CBCP, CRISC, CISMsecure360.org/wp-content/uploads/2013/05/Selling... · Associations: ISACA, ISSA, FBI InfraGard, BCPA, ISC(2), ICBA, MBA, ICBM Services Comprehensive Information

Copyright © 2013, Assurity River Group All rights reserved. No duplication without written permission.

Background

Minneapolis based

Founded in 2002

Team Certifications: CISSP, CISA, CBCP, CRISC, CISM

Associations: ISACA, ISSA, FBI InfraGard, BCPA, ISC(2), ICBA, MBA, ICBM

Services

Comprehensive Information Security

Risk / Governance / Compliance

Incident Response

Pen Testing / Vulnerability Assessment

Security Training

Business Continuity / Disaster Recovery

Managed Security / Recovery Services

Page 4

CEO: “The board of directors wants to see our DR plan. Put it together!”

CIO: “Boss says we need a DR plan. Get the cost together to make it happen!”

IT Guy: “Awesome! We’ll need another SAN, 200 new servers, 100MB Fiber, 30 racks in a data center. I’ll call my sales rep.”

“Great! I’ll get my engineers to work on configs, get pricing and schedule demos of the data center!”

Page 5

“Let’s look at DR again in a couple years. You need to add $6M to the budget or we need to kill the SAP rollout!”

“I need $6M added to the budget over the next 3 years and 4 FTEs.”

“The cost to do what you’ve asked will be $2M in HW/SW and $100k per month.”

Page 6

QUOTES FROM THE FIELD

“We recommend BCP every year and it always gets put off.” – VP-IT, Credit Union

“I don’t want management to know we don’t have a DR plan. I’m too busy already.” – IT Manager

“Management has a bad taste in its mouth from the last consultant, who was counting how many pencils we need in a disaster.” – CIO, Law firm

“Our insurance policy is our DR plan.” – President, Home Healthcare Provider

“I’ve got my resume ready.” – IT Director

Page 7

AGENDA

• Introduction of Sales Concepts

• Sale 1: DR/BC Initiative Buy-in

• Sale 2: DR/BC Strategy Buy-in

• Summary

Page 8

“STRATEGIC SELLING” MILLER-HEIMAN

A Complex Sale is one in which several people must give their approval before the sale can take place.

Page 9

THE BUSINESS RECOVERY PLANNING PUZZLE


Page 11

BUYING INFLUENCES

Economic
• Role: FINAL APPROVAL
• Focus: Bottom Line and Impact on Organization
• Asks: “What is the ROI?”

User
• Role: JOB PERFORMANCE
• Focus: The job to be done
• Asks: “How will this work for me?”

Technical
• Role: Evaluator
• Focus: Product/Service per se
• Asks: “Does it meet the specifications?”

Coach
• Role: Guide the sale
• Focus: Your Success
• Asks: “How can we pull this off?”

Page 12

RESPONSE MODES

Growth
• Perceived “gap” between reality and growth objective
• Wants: More, better, faster and improved

Trouble
• Panic end of the Euphoria-Panic Continuum
• Wants: Quick resolution to the immediate problem

Even Keel
• No perceived “gap” between Reality and Results Needed
• Wants: Status Quo

Overconfident
• Current situation exceeds expectations
• Wants: You to go away!

Page 13

SALE 1 – INITIATIVE BUY-IN

Page 14

INITIATIVE BUY-IN – UNDERSTAND APPLICABLE LAWS AND REGULATIONS

• Financial Services
  • Gramm-Leach-Bliley Act (GLBA)
  • NASD 3500
  • Guidance - www.ffiec.gov

• Health Insurance Portability and Accountability Act (HIPAA) – 45 CFR 164.308(a)(7)

• Sarbanes-Oxley Act (SOX) – Section 404

• Government - FISMA: Federal Information Security Management Act of 2002

Page 16

INITIATIVE BUY-IN – FIND A COACH

• Ideally, accountable for operational risk or would be impacted the most by business interruption
• Understands the “big picture”
• Has the ear of Sr. Management and Board
• Respected internally – can get it done!!!

Page 17

INITIATIVE BUY-IN – USER FEEDBACK – UNDERSTAND OBLIGATIONS & CUSTOMER REQUIREMENTS

• Sales / Customer Service: Service Level Agreements; Warranties

• Finance / Accounting / Risk Mgmt: Obligations; Business Insurance and Exclusions

• Production: Manufacturing commitments; Inventory management

• Compliance: Previous audit findings; Vendor management

Page 18

INITIATIVE BUY-IN – USER

• Cite Recent Incidents: area flooding, power outages, tornados, security breaches, a recent “brush with disaster”

• Look for Growth / Trouble Mode

• Ask Implication Questions – “5 Why’s”

Page 19

5 WHY’S

1. We cannot have any downtime.

2. My people need to access the network.

3. Because they have to use ERP.

4. Without accessing ERP, we cannot fulfill orders.

5. Our brand / reputation would be irreparably damaged, missed deadlines, lose customers, fines/penalties, excessive downtime costs, etc.

Page 20

TECHNICAL BUYER – UNDERSTAND BC CAPABILITIES UNDER VARIOUS SCENARIOS, AND HAS IT BEEN TESTED?

“Under what circumstances have you had to actually execute your DR plan, either full or in part, excluding tests?”

Bar chart: percentage of respondents (values from 7% to 59%) for each circumstance: Never; Configuration Issues (storage, database); Configuration Issues; Man Made Disaster (war, terrorism); Configuration / Change Mgmt Issues; Malicious Employee Behavior; Data Leakage or Loss; IT Problem Management; User / Operator Error; Power Outage; Natural Disaster; External Computer Threats (virus, hackers); Computer Systems Failure.

Source: Symantec Disaster Recovery Global

Page 21

THE BUSINESS RECOVERY PLANNING PUZZLE

Page 22

ECONOMIC BUYER – SELL IT – SPIN SELLING APPROACH (AUTHOR: NEIL RACKHAM)

S – Situation: Revenue dependency on availability; laws/regulations; client commitments

P – Problem: We’re at risk; capabilities unknown; untested

I – Implication: Customer confidence, shareholder loss, compliance violations, damaged reputation

N – Need / Payoff: Identify requirements; evaluate alternatives

Page 23

DOWNTIME COSTS ARE EXPONENTIAL -- NOT LINEAR

Chart: Impact Cost/Hour ($0 to $1,000,000) against Outage Duration in hours (1, 4, 8, 12, 24, 48).

Page 24

TIP: REVIEW RISK FACTORS IN THE 10-K

Page 25

“WE FACE RISKS RELATED TO SYSTEM INTERRUPTION AND LACK OF REDUNDANCY”

Our computer and communications systems and operations could be damaged or interrupted by fire, flood, power loss, telecommunications failure, earthquakes, acts of war or terrorism, acts of God, computer viruses, physical or electronic break-ins, and similar events or disruptions. Any of these events could cause system interruption, delays, and loss of critical data, and could prevent us from accepting and fulfilling customer orders and providing services, which could make our product and service offerings less attractive and subject us to liability. Our systems are not fully redundant and our disaster recovery planning may not be sufficient. In addition, we may have inadequate insurance coverage to compensate for any related losses. Any of these events could damage our reputation and be expensive to remedy.

Page 26

GLOBAL PAYMENTS, INC. 1.5 MILLION CREDIT CARD RECORDS BREACHED APRIL 1, 2012

Page 27

RECOMMEND A PROCESS

Process diagram:
• Facility Risk Assessment
• Preventive Measures
• Recoverability Assessment
• Impact Analysis
• Potential Loss
• Recovery Plan
• Strategy Selection
• Plan Development
• Test / Update / Maintain

Page 28

SALE 2 – STRATEGY BUY-IN

Page 29

I. BUSINESS IMPACT ANALYSIS (BIA)

A Business Impact Analysis (BIA) sets realistic recovery goals and priorities based on impact to the business.

• Define business requirements
  • What functions are critical to the business?
  • What resources are needed?
  • How would interruption impact the company?
  • When would the functionality need to be restored?

Page 30

BIA PURPOSE

• Quantifies Losses Over Time

• Identifies Operational Impacts Over Time

Chart: $ Impact against Time To Recovery (8 hrs, 24 hrs, 48 hrs, 72 hrs, Days), with impact bands: Productivity / Quality Losses; Short Term Financial Impact / Customer Base Affected; Long Term Financial Impact / Customer Base Lost. Determine The Impact.

Page 31

CONTINUITY RISK MANAGEMENT


Page 32

BUSINESS PROCESS PRIORITIES – 1-3 DAYS

Chart: Solution Costs against Time to Recover (Low to High); Hours – Data Replication; Days/Weeks – Tape Restore. Process boxes, in reading order: Customer Service; Comm to Distributors, End Users, DM; Order Entry / Pricing & Availability; Switchboard; IMS; Customer Service; Service Parts; Inventory Control / Receiving / Stocking; Order Entry; Purchasing; Shipping; Electrical Components; Manufacturing / Shipping; Service Parts; Maint of Item / Customer Master Lists; Electrical Components; Production of Rate Card; Facilities; Door Access Security; IMS; Finished Goods; Engineering. Recovery time tiers shown: 4 hours, 1 day, 3 days.

Page 33

MATCH STRATEGY TO IT SERVICE CLASSIFICATION -- TECHNICAL

Chart: $ Cost to Recover against Time to Recover (30 Min.; 8-24 Hours; 1-4 Days; 5-8 Days; 9-15 Days; 16+ Days). Recovery Solutions shown: Rapid Recovery (Mirrored); Mobile Site / Equipment Drop Ship; Data Electronic Vaulting; Vendor Contracted Hot Site; Cold / Warm Site; No Recovery Option.

Page 34

Cold Site Recovery Process (diagram): OUTAGE, EMERGENCY, RECOVERY TASKS

Page 35

TIMELINE AT TIME OF DISASTER

Gantt chart, Week 1 through Week 6, with these tasks:
• Find Alternate Site
• Order Equipment
• Start up iSeries w/ Remote Access
• Prepare Data Center Space
• Move Disk Backups to Alt Site
• Order Internet
• Order Communication Lines
• Install Hardware, Build Servers, Restore Data
• iSeries Connectivity at
• Verify Communications for Users

Page 36

STRATEGY BUY-IN – FINANCIAL JUSTIFICATION – ECONOMIC

Annualized Loss Expectancy (ALE)
• Risk = Probability x Impact. Here “Probability” is the expected number of occurrences per year (the annualized rate of occurrence, which is why a power outage can be listed at 100%) and “Impact” is the loss from a single occurrence; ALE is their product, and a mitigation is compared against the ALE it removes.

Threat             Probability  Impact  ALE    Mitigation Options              Cost   Disposition
Facility Disaster  5%           $10M    $500k  Redundant Data Center           $2M    $1.5M
Facility Disaster  5%           $10M    $500k  Hot-site for critical services  $200k  $300k
Hardware Failure   50%          $100k   $50k   Replication / Hot Spare         $50k   $20k
Power Outage       100%         $150k   $150k  Diesel Generator                $100k  $50k
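A worked cost-benefit over the table above, as an added example that is not part of the deck. It is Python written for this page: the threat names, probabilities, impacts, options and costs are the slide’s own figures, while the net-benefit rule (ALE avoided minus annual control cost), the residual-risk fields, the reading of “Cost” as a per-year figure, and the extra three-outages-a-year row are assumptions made here. The slide’s Disposition column is not recomputed; for the hot-site and generator rows the net benefit below happens to equal it.

```python
# Added example, not code from the Assurity River deck. Slide figures are used
# for the threats and options; the net-benefit rule, residual-risk fields, the
# per-year reading of "Cost" and the FREQUENT_OUTAGE row are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    aro: float  # annualized rate of occurrence: the slide's "Probability" (may exceed 1.0)
    sle: float  # single loss expectancy in dollars: the slide's "Impact"


@dataclass(frozen=True)
class Mitigation:
    name: str
    annual_cost: float  # the slide's "Cost", read here as a per-year figure (assumption)
    residual_aro: Optional[float] = None  # rate left after the control; None = threat removed
    residual_sle: Optional[float] = None  # loss per event left after the control; None = unchanged


def ale(t: Threat) -> float:
    """Annualized Loss Expectancy = ARO x SLE, the slide's Risk = Probability x Impact."""
    return t.aro * t.sle


def residual_ale(t: Threat, m: Mitigation) -> float:
    """ALE that remains once the control is in place (0 if the control removes the threat)."""
    if m.residual_aro is None:
        return 0.0
    sle = t.sle if m.residual_sle is None else m.residual_sle
    return m.residual_aro * sle


def net_benefit(t: Threat, m: Mitigation) -> float:
    """Loss avoided per year minus control cost per year; positive means the control pays for itself."""
    return ale(t) - residual_ale(t, m) - m.annual_cost


def best_option(t: Threat, options: List[Mitigation]) -> Optional[Tuple[Mitigation, float]]:
    """Highest positive net benefit wins; None when no option is worth buying for this threat."""
    ranked = sorted(((m, net_benefit(t, m)) for m in options), key=lambda x: x[1], reverse=True)
    return ranked[0] if ranked and ranked[0][1] > 0 else None


# The four rows of the slide's table, grouped by threat.
SLIDE_TABLE: Dict[Threat, List[Mitigation]] = {
    Threat("Facility Disaster", 0.05, 10_000_000): [
        Mitigation("Redundant Data Center", 2_000_000),
        Mitigation("Hot-site for critical services", 200_000),
    ],
    Threat("Hardware Failure", 0.50, 100_000): [Mitigation("Replication / Hot Spare", 50_000)],
    Threat("Power Outage", 1.00, 150_000): [Mitigation("Diesel Generator", 100_000)],
}

# Constructed row (not on the slide): a site losing power three times a year, with a
# generator that shortens each outage to a $5k cutover instead of eliminating it.
FREQUENT_OUTAGE = Threat("Power Outage (3 per year)", 3.0, 150_000)
GENERATOR_PARTIAL = Mitigation("Diesel Generator", 100_000, residual_aro=3.0, residual_sle=5_000)


def report(table: Dict[Threat, List[Mitigation]]) -> List[Dict[str, object]]:
    """One record per option: ALE, annual cost, net benefit, and whether it is the pick."""
    rows: List[Dict[str, object]] = []
    for t, options in table.items():
        pick = best_option(t, options)
        for m in options:
            rows.append({
                "threat": t.name,
                "ale": ale(t),
                "option": m.name,
                "cost": m.annual_cost,
                "net_benefit": net_benefit(t, m),
                "recommended": pick is not None and pick[0] is m,
            })
    return rows


if __name__ == "__main__":
    for r in report(SLIDE_TABLE):
        flag = "<- recommend" if r["recommended"] else ""
        print(f'{r["threat"]:<18} ALE ${r["ale"]:>9,.0f}  {r["option"]:<31} '
              f'cost ${r["cost"]:>9,.0f}  net ${r["net_benefit"]:>12,.0f} {flag}')
    print(f"{FREQUENT_OUTAGE.name}: ALE ${ale(FREQUENT_OUTAGE):,.0f}, "
          f"generator net benefit ${net_benefit(FREQUENT_OUTAGE, GENERATOR_PARTIAL):,.0f}")
```

Running it shows why the two Facility Disaster rows land differently: both options remove the same $500k ALE, but only the $200k hot-site costs less than the loss it avoids, so the $2M redundant data center nets out at minus $1.5M and is not recommended. The Hardware Failure row nets to zero under this rule, and the constructed last line shows the rate-above-one case that the slide’s 100% row hints at.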

Page 37

FINAL THOUGHTS

• Identify Buying Influences (E, U, T, C)

• Do Your Homework!

• Target Growth and Trouble Response Modes

• Build Case with USER Input - IMPLICATIONS

• Match Solutions to Business Requirements

• Identify Additional Benefits


Page 40

THANK YOU!

Jeff Olejnik, CEO

952-230-6488

[email protected]

www.assurityriver.com

@assurityriver