Getting Executive Support for a Software Security Program
 
Technology Assesment
Technology AssesmentTechnology Assesment
Technology Assesment
 
HIPAA Audits: The Dos and Don'ts
HIPAA Audits: The Dos and Don'tsHIPAA Audits: The Dos and Don'ts
HIPAA Audits: The Dos and Don'ts
 
A Closer Look: Data Science Consulting Firm - Business Analysis on Clients an...
A Closer Look: Data Science Consulting Firm - Business Analysis on Clients an...A Closer Look: Data Science Consulting Firm - Business Analysis on Clients an...
A Closer Look: Data Science Consulting Firm - Business Analysis on Clients an...
 
What AT CM Can do for you (Color Apothocary)
What AT CM Can do for you (Color Apothocary)What AT CM Can do for you (Color Apothocary)
What AT CM Can do for you (Color Apothocary)
 
Iso 31000 presentation
Iso 31000 presentationIso 31000 presentation
Iso 31000 presentation
 
Healthcare Portfolio | RemotePanda
Healthcare Portfolio | RemotePandaHealthcare Portfolio | RemotePanda
Healthcare Portfolio | RemotePanda
 
The challenges of big data, how data capable is your business? DQM Group
The challenges of big data, how data capable is your business? DQM Group The challenges of big data, how data capable is your business? DQM Group
The challenges of big data, how data capable is your business? DQM Group
 
Tips For Being Compliance Ready
Tips For Being Compliance ReadyTips For Being Compliance Ready
Tips For Being Compliance Ready
 
Data Discoverability with DataHub
Data Discoverability with DataHubData Discoverability with DataHub
Data Discoverability with DataHub
 
Gdpr brief and controls ver2.0
Gdpr brief and controls ver2.0Gdpr brief and controls ver2.0
Gdpr brief and controls ver2.0
 
Managing Your Risk Taxonomy within StratexPoint
Managing Your Risk Taxonomy within StratexPointManaging Your Risk Taxonomy within StratexPoint
Managing Your Risk Taxonomy within StratexPoint
 
Adaptive Enterprise Security Architecture
Adaptive Enterprise Security ArchitectureAdaptive Enterprise Security Architecture
Adaptive Enterprise Security Architecture
 
Accenture-Applying-Analytics-Transform-Internal-Audit-for-High-Performance
Accenture-Applying-Analytics-Transform-Internal-Audit-for-High-PerformanceAccenture-Applying-Analytics-Transform-Internal-Audit-for-High-Performance
Accenture-Applying-Analytics-Transform-Internal-Audit-for-High-Performance
 
Padma resume
Padma resumePadma resume
Padma resume
 
Dika model
Dika modelDika model
Dika model
 
(Webinar slides) Google Scholar and Free Legal Research
(Webinar slides) Google Scholar and Free Legal Research(Webinar slides) Google Scholar and Free Legal Research
(Webinar slides) Google Scholar and Free Legal Research
 

Semelhante a Creating Order from Chaos: Metrics That Matter

Developing useful metrics
Developing useful metricsDeveloping useful metrics
Developing useful metricsPriyanka Aash
 
Data Science Transforming Security Operations
Data Science Transforming Security OperationsData Science Transforming Security Operations
Data Science Transforming Security OperationsPriyanka Aash
 
Too much data and not enough analytics!
Too much data and not enough analytics!Too much data and not enough analytics!
Too much data and not enough analytics!Emma Kelly
 
Data Analytics 3 Analytics Techniques
Data Analytics 3 Analytics Techniques Data Analytics 3 Analytics Techniques
Data Analytics 3 Analytics Techniques Jim Kaplan CIA CFE
 
Top 5 secrets to successfully jumpstarting your cyber-risk program
Top 5 secrets to successfully jumpstarting your cyber-risk programTop 5 secrets to successfully jumpstarting your cyber-risk program
Top 5 secrets to successfully jumpstarting your cyber-risk programPriyanka Aash
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA Information Security
 
