Convincing Top Management - DFIR Readiness

Nov 22, 2018
#1
Hi and Hello to all

Proposing ideas is not an easy task especially in convincing the top management to look upon our ideas. Any of you have ideas or maybe experienced on how to convince top management regarding computer forensic readiness in the company/organization?

Much appreciated


twicesafe
Administrator
#2
Hello @Mo.Muhaimin

Would you be able to further expand on your question?

- What type of business/industry are you in?
- What are your major risks?

Answering these types of questions will help you come up with your argument for more resources. Management won't invest unless they can see that the costs (both to reputation and financially) will be greater than not doing anything. They have to see and feel the pain before it happens otherwise you are asking for a lot of money for 'insurance' they may never need to use.

Please expand on your question so that we can help further.
 
#3
1) Currently working in the medical field.
Thoughts on any field or business would be appreciated, as it can promote a wider perspective on this matter.
From my perspective, the company I'm currently in hasn't encountered any problem regarding this matter. But the threats are there, as we handle many P&C documents such as personal data of patients. It would be very bad if something does happen, right?
 

BIOS
New Member
#4
It could be very bad & very expensive if something happens.

Convincing management still appears to be a very difficult challenge around the world. Not sure why, especially as every day we hear stories of cyber breaches or malware attacks. I think you need to keep reminding them that the cost of doing nothing will eventually be a lot more than if they had invested in doing something. And there is no shortage of examples (including in the medical field), such as the ransomware attack experienced by the UK NHS (National Health Service): This is how much the WannaCry ransomware attack cost the NHS | ZDNet

According to this article, the cost to the National Health Service was approximately £92m and "led to the cancellation of 19,000 appointments." That's a lot of money, and a lot of angry people who missed likely very important appointments. The article also states that approximately £72m was spent to fix the damage and help ensure that systems were more secure in future. It would be interesting to know how much the cost would've been had they made the system more secure prior to the ransomware attack.
 

athulin
Experienced Member
#5
(in reply to #1)
Show practical benefit. Benefit to management often involves lower costs, better compliance with legal or other regulatory matters, or improving public relations (such as not being perceived as slow or costly in performing forensic investigations), or solving other problems.

For example: Review past forensic investigations, and show that so and so many hours were spent on hunting for secondary matters, such as identifying log files, or normalizing log timestamps, or just identifying assets. Also show that if activities A, B, and C, addressing these factors were implemented, this time would be reduced to something much smaller, and thus lower costs.

Improvements usually don't come out of nothing: they tend to be based on known problems. What known problems do you have? If management doesn't listen, it could easily be that forensic readiness does not address the most pressing problems of the organization. In such cases, you may need to find out what those problems are, and consider if forensic readiness may play a part in solving or mitigating them.

If they do not, ... you might be able to show that forensic readiness will soon become a major issue, and that it needs to be addressed now in order to lower future costs.

It helps to have some kind of management sponsorship. If anyone in management deals with these issues, talk to that person first.
 
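One of the "secondary matters" athulin lists, normalizing log timestamps, is the kind of readiness work that can be costed in hours. The script below is an added example, not code from the thread or from any poster: it merges constructed log lines from four assumed sources (a syslog host writing local time with no year, an Apache access log carrying its own offset, a Windows event export in 12-hour local time, and an EDR feed in UTC) into one UTC-ordered timeline. The source names, formats and zone offsets are assumptions made for the example; a real readiness plan would record each source's zone and format in advance so an investigator does not have to rediscover them mid-case.

```python
"""Normalize timestamps from heterogeneous log sources into one UTC timeline.

Added example, not from the thread. Source names, line formats and
zone offsets are assumptions constructed for the demonstration.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumed per-source zones for hosts that log local time without a marker.
# Fixed offsets are used here; production code would use zoneinfo so that
# DST transitions are handled.
SOURCE_TZ = {
    "syslog-web01": timezone(timedelta(hours=8)),   # assumed UTC+8 host
    "win-evt-dc01": timezone(timedelta(hours=-5)),  # assumed UTC-5 host, no DST
}

# Constructed sample lines, one per source format. Read as raw text they
# appear to span two different days; normalized, they are 14 seconds apart.
SAMPLE_LOGS = [
    ("syslog-web01", "Nov 22 10:03:11 web01 sshd[4410]: Accepted publickey for admin from 10.0.0.7"),
    ("apache-web01", '10.0.0.7 - - [22/Nov/2018:10:03:15 +0800] "GET /admin HTTP/1.1" 200 512'),
    ("win-evt-dc01", "11/21/2018 09:03:20 PM,4624,An account was successfully logged on"),
    ("edr-cloud", "2018-11-22T02:03:25Z process_start cmd.exe parent=winword.exe"),
]

_SYSLOG = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<rest>.*)$")
_APACHE = re.compile(r"\[(?P<ts>\d{2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
_WINEVT = re.compile(r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M),(?P<rest>.*)$")
_ISO = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<rest>.*)$")


def parse_event(source, line, assumed_year=2018):
    """Return (utc_datetime, message) for one line, or None if it does not parse."""
    if source.startswith("syslog"):
        m = _SYSLOG.match(line)
        if not m:
            return None
        # syslog omits the year; the analyst must supply it (assumed_year).
        naive = datetime.strptime(f"{m['mon']} {m['day']} {assumed_year} {m['time']}",
                                  "%b %d %Y %H:%M:%S")
        local = naive.replace(tzinfo=SOURCE_TZ[source])
        return local.astimezone(timezone.utc), m["rest"]
    if source.startswith("apache"):
        m = _APACHE.search(line)
        if not m:
            return None
        # The offset is carried in the line itself, so no per-source zone is needed.
        aware = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return aware.astimezone(timezone.utc), line
    if source.startswith("win-evt"):
        m = _WINEVT.match(line)
        if not m:
            return None
        # 12-hour clock with AM/PM in the host's local zone.
        naive = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        local = naive.replace(tzinfo=SOURCE_TZ[source])
        return local.astimezone(timezone.utc), m["rest"]
    if source.startswith("edr"):
        m = _ISO.match(line)
        if not m:
            return None
        aware = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        return aware, m["rest"]
    return None


def build_timeline(records, assumed_year=2018):
    """Merge (source, line) pairs into a single list sorted by UTC time.

    Each entry is (iso_utc_string, source, message). Unparseable lines are
    skipped so one bad record does not abort the whole merge.
    """
    events = []
    for source, line in records:
        parsed = parse_event(source, line, assumed_year)
        if parsed is None:
            continue
        when, msg = parsed
        events.append((when.strftime("%Y-%m-%dT%H:%M:%SZ"), source, msg))
    events.sort()
    return events


if __name__ == "__main__":
    for ts, src, msg in build_timeline(SAMPLE_LOGS):
        print(ts, src, msg)
```

Run as-is, it prints the four constructed events in true order (ssh login, web request, domain logon, process start) within one 14-second window, whereas the raw lines show three different clock faces and two different calendar dates. The hours an investigator would otherwise spend establishing each source's zone and format are exactly the kind of measurable saving athulin suggests putting in front of management.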

azuleonyx
Experienced Member
#6
One of the largest problems with anything dealing with computer security is the benefit factor--how does a company quantify the spending where there is no measurable impact unlike other management tasks?

I also find that most (non-tech-centric) companies seem to bind computer security (all types) directly to a known business practice instead of having it as a supplemental practice.

As stated by others, you are going to need to show "practical benefit" and the potential cost savings (loss of customer data, loss of customer support and trust, and others). Of course, with cyber security insurance starting to rise, how do companies choose whether to actually fix the problems at hand or just pay people off with insurance?
 
#7
(in reply to #4)

Do you think that I need to show something that can be measured, a scale, a graph, or maybe something numeric in terms of cases that have happened, and show it to the management in order to persuade them to take this matter seriously?
 
#8
(in reply to #5)

Well said. In my working environment, the more you can save the better in terms of budgeting and money-related matters (this probably happens in most organizations), but as a person who is aware of this matter and is also trying to convince the management, it has been such a hassle for me personally. The organization is sceptical about this matter. They don't show any interest, but deep down they know that the company is prone to this kind of incident, yet they don't have any preparation for countering it.
 
#9
(in reply to #6)

Interesting. Maybe they will choose to just pay people off with insurance rather than getting their hands dirty handling the cases at hand (my opinion). Is the cost greater if we fix the problem at hand than if we pay off with insurance? What do you think?
 

RobertM
TRUSTED Contributor
#10
Do you think that I need to show something that can be measured, a scale, a graph, or maybe something numeric in terms of cases that have happened, and show it to the management in order to persuade them to take this matter seriously?
I think this could be an excellent start. Remember, when talking to management, they don't want to, nor will they, read a 20-page report about something they don't want to believe. You have to create a 1- or 2-page document highlighting key breaches and ransomware attacks on businesses that are similar to your own (same size, industry) and show how much it costs to fix the issue.

I think you also have to start slow. You can't expect them to invest a ton of money and resources to start if they don't see all the issues. In the end, I am sure you are better off getting 5-10% of the amount of time and resources you need to fix the big holes than waiting years to potentially get 80-90% of the money/resources. Highlight the major issues that are easy and quick to fix and really emphasize that the company should attack those first as they learn more about the potential issues.

This will hopefully get them interested and want to know more, so have the more detailed report or presentation ready.


Interesting. Maybe they will choose to just pay people off with insurance rather than getting their hands dirty handling the cases at hand (my opinion). Is the cost greater if we fix the problem at hand than if we pay off with insurance? What do you think?
Insurance is good at helping to pay to get your business back up and running, but it does not fix the company's reputation. If no clients trust the company after a breach or ransomware attack, then the business will die from lack of revenue in the future.

This is similar to house insurance. It is great when you need it, but if you use it, you can expect to pay more next time for the same insurance. Use it a couple of times and suddenly you won't have any insurance, as you are then seen as a risky client.

Have cyber insurance as a backup, but don't ever run your company with the idea that you want to use it. Not to mention that most insurance will be extremely expensive unless you can show that you are taking the proper steps to secure the data. Insurance companies only want to insure organizations that they think are cyber aware and taking the right steps. They recognize how expensive a breach can be to remediate and won't provide insurance to organizations they think are risky.

Hopefully the above information helps.
 