UNDERSTANDING RISK CAN FUND TRANSFORMATION

Dan Barker

Chief Architect - RSA Archer

@barkerd427

“When you take risks you learn that there will be times when you succeed and there will be times when you fail, and both are equally important.”

Ellen DeGeneres

A transformation that almost wasn’t

Many ways to sell transformation (or any project)

  • Increased revenue (highly speculative)
  • Increased savings (also speculative)
  • Decreased risk

Quantifying Risk

The simple way

The data

  • Average data breach = $7.3M (IBM and Ponemon Institute)
  • Third parties raise the cost (IBM and Ponemon Institute)
  • 668 breaches in 2018 (Privacy Rights Clearinghouse)
  • 1,369,452,404 records stolen in 2018 (Privacy Rights Clearinghouse)
  • 71% increase in OSS breaches since 2014 (State of the Software Supply Chain)
  • 57% of proprietary applications are OSS (helpnetsecurity.com)
  • Equifax = over $700M
  • Our base risk was ~$14.4B

Our facts

  • Hundreds of millions of records
  • Financial/Health data (highest cost)
  • Limited patching capabilities (manual)
  • Hundreds of different applications
  • $50M risk budget for CEO
  • $14.4B didn’t seem reasonable

Our facts

  • We had some protections
  • Focused on fixing patching
  • Analyzed our riskiest apps
  • Calculated the risk

Our facts

  • Likely records × number of vulnerabilities × average cost per record × average likelihood
  • 50,000,000 × 7 × $144 × 1% = $504M
  • Investment to fix the issues = $100M
  • $500M - $100M = $400M
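As an added example (not from the talk), the simple model in the list above written as functions, with the break-even check a reviewer would want before accepting the 1% likelihood guess. It assumes the deck's ~$14.4B base figure is 100,000,000 records at $144 each, which the slides do not state.

```python
# Added example (not the speaker's code): the slide's simple expected-loss
# model as functions, plus a break-even check on the likelihood estimate.
# Assumption: the deck's ~$14.4B base risk is 100,000,000 records x $144
# per record (the slide only says "hundreds of millions of records").


def base_risk(records: int, cost_per_record: float) -> float:
    """Unrefined exposure: every record is lost once, no likelihood applied."""
    return records * cost_per_record


def expected_loss(likely_records: int, vulnerabilities: int,
                  cost_per_record: float, likelihood: float) -> float:
    """Slide model: likely records x vulnerabilities x cost per record
    x average likelihood that a vulnerability is exploited."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability in [0, 1]")
    return likely_records * vulnerabilities * cost_per_record * likelihood


def net_benefit(loss: float, investment: float) -> float:
    """Risk removed minus the cost of removing it ($500M - $100M = $400M)."""
    return loss - investment


def breakeven_likelihood(investment: float, likely_records: int,
                         vulnerabilities: int, cost_per_record: float) -> float:
    """Average likelihood at which the expected loss only just covers the
    investment; below it the 'decreased risk' argument no longer holds."""
    return investment / (likely_records * vulnerabilities * cost_per_record)


def worked_example() -> dict:
    """Reproduce the deck's figures (USD)."""
    model = dict(likely_records=50_000_000, vulnerabilities=7, cost_per_record=144)
    loss = expected_loss(likelihood=0.01, **model)
    return {
        "base_risk": base_risk(100_000_000, 144),      # 14.4e9
        "expected_loss": loss,                          # 504e6
        "net_benefit": net_benefit(loss, 100_000_000),  # 404e6, ~$400M on the slide
        "breakeven_likelihood": breakeven_likelihood(100_000_000, **model),  # ~0.2%
    }


if __name__ == "__main__":
    for name, value in worked_example().items():
        print(f"{name}: {value:,.4f}")
```

The break-even likelihood comes out near 0.2%, so the slide's 1% estimate has roughly five-fold headroom before the investment stops paying for itself on risk alone.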

A better way

Factor Analysis of Information Risk (FAIR)

FAIR

  • The Open Group
    • Open FAIR
  • The FAIR Institute
  • Free to use on your own
  • License to use with another company
  • RiskLens and RSA Archer

Dan Barker

dan@danbarker.codes

danbarker.codes

dan.barker@rsa.com

rsa.com

@barkerd427