J tif iJustifyingSSecurityit ExpendituresEditini aTough Economy:Making the Case for SecurityOctober 21, 2009Sara SantarelliChief Network Security OfficerVerizonNetwork SecurityServices1

VerizonCommunications Who We ArePremier broadband Internet company in the U.S.Leading global communications providerIInnovative,tihihigh-techh t h lleaderd FiOS Internet and TV Mobile broadband high-speed wireless data V CAST MusicM i andd MobileM bil TV Most connected global IP network for 10 consecutive years Serves over 133M customer connections(wireline, wireless, broadband, and TV)Source: Telegeography Research 20082

Who We AreVerizon Wireless Largest wireless company in the U.S. with 87.7M customers Most reliable wireless network Mobile broadband available to more than 284M AmericansVerizon Telecom FiOS Internet: passes 13.8Mhomes and businesses Connects averageg of 1Btelephone calls every day3

Who We AreVerizon Business Extended global presence and operations Advanced IP applications: VPN, VoIP, and hosting services SSecuregloball b l access tot customerstini 2,700 2 700 citiesiti andd 150 150 countriest i 485,000 fiber route miles200 data centers#1 communications provider to thefederal government 250 000 customer servers250,000 servers, routersand security devices managedworldwide4

The Extended EnterpriseTechnology and business have converged to create new challenges Business is data, and data is everywhere Limited resources, expertise and capital Customers, employees, partners and Multiple compliance needs and driverss ppliers are globalsuppliers Complex IT, security, communicationand networking challenges Growing environmental pressures 24x7 customer service expectations5

Business Models Have ChangedMMeasuringi againsti t riski kA li ti securityApplicationitMeeting multiple compliancerequirementsData protection /data loss preventionPartnerPt/ supplierli securityit dueddiligenceI fInformationtiaccess controlt lOngoing monitoring and managementSecurity log data handlingBusiness continuityConsumer / employee mobilityAnd . . . economic conditions6

Economic Climate is Driving Change Economic Conditions are Driving the Business Model Change Increased mobilityMore outsourcing Leads to riskier supply chains Reliance on vendors for QA, testing, and endend-useruser supportCapital and technology spending shrinkingProjected IT Budget Growth2006 - 20096.0%5.4%5.0%PercentChange3.4%4.0%3 4% Inflation Rate3.4%3.0%2.0%1.0%2.0%2.0%2.8%IT Budget Growth Rate0 0%0.0%2006-2007Source: Corporate Executive Board 20082007-20082008-20097

Security is NOT Immune!CISOs should expect pressures on their budgets andincreased risk exposure from third parties History shows working conditions change as a result ofeconomic conditions to increase the risk of security incidents Malicious attacks by insiders and recently terminated employeesincreases Overworked employees take riskier shortcuts Overall “lowering of the guard” is seen across the board Employee effort decreases IT misconduct worsensReality check:Information risk can be dwarfed by other business risksSource: Information Risk Executive Council8

Comprehensive Strategic ApproachGartner Information Security Program Maturity Timeline9Gartner -- Best Practices for Moving Up the Information Security Maturity Curve by Tom Scholtz, August 11, 2009

Demonstrating ValueComprehensive Strategic Security PlanSourcesGapsProjectGroupingsPlans10

Comprehensive Strategic ApproachPhase I - SourcesStrategic Imperatives Align your security plan with your business goals Be willing to adapt to change“You can’t keep doing the same thing and expect different results.” Measure and document successIt’s not easy to improveprocess or changehbusiness culture11

Comprehensive Strategic ApproachPhase I - SourcesRisk Assessment (Self) Provide a holistic view of security: policies, processes, people, andtechnologygy Continual assessment; complete annually Include inside SME risk assessment Evaluate against industryindustry-acceptedaccepted controls Deliver to executive management Utilize as baseline for program maturationassessment year over yearBlogssFaccebookTwitterYouTube12

Comprehensive Strategic ApproachPhase I - SourcesRisk Assessment (Third-party) Provide outsider view of security; identify specificareas for action Include general assessment plus special focus on one ormore specific areas Formallyy deliver to executive managementg Utilize as baseline for program maturationassessment year over year13