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Application Portfolio Risk Ranking: Banishing FUD With Structure and NumbersApplication Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Application Portfolio Risk Ranking: Banishing FUD With Structure and NumbersDenim Group
 
Achieving and Measuring Success with the Security Awareness Maturity Model
Achieving and Measuring Success with the Security Awareness Maturity ModelAchieving and Measuring Success with the Security Awareness Maturity Model
Achieving and Measuring Success with the Security Awareness Maturity ModelPriyanka Aash
 
Data architecture around risk management
Data architecture around risk managementData architecture around risk management
Data architecture around risk managementSuvradeep Rudra
 
Process Maturity Assessment
Process Maturity AssessmentProcess Maturity Assessment
Process Maturity Assessmentpchronis
 
SDM Presentation V1.0
SDM Presentation V1.0SDM Presentation V1.0
SDM Presentation V1.0KirSinc
 
Software Security Metrics
Software Security MetricsSoftware Security Metrics
Software Security MetricsCigital
 
Data summit connect fall 2020 - rise of data ops
Data summit connect fall 2020 - rise of data opsData summit connect fall 2020 - rise of data ops
Data summit connect fall 2020 - rise of data opsRyan Gross
 
Implementing Agile Data Governance
Implementing Agile Data GovernanceImplementing Agile Data Governance
Implementing Agile Data GovernanceTami Flowers
 
From Cave Man to Business Man, the Evolution of the CISO to CIRO
From Cave Man to Business Man, the Evolution of the CISO to CIROFrom Cave Man to Business Man, the Evolution of the CISO to CIRO
From Cave Man to Business Man, the Evolution of the CISO to CIROPriyanka Aash
 
RbM Webinar Slides- A Practical Guide for Getting Your RBM Program Up and Run...
RbM Webinar Slides- A Practical Guide for Getting Your RBM Program Up and Run...RbM Webinar Slides- A Practical Guide for Getting Your RBM Program Up and Run...
RbM Webinar Slides- A Practical Guide for Getting Your RBM Program Up and Run...TRI, the risk-based monitoring company
 
Architecting the Framework for Compliance & Risk Management
Architecting the Framework for Compliance & Risk ManagementArchitecting the Framework for Compliance & Risk Management
Architecting the Framework for Compliance & Risk Managementjadams6
 
Enriched Insights in Finance: Blending Data, Boosting Performance
Enriched Insights in Finance: Blending Data, Boosting PerformanceEnriched Insights in Finance: Blending Data, Boosting Performance
Enriched Insights in Finance: Blending Data, Boosting PerformanceProphix Software
 
Vulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation SlidesVulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation SlidesSlideTeam
 

Semelhante a Creating Order from Chaos: Metrics That Matter (20)

Developing useful metrics
Developing useful metricsDeveloping useful metrics
Developing useful metrics
 
Data Science Transforming Security Operations
Data Science Transforming Security OperationsData Science Transforming Security Operations
Data Science Transforming Security Operations
 
Too much data and not enough analytics!
Too much data and not enough analytics!Too much data and not enough analytics!
Too much data and not enough analytics!
 
Data Analytics 3 Analytics Techniques
Data Analytics 3 Analytics Techniques Data Analytics 3 Analytics Techniques
Data Analytics 3 Analytics Techniques
 
Top 5 secrets to successfully jumpstarting your cyber-risk program
Top 5 secrets to successfully jumpstarting your cyber-risk programTop 5 secrets to successfully jumpstarting your cyber-risk program
Top 5 secrets to successfully jumpstarting your cyber-risk program
 
SLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshopSLVA - Security monitoring and reporting itweb workshop
SLVA - Security monitoring and reporting itweb workshop
 
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Application Portfolio Risk Ranking: Banishing FUD With Structure and NumbersApplication Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
Application Portfolio Risk Ranking: Banishing FUD With Structure and Numbers
 
