Saturday, January 18, 2014

Red Sky Weekly (1/18/14): IRnomics 102: How much will Lifelock for 110 million cost?

Between 2009 and 2012, Target underwent an enterprise-wide forklift upgrade of their entire payment processing systems. Roughly 1700 stores (~360,000 employees) and their entire backend were refitted, moving from a proprietary system to a system of integrated systems, virtualization, and third party processes. Few IT personnel are left in the stores, and likely no information security personnel.

According to their annual report, Target realized $2.9 billion in net revenues in 2012. I’ll be interested to see what the ‘13 and ‘14 reports look like.

There are costs to the business. Target is only one example.

Nearly any 'corporate' CISO knows the experience of asking 'the business' for money. It's part of the job. The corporate CISO becomes the vendor, having to prove his/her worth. How many times have you gone to one of those business units and hit them up for money to fund your infosec operation, only to be asked "what do I get for it?"

Welcome my friends, to the world of sales... you now have a new customer, and best friend!

Treat that internal VP like an external customer.

Become an internal entrepreneur. The formula is actually pretty simple to say but slightly harder to do. It’s why not everyone makes it to the ranks of the CISO. Here’s what you do...

  • Make that internal VP a company hero. When you do your job, it should make him/her look good.
  • Communicate. Find things and tell him... preferably before everyone else does.
  • Don't take all day about it. Be right, be brief, and be gone.
  • Use the momentum of that small win to find opportunities to find more.
  • Become the trusted advisor. You'll get your money.
  • It works.

A few months ago I had the opportunity to tell a CISO that one of his business units was leaking data. In fact, I gave him a bit more. I told him that the business unit in question had purchased a multi-million dollar computer aided drafting/manufacturing application from another company. I told him that the business had purchased it several years ago, and since then, they've been losing data.

We believe the application is probably toast, and since installation, has been sending data home to someone else... important stuff. 15 Gb of important stuff that we know of. Likely a third or so of those drawings were redos of previous work, drafts, or miscellaneous clutter, but for argument's sake, let's call this a 10 Gb loss. Let’s also assume that each drawing takes one engineer, one eight hour day to produce, not including R&D, corrections/QA, etc... 1Mb = 8 hours of labor (with me so far?)

We had hundreds of drawings. What's it worth? Let's do some math…

  • 1 Gb = 1000 Mb, therefore 10Gb = 10,000 Mb
  • Let's assume each drawing was 1Mb in size (1 Mb seems reasonable)
  • If 1Mb = 1 day to produce, then 10,000 Mb = 10,000 days, or 80,000 hours of work.
  • If true, this company lost nearly 45 man-years of work!
  • Depending on the cost of your people, this could represent $4 to 5 million dollars in labor.
  • I'm betting that for every 1Mb of drawings, there's a month (more or less) of engineering time behind each. This loss could potentially mean an actual loss of roughly 2,400,000 hours of technical R&D, drawing, QA, and possibly post-integration upgrades.

So what’s the value to this business?

This business (that VP) probably wants to know that they're losing intellectual property, at risk, or will find themselves in the headlights. And more importantly, how can they take care of it, quickly, efficiently, while still doing business, not losing face, not being investigated, and continuing to keep a high goodwill (reputational) value with their current and future customers. The business gets paid on sales and margins. Infosec takes away from margins. So, how does the corporate CISO handle this issue?

Every business wants three things:

  • What’s going to hurt them?
  • What do they do about it (as inexpensively as possible)?
  • What can you, the CISO, show them that will prove their investment in your team helped reduce their costs to produce their goods or services, or made money for them?

In my own case, we started an “APT” shop years ago. We got about a million dollars from the corporate CISO, and another $3 mil from one of the other businesses. They developed tech that a lot of people wanted... and when the check came, they became our highest value customer. The budget didn't need to grow much to keep us going, but the value resulting from the relationship built on that "highest value customer" premise ended up funding my former team (started in 2006) for almost 10 years... it's still going, and stronger than ever.

We've been getting this question a lot lately.

How does an information security shop get funded in light of advanced attackers, who hunt and kill so skillfully and so quietly? My formula is actually quite simple. If you're a CISO, and you need to find funding, go read Dr. John Kotter's 8 Steps to Leading Change. It's a simple model, based largely on common sense and intuition, but written down to allow you to actually follow a process (I need process!). It basically says this: find the first thing you can do. Be successful, and use the momentum to build more champions, find more opportunities, and continue to act. It's the same process in dealing with your business unit customers: find the first thing. Hit it out of the park. Use the momentum to find number two. Don't strike out.

1800 man-years of labor... gone.

110 million Lifelock accounts.

BT BT

Thursday night we hosted about 25 ISSA members in the New Hampshire Chapter. It was a great night. Thank you all for coming! Interesting to me is that we (Red Sky) have members all over the world, but only two in all of New England, and one of them is in New Hampshire, so it was really great to be able to show off a little bit to the local infosec teams.

We're in the throes of analysis. We've probably had a dozen calls on the Target breach, and although we did publish a report for the Red Sky members, we don't post anything externally, and we don't comment to non-members. We're keeping our fingers in it, and have come to our own conclusions on the subject. We're updating our reporting to the members as we speak. I guess first to press wins... and first to out an attacker gets some sort of prize. We're not worried so much about that. We'll take another day or two, and get a detailed report posted to the membership. BZ to iSight for getting this out... Nice job!

Ok folks. That's it for now.
Until next time, have a great week!
Jeff