Comprehensive Strategic ApproachPhase I - SourcesInternal Audit Provide internal view of security; identify specific areas for action Review current internal audit findings Identify potential findings from team knowledge and experience14

Comprehensive Strategic ApproachPhase I - SourcesMetrics Program Develop meaningful and measurable risk-based security metrics Review risk-basedrisk based metrics in place today Identify and develop new and meaningful metrics for reporting15

Comprehensive Strategic ApproachPhase II – Gap Identification Security program gaps create “risk” Risk provides the opportunity for threats to exploit vulnerabilities Risk Threat x Vulnerability x Impact (Value)Adjust scope each year to accommodate various factors Economic/business landscapeOverarching corporate strategic objectives and imperativesMaturity of the security program16

Comprehensive Strategic ApproachPhase II – Gap IdentificationRisk Assessment (Self) vs. Industry-Accepted Controls Compare and contrast: “How well are we doing?” Set a baseline forfo currentc ent performancepe fo mance against industryind st Identify and document gapsRisk Assessment (Third-party) vs. Risk Assessment (Self) Compare and contrast: “What did the third-party miss?” Identify and document gapsKey Point:Gaps become areas of focus for current plan17

Comprehensive Strategic ApproachPhase III – Project Plans and FundingDetailed Project Plans Develop strategic remediation plans to close security program gapsidentified by risk assessment or internal audit Link to capital and operating plans Deliver visibility required for multi-disciplinary project adoption Include project details; the more information, the better your plans Include specific projects, objectives, milestones, sources, owners,funding, etc. Identify dependencies (e.g., capital, expense, other organizations,headcount, etc.) Flag projects for easy reference and sorting (e.g., complexity, funding,audit requirement, etc.) Identify target dates18

Comprehensive Strategic ApproachPhase III – Project Plans and FundingFunding Requirements Identify and document funding requirements Develop funding model; utilize groundwork from phases I – III Easily identify and prioritize projects Develop credibility and justification for fundingProject/DescriptionMilestonesQ1Q2Project 1EvaluationProject 2Comprehensive PlanProjectj3TestingTimeframes dependent on vendorTestTestingRemediationDevelop Comprehensive PlansDeployment to continue into 2010Roll outPhased implementationTimeframes dependent on vendorRe-testApprovalsProject 7Project 8Briefing scheduled for October 21InstallInstallationImplementCommentsProject on trackExecutive BriefingInstallProject 5Q4ImplementationProcure Equipmentq pProject 4Project 6Q3Order equip.DeploymentInstallation expected into 2010Timeframes dependent on vendor19

Comprehensive Strategic PlanComprehensiveCop e e s e StrategicSt ateg c Plana foro Executiveecut e Managementa age e tFormal strategic security plan Describe plan development approach in detail; phases I - III Comprehensive risk assessment Identification of control gaps Dependencies Complexity, timelines, etc. Deliver visibility required for multi-disciplinaryproject adoption Document official request for fundingComprehensiveStrategic PlanPreparedpfor:Executive Management20

Comprehensive Strategic PlanProject Tracking and Operational Metrics Group projects by imperative and function Update progress monthly Provide security program efficiency/effectiveness tracking Require a strong asset management program; data security modelSourcesGGapsProject Group 1Project Group 2StrategicSt t i PlansPlProject Group 3ProjectP j t GroupingsGiProject Group 4Project Group 5Operational Metrics Leveraged to Manage ProcessOperationalMetricsKeyy Point:Leverage operational metrics to manage process21

IP Risk DashboardKeyy Technical Inputsp Vulnerability scan data Open ports Security standards violationsRisk Score Calculated Risk trending over time Tracking against assetgroupings, based on risk(DMZ, financial, privacy)Keyy Benefits Owners prioritize list of boxes to remediateExecutive dashboard to gauge risk levels at a glanceSecurity performance reported in relation to peers, company, & subordinatesAtAt-a-glancelviewioff fifive worstt systemstDetailed remediation instructions22

Where Do You Start? Sources Strategic imperativesReview processes and proceduresRisk assessment (self)() Gaps Plans Projects MetricsWhat have you done to change your security model?23


Verizon Communications Who We Are Premier broadband Internet company in the U.S. Leading global communications provider h i h i ItI nnovative, high- lthdtech leader FiOS Internet and TV Mobile broadband high-speed wirele