UNDERSTANDING RISK CAN FUND TRANSFORMATION

Dan Barker

Chief Architect - RSA Archer

@barkerd427

1

Tell why I chose to join RSA Archer.

“When you take risks you learn that there will be times when you succeed and there will be times when you fail, and both are equally important.”

Ellen DeGeneres


The point of risk analysis isn’t to avoid risks, it’s to take risks mindfully.

It’s valuable to identify risks and learn more about your system.

A transformation that almost wasn’t


Describe the problem

There are many ways to sell a transformation (or any project):

  • Increased revenue (highly speculative)

  • Increased savings (also speculative)

  • Decreased risk


First we tried to make money

More Washingtons than Benjamins


Tried to say we would decrease employee count

But there’s always a bubble…

and there’s no way to really know if there will be fewer people.

No one wants to fire a good employee.

Is this really a revenue-increase proposal?


How do you sell a project that is mostly just about fixing all the things that have allowed you to be successful in the past, but are now holding you back?

This is where we found ourselves.

We had a broken system, and we had to fix it, but it wasn’t clear that it would directly increase revenue or decrease employee count.

So, we focused on risk.

Quantifying Risk

The simple way


The data

  • Average data breach = $7.3M (IBM and Ponemon Institute)
  • Third-parties raise the cost (IBM and Ponemon Institute)
  • 668 breaches in 2018 (Privacy Rights Clearinghouse)
  • 1,369,452,404 records stolen in 2018 (Privacy Rights Clearinghouse)
  • 71% increase in OSS breaches since 2014 (State of the Software Supply Chain)
  • 57% of proprietary applications are OSS (helpnetsecurity.com)
  • Equifax = over $700M
  • Our base risk was ~$14.4B


Our facts

  • Hundreds of millions of records
  • Financial/Health data (highest cost)
  • Limited patching capabilities (manual)
  • Hundreds of different applications
  • $50M risk budget for CEO
  • $14.4B didn’t seem reasonable


This was more than the company made in a year

We did keep the really large number in our report, but clearly stated we thought the actual risk was much lower.

Our facts

  • We had some protections
  • Focused on fixing patching
  • Analyzed our riskiest apps
  • Calculated the risk


Our facts

  • Likely records exposed × number of vulnerabilities × average cost per record × average likelihood
  • 50,000,000 × 7 × $144 × 1% = $504M
  • Investment to fix the issues = $100M
  • $500M - $100M = $400M
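The calculation above, and the breach-cost figures from the earlier slide, as a runnable example. This is added code, not from the deck: the only numbers taken from the slides are 50,000,000 records × 7 vulnerabilities × $144 × 1%, the $100M investment and the $50M risk budget; the other two applications in the portfolio and all helper names are constructed for illustration. It also assumes the ~$14.4B "base risk" is simply records × cost per record (100M × $144), which the slides do not spell out.

```python
# Added example (not from the slides): the deck's simple risk formula,
# records x vulnerabilities x cost per record x likelihood, applied to a
# constructed portfolio of applications and compared against the investment
# and the risk budget the deck mentions.
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class AppRisk:
    """One application's inputs to the slide formula (constructed values)."""
    name: str
    records: int            # records the app could plausibly expose
    vulnerabilities: int    # known, unpatched vulnerabilities
    cost_per_record: float  # USD per record (deck uses $144)
    likelihood: float       # average chance a vulnerability is exploited, 0..1

    def exposure(self) -> float:
        # records x vulnerabilities x cost per record x likelihood
        return self.records * self.vulnerabilities * self.cost_per_record * self.likelihood


def worst_case(records: int, cost_per_record: float) -> float:
    """Naive upper bound: every record lost once, no controls.
    Assumed (not stated on the slides) to be how the ~$14.4B base risk
    arises: 100,000,000 records x $144."""
    return records * cost_per_record


def portfolio_exposure(apps: Iterable[AppRisk]) -> float:
    """Sum of per-application exposure across the portfolio."""
    return sum(a.exposure() for a in apps)


def rank_by_exposure(apps: Iterable[AppRisk]) -> List[AppRisk]:
    """Riskiest applications first, which is where patching effort should go."""
    return sorted(apps, key=lambda a: a.exposure(), reverse=True)


def net_benefit(exposure: float, investment: float) -> float:
    """Exposure removed minus what it costs to remove it ($500M - $100M on the slide)."""
    return exposure - investment


def justified(exposure: float, investment: float, risk_budget: float) -> bool:
    """The deck's argument: the exposure the fix removes, net of its cost,
    exceeds what leadership is willing to carry (the $50M risk budget)."""
    return net_benefit(exposure, investment) > risk_budget


# Constructed portfolio: the deck's worked numbers for the riskiest app, plus
# two smaller applications invented for illustration.
PORTFOLIO = [
    AppRisk("customer-portal", 50_000_000, 7, 144.0, 0.01),   # deck's example
    AppRisk("claims-batch", 5_000_000, 3, 144.0, 0.02),       # constructed
    AppRisk("hr-intranet", 200_000, 12, 144.0, 0.05),         # constructed
]
INVESTMENT = 100_000_000.0   # deck: $100M to fix the issues
RISK_BUDGET = 50_000_000.0   # deck: $50M risk budget for the CEO


def deck_example() -> float:
    """Reproduces the slide: 50,000,000 x 7 x 144 x 1% = $504M."""
    return PORTFOLIO[0].exposure()


if __name__ == "__main__":
    for app in rank_by_exposure(PORTFOLIO):
        print(f"{app.name:16s} ${app.exposure() / 1e6:8.2f}M")
    total = portfolio_exposure(PORTFOLIO)
    print(f"worst case for 100M records: ${worst_case(100_000_000, 144.0) / 1e9:.1f}B")
    print(f"portfolio exposure ${total / 1e6:.2f}M, "
          f"net of investment ${net_benefit(total, INVESTMENT) / 1e6:.2f}M, "
          f"justified: {justified(total, INVESTMENT, RISK_BUDGET)}")
```

Ranking applications by exposure is what makes the formula useful beyond one headline number: with hundreds of applications and manual patching, it tells you which few to fix first, and the worst-case figure stays in the report as an explicitly labelled upper bound rather than the number you defend.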


DLP would trigger before all records were removed

Many other security controls currently in place

$400M is bigger than $50M

The Equifax breach costs were revealed during the transformation, which validated our analysis.

We actually underestimated by about half

A better way

Factor Analysis of Information Risk (FAIR)


FAIR

  • The Open Group
    • Open FAIR
  • The FAIR Institute
  • Free to use on your own
  • License to use with another company
  • RiskLens and RSA Archer


Dan Barker

dan@danbarker.codes

danbarker.codes

dan.barker@rsa.com

rsa.com