Achieving and Measuring Success with the Security Awareness Maturity Model
Achieving and Measuring Success with the Security Awareness Maturity ModelAchieving and Measuring Success with the Security Awareness Maturity Model
Achieving and Measuring Success with the Security Awareness Maturity Model
 
Data architecture around risk management
Data architecture around risk managementData architecture around risk management
Data architecture around risk management
 
Process Maturity Assessment
Process Maturity AssessmentProcess Maturity Assessment
Process Maturity Assessment
 
Does audit make us more secure
Does audit make us more secureDoes audit make us more secure
Does audit make us more secure
 
SDM Presentation V1.0
SDM Presentation V1.0SDM Presentation V1.0
SDM Presentation V1.0
 
Software Security Metrics
Software Security MetricsSoftware Security Metrics
Software Security Metrics
 
Data summit connect fall 2020 - rise of data ops
Data summit connect fall 2020 - rise of data opsData summit connect fall 2020 - rise of data ops
Data summit connect fall 2020 - rise of data ops
 
Implementing Agile Data Governance
Implementing Agile Data GovernanceImplementing Agile Data Governance
Implementing Agile Data Governance
 
From Cave Man to Business Man, the Evolution of the CISO to CIRO
From Cave Man to Business Man, the Evolution of the CISO to CIROFrom Cave Man to Business Man, the Evolution of the CISO to CIRO
From Cave Man to Business Man, the Evolution of the CISO to CIRO
 
RbM Webinar Slides- A Practical Guide for Getting Your RBM Program Up and Run...
RbM Webinar Slides- A Practical Guide for Getting Your RBM Program Up and Run...RbM Webinar Slides- A Practical Guide for Getting Your RBM Program Up and Run...
RbM Webinar Slides- A Practical Guide for Getting Your RBM Program Up and Run...
 
Architecting the Framework for Compliance & Risk Management
Architecting the Framework for Compliance & Risk ManagementArchitecting the Framework for Compliance & Risk Management
Architecting the Framework for Compliance & Risk Management
 
Enriched Insights in Finance: Blending Data, Boosting Performance
Enriched Insights in Finance: Blending Data, Boosting PerformanceEnriched Insights in Finance: Blending Data, Boosting Performance
Enriched Insights in Finance: Blending Data, Boosting Performance
 
Vulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation SlidesVulnerability Management Whitepaper PowerPoint Presentation Slides
Vulnerability Management Whitepaper PowerPoint Presentation Slides
 

Mais de Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

Mais de Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Último

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Último (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

