Category Archives: ROI

My RSA Conference Notes and perspective – Tuesday AM 2013

Today the RSA Conference kicked off for me. The best part of these types of events is the onslaught of ideas shared between peers – generally through networking and random encounters in hallways (such as bumping into Bill Brenner). Thanks, first off, to RSA for creating the forum in which these discussions can occur.

I have the privilege of speaking tomorrow, and look forward to the debate and flow of ideas that will ensue.
While reviewing some of the research provided to attendees, I had the following observations, and wanted to share them in their entirety for debate and expansion:

Vendor management by procurement SHOULD include data plus asset chain of custody, and #infosec assurance to YOUR standards #RSAC

So basically – costs per breach are up; # attacks higher; 6 more days to resolve, & the same forms of attack #rsac

Aren’t costs per breach (up to $8.9 million in 2012) the result of our greater leverage of information technology & the resulting value?

Most botnet, malware, & C&C operators manage MORE devices; across WIDER geographies, & generate a positive ROI. How is your information security?

#rsac Art’s presentation was good. Agree with Taleb perspective, but it must be applied at the Org to match robustness #infosec

Art Coviello gave an impassioned presentation that I thought was very good for a keynote at that level. Typically there is a risk of sales material (which did occur at the end, of course), but he offered a couple of good analogies and some useful mental positioning. I thought his analogy to Nassim Taleb’s Antifragile was on point (and funny, since I am a third of the way through it, so it is very fresh in my mind) for security operations against cyber threats. I would expand it, though, to include the business process and the information security compliance program. I have found that the blocking and tackling of information security itself needs to be robust and antifragile; lacking these elements forfeits the benefits of the threat intelligence he describes.

This is especially poignant to me given the relative lack of volatility in the types of attacks that succeed against organizations, and their ongoing effectiveness in breaching company defenses.

If you are looking to enjoy the keynotes (I would recommend at least Art Coviello’s and Scott Charney’s), they are available live or on demand here.

RSA thoughts and sessions .. to be continued ..


James DeLuccia

NEW Fraud Survey – Identify Impactful Internal controls

In the mail I received an early copy of the “2008 Report to the Nation on Occupational Fraud and Abuse” from the Association of Certified Fraud Examiners. The 2006 report has represented the de facto standard for qualitative fraud calculations and risk mitigation efforts. While there is no substitute for reading the full report, I will highlight the following key areas – Audience, Nuggets, and Action items.

The report is written both for those with fraud responsibilities within the organization and for those who hold assets worth exploiting. Therefore the audience I see (beyond the obvious fraud professionals) includes:

  • Chiefs – CFO, CRO (Chief Risk Officer), CAO, CIO, CISO
  • Business Owners – VP, Directors
  • Team Leaders – of small teams

Nuggets:

  • 67 pages of facts sum up 959 cases of occupational fraud
  • 7% of annual revenues are lost due to fraud (up from 6% two years ago)
  • In the U.S. that is approximately $994 billion in fraud losses
  • 25% of the frauds in the sample caused $1 million or more in losses
  • Tips identified 46.2% of all frauds
  • Small businesses suffer fraud more frequently (39.1% of all frauds) and more severely (losses nearly double those of a public company)
  • Independent audit of financial statements was the most common control and nearly the worst at mitigating fraud (a high-error area where perceived accountability diverges from reality)
  • Most effective controls: internal audit, surprise audits, management review of internal controls, and fraud hotlines

Action items:

  • Re-prioritize internal controls to address fraud
  • Identify which roles are truly accountable for fraud detection (i.e., address the perception vs. reality conundrum)
  • Emphasize employee training on fraud recognition, the safeguards (whistleblower policies), and the reporting mechanisms (confidential hotlines)
  • Institute a mature process that follows up on all leads completely and objectively (the damages of a fraud grow over time, so quickly eliminating an identified fraud has strong rewards)
  • Establish surprise audits and mandatory job rotation

Again, this ACFE report is incredibly valuable and should be a cornerstone of any control environment. Segments may be adopted today and into the future. In addition, the ability to eliminate subjective values in risk calculations is tremendous.

Kind regards,

James DeLuccia IV

Looking forward to seeing everyone at the ACFE 19th Annual Fraud Conference next week in Boston. My session on the best and worst IT controls is on Monday!

Security Metrics in a Recession – A Better Mindset

Business ebbs and flows in most industries, and unless you are demonstrating true value it is hard to respond positively when management must make hard decisions. If technology services are not demonstrating value – i.e., they are not in alignment with what the business needs, or there is waste throughout the system – perhaps a healthy dose of self-evaluation is in order. To that point I want to elaborate on an INC. magazine article I contributed to, entitled “Instituting Security Metrics” by Lora Shinn.

There are two lines of thought I want to explore: the first is how security metrics *can* enhance the value of the technology environment, and the other is how they can save the business.

Enhance Value:
Security metrics are any measure of the organization’s efforts to safeguard the assets of the corporation. These may be sensitive information databases, actual hardware devices, the staff, or any number of categories depending on your business. It is important to recognize that these are “a part of” a greater measurement effort within your business. It is 100% certain that your business is currently calculating ROI, ROA, ROE, and hundreds of other metrics relating to finance, employee turnover, customer satisfaction, competitive industry scorecards, and even compensation baselines. These existing performance, governance, and business metrics can provide the technology group with a sufficient methodology and format when preparing similar security metrics.

In order to enhance value to an organization, technologists must be able to:

  1. Justify the technology deployed
  2. Identify important assets within the architecture
  3. Measure what the business requires of these assets.

Only at this point can action be taken. The “action” referred to here may include decommissioning unnecessary hardware, eliminating specific redundant architectures, insourcing or outsourcing specific functions, or transforming the operations to a fully distributed platform.

The end result is a technology services group that achieves optimal balance between mission and cost thereby providing meaningful impacts to both the top and bottom line of the financial statements.

Saving the Business:
Loss of sensitive data, downtime due to forensic investigation or malware, government and industry partner fines, loss of customers, and loss of confidence among business partners are the results of security failures. Security metrics must consider the inputs into these risks for the business and appropriately mitigate each as necessary. In future postings and in a recent research briefing I will elaborate on these important points.

Check out the article here, and please post your comments on how you feel security metrics should be positioned, and which are your favorites.


James DeLuccia

IT Compliance and Controls – Best Practices for Implementation, by James DeLuccia IV

The new book is HERE!!!

Here are two quick shots taken while opening up the first shipment of books! Below the pictures I briefly sum up the intent of the book. Of course, the major booksellers present it better, and you can read the entire back cover and inside flaps here.


A brief overview:
Over the past year and a half I have been putting together a book with the magnificent crew at John Wiley & Sons Publishing (a company that is over 200 years old – a point that makes sense if you skim my final closing chapter). I have had a tremendous amount of help from friends, colleagues, companies, and numerous industry and government enforcement groups. My family was especially kind while I put together the book – allowing me to lock myself in my office while I sought to simplify the book so that it would ultimately become:

A global synthesis of how society and business have progressed over the past 100 years to integrate information technology, and of its relative importance to business. The work is based on an analysis of over 140 separate public frameworks, laws, audit reports, and numerous guidance documents, plus personal experience auditing and assessing over a million systems around the world. This effort resulted in the identification of key principles that represent the best practices globally competitive organizations must adopt to balance the risks and rewards of operating in the 21st century. An action plan is designed to enable businesses to evaluate their important controls and consider the next 100 years.

A great deal of time is spent exploring PCI DSS, NERC, SOX, FFIEC, and their related controls, plus some interesting challenges related to virtualization, grid computing, and the implied reliability of the Internet backbone. Thank you for taking the time to visit and contribute to this forum, and for your feedback and future comments on this site.

Kind regards,

James DeLuccia

PCI Compliance: Practices to Achieve Savings

A recent article was published proposing that companies need not hire expensive consultants to meet PCI compliance. The author goes on to detail that the best approach is, first, to walk through the documents internally, and second, to document your controls. I wholeheartedly agree that self-reflection and properly recording controls are absolutely pivotal to reaching compliance with PCI, and in fact you could apply the same approach to any mandate or legal burden.

I feel, however, that the author has left a few stones unturned, and wanted to highlight additional practices (demonstrated by clients in the U.S.) that can maximize your efforts in demonstrating, maintaining, and operating a compliant control environment.
Align control environments and produce a single repository:
Organizations should consider how their existing control environments are deployed, and whether other attestation events will examine the same systems. It is very likely that the identity management system, firewalls, logging servers, anti-virus, etc., identified as core controls for PCI are also in scope for SOX, FERC/NERC, and many others. Identifying the controls that are in place, and then producing a single set of audit documentation, maximizes each audit engagement and removes duplication.
Consider having more than one audit at a time:
Audits examine a period of time in the past to validate that the controls operated correctly. If audit events are stretched out over several months, the test period in question shifts with each audit; while these long audit windows do push the organization to maintain an optimal level of compliance year-round, they are also extremely wasteful. Similar to the alignment savings, providing the logs of your LDAP server once instead of six times has obvious benefits and results in clear savings.
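As an added example, not part of the original post, of the two practices above (a single control repository, and audits aligned so evidence is pulled once): the Python below takes a constructed mapping of technical controls to the mandates whose audits examine them, plus constructed audit test periods, and reports how many evidence pulls are needed with and without alignment, the single sample period that would satisfy every audit of a control, the retention span the repository must cover, and which controls have audit windows that do not overlap at all (so one pull cannot serve them until the schedules move). The control names, mandate names and dates are placeholders chosen for illustration, not real clause references or real audit dates.

```python
from datetime import date

# Constructed for illustration: technical controls and the mandates whose
# audits examine them. Names are placeholders, not real clause references.
CONTROL_MAP = {
    "firewall-rulebase-review": {"PCI DSS", "SOX", "NERC CIP"},
    "ldap-access-logs": {"PCI DSS", "SOX", "NERC CIP", "FFIEC"},
    "antivirus-coverage": {"PCI DSS", "SOX"},
    "cardholder-data-encryption": {"PCI DSS"},
}

# Constructed: the test period (start, end) each audit will sample.
AUDIT_WINDOWS = {
    "PCI DSS": (date(2008, 1, 1), date(2008, 12, 31)),
    "SOX": (date(2008, 4, 1), date(2009, 3, 31)),
    "NERC CIP": (date(2008, 7, 1), date(2008, 12, 31)),
    "FFIEC": (date(2008, 1, 1), date(2008, 6, 30)),
}


def evidence_requests_unaligned(control_map):
    """Every audit pulls its own evidence: one request per (control, mandate)."""
    return sum(len(mandates) for mandates in control_map.values())


def evidence_requests_aligned(control_map):
    """Single repository: one evidence pull per control, reused by every audit."""
    return len(control_map)


def common_test_period(mandates, windows):
    """Intersection of the audit windows for the given mandates.

    Returns (start, end), or None when the windows do not all overlap,
    meaning one evidence pull cannot satisfy every audit as scheduled."""
    start = max(windows[m][0] for m in mandates)
    end = min(windows[m][1] for m in mandates)
    return (start, end) if start <= end else None


def retention_span(mandates, windows):
    """Union span the evidence store must retain to serve all of the audits."""
    return (min(windows[m][0] for m in mandates),
            max(windows[m][1] for m in mandates))


def build_repository(control_map, windows):
    """Per control: the mandates served, the one sample period satisfying all
    of them (or None), and the retention span the repository must cover."""
    repo = {}
    for control, mandates in sorted(control_map.items()):
        repo[control] = {
            "mandates": sorted(mandates),
            "period": common_test_period(mandates, windows),
            "retention": retention_span(mandates, windows),
        }
    return repo


def unalignable_controls(repo):
    """Controls whose audits must be rescheduled before a single pull works."""
    return [c for c, info in repo.items() if info["period"] is None]


if __name__ == "__main__":
    repo = build_repository(CONTROL_MAP, AUDIT_WINDOWS)
    print("evidence pulls, one per audit :", evidence_requests_unaligned(CONTROL_MAP))
    print("evidence pulls, single repo   :", evidence_requests_aligned(CONTROL_MAP))
    for control, info in repo.items():
        period = info["period"]
        shown = f"{period[0]}..{period[1]}" if period else "NO COMMON WINDOW"
        print(f"{control:28} {', '.join(info['mandates']):32} {shown}")
    print("reschedule before aligning    :", unalignable_controls(repo))
```

With the constructed data, ten separate evidence requests collapse to four, and the LDAP access logs are flagged: the FFIEC and NERC CIP windows never overlap, so those two audits must be moved onto a common period before one log export can serve both. The retention span for that control also runs past the PCI year-end, which is the kind of requirement that only becomes visible once all of the audits of one control are looked at together.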
Assign an internal resource to conduct your PCI audit:
Merchants required to produce a report on compliance to Visa and the other card associations may hire an assessor, or may rely on an “internal audit if signed by an Officer of the company.” That can translate to very large savings, both in audit fees and because internal audit departments (or assigned persons) will have greater knowledge of the business than an outsider. A note of caution on this recommendation: third parties bring experience of multiple environments (and of their likely areas of weakness), and come without the assumptions that are made and accepted by being part of a company’s culture. Extreme diligence must be taken when internal resources are relied upon, especially if those assigned are the same people running the environments (the fox watching the hen house).

There are many other areas of savings that can be achieved for PCI, and a larger set of practices for SOX and others… but that is for another time. I welcome any additional areas of savings people have seen!

Best regards,

James DeLuccia IV

IT Compliance and Controls Book Release is March 19th 2008!! Pre-Order Today