Creating Order from Chaos: Metrics That Matter

  • 1. SESSION ID: #RSAC James Lugabihl CREATING ORDER FROM CHAOS: METRICS THAT MATTER GRC-W04 Director, Execution Assurance- Global Security Organization, ADP Marta Palanques Security Lead Consultant, Execution Assurance- Global Security Organization, ADP
  • 2. #RSAC Uncomfortable questions 2 The executive asks What controls need to be implemented? Where do those controls need to be implemented? Where do we allocate resources? How can investments be rearranged? What you have available to answer Multiple systems of record Manual processing Data skepticism Disjointed reporting
  • 3. #RSAC Our solution Executive self service Self-service platform that enables security decision making Oriented to answer leadership questions Allows to intuitively navigate data leveraging conceptual relationships Uses data that is currently available in multiple environments Operational Services Cost Resources Projects Coverage and Maturity Business Value Risk Incidents Vulnerab ilities Unit Cost
  • 4. #RSAC Retrospective Where is our program today • Reduced time to execute 3 previous manual reports by 70% • Added 12 more services • Currently using 6 data sources • Monthly report on our key goals and risk areas • 140 users, 54 of which are active What did it take 18 months 3 resources Approximately 3,000 work hours to build
  • 5. #RSAC What to expect • A pragmatic 5-step approach to implement metrics • Survival tips • Ideas on integration with risk framework • Visualization techniques for your audience
  • 6. #RSAC Where to start How do you eat an elephant? Stick to your goal!!! Accelerate decision making Ensure we’re doing the right things the right way Achieve more with less: identify focus areas (“low hanging fruit”) Survival tip #1
  • 7. #RSAC Application of the DIKW pyramid 7 Wisdom Knowledge Information Data (Raw) Understanding, applied knowledge Enabling decision making Missing meaning Missing context List of vulnerabilities in your environment Grouped by host, OS or application Grouped by Data Center or product or line of business Execution plan to eliminate the issues/gaps from the environment
  • 8. #RSAC Wisdom Knowledge Information Data (Raw) Understanding, applied knowledge Enabling decision making Our philosophy Missing meaning Missing context Focusonthevulnerabilities Focusontheplan
  • 9. #RSAC Step 1 – define your requirements Objectives Identify business objectives that establish the need for resilience and cybersecurity Goal Develop one or more goals for each objective Question Develop one or more questions that, when answered, help determine the extent to which the goal is met Indicator Identify one or more pieces of information that are required to answer each question Metric Identify one or more metrics that will use the selected indicators to answer the question Source: Lisa Young, Measuring What Matters
  • 10. #RSAC Places to find “Goals” Security strategy Risk Register Audit/Controls Policies Executive’s questions Survival tip #2
  • 11. #RSAC Step 2 - Searching for data sources Potential sources Process bi-products Technologies assets interact with Peripheral processes External sources Don’t need an inventory
  • 12. #RSAC Step 3 - Choosing your data source Aspects to consider Automatic vs manual Ownership/source Does it align with other sources? Use a common dictionary? Completeness Data variability Refresh frequency Does it contain stale/old data
  • 13. #RSAC Progressive data improvement 13 Find data sources Gather data Report Follow up questions Identify missing data elements Survival tip #3
  • 14. #RSAC Trust curve 14 Data improvement cycles Datatrustlevel Questioning the data Questioning the measured object
  • 15. #RSAC Step 4 - Analyze Don’t need tools Needs to be repeatable Agreed upon approach Analyze deeper than needs to be presented Complexity of metrics
  • 16. #RSAC Step 5 – Communicate / Present Draw attention to the most relevant items
  • 17. #RSAC Step 5 – Communicate / Present Use familiar formats and charts
  • 18. #RSAC Step 5 – Communicate / Present Repeated colors and patterns Why? Because of this
  • 19. #RSAC Relationship between data sources 19 Vulnerabilities Service Technology Risk Result in Identified through Identified usingIncidents cause Supported byDetected by Asset Owner manages Related to Owned by has Impact / affect
  • 20. #RSAC Recap on 5 steps Define requirements • Relevant and meaningful • Use the executive’s questions as guidance Identify potential data sources • Organic data sources • Be creative – an inventory isn’t always the best option Data evaluation / data quality • Doesn’t need to be perfect • Ownership is important Analysis • Make it repeatable • Agree on approach to reduce bias Communicate • Focus on the story • KISS • Make it interactive
  • 21. #RSAC Integration with Risk framework 21 RISK MONITORING RISK RESPONSERISK ANALYSIS RISK IDENTIFICATION Refine scope Prioritize plan of action Set clear goals Use metrics as input for analysis Report on key risk indicators Measure success of plans
  • 22. #RSAC What is next • Continue adding more data points and reports • Leverage reports to drive change in the organization (and measure that change) • Leverage metrics as inputs to FAIR analysis • Reduce operational overhead of maintenance
  • 23. #RSAC Apply it Next week you should: Identify one of your organizational goals In the first three months following this presentation you should: Define your reporting requirements for that goal List potential data sources for your metrics, obtain a sample and compare them to select one Within six months you should: Use the data to answer the following questions: — Is my organization achieving this goal? — If not, what should I focus on first to get closer to it?
  • 24. #RSAC References and Resources 24 Lisa Young, Measuring what matters; https://www.rsaconference.com/writable/presentations/file_upload/ grc-r05_measuring_what_matters.pdf